Re: [SignServer-develop] Informations and tests

[Antoine L. <ant...@yo...>]

Hi Markus,

Thanks for your answer. It's ok for me, do you think it will resolve the 
last error : no active worker available ?

Best regards,

Antoine

Le 31/07/2012 20:37, Markus Kilås a écrit :
> Hi Antoine,
>
> I finally found it.
>
> It was there in the change log for the next release all the time, not 
> sure how I could miss it. Anyway, the certificate was renewed as part 
> of https://jira.primekey.se/browse/DSS-483 and the issue was already 
> resolved in the 3.2 branch and will be available in the next release 
> (SignServer 3.2.3).
>
> Best regards,
> Markus
>
>
> On 2012-07-31 10:11, Antoine Louiset wrote:
>> Yes, I use the version 3.2.2.
>>
>> Le 31/07/2012 10:04, Markus Kilås a écrit :
>>> I did the same thing but I have much later dates for the
>>> TestLimitKeyUsageSigner (5802). Are you really using the latest release
>>> (ie. 3.2.2) otherwise upgrading should solve the problem.
>>>
>>> Best regards,
>>> Markus
>>>
>>> On 2012-07-30 20:56, Antoine Louiset wrote:
>>>> You were right Markus (as always ! ) !
>>>>
>>>> I have got 2 errors and one fail. I join a screenshot of the admin gui
>>>> (in the reports.rar file). After launching the tests, we can see that
>>>> the worker 5802 and others are unavailable.
>>>>
>>>> After removing this worker, I launch bin/signserver.sh setproperties
>>>> modules/SignServer-Module-XMLSigner/src/conf/junittest-part-config.properties 
>>>>
>>>> to activate its and then the reload command.
>>>>
>>>> We can see in the Capture-1.png the result. The signer certificate is
>>>> indeed valid until 20/04/12.
>>>>
>>>> After resolving this problem, there will be one last error !!
>>>>
>>>> Have a nice evening.
>>>>
>>>> Best regards,
>>>>
>>>> Le 30/07/2012 19:05, Markus Kilås a écrit :
>>>>> I am not able to reproduce the test failure you are getting. I also
>>>>> checked the certificate for worker 5802 and it should not expire 
>>>>> until
>>>>> year 2021 so it is a very strange error message.
>>>>>
>>>>> Have you tried clearing th database before running the tests in case
>>>>> some signers are left from previous test runs?
>>>>>
>>>>> Best regards,
>>>>> Markus
>>>>>
>>>>> On 2012-07-30 16:54, Antoine Louiset wrote:
>>>>>> Ok Markus, no problem ! Thanks !
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Antoine
>>>>>>
>>>>>> Le 30/07/2012 16:53, Markus Kilås a écrit :
>>>>>>> On 2012-07-30 15:08, Antoine Louiset wrote:
>>>>>>>> Hi Markus,
>>>>>>>>
>>>>>>>> Thanks for your fast answer !
>>>>>>>>
>>>>>>>> I have just one remark for the JCE installation. I don't find 
>>>>>>>> it in
>>>>>>>> the
>>>>>>>> installation guide (I read it quickly).
>>>>>>> I was really surprised it wasn't there. I have registered
>>>>>>> https://jira.primekey.se/browse/DSS-514.
>>>>>>>
>>>>>>>> I download JCE policy and it resolves one fail. The problem of the
>>>>>>>> signer 5802 will resolve one fail and one error. So there will 
>>>>>>>> be no
>>>>>>>> more fails but I have no idea about the other errors. What do you
>>>>>>>> think
>>>>>>>> about them ?
>>>>>>> I will try to get back about them. I haven't yet had to time to 
>>>>>>> test it
>>>>>>> on my machine.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Markus
>>>>>>>
>>>>>>>> Good afternoon !
>>>>>>>>
>>>>>>>>
>>>>>>>> Antoine
>>>>>>>>
>>>>>>>> Le 30/07/2012 10:47, Markus Kilås a écrit :
>>>>>>>>> Hi Antoine,
>>>>>>>>>
>>>>>>>>> See answers below.
>>>>>>>>>
>>>>>>>>> On 2012-07-28 23:24, Antoine Louiset wrote:
>>>>>>>>>> Hi Markus,
>>>>>>>>>>
>>>>>>>>>> The p12 directory seems to be used to set truststore 
>>>>>>>>>> certificates
>>>>>>>>>> for
>>>>>>>>>> JBoss (see
>>>>>>>>>> http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores) 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> but I think this truststore is just used in the tests of 
>>>>>>>>>> signserver
>>>>>>>>>> and
>>>>>>>>>> could be used for the java trust keystore. Jboss and 
>>>>>>>>>> glassfish have
>>>>>>>>>> their own truststore and keystore, why don't you use them ?
>>>>>>>>> That is correct. The truststore in the p12 folder is used both by
>>>>>>>>> JBoss
>>>>>>>>> and the tests. So if you are going to run the tests you can put a
>>>>>>>>> truststore in the p12 folder. I believe the reason for 
>>>>>>>>> handling it
>>>>>>>>> this
>>>>>>>>> way is that different application servers have different 
>>>>>>>>> locations
>>>>>>>>> for
>>>>>>>>> the truststore and the tests would not know where to find it. 
>>>>>>>>> In fact
>>>>>>>>> where JBoss finds it depends on what is written in the 
>>>>>>>>> server.xml,
>>>>>>>>> so it
>>>>>>>>> could also be different if SignServer isn't used for deploying 
>>>>>>>>> it.
>>>>>>>>> The
>>>>>>>>> solution we use, to not depend on different application 
>>>>>>>>> servers and
>>>>>>>>> configurations is to decide that it should be placed in the p12
>>>>>>>>> folder
>>>>>>>>> of SignServer.
>>>>>>>>>
>>>>>>>>>> In the signserver_build.properties file, there are several
>>>>>>>>>> properties
>>>>>>>>>> which are written for the use of JBoss but we do not know if 
>>>>>>>>>> they
>>>>>>>>>> are
>>>>>>>>>> needed for Glassfish : httpsserver.bindaddress.* | 
>>>>>>>>>> database.url |
>>>>>>>>>> deploy.hostname.node*
>>>>>>>>> Some are explained in the installation guide, such as 
>>>>>>>>> "database.url"
>>>>>>>>> which is said to be used by JBoss and some comments talks about
>>>>>>>>> JBoss in
>>>>>>>>> the sample configuration file. But the documentation is 
>>>>>>>>> lacking for
>>>>>>>>> many
>>>>>>>>> of the other properties in this aspect.
>>>>>>>>>
>>>>>>>>>> What is the aim of deploy.ssh.* properties ?
>>>>>>>>> I think the idea is to be able to deploy to a remote server by
>>>>>>>>> transferring the files (signserver.ear etc) over SSH. Not sure if
>>>>>>>>> it is
>>>>>>>>> working though as I can not find any documentation about it. 
>>>>>>>>> You are
>>>>>>>>> very welcome to test it out if you want and let us know if it is
>>>>>>>>> working. If not we might consider either fixing it and adding
>>>>>>>>> documentation for it or remove it.
>>>>>>>>>
>>>>>>>>>> Why j2ee.web-nohttps has to be set to true to launch the 
>>>>>>>>>> tests while
>>>>>>>>>> https is used in these tests ?
>>>>>>>>> j2ee.web-nohttps is controlling wither the keystores and 
>>>>>>>>> truststores
>>>>>>>>> should be deployed (to JBoss) or not. The tests should not 
>>>>>>>>> depend on
>>>>>>>>> this setting so if it says somewhere that it must be set to 
>>>>>>>>> true I
>>>>>>>>> would
>>>>>>>>> suspect that to be a bug in the documentation. Please report a 
>>>>>>>>> bug
>>>>>>>>> with
>>>>>>>>> where you seen it in that case.
>>>>>>>>>
>>>>>>>>>> The most important thing for me today is tests ! I run them, I
>>>>>>>>>> resolve
>>>>>>>>>> the problem about trustanchors. I join the results, I do not
>>>>>>>>>> understand
>>>>>>>>>> the errors and the fails, have you ever seen them ?
>>>>>>>>>     From the test report you attached I can see two different 
>>>>>>>>> failures
>>>>>>>>> which
>>>>>>>>> probably is also the cause of all the errors.
>>>>>>>>> 1.     ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
>>>>>>>>> JCE crypto policy was not installed as the key length was limited
>>>>>>>>> expected:<2147483647> but was:<64>
>>>>>>>>>
>>>>>>>>> This means that you are running the Oracle JDK and have not 
>>>>>>>>> installed
>>>>>>>>> JCE crypto policy. See the installation guide.
>>>>>>>>>
>>>>>>>>> 2. LimitKeyUsagesTest test01Limit Error Signer 5802 expired at 
>>>>>>>>> Fri
>>>>>>>>> Apr
>>>>>>>>> 20 16:18:57 CEST 2012
>>>>>>>>> Looks like the demo signer certificate used has expired. I will
>>>>>>>>> run the
>>>>>>>>> tests on your continues integration server and see if we have the
>>>>>>>>> same
>>>>>>>>> problem there. They might just have to be renewed.
>>>>>>>>>
>>>>>>>>>> How can I send my script to install signserver ?
>>>>>>>>> If it is less then 40 KB you can just send it to the mailing 
>>>>>>>>> list,
>>>>>>>>> otherwise try to upload it somewhere and send the link or send it
>>>>>>>>> directly to me.
>>>>>>>>>
>>>>>>>>>> I take this mail to congratulate you and your team for this 
>>>>>>>>>> project
>>>>>>>>>> which is really good.
>>>>>>>>> Thanks to you for reporting the issues you find.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Markus
>>>>>>>>>
>>>>>>>>>> Have a nice weekend.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>
>>>
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats.http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>
>>
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
>
> -- 
>
> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please seewww.primekey.se  or con...@pr...  for more information.
> http://www.primekey.se/Services/Support/
> http://www.primekey.se/Services/Training/
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop

-- 
Antoine Louiset                     Tél : +33 6 76 66 80 34
Responsable du projet Yousign       Mail : ant...@yo...