From: Markus K. <ejb...@pr...> - 2012-07-31 18:37:39

Hi Antoine,

I finally found it. It was there in the change log for the next release all the time, not sure how I could miss it.

Anyway, the certificate was renewed as part of https://jira.primekey.se/browse/DSS-483 and the issue was already resolved in the 3.2 branch and will be available in the next release (SignServer 3.2.3).

Best regards,
Markus

On 2012-07-31 10:11, Antoine Louiset wrote:
> Yes, I use the version 3.2.2.
>
> On 31/07/2012 10:04, Markus Kilås wrote:
>> I did the same thing but I have much later dates for the
>> TestLimitKeyUsageSigner (5802). Are you really using the latest release
>> (ie. 3.2.2) otherwise upgrading should solve the problem.
>>
>> Best regards,
>> Markus
>>
>> On 2012-07-30 20:56, Antoine Louiset wrote:
>>> You were right Markus (as always ! ) !
>>>
>>> I have got 2 errors and one fail. I join a screenshot of the admin gui
>>> (in the reports.rar file). After launching the tests, we can see that
>>> the worker 5802 and others are unavailable.
>>>
>>> After removing this worker, I launch bin/signserver.sh setproperties
>>> modules/SignServer-Module-XMLSigner/src/conf/junittest-part-config.properties
>>>
>>> to activate it and then the reload command.
>>>
>>> We can see in the Capture-1.png the result. The signer certificate is
>>> indeed valid until 20/04/12.
>>>
>>> After resolving this problem, there will be one last error !!
>>>
>>> Have a nice evening.
>>>
>>> Best regards,
>>>
>>> On 30/07/2012 19:05, Markus Kilås wrote:
>>>> I am not able to reproduce the test failure you are getting. I also
>>>> checked the certificate for worker 5802 and it should not expire until
>>>> year 2021 so it is a very strange error message.
>>>>
>>>> Have you tried clearing the database before running the tests in case
>>>> some signers are left from previous test runs?
>>>>
>>>> Best regards,
>>>> Markus
>>>>
>>>> On 2012-07-30 16:54, Antoine Louiset wrote:
>>>>> Ok Markus, no problem ! Thanks !
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Antoine
>>>>>
>>>>> On 30/07/2012 16:53, Markus Kilås wrote:
>>>>>> On 2012-07-30 15:08, Antoine Louiset wrote:
>>>>>>> Hi Markus,
>>>>>>>
>>>>>>> Thanks for your fast answer !
>>>>>>>
>>>>>>> I have just one remark for the JCE installation. I don't find it in the
>>>>>>> installation guide (I read it quickly).
>>>>>> I was really surprised it wasn't there. I have registered
>>>>>> https://jira.primekey.se/browse/DSS-514.
>>>>>>
>>>>>>> I download JCE policy and it resolves one fail. The problem of the
>>>>>>> signer 5802 will resolve one fail and one error. So there will be no
>>>>>>> more fails but I have no idea about the other errors. What do you think
>>>>>>> about them ?
>>>>>> I will try to get back about them. I haven't yet had time to test it
>>>>>> on my machine.
>>>>>>
>>>>>> Best regards,
>>>>>> Markus
>>>>>>
>>>>>>> Good afternoon !
>>>>>>>
>>>>>>> Antoine
>>>>>>>
>>>>>>> On 30/07/2012 10:47, Markus Kilås wrote:
>>>>>>>> Hi Antoine,
>>>>>>>>
>>>>>>>> See answers below.
>>>>>>>>
>>>>>>>> On 2012-07-28 23:24, Antoine Louiset wrote:
>>>>>>>>> Hi Markus,
>>>>>>>>>
>>>>>>>>> The p12 directory seems to be used to set truststore certificates for
>>>>>>>>> JBoss (see
>>>>>>>>> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores)
>>>>>>>>>
>>>>>>>>> but I think this truststore is just used in the tests of signserver and
>>>>>>>>> could be used for the java trust keystore. Jboss and glassfish have
>>>>>>>>> their own truststore and keystore, why don't you use them ?
>>>>>>>> That is correct. The truststore in the p12 folder is used both by JBoss
>>>>>>>> and the tests. So if you are going to run the tests you can put a
>>>>>>>> truststore in the p12 folder. I believe the reason for handling it this
>>>>>>>> way is that different application servers have different locations for
>>>>>>>> the truststore and the tests would not know where to find it. In fact
>>>>>>>> where JBoss finds it depends on what is written in the server.xml, so it
>>>>>>>> could also be different if SignServer isn't used for deploying it. The
>>>>>>>> solution we use, to not depend on different application servers and
>>>>>>>> configurations is to decide that it should be placed in the p12 folder
>>>>>>>> of SignServer.
>>>>>>>>
>>>>>>>>> In the signserver_build.properties file, there are several properties
>>>>>>>>> which are written for the use of JBoss but we do not know if they are
>>>>>>>>> needed for Glassfish : httpsserver.bindaddress.* | database.url |
>>>>>>>>> deploy.hostname.node*
>>>>>>>> Some are explained in the installation guide, such as "database.url"
>>>>>>>> which is said to be used by JBoss and some comments talk about JBoss in
>>>>>>>> the sample configuration file. But the documentation is lacking for many
>>>>>>>> of the other properties in this aspect.
>>>>>>>>
>>>>>>>>> What is the aim of deploy.ssh.* properties ?
>>>>>>>> I think the idea is to be able to deploy to a remote server by
>>>>>>>> transferring the files (signserver.ear etc) over SSH. Not sure if it is
>>>>>>>> working though as I can not find any documentation about it. You are
>>>>>>>> very welcome to test it out if you want and let us know if it is
>>>>>>>> working. If not we might consider either fixing it and adding
>>>>>>>> documentation for it or removing it.
>>>>>>>>
>>>>>>>>> Why j2ee.web-nohttps has to be set to true to launch the tests while
>>>>>>>>> https is used in these tests ?
>>>>>>>> j2ee.web-nohttps is controlling whether the keystores and truststores
>>>>>>>> should be deployed (to JBoss) or not. The tests should not depend on
>>>>>>>> this setting so if it says somewhere that it must be set to true I would
>>>>>>>> suspect that to be a bug in the documentation. Please report a bug with
>>>>>>>> where you have seen it in that case.
>>>>>>>>
>>>>>>>>> The most important thing for me today is tests ! I run them, I resolve
>>>>>>>>> the problem about trustanchors. I join the results, I do not understand
>>>>>>>>> the errors and the fails, have you ever seen them ?
>>>>>>>> From the test report you attached I can see two different failures which
>>>>>>>> probably is also the cause of all the errors.
>>>>>>>>
>>>>>>>> 1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
>>>>>>>> JCE crypto policy was not installed as the key length was limited
>>>>>>>> expected:<2147483647> but was:<64>
>>>>>>>>
>>>>>>>> This means that you are running the Oracle JDK and have not installed
>>>>>>>> JCE crypto policy. See the installation guide.
>>>>>>>>
>>>>>>>> 2. LimitKeyUsagesTest test01Limit Error Signer 5802 expired at Fri Apr 20 16:18:57 CEST 2012
>>>>>>>> Looks like the demo signer certificate used has expired. I will run the
>>>>>>>> tests on your continuous integration server and see if we have the same
>>>>>>>> problem there. They might just have to be renewed.
>>>>>>>>
>>>>>>>>> How can I send my script to install signserver ?
>>>>>>>> If it is less than 40 KB you can just send it to the mailing list,
>>>>>>>> otherwise try to upload it somewhere and send the link or send it
>>>>>>>> directly to me.
>>>>>>>>
>>>>>>>>> I take this mail to congratulate you and your team for this project
>>>>>>>>> which is really good.
>>>>>>>> Thanks to you for reporting the issues you find.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Markus
>>>>>>>>
>>>>>>>>> Have a nice weekend.
>>>>>>>>>
>>>>>>>>> Best regards,