Description of problem:

After editing /var/lib/rhpki-ca/conf/flatfile.txt to use an IPv6 address with a password as follows:

UID=2001:a::1
PWD=123456

The pki-ca component

Version-Release number of selected component (if applicable):
1.1.0

How reproducible:

Steps to Reproduce:
1. tail -f /var/log/pki-ca/debug
2. Attempt to enroll using a Juniper Networks SCEP client

Actual results:

[23/Apr/2009:18:30:03][http-9180-Processor24]: Found profile=caRouterCert
[23/Apr/2009:18:30:03][http-9180-Processor24]: Retrieving authenticator
[23/Apr/2009:18:30:03][http-9180-Processor24]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: authenticating user: finding user from key: 2001:a:0:0:0:0:0:1
[23/Apr/2009:18:30:03][http-9180-Processor24]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
    at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:18:30:03][http-9180-Processor24]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null

Expected results:

Additional info:

OK, I was able to get this working with the latest CS 8.0 code after doing the following:

1. Experiment with the next CS release of JSS with IPv6.
2. Modify a test scep client to be able to use IPv6 addresses.
3. Set flatfile.txt to look like:

   UID:3ffe:1111:2222:2000:230:48ff:fe8c:39
   PWD:netscape

4. Restarted the server.
5. Issued the following command with the test client:

   ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u "http://gamma6:9180/ca/cgi-bin/pkiclient.exe"

The following log trace shows that the IPv6 IP address is being accepted just fine:

[23/Jun/2009:15:33:43][http-9180-Processor25]: Found profile=caRouterCert
[23/Jun/2009:15:33:43][http-9180-Processor25]: Retrieving authenticator
[23/Jun/2009:15:33:43][http-9180-Processor25]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Jun/2009:15:33:43][http-9180-Processor25]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[23/Jun/2009:15:33:43][http-9180-Processor25]: FlatFileAuth: authenticating user: finding user from key: 3ffe:1111:2222:2000:230:48ff:fe8c:39
[23/Jun/2009:15:33:43][http-9180-Processor25]: CRSEnrollment: Creating profile requests
[23/Jun/2009:15:33:43][http-9180-Processor25]: xx Start parsePKCS10

The local printout of the client invocation looked like:

./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: SUCCESS
./sscep: certificate written as cert.crt

Once we fix #469456, we can close this one with the caveat that the user will need a client that can connect over IPv6.
#469456 has been resolved. The next build of CS 8.0 should make this issue testable.
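
The lookup seen in the logs above, as an added example that is not code from this bug thread or from the project: a flat-file check that splits each UID:/PWD: line on the first colon only, canonicalizes IPv6 keys so that 2001:a::1 and 2001:a:0:0:0:0:0:1 name the same entry, and rejects an unknown key instead of throwing. The record layout follows the flatfile.txt shown in the second comment; the function names, the canonicalization step and the sample data are assumptions of this example.

```python
import hmac
import ipaddress

# Constructed sample in the UID:/PWD: layout shown in the second comment.
SAMPLE_FLATFILE = """\
UID:2001:a::1
PWD:123456

UID:3ffe:1111:2222:2000:230:48ff:fe8c:39
PWD:netscape
"""


def canonical_key(value):
    """Return one canonical spelling for an IP address; other keys pass through."""
    value = value.strip()
    try:
        return ipaddress.ip_address(value).compressed
    except ValueError:
        return value


def parse_flatfile(text):
    """Parse blank-line-separated UID:/PWD: records into {canonical uid: password}."""
    entries = {}
    for block in text.split("\n\n"):
        record = {}
        for line in block.splitlines():
            # Split on the first ':' only; an IPv6 value contains more of them.
            name, sep, value = line.partition(":")
            if sep:
                record[name.strip().upper()] = value.strip()
        # A record missing either field is skipped rather than half-loaded.
        if "UID" in record and "PWD" in record:
            entries[canonical_key(record["UID"])] = record["PWD"]
    return entries


def authenticate(entries, uid, password):
    """Return True only for a known uid with a matching password; never raise."""
    stored = entries.get(canonical_key(uid))
    if stored is None:
        return False  # unknown key is an authentication failure, not a crash
    # Constant-time comparison of the shared secret.
    return hmac.compare_digest(stored.encode(), password.encode())
```

With this parser, a record written as UID=.../PWD=... yields no entry at all, so a later lookup for that address is refused rather than dereferencing a missing record.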