From: Marcin F. <mar...@en...> - 2015-06-01 10:25:31
I used p12 to configure the signer certificate.

soft-crypto-configuration.properties

# This worker will not perform any operations on its own and indicates this by
# using the worker type CryptoWorker
GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker

# Uses a soft keystore:
#GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.SoftCryptoToken
GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.P12CryptoToken

# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12

# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12

# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890

qs_timestamp_configuration.properties

## Global properties
GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.tsa.TimeStampSigner

## General properties
# Name of the worker if referenced by name instead of Id.
WORKERGENID1.NAME=TimeStampSigner

# Authentication. One of NOAUTH, CLIENTCERT, org.signserver.server.UsernamePasswordAuthorizer, org.signserver.server.UsernameAuthorizer
WORKERGENID1.AUTHTYPE=NOAUTH

#WORKERGENID1.CRYPTOTOKEN=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12
#WORKERGENID1.CRYPTOTOKEN=CryptoTokenP11

# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12

# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890

From bin/signserver getconfig I get:

[root@tsa-01 signserver]# bin/signserver getconfig 1
OBSERVE that this command displays the current configuration which doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 1 is :
NAME=CryptoTokenSoft
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12

Either this isn't a Signer or no Signer Certificate have been uploaded to it.

[root@tsa-01 signserver]# bin/signserver getconfig 2
OBSERVE that this command displays the current configuration which doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 2 is :
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
AUTHTYPE=NOAUTH
NAME=TimeStampSigner
DEFAULTTSAPOLICYOID=1.2.3

Either this isn't a Signer or no Signer Certificate have been uploaded to it.

> Message written by Markus Kilås <ma...@pr...> on 1 Jun 2015, at 12:01:
>
> On 06/01/2015 11:19 AM, Marcin Fabianczyk wrote:
>> Hello,
>
> Hello Marcin,
>
>>
>> When I try to sign a document timestamp gets
>> errors. SIGNSERVER_NODEID in the system variable is set.
>>
>> 10:59:57,754 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>
>
> The error about SIGNSERVER_NODEID is more of a warning.
>
> If you want to get rid of it you need to define it as an environment
> variable in a place that is read by the application server. For instance
> ~/.bashrc might not work but /etc/environment or similar might depending
> on the system and how the application server is started.
>
>> 10:59:57,757 INFO [org.signserver.server.log.IWorkerLogger]
>> (http--0.0.0.0-8080-1) AUDIT; DefaultTimeStampLogger; LOG_ID:
>> 396652c8-edc8-4559-a969-07cc17b08283; CLIENT_IP: 10.0.0.27;
>> REQUEST_FULLURL:
>> http://tsa-01.company.local/signserver/process?workerName=TimeStampSigner;
>> RequestTime: 1433149197753; ResponseTime: 1; TimeStamp: 1433149197756;
>> TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS};
>> PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: b889d6e3b9c7ea6;
>> TSA_POLICYID: 1.2.3; SIGNER_CERT_SERIALNUMBER:
>> ${SIGNER_CERT_SERIALNUMBER}; SIGNER_CERT_ISSUERDN:
>> ${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED:
>> MDECAQEwITAJBgUrDgMCGgUABBS9rHsjYWM6fCYkVPdKcSRUfwXi7wIGAU2uXXQnAQH/;
>> TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED};
>> ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION:
>> ${TSA_EXCEPTION}; EXCEPTION:
>> org.signserver.common.CryptoTokenOfflineException: No certificate for
>> this signer
>>
>>
>
> The last sentence is the real issue you are facing:
> "No certificate for the signer".
>
> So you need to make sure the signer has a certificate configured.
>
>
> Best regards,
> Markus
> PrimeKey
>
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/
>
> ------------------------------------------------------------------------------
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
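
A consistency check over the getconfig output quoted in this message, as an added example that is not part of the thread or of SignServer. It assumes CRYPTOTOKEN is meant to hold the NAME of a crypto worker (the comment in the first properties file describes NAME as what other workers reference); parse_getconfig and lint are hypothetical helper names, and the sample is constructed from the values shown above.

```python
import re
# Constructed sample: the two getconfig outputs quoted in the thread.
SAMPLE = """\
The current configuration of worker with id : 1 is :
NAME=CryptoTokenSoft
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
Either this isn't a Signer or no Signer Certificate have been uploaded to it.
The current configuration of worker with id : 2 is :
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
AUTHTYPE=NOAUTH
NAME=TimeStampSigner
DEFAULTTSAPOLICYOID=1.2.3
"""

HEADER = re.compile(r"worker with id\s*:\s*(\d+)\s+is\s*:")
PROP = re.compile(r"^([A-Z0-9_.]+)\s*=\s*(.*)$")

def parse_getconfig(text):
    """Return {worker_id: {KEY: VALUE}} from concatenated getconfig output."""
    workers, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.search(line)
        prop = PROP.match(line)
        if header:
            current = workers.setdefault(int(header.group(1)), {})
        elif prop and current is not None:
            current[prop.group(1)] = prop.group(2)
    return workers

def lint(workers):
    """Return sorted (worker_id, finding) tuples for the three checks below."""
    names = {cfg.get("NAME") for cfg in workers.values()}
    findings = []
    for wid, cfg in workers.items():
        token = cfg.get("CRYPTOTOKEN")
        # Assumption: CRYPTOTOKEN should equal the NAME of a crypto worker.
        if token and token not in names:
            findings.append((wid, f"CRYPTOTOKEN={token} matches no worker NAME"))
        if "KEYSTOREPASSWORD" in cfg:
            findings.append((wid, "keystore password stored in worker config"))
        if cfg.get("AUTHTYPE") == "NOAUTH":
            findings.append((wid, "AUTHTYPE=NOAUTH, requests are not authenticated"))
    return sorted(findings)

if __name__ == "__main__":
    for wid, finding in lint(parse_getconfig(SAMPLE)):
        print(f"worker {wid}: {finding}")
```

On the sample, both workers reference CryptoTokenP12 while the only names defined are CryptoTokenSoft and TimeStampSigner; whether that mismatch is what produces "No certificate for this signer" is not established in the thread.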