Red Hat Bugzilla – Bug 492543
agent authentication failing with signed CMC requests
Last modified: 2015-01-05 20:19:34 EST
Created attachment 336993 [details]
snippet of debug log from Dogtag
Description of problem:
When I send an agent-signed CMC enrollment request to the CMC servlet, it fails with "ProfileSubmitServlet: authentication error Invalid Credential."
I'm fairly confident the CMC requests are OK as we are sending the same ones to Red Hat 7.1 CAs and they are working fine. I am experiencing this error on freshly setup Dogtag CAs. We can do SSL client auth to the Agent interface webpages with our browsers and the credential we supply works fine so we're pretty sure the agent cert piece is set up correctly as well.
I'm also fairly certain this used to work when I've tested in the past. I looked through bugzilla for CMC bugs, found 4 (3 were mine), and it was fixed almost a year ago so I doubt that was it.
Version-Release number of selected component (if applicable):
I get the same behavior whether I send a DER encoded CMC request to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull) or paste a Base64 encoded request into the "Signed CMC-Authenticated User Certificate Enrollment" profile on the end entity web enrollment page.
Steps to Reproduce:
1. Create CMC request signed with credentials that are configured as agent on CA
2. Send request to CA (using either DER/Base64 method above)
I've attached debug logs showing Dogtag vs RHCS7 which is the error vs success case. The Dogtag process dies relatively early. What I noticed is after they output "ProfileSubmitServlet: set sslClientCertProvider", RHCS makes an LDAP connection and comes back with my agent entry (I assume it took the cert from CMC's SignerInfo and searched in the directory for it) whereas Dogtag doesn't show the LDAP connection even being tried.
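The comparison above hinges on which credential the CA pulls out of the CMC request's SignerInfo before looking it up as an agent. The stdlib-only script below is an added example, not part of the bug report or of Dogtag/RHCS: it walks the DER of a CMC Full request (a CMS SignedData) and reports each signer's issuer CN and serial, so the identity presented can be checked against the agent entry in the directory. The embedded request is constructed for the example, with a hypothetical "Dogtag Test CA" issuer and serial 7.

```python
"""Report the signer identities carried in a CMC Full request (CMS SignedData)."""

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # id-signedData 1.2.840.113549.1.7.2
PKIDATA = bytes.fromhex("2b06010505070c02")         # id-cct-PKIData 1.3.6.1.5.5.7.12.2
SHA256 = bytes.fromhex("608648016503040201")        # sha256 2.16.840.1.101.3.4.2.1
RSA = bytes.fromhex("2a864886f70d010101")           # rsaEncryption 1.2.840.113549.1.1.1
CN_OID = bytes.fromhex("550403")                    # id-at-commonName 2.5.4.3

def tlv(tag, body):
    """Minimal DER encoder (short and long length forms); used to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode one DER element at pos: returns (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long form: n & 0x7f length octets follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split a constructed element's body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def cn_of(name):
    """Return the commonName from an X.501 Name, or None if absent."""
    for _, rdn in children(name):                   # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):                # AttributeTypeAndValue (SEQUENCE)
            oid, val = children(atv)
            if oid[1] == CN_OID:
                return val[1].decode()
    return None

def cmc_signers(der):
    """List (issuer CN, serial) or ("keyid", hex) for every SignerInfo in the request."""
    _, content_info, _ = read_tlv(der)
    oid, content = children(content_info)           # ContentInfo: contentType, [0] content
    if oid[1] != SIGNED_DATA:
        raise ValueError("not a CMS SignedData ContentInfo")
    signed_data = children(content[1])[0][1]        # [0] EXPLICIT wraps one SEQUENCE
    signer_infos = children(signed_data)[-1][1]     # signerInfos is always the last member
    out = []
    for _, si in children(signer_infos):
        sid_tag, sid = children(si)[1]              # sid follows the version INTEGER
        if sid_tag == 0x30:                         # issuerAndSerialNumber
            name, serial = children(sid)
            out.append((cn_of(name[1]), int.from_bytes(serial[1], "big", signed=True)))
        else:                                       # [0] subjectKeyIdentifier
            out.append(("keyid", sid.hex()))
    return out

def sample_cmc_request():
    """Constructed CMC Full request skeleton: one signer, CN=Dogtag Test CA, serial 7 (hypothetical)."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x13, b"Dogtag Test CA"))))
    signer = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, name + tlv(0x02, b"\x07"))
                 + tlv(0x30, tlv(0x06, SHA256)) + tlv(0x30, tlv(0x06, RSA)) + tlv(0x04, b"\x00" * 4))
    signed = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, tlv(0x30, tlv(0x06, SHA256)))
                 + tlv(0x30, tlv(0x06, PKIDATA)) + tlv(0xA0, b"") + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, signed))

if __name__ == "__main__":
    print(cmc_signers(sample_cmc_request()))      # [('Dogtag Test CA', 7)]
```

On a real request, feed the raw DER file (or the Base64 pasted into the EE page, decoded first) to cmc_signers and compare the issuer/serial with the agent's certificate in the directory.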
Created attachment 336994 [details]
snippet of debug log from RHCS7 for comparison
Forgot to mention, a co-worker tried sending raw CRMFs to the bulkissuance servlet and that was successful, but as that also uses SSL client auth that would be expected.
Created attachment 346685 [details]
just to make debug log messages more accurate
I just fixed https://bugzilla.redhat.com/show_bug.cgi?id=502861, and after that, CMC enrollment seems to be fine. I do not see either an Authentication or an Authorization error. This is working both for Base64 encoding from the caCMCUserCert profile at the EE page and for the CMC servlet (ca/ee/ca/profileSubmitCMCFull).
I am checking in changes to the log messages for profileSubmitCMCFull here since all log messages are saying "ProfileSubmitServlet" instead of "ProfileSubmitCMCServlet" and that's misleading and does not help with debugging.
attachment (id=346685) +awnuk
[cfu@jaw common]$ pwd
[cfu@jaw common]$ svn commit src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
Transmitting file data .
Committed revision 553.
I have tested and can confirm that I can both paste in Base64 CMC in the webpage or hit the servlet with a DER request and I get a cert back. However, I'm still stuck with bug 441544, which causes the freshly issued cert to be expired immediately.
Verified (with June-18 build). Sending a CMC request using "Signed CMC-Authenticated User Certificate Enrollment" in the EE pages succeeds.