From: Markus K. <ma...@pr...> - 2015-11-16 15:58:03
|
Recently a vulnerability was documented by Foxglove Security [1] in regards to Java object deserialization. The basis of this vulnerability is that the Apache commons-collections library contains certain classes that can, due to a design flaw in how deserialization is performed, be used to run remote code on a machine. While we don't use any of the offending classes from commons-collections in EJBCA or SignServer, merely the fact that they exist on the classpath presents a risk. The commons-collections library is also included in most application servers, including Oracle Weblogic [2] and JBoss.

Existing support customers have been notified and patches provided. The next Community Edition releases will either contain patched versions of the library or a later version where the issue has been resolved. If you can't wait for those we recommend you follow Red Hat's recommendation [3] and remove the vulnerable classes yourself. Note that both the commons-collections in the application server and in EJBCA/SignServer need to be patched.

[1] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31779&sh=&cmid=WWMK14064193MPP032C013
[3] https://access.redhat.com/solutions/2045023

Regards,
The PrimeKey EJBCA and SignServer Teams

PrimeKey will exhibit as partner together with Utimaco at Cartes, November 17-19, 2015. Take the opportunity to meet us in Paris @ Cartes Secure Connexions, Paris Nord, Villepinte, Hall 4, Booth 4 J 078. More information on the conference and exhibition is to be found at www.cartes.com.
|
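Added example (not part of the message above and not PrimeKey's code): a Python scan that walks a directory tree and reports every archive, including JARs nested inside EAR/WAR files, that still contains a risky commons-collections class, so both the application server copy and the EJBCA/SignServer copy can be checked. The class name `InvokerTransformer` is an assumption taken from public write-ups of the issue, not from the message; confirm the list against the Red Hat article [3]. The sample EAR is constructed in memory.

```python
import io
import os
import sys
import zipfile

# Assumption: class commonly named in public write-ups of the
# commons-collections deserialization issue; the list message does not
# name the classes. Extend the tuple after checking the vendor article.
RISKY_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
)
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".sar", ".rar")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # do not inflate oversized nested entries
MAX_DEPTH = 5                          # bound recursion into nested archives


def scan_archive(data, label, targets=RISKY_CLASSES, depth=0):
    """Return [(archive path chain, class entry)] for each target class found."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # file has an archive extension but is not a zip; skip it
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name in targets:
                hits.append((label, name))
            elif (name.lower().endswith(ARCHIVE_EXTS)
                  and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED_BYTES):
                # A library bundled inside an EAR/WAR is only visible
                # after opening the outer archive.
                nested = label + "!/" + name
                hits.extend(scan_archive(zf.read(info), nested, targets, depth + 1))
    return hits


def scan_tree(root, targets=RISKY_CLASSES):
    """Scan every archive file under root, descending into nested archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                print(f"skipped {path}: {exc}", file=sys.stderr)
                continue
            hits.extend(scan_archive(data, path, targets))
    return hits


def zip_bytes(entries):
    """Build an in-memory zip from {entry name: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample: an EAR with one unpatched and one patched library."""
    other = "org/apache/commons/collections/ArrayStack.class"
    unpatched = zip_bytes({RISKY_CLASSES[0]: b"\xca\xfe\xba\xbe", other: b"\xca\xfe\xba\xbe"})
    patched = zip_bytes({other: b"\xca\xfe\xba\xbe"})
    return zip_bytes({
        "lib/commons-collections.jar": unpatched,
        "lib/commons-collections-patched.jar": patched,
        "META-INF/application.xml": b"<application/>",
    })


if __name__ == "__main__":
    roots = sys.argv[1:]
    if roots:
        found = [hit for root in roots for hit in scan_tree(root)]
    else:
        found = scan_archive(build_sample_ear(), "sample.ear")
    for archive, entry in found:
        print(f"{archive}: {entry}")
    sys.exit(1 if found else 0)
```

Pass the application server home and the EJBCA/SignServer directory as arguments; exit status 1 means at least one archive still carries a listed class.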
From: Martin R. <mar...@gm...> - 2015-11-05 15:39:21
|
On 05.11.2015 16:16, Markus Kilås wrote:
> On 11/05/2015 02:28 PM, Martin Rublik wrote:
> <snip>
> We will probably not, at least at this point, have the resources to set
> up a proper automated test job for MSSQL, but we could mark the
> instructions to be "community maintained" or similar and when we make
> database changes we would make a best effort try to also update the orm
> files for MSSQL.
>
> How does that sound?

I'm fine with that. I'll do some minor changes and prepare instructions and send them as soon as they are ready.

Looking forward

Kind regards

Martin
|
From: Markus K. <ma...@pr...> - 2015-11-05 15:16:20
|
On 11/05/2015 02:28 PM, Martin Rublik wrote:
> Dear all,
>
> Recently I tried to run signserver with MSSQL database backend. I had some
> issues but I believe I managed to solve them. As far as I understand current
> version of signserver is missing java hibernate support for MSSQL (especially
> cesecore-orm-mssql.xml in
> signserver/modules/SignServer-Entities/src/main/resources/META-INF) thus it is
> unable to deploy correctly (on JBoss) even though it compiles.
>
> I prepared the orm files based on information from mysql, I can also provide
> information on MSSQL JDBC installation and integration with JBoss.
>
> Would anyone be interested?
>
> Kind regards
>
> Martin Rublik

Hi Martin,

That is interesting information. We haven't seen that much interest for MSSQL though, but if you have something that is working we are open for contributions in that area as well.

We could for sure add the orm files and maybe some instructions either as a separate howto document or in to the installation guide if you provide this.

We will probably not, at least at this point, have the resources to set up a proper automated test job for MSSQL, but we could mark the instructions to be "community maintained" or similar and when we make database changes we would make a best effort try to also update the orm files for MSSQL.

How does that sound?

Best regards,
Markus
PrimeKey Solutions

PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information.
https://www.primekey.se/Services/Support/
https://www.primekey.se/Services/Training/
|
From: Martin R. <mar...@gm...> - 2015-11-05 14:29:00
|
Dear all,

Recently I tried to run signserver with MSSQL database backend. I had some issues but I believe I managed to solve them. As far as I understand current version of signserver is missing java hibernate support for MSSQL (especially cesecore-orm-mssql.xml in signserver/modules/SignServer-Entities/src/main/resources/META-INF) thus it is unable to deploy correctly (on JBoss) even though it compiles.

I prepared the orm files based on information from mysql, I can also provide information on MSSQL JDBC installation and integration with JBoss.

Would anyone be interested?

Kind regards

Martin Rublik
|
From: Markus K. <ma...@pr...> - 2015-11-02 09:33:30
|
On 11/02/2015 12:20 AM, Arnaud Defos wrote:
> Hi,
>
> I would like to use Admin WS. I have an error when I call one WS
> : Administrator not authorized to resource. Client certificate
> authentication required.
>
> I try to add several certificate client with wsadmins -add -cert command
> line.
>
> Then, I disable certificate client verification, I use : wsadmins -allowany
>
> But I still have the same message.
>
> I try with Jax-WS and SoapUI with the same result.
>
> Thanks !
>
>
> Arnaud
>

Hi Arnaud,

"Client Certificate authentication required." means that the client did not authenticate using a certificate. This for instance happens if you try to connect to SignServer on a port not requiring client authentication such as port 8080 or 8442.

If you followed the installation guide there should be a port 8443 which requires client auth. Try using that port and configure SoapUI with the keystore to use.

Regards,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/
|
From: Arnaud D. <arn...@gm...> - 2015-11-02 00:20:40
|
Hi,

I would like to use Admin WS. I have an error when I call one WS : Administrator not authorized to resource. Client certificate authentication required.

I try to add several certificate client with wsadmins -add -cert command line.

Then, I disable certificate client verification, I use : wsadmins -allowany

But I still have the same message.

I try with Jax-WS and SoapUI with the same result.

Thanks !

Arnaud
|
From: Markus K. <ma...@pr...> - 2015-10-28 13:59:56
|
On 10/24/2015 02:42 PM, Bùi Sĩ Tuấn wrote:
> Hi all,
>
> Thanks Markus for your reply,
>
> This issue just come when run on JBOSS.
> And It worked correctly until deploy on server. I think it failed
> because of xmlsec's version.

Yes, I can confirm that I am also getting that error with your XpathSigner. Not sure why though as DTMManagerDefault is a subclass of DTMManager so the full class name matches. But it could maybe be a class loader issue.

If you have access to it, you could also try a later version of JBoss which already has xmlsec/xalan in the right versions. I think JBoss EAP 6.4 should have that. If that solves the issue the problem is with the xmlsec/xalan upgrade.

Cheers,
Markus

> Here is my XpathSigner's source code. Hope it helpful
>
|
From: Markus K. <ma...@pr...> - 2015-10-23 13:14:27
|
On 10/23/2015 05:30 PM, Bùi Sĩ Tuấn wrote:
> Hi Markus,
>
> This error happens when I try to create a XPath Signature.
> Signserver is deployed on JBOSS AS 7.1.1 and Java 7 (32 bits) and I
> fixed XML Security issues before.
>
> And here is full server log:
>
> 13:50:35,877 ERROR [org.signserver.ejb.WorkerProcessImpl] (http--127.0.0.1-8080-1) SignServerException calling signer with id 14 : Signature generation error: org.signserver.common.SignServerException: SignServerException calling signer with id 14 : Signature generation error
>     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:288) [SignServer-ejb.jar:]
>     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:114) [SignServer-ejb.jar:]
>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:156) [SignServer-ejb.jar:]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
>     at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:202) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:306) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.signserver.ejb.interfaces.IWorkerSession$ILocal$$$view23.process(Unknown Source) [SignServer-ejb-interfaces.jar:]
>     at org.signserver.clientws.ClientWS.processData(ClientWS.java:94) [SignServer-ejb-ClientWS.jar:]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
>     at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>     at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>     at org.jboss.as.webservices.invocation.AbstractInvocationHandlerEJB.invoke(AbstractInvocationHandlerEJB.java:112)
>     at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)
>     at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:127)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_79]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_79]
>     at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
>     at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
>     at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
>     at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
>     at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
>     at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
> Caused by: org.signserver.common.SignServerException: Signature generation error
>     at com.bkav.signserver.xml.xpathsigner.XpathSigner.processData(XpathSigner.java:225) [SignServer-Module-Bkav-XMLSigner.jar:]
>     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:284) [SignServer-ejb.jar:]
>     ... 109 more
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: java.lang.ClassCastException: org.apache.xml.dtm.ref.DTMManagerDefault cannot be cast to org.apache.xml.dtm.DTMManager
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:561) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:368) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:386) [xmlsec-1.5.8.jar:1.5.8]
>     at com.bkav.signserver.xml.xpathsigner.XpathSigner.processData(XpathSigner.java:188) [SignServer-Module-Bkav-XMLSigner.jar:]
>     ... 110 more
> Caused by: javax.xml.crypto.dsig.TransformException: java.lang.ClassCastException: org.apache.xml.dtm.ref.DTMManagerDefault cannot be cast to org.apache.xml.dtm.DTMManager
>     at org.apache.jcp.xml.dsig.internal.dom.ApacheTransform.transformIt(ApacheTransform.java:210) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.ApacheTransform.transform(ApacheTransform.java:110) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMTransform.transform(DOMTransform.java:147) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:471) [xmlsec-1.5.8.jar:1.5.8]
>     ... 113 more
> Caused by: java.lang.ClassCastException: org.apache.xml.dtm.ref.DTMManagerDefault cannot be cast to org.apache.xml.dtm.DTMManager
>     at org.apache.xml.dtm.DTMManager.newInstance(DTMManager.java:137) [xalan-2.7.2.jar:]
>     at org.apache.xpath.XPathContext.<init>(XPathContext.java:102) [xalan-2.7.2.jar:2.7.2]
>     at org.apache.xpath.XPathContext.<init>(XPathContext.java:349) [xalan-2.7.2.jar:2.7.2]
>     at org.apache.xpath.XPathContext.<init>(XPathContext.java:337) [xalan-2.7.2.jar:2.7.2]
>     at org.apache.xml.security.utils.XalanXPathAPI.eval(XalanXPathAPI.java:117) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.xml.security.utils.XalanXPathAPI.selectNodeList(XalanXPathAPI.java:82) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.xml.security.transforms.implementations.TransformXPath2Filter.enginePerformTransform(TransformXPath2Filter.java:117) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.xml.security.transforms.Transform.performTransform(Transform.java:313) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.xml.security.transforms.Transform.performTransform(Transform.java:289) [xmlsec-1.5.8.jar:1.5.8]
>     at org.apache.jcp.xml.dsig.internal.dom.ApacheTransform.transformIt(ApacheTransform.java:202) [xmlsec-1.5.8.jar:1.5.8]
>     ... 116 more
>
> Best Regard,
>
> *Bùi Sĩ Tuấn*
>
> * CA Tech - Ban HTCA - Bkav Security*
> *Office: Bkav Building - Yen Hoa New Town, Cau Giay Dist, Hanoi *
> *Mobile: 0126.620.7292*
>
> /*____________________________________________*/
>
> <http://www.bkav.com.vn/>
>
> /*Do your best, the rest will come ! */
>

Hi,

Please remember to respond to the mailing list so that everybody can benefit from the discussion.

The issue seems to be in your custom code XpathSigner.java, so without that one it is hard to say what the problem could be more than that there are some transformation or similar being applied.

Regards,
Markus
PrimeKey Solutions
|
From: Markus K. <ma...@pr...> - 2015-10-22 08:04:57
|
> ----- /*Original message:*/ -----
> *From: *Markus Kilås <mailto:ma...@pr...> [ma...@pr...]
> *Sent: *12/10/2015 03:30 PM
> *To: *sig...@li...;ma...@pr...
> <mailto:sig...@li...;ma...@pr...>
> *Subject: *[Spam] Re: [SignServer-develop] Error when work with HSM
>
> On 10/10/2015 02:57 PM, Bùi Sĩ Tuấn wrote:
>> Hi All,
>> I'm testing signserver CE 3.7.0 with Utimaco HSM Simulator. I created a
>> CryptoToken Worker and it active.
>> Then, I create a XML Signer with this CryptoToken worker, upload cert
>> and certchain.
>> (cert and certchain created from .p12 file which imported in HSM)
>> but I got message error:
>> - No signer certificate available
>> And when running signing test, it got error:
>> org.cesecore.keys.token.CryptoTokenOfflineException: No key with alias ''.
>> Anyone can help me. Thanks
>> I'm a Vietnamese. And my English not good :D
>
> Hi Bùi,
>
> Your XML Signer needs to have a property DEFAULTKEY with the name of the
> key in the HSM to use. If you don't have such a property that could be
> the issue.
>
> An other issue could be if the key is not visible to SignServer/Java. In
> the SignServer Admin GUI you can select the CryptoToken Worker and click
> the CryptoToken tab to see all the keys available in the HSM. You should
> then see the name (key alias/label) of your key.
>
>
> Best regards,
> Markus
> PrimeKey Solutions
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/
>
>
>>
>>
>> *Bùi Sĩ Tuấn*
>>
>> * CA Tech - Ban HTCA - Bkav Security*
>> *Office: Bkav Building - Yen Hoa New Town, Cau Giay Dist, Hanoi *
>> *Mobile: 0126.620.7292*
>>
>> /*____________________________________________*/
>>
>> <http://www.bkav.com.vn/>
>>
>> /*Do your best, the rest will come ! */
>>
>> /*Work your hardest, and good things will come to you! */
>>
>>
>>
>> /*Disclaimer:This e-mail and any files transmitted with it are
>> confidential and may contain privileged information. It is intended
>> solely for the use of the individual to whom it is addressed and others
>> authorized to receive it. If you are not the intended recipient you are
>> notified that disclosing, copying, distributing or taking any action in
>> reliance on the contents of this information is strictly prohibited. If
>> you have received this message in error, please notify the sender
>> immediately by reply e-mail and delete completely this e-mail from your
>> system, without reproducing, distributing or retaining copies.*/
>>

On 10/21/2015 05:47 PM, Bùi Sĩ Tuấn wrote:
> Hi Markus,
> First of all, I'm sorry for my delay and thank you so much for your help.
> It worked very good!
> Now I need to custom XMLSigner, then I create new module, but get an
> exception when call service
> It here:
> javax.xml.crypto.dsig.TransformException: java.lang.ClassCastException:
> org.apache.xml.dtm.ref.DTMManagerDefault cannot be cast to
> org.apache.xml.dtm.DTMManager
>
> Can you help me to fix it. Thanks!
> Best regards,
>
> *Bùi Sĩ Tuấn*
>
> * CA Tech - Ban HTCA - Bkav Security*
> *Office: Bkav Building - Yen Hoa New Town, Cau Giay Dist, Hanoi *
> *Mobile: 0126.620.7292*
>
> /*____________________________________________*/
>
> <http://www.bkav.com.vn/>
>
> /*Do your best, the rest will come ! */
>
> /*Work your hardest, and good things will come to you! */
>
>
>
> /*Disclaimer:This e-mail and any files transmitted with it are
> confidential and may contain privileged information. It is intended
> solely for the use of the individual to whom it is addressed and others
> authorized to receive it. If you are not the intended recipient you are
> notified that disclosing, copying, distributing or taking any action in
> reliance on the contents of this information is strictly prohibited. If
> you have received this message in error, please notify the sender
> immediately by reply e-mail and delete completely this e-mail from your
> system, without reproducing, distributing or retaining copies.*/
>
>
>

Can't remember I have seen that one. A complete stacktrace from the error in the server log would be helpful if you could send.

Also, what application server and Java version are you using?

Cheers,
Markus
PrimeKey Solutions

PrimeKey will exhibit as partner together with Utimaco at Cartes, November 17-19, 2015. Take the opportunity to meet us in Paris @ Cartes Secure Connexions, Paris Nord, Villepinte, Hall 4, Booth 4 J 078. More information on the conference and exhibition is to be found at www.cartes.com.
|
From: Markus K. <ma...@pr...> - 2015-10-20 08:39:35
|
The PrimeKey SignServer team is happy to announce that signserver.org is now available with HTTPS. This was made possible after the move of the web site to PrimeKey's infrastructure.

A big thanks also to GlobalSign for providing SignServer with a free TLS certificate for open source projects.

Visit the site: https://www.signserver.org

Regards,
PrimeKey SignServer Team
|
From: Markus K. <ma...@pr...> - 2015-10-12 08:30:29
|
On 10/10/2015 02:57 PM, Bùi Sĩ Tuấn wrote:
> Hi All,
> I'm testing signserver CE 3.7.0 with Utimaco HSM Simulator. I created a
> CryptoToken Worker and it is active.
> Then I created an XML Signer with this CryptoToken worker and uploaded the cert
> and certchain.
> (cert and certchain created from the .p12 file which was imported in the HSM)
> but I got the error message:
> - No signer certificate available
> And when running the signing test, it got the error:
> org.cesecore.keys.token.CryptoTokenOfflineException: No key with alias ''.
> Can anyone help me? Thanks
> I'm Vietnamese, and my English is not good :D

Hi Bùi,

Your XML Signer needs to have a property DEFAULTKEY with the name of the key in the HSM to use. If you don't have such a property that could be the issue.

Another issue could be if the key is not visible to SignServer/Java. In the SignServer Admin GUI you can select the CryptoToken Worker and click the CryptoToken tab to see all the keys available in the HSM. You should then see the name (key alias/label) of your key.

Best regards,
Markus
PrimeKey Solutions

PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information.
https://www.primekey.se/Services/Support/
https://www.primekey.se/Services/Training/

> ------------------------------------------------------------------------------
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>

--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Lundagatan 16
SE-171 63 Solna
Sweden
Phone: +46 70 424 94 85
Email: mar...@pr...
https://www.primekey.se |
|
From: Markus K. <ma...@pr...> - 2015-09-30 14:21:37
|
The PrimeKey SignServer team is happy to announce the release of SignServer 3.7.0 community and enterprise editions!

SignServer 3.7.0 introduces improvements to the user interfaces and internal APIs to support multiple keys and certificates per worker, as well as the ability to store certificates in the HSM. The CLI client now has support for batch signing.

Starting from this version, SignServer can now be used for personal signing of documents and code. In addition, batch signing enables new use cases where documents are collected and then digitally signed all at once, at a specific time.

Running on the latest technology platforms, SignServer is so flexible it is suitable for any organization, cloud, social or mobile system. Faster, more resource efficient, secure and user friendly than ever.

SignServer 3.7.0 is a major release with 67 issues resolved, the most noteworthy listed below.

New Features and Improvements:
- Individual keys and certificates (including CLI/GUI for managing those in a token).
- Batch signing support in the client CLI.
- Password prompts in the client CLI.
- Initial support for building using Maven.
- Improved logging options in PlainSigner and MSAuthCodeSigner.
- Various GUI improvements.

Bug fixes:
- Performance issue in XAdES signer has been fixed.
- Client CLI startup issue on some systems is resolved.
- Bundled versions of Apache Santuario (XML Security) and Xalan upgraded.

Security notice:
The Xalan 2.7.1 library previously bundled with SignServer is subject to a potential security issue (CVE-2014-0107). SignServer does not by itself use the vulnerable functions from Xalan and there is thus no real vulnerability in SignServer. We have anyway chosen to update to the latest versions as those libraries are provided with SignServer. As the application server also uses Xalan, users are recommended to upgrade to JBoss EAP 6.3 or later which includes the newer Xalan version. Alternatively, Red Hat provides patches for earlier EAP versions. For JBoss AS 7.1.1 it is possible to follow our instructions in the installation guide for how to instead use the libraries bundled with SignServer.

Read the changelog in our issue tracker for full details:
https://jira.primekey.se/browse/DSS

Regards,
PrimeKey SignServer Team |
|
From: Martin R. <mar...@gm...> - 2015-08-27 14:45:44
|
> Thanks Martin,
>
> I updated the documentation with the following explanation:
>
> A ';' separated string containing accepted policies. Note that only
> policies listed in this property are allowed to be requested. If the
> property does not contain any policies then no policy can be requested.
> Requests not including any policy would use the default policy
> regardless of this property but requests explicitly requesting the
> default policy would still not be allowed unless it is listed in this
> property. (OPTIONAL, Recommended)
>

Great, Thank you.

Martin |
|
From: Markus K. <ma...@pr...> - 2015-08-27 14:44:29
|
On 08/27/2015 02:37 PM, Martin Rublik wrote:
> On 27. 8. 2015 16:06, Markus Kilås wrote:
>> Yes, I think this is the expected behaviour. The rationale is that you
>> would only sign the time-stamp according to the policies you have
>> decided to support. If a request comes in with a policy that you have
>> not listed as a policy that you support (and thus claim to fulfil), then
>> the request is rejected. If the request contains a policy OID then this
>> must be the policy used in the token as explained in RFC#3161:
>>
>> "The policy field MUST indicate the TSA's policy under which the
>> response was produced. If a similar field was present in the
>> TimeStampReq, then it MUST have the same value, otherwise an error
>> (unacceptedPolicy) MUST be returned. "
>>
>>
>> Let me know if you think I missed something.
>>
>> Cheers,
>> Markus
>
>
> Hi,
>
> thank you for your response, I think this is correct behaviour.
>
> I was just a little confused. The confusion was because if ACCEPTEDPOLICIES are
> null then even requests that contain DEFAULTTSAPOLICYOID are rejected.
>
> Perhaps more explicit text would be fine in documentation:
>
> ACCEPTEDPOLICIES = A ';' separated string containing accepted policies, can be
> null if it shouldn't be used. When not used, time stamp request MUST NOT include
> a policy identifier. (OPTIONAL, Recommended)
>
> Thanks
>
> Martin
>

Thanks Martin,

I updated the documentation with the following explanation:

A ';' separated string containing accepted policies. Note that only policies listed in this property are allowed to be requested. If the property does not contain any policies then no policy can be requested. Requests not including any policy would use the default policy regardless of this property but requests explicitly requesting the default policy would still not be allowed unless it is listed in this property. (OPTIONAL, Recommended)

Cheers,
Markus
PrimeKey Solutions |
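The acceptance rule in the documentation text quoted above, modelled as an added example (this is not SignServer's code): it builds a DER TimeStampReq like the ones crafted in this thread, reads reqPolicy back out of the bytes, and applies the ACCEPTEDPOLICIES rule. The default policy OID, the function names and the trimming of whitespace around ';' are assumptions made for the illustration.

```python
import hashlib

OID_SHA256 = "2.16.840.1.101.3.4.2.1"
DEFAULT_POLICY = "1.3.6.1.4.1.55555.1.1"  # constructed stand-in for DEFAULTTSAPOLICYOID
GRANTED, REJECTION = 0, 2   # RFC 3161 PKIStatus; 2 is the "status: 2" in the quoted log
UNACCEPTED_POLICY = 15      # RFC 3161 PKIFailureInfo bit unacceptedPolicy


def _tlv(tag, body):
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _oid(dotted):
    """Encode a dotted OID (first two arcs must fit one byte, true for all OIDs here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_timestamp_req(data, req_policy=None):
    """Client side: TimeStampReq v1 over SHA-256(data), with optional reqPolicy."""
    alg = _tlv(0x30, _oid(OID_SHA256) + _tlv(0x05, b""))
    imprint = _tlv(0x30, alg + _tlv(0x04, hashlib.sha256(data).digest()))
    body = _tlv(0x02, b"\x01") + imprint
    if req_policy is not None:
        body += _oid(req_policy)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, value, next_position), rejecting truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def requested_policy(tsr_der):
    """TSA side: return reqPolicy as a dotted string, or None when it is absent."""
    tag, body, _ = _read_tlv(tsr_der, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)      # version
    _, _, pos = _read_tlv(body, pos)    # messageImprint
    if pos < len(body):
        tag, value, _ = _read_tlv(body, pos)
        if tag == 0x06:                 # an OBJECT IDENTIFIER here is reqPolicy
            return _decode_oid(value)
    return None


def accepted_policies(prop):
    """Parse the ';' separated property; null or empty means no policy is listed."""
    if not prop:
        return set()
    return {p.strip() for p in prop.split(";") if p.strip()}


def decide(tsr_der, accepted_prop, default_policy=DEFAULT_POLICY):
    """Return (PKIStatus, policy used in the token, PKIFailureInfo bit)."""
    requested = requested_policy(tsr_der)
    if requested is None:               # no reqPolicy: default policy, property ignored
        return GRANTED, default_policy, None
    if requested in accepted_policies(accepted_prop):
        return GRANTED, requested, None  # token must carry exactly the requested OID
    return REJECTION, None, UNACCEPTED_POLICY


if __name__ == "__main__":
    doc = b"constructed sample document"
    for policy in (None, "1.2.3", DEFAULT_POLICY):
        print(policy, decide(build_timestamp_req(doc, policy), None))
```

With the property unset, the third case shows the behaviour that caused the confusion in this thread: a request naming the default policy explicitly is rejected, while a request naming no policy is granted under it.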
|
From: Martin R. <mar...@gm...> - 2015-08-27 14:37:29
|
On 27. 8. 2015 16:06, Markus Kilås wrote:
> Yes, I think this is the expected behaviour. The rationale is that you
> would only sign the time-stamp according to the policies you have
> decided to support. If a request comes in with a policy that you have
> not listed as a policy that you support (and thus claim to fulfil), then
> the request is rejected. If the request contains a policy OID then this
> must be the policy used in the token as explained in RFC#3161:
>
> "The policy field MUST indicate the TSA's policy under which the
> response was produced. If a similar field was present in the
> TimeStampReq, then it MUST have the same value, otherwise an error
> (unacceptedPolicy) MUST be returned. "
>
>
> Let me know if you think I missed something.
>
> Cheers,
> Markus

Hi,

thank you for your response, I think this is correct behaviour.

I was just a little confused. The confusion was because if ACCEPTEDPOLICIES are null then even requests that contain DEFAULTTSAPOLICYOID are rejected.

Perhaps more explicit text would be fine in documentation:

ACCEPTEDPOLICIES = A ';' separated string containing accepted policies, can be null if it shouldn't be used. When not used, time stamp request MUST NOT include a policy identifier. (OPTIONAL, Recommended)

Thanks

Martin |
|
From: Markus K. <ma...@pr...> - 2015-08-27 14:07:04
|
On 08/24/2015 11:34 AM, Martin Rublik wrote:
> Dear all,

Hi Martin,

>
> according to
> http://www.signserver.org/manual/complete.en.html#Time-stamp%20Signer it is
> possible to set/limit timestamping policies by modifying ACCEPTEDPOLICIES property.
>
> If this property is null does it mean that TimeStampReq (TSR) cannot include
> policy (reqPolicy)?

Yes, I think that would be the case as no policy is then allowed to be requested.

>
> I've tested the behaviour with signserver-ce-3.6.2 and the result was following.
> If I crafted a TSR without reqPolicy a timestamp was issued with
> DEFAULTTSAPOLICYOID. If I crafted a TSR with a dummy policy (1.2.3) the
> timestamp was denied with following error message:
> "request contains unknown policy."
>
> following debug message is logged:
> "11:15:50,908 DEBUG [org.signserver.module.tsa.TimeStampSigner]
> (http--0.0.0.0-8080-1) Time stamp response status: 2: request contains unknown
> policy."
>
> I guess it is because private method makeSetOfProperty of TimeStampSigner class
> creates an empty set if ACCEPTEDPOLICIES are null. Therefore validation method
> (validate method of TimeStampRequest class) fails.
>
> Is this expected behaviour?

Yes, I think this is the expected behaviour. The rationale is that you would only sign the time-stamp according to the policies you have decided to support. If a request comes in with a policy that you have not listed as a policy that you support (and thus claim to fulfil), then the request is rejected. If the request contains a policy OID then this must be the policy used in the token as explained in RFC#3161:

"The policy field MUST indicate the TSA's policy under which the response was produced. If a similar field was present in the TimeStampReq, then it MUST have the same value, otherwise an error (unacceptedPolicy) MUST be returned. "

Let me know if you think I missed something.

Cheers,
Markus

>
>
> Thank you for the clarification, kind regards
>
> Martin Rublik
>

--
Kind regards,
Markus Kilås |
|
From: Martin R. <mar...@gm...> - 2015-08-24 11:34:55
|
Dear all,

according to http://www.signserver.org/manual/complete.en.html#Time-stamp%20Signer it is possible to set/limit timestamping policies by modifying ACCEPTEDPOLICIES property.

If this property is null does it mean that TimeStampReq (TSR) cannot include policy (reqPolicy)?

I've tested the behaviour with signserver-ce-3.6.2 and the result was following. If I crafted a TSR without reqPolicy a timestamp was issued with DEFAULTTSAPOLICYOID. If I crafted a TSR with a dummy policy (1.2.3) the timestamp was denied with following error message:
"request contains unknown policy."

following debug message is logged:
"11:15:50,908 DEBUG [org.signserver.module.tsa.TimeStampSigner] (http--0.0.0.0-8080-1) Time stamp response status: 2: request contains unknown policy."

I guess it is because private method makeSetOfProperty of TimeStampSigner class creates an empty set if ACCEPTEDPOLICIES are null. Therefore validation method (validate method of TimeStampRequest class) fails.

Is this expected behaviour?

Thank you for the clarification, kind regards

Martin Rublik |
|
From: Jose L. G. R. <jg...@gm...> - 2015-07-13 14:26:37
|
Thanks Markus for the fast response.

The crypto in client side => signserver (transformation to xades or pades including timestamp, revocation info, etc)

Regards,

--
Jose Luis Gordo Romero
@jgordor <http://twitter.com/jgordor> - http://www.freemindsystems.com

2015-07-13 15:58 GMT+02:00 Markus Kilås <ma...@pr...>:

> On 07/13/2015 02:56 PM, Jose Luis Gordo Romero wrote:
> > Hi,
> >
> > I'm evaluating signserver for a project, where the signature is
> > performed in client-side (only the crypto), so, I need that signserver
> > completes the signature (for example to xades or pades).
> >
> > Reading the documentation I don't see this method, is it possible?
> >
> > Best Regards,
> >
> >
> > --
> > Jose Luis Gordo Romero
> >
>
> Hi Jose,
>
> All current signers in SignServer (that I can think of at least)
> perform the crypto on the server-side.
>
> That being said it could still be possible to create a signer where the
> crypto is done on the client side while everything else around the
> signature is created by SignServer.
>
> Or are you referring to taking for instance a complete XAdES-B (basic
> level) and having SignServer upgrading it by including a time-stamp and
> revocation information etc?
>
> Some more background on your use case could be useful.
>
> Regards,
> Markus
> PrimeKey Solutions
> |
|
From: Markus K. <ma...@pr...> - 2015-07-13 14:16:45
|
On 07/13/2015 02:56 PM, Jose Luis Gordo Romero wrote:
> Hi,
>
> I'm evaluating signserver for a project, where the signature is
> performed in client-side (only the crypto), so, I need that signserver
> completes the signature (for example to xades or pades).
>
> Reading the documentation I don't see this method, is it possible?
>
> Best Regards,
>
>
> --
> Jose Luis Gordo Romero
>

Hi Jose,

All current signers in SignServer (that I can think of at least) perform the crypto on the server-side.

That being said it could still be possible to create a signer where the crypto is done on the client side while everything else around the signature is created by SignServer.

Or are you referring to taking for instance a complete XAdES-B (basic level) and having SignServer upgrading it by including a time-stamp and revocation information etc?

Some more background on your use case could be useful.

Regards,
Markus
PrimeKey Solutions |
|
From: Jose L. G. R. <jg...@gm...> - 2015-07-13 12:56:52
|
Hi,

I'm evaluating signserver for a project, where the signature is performed in client-side (only the crypto), so, I need that signserver completes the signature (for example to xades or pades).

Reading the documentation I don't see this method, is it possible?

Best Regards,

--
Jose Luis Gordo Romero |
|
From: Markus K. <ma...@pr...> - 2015-06-16 09:40:35
|
On 06/16/2015 10:35 AM, Ebtehal Hassan wrote:
>
> Hello all,
> I want to ask how the time stamp works and how it puts its
> stamp on the document,
> for example when I deploy signserver as PDF Signer & time stamper, what
> exactly appears to me?
> Please help me
>
>

Hello Ebtehal,

The process of signing and time-stamping a PDF document could be described something like this:

1. The PDF document is uploaded to the PDF Signer by the client.
2. After the document has been received by the PDF Signer a new PDF is created with the same content as the original but some space made available to insert the signature as well as additional attributes.
3. The signature is then created and inserted into the document.
4. A hash of the signature is created and sent in a request to the time-stamp authority (TSA). Either an external TSA operated by somebody else or an internal one in SignServer.
5. The TSA receives the time-stamp request and produces a time-stamp token containing the hash, the time-stamp and the signature of it and returns it to the PDF Signer.
6. The PDF Signer inserts the time-stamp token into the document.
7. The signed & time-stamped PDF document is returned to the client.

Now a PDF reader with support for digital signatures can verify the signature of the document as well as verify the time-stamp token.

Regards,
Markus |
|
From: Ebtehal H. <h.e...@ya...> - 2015-06-16 08:35:48
|
Hello all,
I want to ask how the time stamp works and how it puts its stamp on the document, for example when I deploy signserver as PDF Signer & time stamper, what exactly appears to me?
Please help me |
|
From: Markus K. <ejb...@pr...> - 2015-06-02 08:09:24
|
Hi Marcin,

There seem to be some issues with the configuration of your workers.

From the stacktrace it can be seen that you are still using the SoftCryptoToken but in fact you want to use the P12CryptoToken.

Notice that when you apply a configuration with the "setproperties" command and it contains properties containing "WORKERGENID" in its name a new worker ID will be generated every time. If you run the command "bin/signserver getstatus brief all" you can see all configured workers. It could then happen that you in fact have multiple workers. In that case use the "remove" command.

One of the issues could also be if you forget to run the "reload" command after any configuration change such as setproperties, remove, setproperty etc.

The next issue is in your time-stamp configuration where you point out a cryptotoken with the name "CryptoTokenP12" while from your configuration it looks like you have given it the name "CryptoTokenSoft".

Cheers,
Markus
PrimeKey

On 06/01/2015 07:27 PM, Marcin Fabiańczyk wrote:
> Hello Markus
>
>
>
> I changed the p12 certificate for key, server certificate and
> certificate of CA. This change solved problem with recognizing of
> certificate but another error appeared.
> > > > 19:15:39,022 ERROR [org.jboss.ejb3.invocation] (http--0.0.0.0-8080-1) > JBAS014134: EJB Invocation failed on component WorkerSessionBean for > method public abstract org.signserver.common.ProcessResponse > org.signserver.ejb.interfaces.IWorkerSession$ILocal.process(org.signserver.server.log.AdminInfo,int,org.signserver.common.ProcessRequest,org.signserver.common.RequestContext) > throws > org.signserver.common.IllegalRequestException,org.signserver.common.CryptoTokenOfflineException,org.signserver.common.SignServerException: > javax.ejb.EJBException: java.lang.NullPointerException > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > > org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > 
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.signserver.ejb.interfaces.IWorkerSession$ILocal$$$view23.process(Unknown > Source) [SignServer-ejb-interfaces.jar:] > > at > org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:473) > > at > 
org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:360) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) > > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) > > at > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) > > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) > > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) > > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) > > at java.lang.Thread.run(Thread.java:701) [rt.jar:1.6.0_35] > > Caused by: java.lang.NullPointerException > > at > org.signserver.server.cryptotokens.SoftCryptoToken.getPrivateKey(SoftCryptoToken.java:176) > [SignServer-Server.jar:] > > at > 
org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:741) > [SignServer-Module-TSA.jar:] > > at > org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:474) > [SignServer-Module-TSA.jar:] > > at > org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:280) > [SignServer-ejb.jar:] > > at > org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:138) > [SignServer-ejb.jar:] > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.6.0_35] > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > [rt.jar:1.6.0_35] > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.6.0_35] > > at java.lang.reflect.Method.invoke(Method.java:622) > [rt.jar:1.6.0_35] > > at > org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > 
org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > ... 
39 more > > > > 19:15:39,040 ERROR > [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/signserver].[GenericProcessServlet]] > (http--0.0.0.0-8080-1) Servlet.service() for servlet > GenericProcessServlet threw exception: javax.ejb.EJBException: > java.lang.NullPointerException > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > 
org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.signserver.ejb.interfaces.IWorkerSession$ILocal$$$view23.process(Unknown > Source) > > at > org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:473) > [classes:] > > at > org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:360) > [classes:] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > > at > 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) > [jbossweb-7.0.13.Final.jar:] > > at > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) > [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) > [jbossweb-7.0.13.Final.jar:] > > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) > [jbossweb-7.0.13.Final.jar:] > > at java.lang.Thread.run(Thread.java:701) [rt.jar:1.6.0_35] > > Caused by: java.lang.NullPointerException > > at > org.signserver.server.cryptotokens.SoftCryptoToken.getPrivateKey(SoftCryptoToken.java:176) > 
[SignServer-Server.jar:] > > at > org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:741) > [SignServer-Module-TSA.jar:] > > at > org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:474) > [SignServer-Module-TSA.jar:] > > at > org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:280) > [SignServer-ejb.jar:] > > at > org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:138) > [SignServer-ejb.jar:] > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.6.0_35] > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > [rt.jar:1.6.0_35] > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.6.0_35] > > at java.lang.reflect.Method.invoke(Method.java:622) > [rt.jar:1.6.0_35] > > at > org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > 
org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final] > > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) > [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] > > ... 39 more > > > > Any suggestions what could go wrong? > > > > Regards, > > Martin > > > > > > ____________________________________________________________________________________________________________________________ > > I used p12 to configure signer certyfikate. 
> > > > soft-crypto-configuration.properties > > > > # This worker will not perform any operations on its own and indicates > this by > > # using the worker type CryptoWorker > > GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker > > > > # Uses a soft keystore: > > #GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.SoftCryptoToken > > GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.P12CryptoToken > > > > # Name for other workers to reference this worker: > > WORKERGENID1.NAME=CryptoTokenSoft > > WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12 > > > > # Required. The full path to the key-store file to load. > > WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12 > > # The password that protects the key-store. Used for automatic activation. > > WORKERGENID1.KEYSTOREPASSWORD=1234567890 > > > > > > > > qs_timestamp_configuration.properties > > > ## Global properties > > > > GLOB.WORKERGENID1.CLASSPATH= org.signserver.module.tsa.TimeStampSigner > > > > ## General properties > > > > # Name of the worker if referenced by name instead of Id. > > WORKERGENID1.NAME=TimeStampSigner > > > > # Authentication. One of NOAUTH, CLIENTCERT, > org.signserver.server.UsernamePasswordAuthorizer, > org.signserver.server.UsernameAuthorizer > > WORKERGENID1.AUTHTYPE=NOAUTH > > > > #WORKERGENID1.CRYPTOTOKEN=CryptoTokenSoft > > WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12 > > #WORKERGENID1.CRYPTOTOKEN=CryptoTokenP11 > > > > # Required. The full path to the key-store file to load. > > WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12 > > # The password that protects the key-store. Used for automatic activation. > > WORKERGENID1.KEYSTOREPASSWORD=1234567890 > > > > > > > > From bin/signserver getconfig I get: > > > > [root@tsa-01 signserver]# bin/signserver getconfig 1 > > OBSERVE that this command displays the current configuration which > > doesn't have to be the same as the active configuration. 
> > Configurations are activated with the reload command. > > > > The current configuration of worker with id : 1 is : > > NAME=CryptoTokenSoft > > > > KEYSTOREPASSWORD=1234567890 > > > > CRYPTOTOKEN=CryptoTokenP12 > > > > KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12 > > > > Either this isn't a Signer or no Signer Certificate have been uploaded > to it. > > > > [root@tsa-01 signserver]# bin/signserver getconfig 2 > > OBSERVE that this command displays the current configuration which > > doesn't have to be the same as the active configuration. > > Configurations are activated with the reload command. > > > > The current configuration of worker with id : 2 is : > > KEYSTOREPASSWORD=1234567890 > > > > CRYPTOTOKEN=CryptoTokenP12 > > > > KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12 > > > > AUTHTYPE=NOAUTH > > > > NAME=TimeStampSigner > > > > DEFAULTTSAPOLICYOID=1.2.3 > > > > Either this isn't a Signer or no Signer Certificate have been uploaded > to it. > > > > > > > > Wiadomość napisana przez Markus Kilås <ma...@pr... > <mailto:ma...@pr...>> w dniu 1 cze 2015, o godz. 12:01: > > > > On 06/01/2015 11:19 AM, Marcin Fabianczyk wrote: > > Hello, > > > Hello Marcin, > > > > When I try to sign a document timestamp gets > errors. SIGNSERVER_NODEID in the system variable is set. > > 10:59:57,754 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. > 10:59:57,755 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. > 10:59:57,755 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. > 10:59:57,755 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. 
> 10:59:57,756 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. > 10:59:57,756 ERROR [org.signserver.common.WorkerConfig] > (http--0.0.0.0-8080-1) Error, required environment variable > SIGNSERVER_NODEID isn't set. > > > > The error about SIGNSERVER_NODEID is more of a warning. > > If you want to get rid of it you need to define it as an environment > variable in place that is read by the application server. For instance > ~/.bashrc might not work but /etc/environment or similar might depending > on the system and how the application server is started. > > > 10:59:57,757 INFO [org.signserver.server.log.IWorkerLogger] > (http--0.0.0.0-8080-1) AUDIT; DefaultTimeStampLogger; LOG_ID: > 396652c8-edc8-4559-a969-07cc17b08283; CLIENT_IP: 10.0.0.27; > REQUEST_FULLURL: > http://tsa-01.company.local/signserver/process?workerName=TimeStampSigner; > RequestTime: 1433149197753; ResponseTime: 1; TimeStamp: > 1433149197756; > TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; > PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: > b889d6e3b9c7ea6; > TSA_POLICYID: 1.2.3; SIGNER_CERT_SERIALNUMBER: > ${SIGNER_CERT_SERIALNUMBER}; SIGNER_CERT_ISSUERDN: > ${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED: > MDECAQEwITAJBgUrDgMCGgUABBS9rHsjYWM6fCYkVPdKcSRUfwXi7wIGAU2uXXQnAQH/; > TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; > ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: > ${TSA_EXCEPTION}; EXCEPTION: > org.signserver.common.CryptoTokenOfflineException: No > certificate for > this signer > > > The last sentence is the real issue you are facing: > "No certificate for the signer". > > So you need to make sure the signer has a certificate configured. > > > Best regards, > Markus > PrimeKey > > > PrimeKey Solutions offers a commercial EJBCA & SignServer support > subscription and training. 
Please see www.primekey.se or contact in...@pr... for more information. > https://www.primekey.se/Services/Support/ > https://www.primekey.se/Services/Training/ > > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > |
|
From: Marcin F. <mar...@en...> - 2015-06-01 17:28:02
|
Hello Markus
I changed the p12 certificate for key, server certificate and certificate of CA. This change solved the problem with recognizing the certificate, but another error appeared.
19:15:39,022 ERROR [org.jboss.ejb3.invocation] (http--0.0.0.0-8080-1) JBAS014134: EJB Invocation failed on component WorkerSessionBean for method public abstract org.signserver.common.ProcessResponse org.signserver.ejb.interfaces.IWorkerSession$ILocal.process(org.signserver.server.log.AdminInfo,int,org.signserver.common.ProcessRequest,org.signserver.common.RequestContext) throws org.signserver.common.IllegalRequestException,org.signserver.common.CryptoTokenOfflineException,org.signserver.common.SignServerException: javax.ejb.EJBException: java.lang.NullPointerException
at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.signserver.ejb.interfaces.IWorkerSession$ILocal$$$view23.process(Unknown Source) [SignServer-ejb-interfaces.jar:]
at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:473)
at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:360)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397)
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
at java.lang.Thread.run(Thread.java:701) [rt.jar:1.6.0_35]
Caused by: java.lang.NullPointerException
at org.signserver.server.cryptotokens.SoftCryptoToken.getPrivateKey(SoftCryptoToken.java:176) [SignServer-Server.jar:]
at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:741) [SignServer-Module-TSA.jar:]
at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:474) [SignServer-Module-TSA.jar:]
at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:280) [SignServer-ejb.jar:]
at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:138) [SignServer-ejb.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_35]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_35]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_35]
at java.lang.reflect.Method.invoke(Method.java:622) [rt.jar:1.6.0_35]
at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
... 39 more
19:15:39,040 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/signserver].[GenericProcessServlet]] (http--0.0.0.0-8080-1) Servlet.service() for servlet GenericProcessServlet threw exception: javax.ejb.EJBException: java.lang.NullPointerException
at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.signserver.ejb.interfaces.IWorkerSession$ILocal$$$view23.process(Unknown Source)
at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:473) [classes:]
at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:360) [classes:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:701) [rt.jar:1.6.0_35]
Caused by: java.lang.NullPointerException
at org.signserver.server.cryptotokens.SoftCryptoToken.getPrivateKey(SoftCryptoToken.java:176) [SignServer-Server.jar:]
at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:741) [SignServer-Module-TSA.jar:]
at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:474) [SignServer-Module-TSA.jar:]
at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:280) [SignServer-ejb.jar:]
at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:138) [SignServer-ejb.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_35]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_35]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_35]
at java.lang.reflect.Method.invoke(Method.java:622) [rt.jar:1.6.0_35]
at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:228) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
... 39 more
Any suggestions what could go wrong?
Regards,
Martin
____________________________________________________________________________________________________________________________
I used p12 to configure the signer certificate.
soft-crypto-configuration.properties
# This worker will not perform any operations on its own and indicates this by
# using the worker type CryptoWorker
GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
# Uses a soft keystore:
#GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.SoftCryptoToken
GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.P12CryptoToken
# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12
# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890
qs_timestamp_configuration.properties
## Global properties
GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.tsa.TimeStampSigner
## General properties
# Name of the worker if referenced by name instead of Id.
WORKERGENID1.NAME=TimeStampSigner
# Authentication. One of NOAUTH, CLIENTCERT, org.signserver.server.UsernamePasswordAuthorizer, org.signserver.server.UsernameAuthorizer
WORKERGENID1.AUTHTYPE=NOAUTH
#WORKERGENID1.CRYPTOTOKEN=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12
#WORKERGENID1.CRYPTOTOKEN=CryptoTokenP11
# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890
From bin/signserver getconfig I get:
[root@tsa-01 signserver]# bin/signserver getconfig 1
OBSERVE that this command displays the current configuration which
doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 1 is :
NAME=CryptoTokenSoft
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
Either this isn't a Signer or no Signer Certificate have been uploaded to it.
[root@tsa-01 signserver]# bin/signserver getconfig 2
OBSERVE that this command displays the current configuration which
doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 2 is :
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
AUTHTYPE=NOAUTH
NAME=TimeStampSigner
DEFAULTTSAPOLICYOID=1.2.3
Either this isn't a Signer or no Signer Certificate have been uploaded to it.
Message written by Markus Kilås <ma...@pr...> on 1 June 2015, at 12:01:
On 06/01/2015 11:19 AM, Marcin Fabianczyk wrote:
Hello,
Hello Marcin,
When I try to sign a document timestamp gets
errors. SIGNSERVER_NODEID in the system variable is set.
10:59:57,754 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
(http--0.0.0.0-8080-1) Error, required environment variable
SIGNSERVER_NODEID isn't set.
The error about SIGNSERVER_NODEID is more of a warning.
If you want to get rid of it you need to define it as an environment
variable in place that is read by the application server. For instance
~/.bashrc might not work but /etc/environment or similar might depending
on the system and how the application server is started.
10:59:57,757 INFO [org.signserver.server.log.IWorkerLogger]
(http--0.0.0.0-8080-1) AUDIT; DefaultTimeStampLogger; LOG_ID:
396652c8-edc8-4559-a969-07cc17b08283; CLIENT_IP: 10.0.0.27;
REQUEST_FULLURL:
http://tsa-01.company.local/signserver/process?workerName=TimeStampSigner;
RequestTime: 1433149197753; ResponseTime: 1; TimeStamp: 1433149197756;
TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS};
PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: b889d6e3b9c7ea6;
TSA_POLICYID: 1.2.3; SIGNER_CERT_SERIALNUMBER:
${SIGNER_CERT_SERIALNUMBER}; SIGNER_CERT_ISSUERDN:
${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED:
MDECAQEwITAJBgUrDgMCGgUABBS9rHsjYWM6fCYkVPdKcSRUfwXi7wIGAU2uXXQnAQH/;
TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED};
ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION:
${TSA_EXCEPTION}; EXCEPTION:
org.signserver.common.CryptoTokenOfflineException: No certificate for
this signer
The last sentence is the real issue you are facing:
"No certificate for the signer".
So you need to make sure the signer has a certificate configured.
Best regards,
Markus
PrimeKey
PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see <http://www.primekey.se/> www.primekey.se or contact
<mailto:in...@pr...> in...@pr... for more information.
<https://www.primekey.se/Services/Support/> https://www.primekey.se/Services/Support/
<https://www.primekey.se/Services/Training/> https://www.primekey.se/Services/Training/
------------------------------------------------------------------------------
_______________________________________________
SignServer-develop mailing list
<mailto:Sig...@li...> Sig...@li...
<https://lists.sourceforge.net/lists/listinfo/signserver-develop> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
|
From: Marcin F. <mar...@en...> - 2015-06-01 10:25:31
|
I used p12 to configure signer certificate.

soft-crypto-configuration.properties
# This worker will not perform any operations on its own and indicates this by
# using the worker type CryptoWorker
GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
# Uses a soft keystore:
#GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.SoftCryptoToken
GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.P12CryptoToken
# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12
# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890

qs_timestamp_configuration.properties
## Global properties
GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.tsa.TimeStampSigner
## General properties
# Name of the worker if referenced by name instead of Id.
WORKERGENID1.NAME=TimeStampSigner
# Authentication. One of NOAUTH, CLIENTCERT, org.signserver.server.UsernamePasswordAuthorizer, org.signserver.server.UsernameAuthorizer
WORKERGENID1.AUTHTYPE=NOAUTH
#WORKERGENID1.CRYPTOTOKEN=CryptoTokenSoft
WORKERGENID1.CRYPTOTOKEN=CryptoTokenP12
#WORKERGENID1.CRYPTOTOKEN=CryptoTokenP11
# Required. The full path to the key-store file to load.
WORKERGENID1.KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
# The password that protects the key-store. Used for automatic activation.
WORKERGENID1.KEYSTOREPASSWORD=1234567890

From bin/signserver getconfig I get:

[root@tsa-01 signserver]# bin/signserver getconfig 1
OBSERVE that this command displays the current configuration which
doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 1 is :
NAME=CryptoTokenSoft
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
Either this isn't a Signer or no Signer Certificate have been uploaded to it.

[root@tsa-01 signserver]# bin/signserver getconfig 2
OBSERVE that this command displays the current configuration which
doesn't have to be the same as the active configuration.
Configurations are activated with the reload command.
The current configuration of worker with id : 2 is :
KEYSTOREPASSWORD=1234567890
CRYPTOTOKEN=CryptoTokenP12
KEYSTOREPATH=/opt/signserver/p12/TimeStampCA.p12
AUTHTYPE=NOAUTH
NAME=TimeStampSigner
DEFAULTTSAPOLICYOID=1.2.3
Either this isn't a Signer or no Signer Certificate have been uploaded to it.

> Message written by Markus Kilås <ma...@pr...> on 1 Jun 2015, at 12:01:
>
> On 06/01/2015 11:19 AM, Marcin Fabianczyk wrote:
>> Hello,
>
> Hello Marcin,
>
>>
>> When I try to sign a document timestamp gets
>> errors. SIGNSERVER_NODEID in the system variable is set.
>>
>> 10:59:57,754 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,755 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>> 10:59:57,756 ERROR [org.signserver.common.WorkerConfig]
>> (http--0.0.0.0-8080-1) Error, required environment variable
>> SIGNSERVER_NODEID isn't set.
>
> The error about SIGNSERVER_NODEID is more of a warning.
>
> If you want to get rid of it you need to define it as an environment
> variable in place that is read by the application server. For instance
> ~/.bashrc might not work but /etc/environment or similar might depending
> on the system and how the application server is started.
>
>> 10:59:57,757 INFO [org.signserver.server.log.IWorkerLogger]
>> (http--0.0.0.0-8080-1) AUDIT; DefaultTimeStampLogger; LOG_ID:
>> 396652c8-edc8-4559-a969-07cc17b08283; CLIENT_IP: 10.0.0.27;
>> REQUEST_FULLURL:
>> http://tsa-01.company.local/signserver/process?workerName=TimeStampSigner;
>> RequestTime: 1433149197753; ResponseTime: 1; TimeStamp: 1433149197756;
>> TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS};
>> PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: b889d6e3b9c7ea6;
>> TSA_POLICYID: 1.2.3; SIGNER_CERT_SERIALNUMBER:
>> ${SIGNER_CERT_SERIALNUMBER}; SIGNER_CERT_ISSUERDN:
>> ${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED:
>> MDECAQEwITAJBgUrDgMCGgUABBS9rHsjYWM6fCYkVPdKcSRUfwXi7wIGAU2uXXQnAQH/;
>> TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED};
>> ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION:
>> ${TSA_EXCEPTION}; EXCEPTION:
>> org.signserver.common.CryptoTokenOfflineException: No certificate for
>> this signer
>
> The last sentence is the real issue you are facing:
> "No certificate for the signer".
>
> So you need to make sure the signer has a certificate configured.
>
> Best regards,
> Markus
> PrimeKey
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/
>
> ------------------------------------------------------------------------------
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
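The triage described in the quoted reply above (treat the repeated SIGNSERVER_NODEID errors as noise and read the EXCEPTION field at the end of the audit entry) can be scripted; this is an added example, not part of the thread or of SignServer. The sample lines are constructed by unwrapping and shortening the log excerpt quoted in the message; the `key: value;` parsing and the reading of a literal `${...}` as an unfilled field are assumptions drawn from that one entry.

```python
import re

# A value that is still a literal ${NAME} was never filled in by the logger (assumption).
PLACEHOLDER = re.compile(r"^\$\{[A-Z_]+\}$")

# Constructed sample: the thread's log excerpt, unwrapped and with some fields dropped.
SAMPLE = [
    "10:59:57,756 ERROR [org.signserver.common.WorkerConfig] (http--0.0.0.0-8080-1) "
    "Error, required environment variable SIGNSERVER_NODEID isn't set.",
    "10:59:57,757 INFO [org.signserver.server.log.IWorkerLogger] (http--0.0.0.0-8080-1) "
    "AUDIT; DefaultTimeStampLogger; LOG_ID: 396652c8-edc8-4559-a969-07cc17b08283; "
    "CLIENT_IP: 10.0.0.27; PKIStatus: ${TSA_PKISTATUS}; TSA_POLICYID: 1.2.3; "
    "SIGNER_CERT_SERIALNUMBER: ${SIGNER_CERT_SERIALNUMBER}; TSA_EXCEPTION: ${TSA_EXCEPTION}; "
    "EXCEPTION: org.signserver.common.CryptoTokenOfflineException: No certificate for this signer",
]

def parse_audit(line):
    """Return the fields of one AUDIT entry as a dict, or None for other lines."""
    _, marker, body = line.partition("AUDIT; ")
    if not marker:
        return None
    fields = {}
    for part in body.split("; "):
        # Split on the first ": " only, so "SomeException: message" stays in the value.
        key, colon, value = part.partition(": ")
        if colon:
            fields[key.strip()] = value.strip().rstrip(";")
    return fields

def triage(lines):
    """Count NODEID warnings and list audit entries that carry a real exception."""
    report = {"nodeid_warnings": 0, "failures": []}
    for line in lines:
        if "SIGNSERVER_NODEID isn't set" in line:
            report["nodeid_warnings"] += 1
            continue
        fields = parse_audit(line)
        if not fields:
            continue
        exc = fields.get("EXCEPTION", "")
        if exc and not PLACEHOLDER.match(exc):
            report["failures"].append({
                "log_id": fields.get("LOG_ID"),
                "client_ip": fields.get("CLIENT_IP"),
                "exception": exc,
                "unfilled": sorted(k for k, v in fields.items() if PLACEHOLDER.match(v)),
            })
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An unfilled SIGNER_CERT_SERIALNUMBER next to a CryptoTokenOfflineException is consistent with the reply's diagnosis that the signer has no certificate configured.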