From: Markus K. <ma...@pr...> - 2012-08-01 06:40:40
I would guess so as if the Dispatcher was configured with signers without valid certificates you would get this error. If you want to be sure you can check what workers the Dispatcher in the test was configured to use.

BR,
Markus

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Antoine Louiset <ant...@yo...> wrote:

Hi Markus,

Thanks for your answer. It's ok for me, do you think it will resolve the last error: no active worker available?

Best regards,
Antoine

On 31/07/2012 20:37, Markus Kilås wrote:

Hi Antoine,

I finally found it. It was there in the change log for the next release all the time, not sure how I could miss it. Anyway, the certificate was renewed as part of https://jira.primekey.se/browse/DSS-483 and the issue was already resolved in the 3.2 branch and will be available in the next release (SignServer 3.2.3).

Best regards,
Markus

On 2012-07-31 10:11, Antoine Louiset wrote:

Yes, I use the version 3.2.2.

On 31/07/2012 10:04, Markus Kilås wrote:

I did the same thing but I have much later dates for the TestLimitKeyUsageSigner (5802). Are you really using the latest release (i.e. 3.2.2)? Otherwise upgrading should solve the problem.

Best regards,
Markus

On 2012-07-30 20:56, Antoine Louiset wrote:

You were right Markus (as always!)! I have got 2 errors and one fail. I attach a screenshot of the admin gui (in the reports.rar file). After launching the tests, we can see that the worker 5802 and others are unavailable. After removing this worker, I launch bin/signserver.sh setproperties modules/SignServer-Module-XMLSigner/src/conf/junittest-part-config.properties to activate it and then the reload command. We can see in the Capture-1.png the result. The signer certificate is indeed valid until 20/04/12. After resolving this problem, there will be one last error!!

Have a nice evening.

Best regards,

On 30/07/2012 19:05, Markus Kilås wrote:

I am not able to reproduce the test failure you are getting.
I also checked the certificate for worker 5802 and it should not expire until year 2021 so it is a very strange error message. Have you tried clearing the database before running the tests in case some signers are left from previous test runs?

Best regards,
Markus

On 2012-07-30 16:54, Antoine Louiset wrote:

Ok Markus, no problem! Thanks!

Best regards,
Antoine

On 30/07/2012 16:53, Markus Kilås wrote:

On 2012-07-30 15:08, Antoine Louiset wrote:

Hi Markus,

Thanks for your fast answer! I have just one remark for the JCE installation. I don't find it in the installation guide (I read it quickly).

I was really surprised it wasn't there. I have registered https://jira.primekey.se/browse/DSS-514.

I download JCE policy and it resolves one fail. The problem of the signer 5802 will resolve one fail and one error. So there will be no more fails but I have no idea about the other errors. What do you think about them?

I will try to get back about them. I haven't yet had the time to test it on my machine.

Best regards,
Markus

Good afternoon!
Antoine

On 30/07/2012 10:47, Markus Kilås wrote:

Hi Antoine,

See answers below.

On 2012-07-28 23:24, Antoine Louiset wrote:

Hi Markus,

The p12 directory seems to be used to set truststore certificates for JBoss (see http://signserver.org/manual/complete.en.html#4.%20Configure%20web%20server%20keystores) but I think this truststore is just used in the tests of signserver and could be used for the java trust keystore. JBoss and Glassfish have their own truststore and keystore, why don't you use them?

That is correct. The truststore in the p12 folder is used both by JBoss and the tests. So if you are going to run the tests you can put a truststore in the p12 folder. I believe the reason for handling it this way is that different application servers have different locations for the truststore and the tests would not know where to find it.
In fact where JBoss finds it depends on what is written in the server.xml, so it could also be different if SignServer isn't used for deploying it. The solution we use, to not depend on different application servers and configurations, is to decide that it should be placed in the p12 folder of SignServer.

In the signserver_build.properties file, there are several properties which are written for the use of JBoss but we do not know if they are needed for Glassfish: httpsserver.bindaddress.* | database.url | deploy.hostname.node*

Some are explained in the installation guide, such as "database.url" which is said to be used by JBoss and some comments talk about JBoss in the sample configuration file. But the documentation is lacking for many of the other properties in this aspect.

What is the aim of deploy.ssh.* properties?

I think the idea is to be able to deploy to a remote server by transferring the files (signserver.ear etc) over SSH. Not sure if it is working though as I can not find any documentation about it. You are very welcome to test it out if you want and let us know if it is working. If not we might consider either fixing it and adding documentation for it or remove it.

Why does j2ee.web-nohttps have to be set to true to launch the tests while https is used in these tests?

j2ee.web-nohttps is controlling whether the keystores and truststores should be deployed (to JBoss) or not. The tests should not depend on this setting so if it says somewhere that it must be set to true I would suspect that to be a bug in the documentation. Please report a bug with where you have seen it in that case.

The most important thing for me today is tests! I run them, I resolve the problem about trustanchors. I attach the results, I do not understand the errors and the fails, have you ever seen them?

From the test report you attached I can see two different failures which probably is also the cause of all the errors.

1. ExtendedHardCodedCryptoTokenTest testStrongCryptoAvailable
JCE crypto policy was not installed as the key length was limited expected:<2147483647> but was:<64>

This means that you are running the Oracle JDK and have not installed JCE crypto policy. See the installation guide.

2. LimitKeyUsagesTest test01Limit
Error Signer 5802 expired at Fri Apr 20 16:18:57 CEST 2012

Looks like the demo signer certificate used has expired. I will run the tests on your continuous integration server and see if we have the same problem there. They might just have to be renewed.

How can I send my script to install signserver?

If it is less than 40 KB you can just send it to the mailing list, otherwise try to upload it somewhere and send the link or send it directly to me.

I take this mail to congratulate you and your team for this project which is really good.

Thanks to you for reporting the issues you find.

Best regards,
Markus

Have a nice weekend.

Best regards,

_______________________________________________
SignServer-develop mailing list
Sig...@li...
https://lists.sourceforge.net/lists/listinfo/signserver-develop

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

--
Antoine Louiset
Tel: +33 6 76 66 80 34
Yousign project manager
Mail: ant...@yo...
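
The two failures diagnosed in this thread (a JCE policy that limits key length, and an expired signer certificate) can both be checked before a test run. The Java program below is an added example, not SignServer code and not part of the original messages; the class name, the transformations probed, and the keystore path and password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.crypto.Cipher;

// Added example, not SignServer code. Run: java PreflightCheck <keystore.p12> <password>
public class PreflightCheck {

    // Integer.MAX_VALUE means the installed JCE policy does not cap the key length.
    static boolean isUnlimited(String transformation) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength(transformation);
        System.out.printf("%-4s max key length: %d%n", transformation, max);
        return max == Integer.MAX_VALUE;
    }

    // Counts X.509 certificates in the keystore that are outside their validity period at 'when'.
    static int countNotValid(KeyStore ks, Date when) throws Exception {
        int bad = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue; // skip empty or non-X.509 entries
            X509Certificate x509 = (X509Certificate) cert;
            boolean valid = !when.before(x509.getNotBefore()) && !when.after(x509.getNotAfter());
            System.out.printf("%-7s %s (notAfter=%s)%n", valid ? "valid" : "INVALID", alias, x509.getNotAfter());
            if (!valid) bad++;
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        int problems = 0;
        // Transformations probed here are an assumption; the thread does not say which one the test uses.
        for (String t : new String[] {"AES", "DES"}) {
            if (!isUnlimited(t)) problems++;
        }
        if (args.length == 2) { // keystore path and password supplied by the caller
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            problems += countNotValid(ks, new Date());
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

The exit status is non-zero when either check fails, so the program can gate a test run.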