Bug 801840
| Summary: | pki_silent.template missing opening brace on line 1314 for ca_external variable | ||
|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Rob Reardon <rob.j.reardon> |
| Component: | Batch Configuration (pkisilent) | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | dennis, dpal, jgalipea, kwright, mharmsen, mniranja, nkinder |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | pki-silent-8.1.1-1.el5pki | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-08-29 01:33:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 754280 | ||
DOGTAG_9_BRANCH: http://git.fedorahosted.org/git/?p=pki.git;a=commit;h=a99a83ccf6741f7361904689ed79b7dafa5f323f
author    Matthew Harmsen <mharmsen>  Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
committer Matthew Harmsen <mharmsen>  Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
commit a99a83ccf6741f7361904689ed79b7dafa5f323f
Get DOGTAG_9_BRANCH GIT repository in-sync with SVN namesake
Migrated the following bugs:
- Bugzilla Bug #747381 - After the migration (7.1->8.1) CA agent page displays admin cert request with authtime attribute twice
- Bugzilla Bug #747019 - Migrated policy requests from 7.1->8.1 displays issuedcerts and cert_Info params as base 64 blobs.
- Bugzilla Bug #757848 - DRM re-key tool: introduces a blank line in the middle of an ldif entry.
- Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace for ca_external variable
16 files changed:
pki/CMakeLists.txt
pki/base/common/src/com/netscape/cms/servlet/request/CertReqParser.java
pki/base/java-tools/src/com/netscape/cmstools/DRMTool.java
pki/base/silent/templates/pki_silent.template
pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/processReq.template
pki/scripts/compose_dogtag_pki_theme_packages
pki/scripts/compose_pki_core_packages
pki/scripts/compose_pki_kra_packages
pki/scripts/compose_pki_ocsp_packages
pki/scripts/compose_pki_tks_packages
pki/specs/dogtag-pki-theme.spec
pki/specs/dogtag-pki.spec
pki/specs/pki-core.spec
pki/specs/pki-kra.spec
pki/specs/pki-ocsp.spec
pki/specs/pki-tks.spec
master:
# git add pki/base/silent/templates/pki_silent.template
# git commit
commit ce69d1c0f83e9dc1d66c58c40ab3b2f5f58cc8fa
Author: Matthew Harmsen <mharmsen>
Date: Mon Mar 12 18:19:56 2012 -0700
Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace
for ca_external variable
# git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 656 bytes, done.
Total 7 (delta 4), reused 2 (delta 1)
To ssh://git.fedorahosted.org/git/pki.git
1f759b5..ce69d1c master -> master
Versions:
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-ca
Name : pki-ca Relocations: (not relocatable)
Version : 8.1.1 Vendor: Red Hat, Inc.
Release : 1.ecc.el5pki Build Date: Tue 19 Feb 2013 02:56:12 PM EST
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-silent
Name : pki-silent Relocations: (not relocatable)
Version : 8.1.0 Vendor: Red Hat, Inc.
Release : 2.ecc.el5pki Build Date: Tue 19 Feb 2013 03:09:38 PM EST
Install Date: Tue 19 Feb 2013 09:28:40 AM EST Build Host: payday.dsdev.sjc.redhat.com
Group : System Environment/Shells Source RPM: pki-silent-8.1.0-2.ecc.el5pki.src.rpm
|-------------------------------------------------------------------------------|
Steps to reproduce:
1. Configure a CA subsystem (this will be the external CA subsystem)
#!/bin/bash
### script to create ca instance
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca1 \
-subsystem_type=ca \
-agent_secure_port=9443 \
-ee_secure_port=9444 \
-ee_secure_client_auth_port=9446 \
-admin_secure_port=9445 \
-unsecure_port=9180 \
-tomcat_server_port=9701 \
-user=pkiuser1 \
-group=pkiuser1 \
-redirect conf=/etc/pki-ca1 \
-redirect logs=/var/log/pki-ca1 \
-verbose
|-------------------------------------------------------------------------------|
2. Check the CA status
[root@rhelcs-1 scripts]# /etc/init.d/pki-ca1 status
pki-ca1 (pid 29326) is running ...
Unsecure Port = http://rhelcs-1.example.org:9180/ca/ee/ca
Secure Agent Port = https://rhelcs-1.example.org:9443/ca/agent/ca
Secure EE Port = https://rhelcs-1.example.org:9444/ca/ee/ca
Secure Admin Port = https://rhelcs-1.example.org:9445/ca/services
EE Client Auth Port = https://rhelcs-1.example.org:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://rhelcs-1.example.org:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca1
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
========================================
Name: Example Domain
URL: https://rhelcs-1.example.org:9445
========================================
|-------------------------------------------------------------------------------|
3. Configure pki_silent.template: copy the template under another name
$cd /usr/share/pki/silent/
$cp pki_silent.template silent
|-------------------------------------------------------------------------------|
4. Issue pkicreate to install the CA instance
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca \
-subsystem_type=ca \
-agent_secure_port=19443 \
-ee_secure_port=19444 \
-ee_secure_client_auth_port=19446 \
-admin_secure_port=19445 \
-unsecure_port=19180 \
-tomcat_server_port=19701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca \
-redirect logs=/var/log/pki-ca \
-verbose
|-------------------------------------------------------------------------------|
5. Modify the CA ports in silent1 to use the ports below, as the external CA uses the default ports.
Edit the /usr/share/pki/silent/silent1 file and specify the CA ports below
## CA ports
ca_nonssl_port=19180
ca_agent_port=19443
ca_ee_port=19444
ca_admin_port=19445
|-------------------------------------------------------------------------------|
6. Edit /usr/share/pki/silent/silent1 and specify the parameters below
pki_silent_security_database_repository="/tmp/silent"
pki_silent_security_database_password=redhat
pki_security_domain_name="Example\ Domain"
pki_security_domain_host=`hostname`
pki_security_domain_admin_name=admin
pki_security_domain_admin_password=redhat
pki_ldap_host=localhost
pki_ldap_port=389
pki_bind_dn="cn=Directory\ Manager"
pki_bind_password="redhat@123"
ca_token_name=internal
ca_token_password="302616449511"
ca_backup_password="302616449511"
pki_email_name=root
pki_email_company=example
pki_email_domain=com
pki_silent_admin_user=admin
pki_silent_admin_password=redhat
pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
pki_host=`hostname`
ca_subsystem_name="Certificate\ Authority"
kra_subsystem_name="Data\ Recovery\ Manager"
ocsp_subsystem_name="OCSP\ Responder"
tks_subsystem_name="Token\ Key\ Service"
ra_subsystem_name="Registration\ Authority"
tps_subsystem_name="Token\ Processing\ System"
ca_instance_name="pki-ca"
ca_nonssl_port=19180
ca_agent_port=19443
ca_ee_port=19444
ca_admin_port=19445
pki_silent_ca_log=/tmp/ca.log
ca_external=true
ca_ext_csr_file=/tmp/ext_ca.csr
|-------------------------------------------------------------------------------|
7. Also edit the pki_silent template file silent1 to uncomment the lines that invoke the CA installation to create the CSR (step 1)
## Configure CA signed by external CA (step 1)
printf "'${pki_silent_script}': First step in configuring '${ca_instance_name}' . . .\n"
pkisilent ConfigureCA \
-cs_hostname "${pki_host}" \
-cs_port ${ca_admin_port} \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_database_password} \
-preop_pin ${ca_preop_pin} \
-domain_name "${pki_security_domain_name}" \
-admin_user ${pki_silent_admin_user} \
-admin_password ${pki_silent_admin_password} \
-admin_email "${pki_silent_admin_email}" \
-agent_name ${ca_agent_name} \
-agent_key_size ${ca_agent_key_size} \
-agent_key_type ${ca_agent_key_type} \
-agent_cert_subject "${ca_agent_cert_subject}" \
-ldap_host ${pki_ldap_host} \
-ldap_port ${pki_ldap_port} \
-bind_dn "${pki_bind_dn}" \
-bind_password ${pki_bind_password} \
-base_dn "${ca_base_dn}" \
-db_name "${ca_db_name}" \
-key_size ${ca_key_size} \
-key_type ${ca_key_type} \
-key_algorithm ${ca_key_algorithm} \
-signing_algorithm ${ca_signing_algorithm} \
-signing_signingalgorithm ${ca_signing_signingalgorithm} \
-ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
-save_p12 ${ca_save_p12} \
-subsystem_name ${ca_subsystem_name} \
-token_name ${ca_token_name} \
-token_pwd ${ca_token_password} \
-ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
-ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
-ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
-ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
-ca_audit_signing_cert_subject_name \
"${ca_audit_signing_cert_subject_name}" \
-external ${ca_external} \
-ext_csr_file ${ca_ext_csr_file} \
| tee ${pki_silent_ca_log}
## Restart CA
#/sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
8. Run the template
/usr/share/pki/silent/silent1
9. The above creates the certificate request /tmp/ext_ca.csr
10. Sign the request with the external CA created in step 1.
A. Access the EE page: http://<hostname>:9444/ca/ee/ca
B. Select the "Manual Certificate Manager Signing Certificate Enrollment"
C. Paste the request and submit it to the CA.
D. Go to the Agent page and sign the request.
|-------------------------------------------------------------------------------|
11. Copy the signed CA certificate into the file below
cat /tmp/ca_ext_cert_file.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
|-------------------------------------------------------------------------------|
12. Copy the external CA's signing CA cert into the file below
$ cat /tmp/ca_ext_cert_chain_file.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
|-------------------------------------------------------------------------------|
13. Edit the pki_silent template to specify the signed CA cert file and the external CA chain file. Comment out the parameters below:
#ca_external=true
#ca_ext_csr_file=/tmp/ext_ca.csr
Add the lines below:
ca_external=true
ca_ext_cert_file=/tmp/ca_ext_cert_file.crt
ca_ext_cert_chain_file=/tmp/ca_ext_cert_chain_file.crt
And uncomment the pkisilent command that invokes step 2, which takes the signed cert and configures the CA.
## Configure an externally signed CA (step 2)
printf "'${pki_silent_script}': Step 2 in configuring external signed '${ca_instance_name}' . . .\n"
pkisilent ConfigureCA \
-cs_hostname "${pki_host}" \
-cs_port ${ca_admin_port} \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_database_password} \
-preop_pin ${ca_preop_pin} \
-domain_name "${pki_security_domain_name}" \
-admin_user ${pki_silent_admin_user} \
-admin_password ${pki_silent_admin_password} \
-admin_email "${pki_silent_admin_email}" \
-agent_name ${ca_agent_name} \
-agent_key_size ${ca_agent_key_size} \
-agent_key_type ${ca_agent_key_type} \
-agent_cert_subject "${ca_agent_cert_subject}" \
-ldap_host ${pki_ldap_host} \
-ldap_port ${pki_ldap_port} \
-bind_dn "${pki_bind_dn}" \
-bind_password ${pki_bind_password} \
-base_dn "${ca_base_dn}" \
-db_name "${ca_db_name}" \
-key_size ${ca_key_size} \
-key_type ${ca_key_type} \
-key_algorithm ${ca_key_algorithm} \
-signing_algorithm ${ca_signing_algorithm} \
-signing_signingalgorithm ${ca_signing_signingalgorithm} \
-ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
-save_p12 ${ca_save_p12} \
-subsystem_name ${ca_subsystem_name} \
-token_name ${ca_token_name} \
-token_pwd ${ca_token_password} \
-ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
-ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
-ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
-ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
-ca_audit_signing_cert_subject_name \
"${ca_audit_signing_cert_subject_name}" \
-external ${ca_external} \
-ext_ca_cert_file ${ca_ext_cert_file} \
-ext_ca_cert_chain_file ${ca_ext_cert_chain_file} \
| tee ${pki_silent_ca_log}
## Restart CA
/sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
9. Check the /tmp/ca.log file to see the installation status
10.
[root@rhelcs-1 tmp]# /etc/init.d/pki-ca status
pki-ca (pid 30443) is running ...
Unsecure Port = http://rhelcs-1.example.org:19180/ca/ee/ca
Secure Agent Port = https://rhelcs-1.example.org:19443/ca/agent/ca
Secure EE Port = https://rhelcs-1.example.org:19444/ca/ee/ca
Secure Admin Port = https://rhelcs-1.example.org:19445/ca/services
EE Client Auth Port = https://rhelcs-1.example.org:19446/ca/eeca/ca
PKI Console Port = pkiconsole https://rhelcs-1.example.org:19445/ca
Tomcat Port = 19701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Subordinate CA (Security Domain)
Registered PKI Security Domain Information:
==============================================
Name: Example Domain
URL: https://rhelcs-1.example.org:19445
==============================================
|-------------------------------------------------------------------------------|
pkisilent configuration for SubCA
=================================
1. Create user pkiuser8
$useradd -d /usr/share/pki/pkiuser8 -s /sbin/nologin -r pkiuser8
#---------------------------------------------------------------------#
2. Copy the Certicom libraries and the "initpin" binary listed below to the home directory of pkiuser8
libsbcpgse.so,
libsbgse2.so
initpin
#---------------------------------------------------------------------#
3. Run initpin
[root@nocp2 pkiuser8]# ./initpin
Security Builder API for PKCS #11 User PIN Initialization Utility
This utility can be used to set the Normal User's PIN
Please enter the directory where the token databases exist or will be created:
/usr/share/pki/pkiuser8
Enter the Normal User's PIN:
Re-Enter the Normal User's PIN:
The Normal User's PIN has been set!
#---------------------------------------------------------------------#
4. Change ownership of the files in /usr/share/pki/pkiuser1 to the pkiuser1 user
$cd /usr/share/pki/pkiuser8
$chown -R pkiuser8: pkiuser8
#---------------------------------------------------------------------#
5. Create CA instance
[root@nocp2 test]# cat ca.bash
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca-Apr4-subca-inst2-nocp2 \
-subsystem_type=ca \
-agent_secure_port=39543 \
-ee_secure_port=39544 \
-ee_secure_client_auth_port=39546 \
-admin_secure_port=39545 \
-unsecure_port=39580 \
-tomcat_server_port=39501 \
-user=pkiuser8 \
-group=pkiuser8 \
-redirect conf=/etc/pki-ca-Apr4-subca-inst2-nocp2 \
-redirect logs=/var/log/pki-ca-Apr4-subca-inst2-nocp2 \
-verbose
6. Stop the CA instance
[root@nocp2 test]# /sbin/service pki-ca-Apr4-subca-inst2-nocp2 stop
Stopping pki-ca-Apr4-subca-inst2-nocp2: .. [ OK ]
export HOME=/usr/share/pki/pkiuser8
cd /var/lib/pki-ca-Apr4-subca-inst2-nocp2/alias
$modutil -dbdir . -nocertdb -add certicom -libfile /usr/lib64/libsbcpgse.so
#---------------------------------------------------------------------#
7. Add the line below to CS.cfg
ca.requestVerify.token=Certicom FIPS Cert/Key Services
#---------------------------------------------------------------------#
8. Add the environment variable NSS_USE_DECODED_CKA_EC_POINT to /usr/bin/dtomcat5-pki-ca-Apr4-subca-inst2-nocp2
#---------------------------------------------------------------------#
9. Add line "hardware-Certicom\ FIPS\ Cert/Key\ Services=redhat" to password.conf
#---------------------------------------------------------------------#
10. Start the instance.
#---------------------------------------------------------------------#
11. Log in as the non-root user who will administer the CA. (In this example, user test1)
#---------------------------------------------------------------------#
12. Check that no firefox processes are running
[root@nocp2 alias]# su - test1
[test1@nocp2 ~]$ ps -ef | grep firefox
test1 18751 18722 0 03:54 pts/0 00:00:00 grep firefox
#---------------------------------------------------------------------#
13. Copy one of the silentEC_ca.template files from the /usr/share/pki/silent/ directory to the browser profile directory under a different script name
[test1@nocp2 ~]$ cp /usr/share/pki/silent/silentEC_subca.template .mozilla/firefox/uhn8gnex.default/EC_subca.template
#---------------------------------------------------------------------#
Note: Make sure the Certicom token is added to the
[test1@nocp2 ~]$ cd .mozilla/firefox/oz5a7i6i.ECCSilent
[test1@nocp2 uhn8gnex.default]$ modutil -dbdir . -list -nocertdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. certicom
library name: /usr/lib64/libsbcpgse.so
slots: 2 slots attached
status: loaded
slot: FIPS Generic Crypto Services V1.0.1d
token: Certicom FIPS Crypto Services
slot: FIPS Certificate/Key Services V1.0.1d
token: Certicom FIPS Cert/Key Services
#---------------------------------------------------------------------#
14. Specify the parameters below in EC_subca.template
pki_silent_security_database_repository=/home/test1/.mozilla/firefox/uhn8gnex.default
pki_silent_security_database_password="redhat"
pki_silent_security_token_name="Certicom\ FIPS\ Cert/Key\ Services"
pki_security_domain_name="PKI\ Domain1"
pki_security_domain_host=`hostname`
pki_security_domain_admin_name=admin
pki_security_domain_admin_password=redhat
pki_ldap_host=localhost
pki_ldap_port=389
pki_bind_dn="cn=Directory\ Manager"
pki_bind_password=Secret123
subca_token_name=NHSM6000-OCS
subca_token_password=redhat123
subca_backup_password=redhat
pki_email_name=admin
pki_email_company=example
pki_email_domain=com
pki_silent_admin_user=admin
pki_silent_admin_password=redhat
pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
subca_subsystem_name="Certificate\ Authority\ 2"
subca_instance_name="pki-ca-Apr4-subca-inst2-nocp2"
ca_nonssl_port=29180
ca_agent_port=29443
ca_ee_port=29444
ca_admin_port=29445
## Subordinate CA ports
subca_nonssl_port=39580
subca_agent_port=39543
subca_ee_port=39544
subca_admin_port=39545
subca_preop_pin=SzTFUBzk4bNwiPzAsWJX
#---------------------------------------------------------------------#
15. Execute the script
[test1@nocp2 uhn8gnex.default]$ ./EC_subca.template
WARNING: At least one of the security databases
(i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')
required by 'EC_subca.template' exists at the
specified location '/home/test1/.mozilla/firefox/oz5a7i6i.ECCSilent'.
Continue...
Removing old PKI Silent log files:
Done.
'EC_subca.template': Configuring 'pki-ca-Apr4-subca-inst2-nocp2' . . .
libpath=/usr/lib64
#---------------------------------------------------------------------#
16. After successful configuration we would see the output below:
<snip>
caHost=nocp2.dsdev.sjc.redhat.com
caPort=39545
systemType=ca
Certificate System - Subordinate CA Instance Configured.
#######################################################################
If configured without errors, ask the OS root user to restart the CS instance:
/sbin/service 'pki-ca-Apr4-subca-inst2-nocp2' restart
</snip>
#---------------------------------------------------------------------#
17. Restart the instance.
[root@nocp2 pki-ca-Apr4-extca-inst2-nocp2]# /etc/init.d/pki-ca-Apr4-subca-inst2-nocp2 status
pki-ca-Apr4-subca-inst2-nocp2 (pid 9033) is running ...
Unsecure Port = http://nocp2.dsdev.sjc.redhat.com:39580/ca/ee/ca
Secure Agent Port = https://nocp2.dsdev.sjc.redhat.com:39543/ca/agent/ca
Secure EE Port = https://nocp2.dsdev.sjc.redhat.com:39544/ca/ee/ca
Secure Admin Port = https://nocp2.dsdev.sjc.redhat.com:39545/ca/services
EE Client Auth Port = https://nocp2.dsdev.sjc.redhat.com:39546/ca/eeca/ca
PKI Console Port = pkiconsole https://nocp2.dsdev.sjc.redhat.com:39545/ca
Tomcat Port = 39501 (for shutdown)
PKI Instance Name: pki-ca-Apr4-subca-inst2-nocp2
PKI Subsystem Type: Subordinate CA
Registered PKI Security Domain Information:
=======================================
Name: PKI Domain1
URL: https://nocp2.dsdev.sjc.redhat.com:29445
=======================================
The comment #6 was wrongly added here. Apologies.
Description of problem:
When attempting to create a 2-step external CA using pkisilent based upon the pki_silent.template, running step 2 results in an error:
Error in CertSubjectPanel(): updateStatus returns failure
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

Version-Release number of selected component (if applicable):
pki-silent-9.0.17-1.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Create new pki-cad instance
2. Use pki_silent.template example step 1 to create a csr for external signing
3. Use pki_silent.template example step 2 to finish creation of CA

Actual results:
Creation of CA reports an error and does not complete:
Error in CertSubjectPanel(): updateStatus returns failure
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

Expected results:
CA created successfully.

Additional info:
Within pki_silent.template line number 1314 reads:
-external $ca_external} \
which should be:
-external ${ca_external} \
With the line corrected, step 2 completes successfully and the CA instance is configured correctly.
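The one-character defect above (`$ca_external}` where `${ca_external}` was meant) is easy to miss by eye, and the shell does not reject it: it expands to `true}`, which is what pkisilent then receives as the `-external` value. The check below is an added example, not part of this bug report or of pki-silent; it lints a pki_silent-style template for expansions that lost their opening brace, rewrites them, and shows what the shell actually hands to pkisilent for each spelling. It assumes POSIX sh with grep, sed and mktemp; the template fragment is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of pki-silent itself.
# Lint for pki_silent-style shell templates: finds parameter expansions
# that lost their opening brace (the '$ca_external}' defect) and shows
# why they break the pkisilent invocation. Assumes POSIX sh, grep, sed, mktemp.

# '$' followed directly by an identifier and '}'. A correct '${name}' has
# '{' right after '$', so it is not matched by this pattern.
BAD_EXPANSION='\$[A-Za-z_][A-Za-z0-9_]*\}'

# Print offending lines with line numbers; return 1 if any, 0 if clean.
lint_template() {
    if grep -nE "$BAD_EXPANSION" "$1"; then
        return 1
    fi
    return 0
}

# Number of offending lines in a file (prints 0 when clean).
count_bad() {
    grep -cE "$BAD_EXPANSION" "$1" || true
}

# Rewrite '$name}' as '${name}' on stdout (the one-character fix).
fix_template() {
    sed -E 's/\$([A-Za-z_][A-Za-z0-9_]*)\}/${\1}/g' "$1"
}

# What the shell hands to pkisilent for the buggy and the fixed spelling:
# the buggy form yields 'true}' (stray brace kept), the fixed form 'true'.
buggy_value() { ca_external=true; eval "printf '%s' \"\$ca_external}\""; }
fixed_value() { ca_external=true; eval "printf '%s' \"\${ca_external}\""; }

# Constructed fragment in the shape of the step-2 ConfigureCA call,
# written to a temp file whose path is printed.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
pkisilent ConfigureCA \
    -token_pwd ${ca_token_password} \
    -external $ca_external} \
    -ext_ca_cert_file ${ca_ext_cert_file} \
    | tee ${pki_silent_ca_log}
EOF
    printf '%s' "$f"
}
```

Run `lint_template` against a copied template before executing it; a non-zero exit with the offending line printed is the signal to apply `fix_template` and review the result.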