Bug 801840 - pki_silent.template missing opening brace on line 1314 for ca_external variable
Status: CLOSED NEXTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Batch Configuration (pkisilent)
Version: 9.0
Hardware: All
OS: All
Priority: unspecified
Severity: low
Assigned To: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
Blocks: 754280
Reported: 2012-03-09 10:52 EST by Rob Reardon
Modified: 2014-08-28 21:33 EDT
Fixed In Version: pki-silent-8.1.1-1.el5pki
Doc Type: Bug Fix
Last Closed: 2014-08-28 21:33:20 EDT


Description Rob Reardon 2012-03-09 10:52:05 EST
Description of problem:

When attempting to create a 2-step external CA using pkisilent based upon the pki_silent.template, running step 2 results in an error:-

Error in CertSubjectPanel(): updateStatus returns failure
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

Version-Release number of selected component (if applicable):
pki-silent-9.0.17-1.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Create new pki-cad instance
2. Use pki_silent.template example step 1 to create a csr for external signing
3. Use pki_silent.template example step 2 to finish creation of CA
  
Actual results:
Creation of CA reports an error and does not complete:-

Error in CertSubjectPanel(): updateStatus returns failure
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

Expected results:
CA created successfully.

Additional info:
Within pki_silent.template line number 1314 reads:-

-external $ca_external} \

which should be:-

-external ${ca_external} \

With the line corrected, step 2 completes successfully and the CA instance is configured correctly.
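The defect in the report, shown as an added example (not code from the bug or from the pki project): with ca_external=true, bash expands the template's `$ca_external}` to `true}` rather than `true`, so the `-external` argument pkisilent receives is malformed. The block also carries a small checker and fixer for that class of typo; the sample template it scans is constructed here, not the real pki_silent.template.

```bash
#!/bin/bash
# Added example (not from the bug report or the pki project).
# Shows what the typo on pki_silent.template line 1314 hands to pkisilent,
# plus a checker and a fixer for that defect class in any shell template.

ca_external=true   # the value the template sets for an externally signed CA

# Mimics the original line "-external $ca_external} \": bash expands the
# variable name and leaves the "}" as a literal, so pkisilent gets "true}".
expand_broken() {
    printf '%s' "-external $ca_external}"
}

# Mimics the corrected line "-external ${ca_external} \".
expand_fixed() {
    printf '%s' "-external ${ca_external}"
}

# Prints "file:line: text" for every line holding a "$name}" reference,
# i.e. a closing brace with no matching "${". Returns 1 if any were found.
# (A "$inner}" inside "${outer:-$inner}" would also match; the template
# quoted in this bug uses only plain ${name} references.)
find_stray_braces() {
    file=$1 found=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if printf '%s' "$line" | grep -Eq '\$[A-Za-z_][A-Za-z0-9_]*\}'; then
            printf '%s:%d: %s\n' "$file" "$n" "$line"
            found=1
        fi
    done < "$file"
    return $found
}

# Rewrites "$name}" to "${name}" on stdin, which is the change the fix made.
fix_stray_braces() {
    sed -E 's/\$([A-Za-z_][A-Za-z0-9_]*)\}/${\1}/g'
}

# Constructed sample (not the real template): one line carries the defect.
make_sample_template() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkisilent ConfigureCA \
       -token_pwd ${ca_token_password} \
       -external $ca_external} \
       -ext_csr_file ${ca_ext_csr_file} \
       | tee ${pki_silent_ca_log}
EOF
    printf '%s' "$f"
}

# Demonstration: expansion difference, then scan and repair the sample.
tmpl=$(make_sample_template)
printf 'broken expansion: %s\nfixed expansion:  %s\n' "$(expand_broken)" "$(expand_fixed)"
find_stray_braces "$tmpl" || printf 'fixed template:\n%s\n' "$(fix_stray_braces < "$tmpl")"
rm -f "$tmpl"
```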
Comment 2 Matthew Harmsen 2012-03-12 20:22:38 EDT
DOGTAG_9_BRANCH:

http://git.fedorahosted.org/git/?p=pki.git;a=commit;h=a99a83ccf6741f7361904689ed79b7dafa5f323f

author Matthew Harmsen <mharmsen@redhat.com> 
 Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
committer Matthew Harmsen <mharmsen@redhat.com> 
 Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
commit a99a83ccf6741f7361904689ed79b7dafa5f323f

Get DOGTAG_9_BRANCH GIT repository in-sync with SVN namesake

Migrated the following bugs:
- Bugzilla Bug #747381 - After the migration (7.1->8.1) CA agent page
  displays admin cert request with authtime attribute twice
- Bugzilla Bug #747019 - Migrated policy requests from 7.1->8.1 displays
  issuedcerts and cert_Info params as base 64 blobs.
- Bugzilla Bug #757848 - DRM re-key tool: introduces a blank line in the
  middle of an ldif entry.

- Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace
  for ca_external variable

16 files changed:
pki/CMakeLists.txt
pki/base/common/src/com/netscape/cms/servlet/request/CertReqParser.java
pki/base/java-tools/src/com/netscape/cmstools/DRMTool.java
pki/base/silent/templates/pki_silent.template
pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/processReq.template
pki/scripts/compose_dogtag_pki_theme_packages
pki/scripts/compose_pki_core_packages
pki/scripts/compose_pki_kra_packages
pki/scripts/compose_pki_ocsp_packages
pki/scripts/compose_pki_tks_packages
pki/specs/dogtag-pki-theme.spec
pki/specs/dogtag-pki.spec
pki/specs/pki-core.spec
pki/specs/pki-kra.spec
pki/specs/pki-ocsp.spec
pki/specs/pki-tks.spec
Comment 3 Matthew Harmsen 2012-03-12 21:22:27 EDT
master:

# git add pki/base/silent/templates/pki_silent.template

# git commit
commit ce69d1c0f83e9dc1d66c58c40ab3b2f5f58cc8fa
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Mon Mar 12 18:19:56 2012 -0700

    Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace
    for ca_external variable

# git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 656 bytes, done.
Total 7 (delta 4), reused 2 (delta 1)
To ssh://git.fedorahosted.org/git/pki.git
   1f759b5..ce69d1c  master -> master
Comment 5 Niranjan Mallapadi Raghavender 2013-02-22 05:33:30 EST
Versions:
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 8.1.1                             Vendor: Red Hat, Inc.
Release     : 1.ecc.el5pki                  Build Date: Tue 19 Feb 2013 02:56:12 PM EST
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-silent
Name        : pki-silent                   Relocations: (not relocatable)
Version     : 8.1.0                             Vendor: Red Hat, Inc.
Release     : 2.ecc.el5pki                  Build Date: Tue 19 Feb 2013 03:09:38 PM EST
Install Date: Tue 19 Feb 2013 09:28:40 AM EST      Build Host: payday.dsdev.sjc.redhat.com
Group       : System Environment/Shells     Source RPM: pki-silent-8.1.0-2.ecc.el5pki.src.rpm
|-------------------------------------------------------------------------------|
Steps to reproduce:

1. Configure CA subsystem  (This will be external CA subsystem)

#!/bin/bash
### script to create ca instance
pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca1          \
          -subsystem_type=ca                 \
          -agent_secure_port=9443            \
          -ee_secure_port=9444               \
          -ee_secure_client_auth_port=9446   \
          -admin_secure_port=9445            \
          -unsecure_port=9180                \
          -tomcat_server_port=9701           \
          -user=pkiuser1                      \
          -group=pkiuser1                     \
          -redirect conf=/etc/pki-ca1        \
          -redirect logs=/var/log/pki-ca1     \
          -verbose
|-------------------------------------------------------------------------------|
2. Check the CA status
[root@rhelcs-1 scripts]# /etc/init.d/pki-ca1 status
pki-ca1 (pid 29326) is running ...

    Unsecure Port       = http://rhelcs-1.example.org:9180/ca/ee/ca
    Secure Agent Port   = https://rhelcs-1.example.org:9443/ca/agent/ca
    Secure EE Port      = https://rhelcs-1.example.org:9444/ca/ee/ca
    Secure Admin Port   = https://rhelcs-1.example.org:9445/ca/services
    EE Client Auth Port = https://rhelcs-1.example.org:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://rhelcs-1.example.org:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca1

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ========================================
    Name:  Example Domain
    URL:   https://rhelcs-1.example.org:9445
    ========================================
|-------------------------------------------------------------------------------|
3. Configure pki_silent.template: copy the template under another name

$cd /usr/share/pki/silent/
$cp pki_silent.template silent 


|-------------------------------------------------------------------------------|
4. Issue pkicreate to install the CA installation 

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca        \
          -subsystem_type=ca                 \
          -agent_secure_port=19443            \
          -ee_secure_port=19444               \
          -ee_secure_client_auth_port=19446   \
          -admin_secure_port=19445            \
          -unsecure_port=19180                \
          -tomcat_server_port=19701           \
          -user=pkiuser                     \
          -group=pkiuser                    \
          -redirect conf=/etc/pki-ca         \
          -redirect logs=/var/log/pki-ca     \
          -verbose
|-------------------------------------------------------------------------------|
5. Modify the CA ports in silent to use the ports below, as the external CA uses the default ports.
Edit /usr/share/pki/silent/silent1 file and specify below CA ports

## CA ports
ca_nonssl_port=19180
ca_agent_port=19443
ca_ee_port=19444
ca_admin_port=19445          
|-------------------------------------------------------------------------------|
6. Edit /usr/share/pki/silent/silent1 and specify below parameters

pki_silent_security_database_repository="/tmp/silent"
pki_silent_security_database_password=redhat
pki_security_domain_name="Example\ Domain"
pki_security_domain_host=`hostname`
pki_security_domain_admin_name=admin
pki_security_domain_admin_password=redhat
pki_ldap_host=localhost
pki_ldap_port=389
pki_bind_dn="cn=Directory\ Manager"
pki_bind_password="redhat@123"
ca_token_name=internal
ca_token_password="302616449511"
ca_backup_password="302616449511"
pki_email_name=root
pki_email_company=example
pki_email_domain=com
pki_silent_admin_user=admin
pki_silent_admin_password=redhat
pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
pki_host=`hostname`
ca_subsystem_name="Certificate\ Authority"
kra_subsystem_name="Data\ Recovery\ Manager"
ocsp_subsystem_name="OCSP\ Responder"
tks_subsystem_name="Token\ Key\ Service"
ra_subsystem_name="Registration\ Authority"
tps_subsystem_name="Token\ Processing\ System"
ca_instance_name="pki-ca"
ca_nonssl_port=19180
ca_agent_port=19443
ca_ee_port=19444
ca_admin_port=19445
pki_silent_ca_log=/tmp/ca.log
ca_external=true
ca_ext_csr_file=/tmp/ext_ca.csr
|-------------------------------------------------------------------------------|
7. Also edit the pki_silent template file silent1 to uncomment the lines that invoke the CA installation to create the CSR (step 1)
##  Configure CA signed by external CA (step 1)
printf "'${pki_silent_script}':  First step in configuring '${ca_instance_name}' . . .\n"
pkisilent ConfigureCA \
       -cs_hostname "${pki_host}" \
       -cs_port ${ca_admin_port} \
       -client_certdb_dir ${pki_silent_security_database_repository} \
       -client_certdb_pwd ${pki_silent_security_database_password} \
       -preop_pin ${ca_preop_pin} \
       -domain_name "${pki_security_domain_name}" \
       -admin_user ${pki_silent_admin_user} \
       -admin_password ${pki_silent_admin_password} \
       -admin_email "${pki_silent_admin_email}" \
       -agent_name ${ca_agent_name} \
       -agent_key_size ${ca_agent_key_size} \
       -agent_key_type ${ca_agent_key_type} \
       -agent_cert_subject "${ca_agent_cert_subject}" \
       -ldap_host ${pki_ldap_host} \
       -ldap_port ${pki_ldap_port} \
       -bind_dn "${pki_bind_dn}" \
       -bind_password ${pki_bind_password} \
       -base_dn "${ca_base_dn}" \
       -db_name "${ca_db_name}" \
       -key_size ${ca_key_size} \
       -key_type ${ca_key_type} \
       -key_algorithm ${ca_key_algorithm} \
       -signing_algorithm ${ca_signing_algorithm} \
        -signing_signingalgorithm ${ca_signing_signingalgorithm} \
        -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
       -save_p12 ${ca_save_p12} \
       -subsystem_name ${ca_subsystem_name} \
       -token_name ${ca_token_name} \
       -token_pwd ${ca_token_password} \
       -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
       -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
       -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
       -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
       -ca_audit_signing_cert_subject_name \
       "${ca_audit_signing_cert_subject_name}" \
       -external ${ca_external} \
        -ext_csr_file  ${ca_ext_csr_file} \
       | tee ${pki_silent_ca_log}

##  Restart CA
#/sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
8. Run the template
/usr/share/pki/silent/silent1 

9. The above creates the certificate request /tmp/ext_ca.csr  

10. Sign the request with the external CA created in Step 1.
	A. Access the EE page: http://<hostname>:9444/ca/ee/ca
	B. Select the "Manual Certificate Manager Signing Certificate Enrollment" 
	C. Paste the request and submit to CA, 
	D. Go to the Agent page and sign the request. 
|-------------------------------------------------------------------------------|
11. Copy the signed CA certificate into the file below

cat /tmp/ca_ext_cert_file.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
|-------------------------------------------------------------------------------|
12. Copy the external CA's signing CA cert into the file below

$ cat /tmp/ca_ext_cert_chain_file.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
|-------------------------------------------------------------------------------|
13. Edit the pki_silent template to specify the signed CA cert file and the external CA chain file. Comment out the parameters below:

#ca_external=true
#ca_ext_csr_file=/tmp/ext_ca.csr

add below lines:

ca_external=true
ca_ext_cert_file=/tmp/ca_ext_cert_file.crt
ca_ext_cert_chain_file=/tmp/ca_ext_cert_chain_file.crt

And uncomment the pkisilent command that invokes step 2, which takes the signed cert and configures the CA.

##  Configure an externally signed CA (step 2)
printf "'${pki_silent_script}':  Step 2 in configuring external signed '${ca_instance_name}' . . .\n"
pkisilent ConfigureCA \
        -cs_hostname "${pki_host}" \
        -cs_port ${ca_admin_port} \
        -client_certdb_dir ${pki_silent_security_database_repository} \
        -client_certdb_pwd ${pki_silent_security_database_password} \
        -preop_pin ${ca_preop_pin} \
        -domain_name "${pki_security_domain_name}" \
        -admin_user ${pki_silent_admin_user} \
        -admin_password ${pki_silent_admin_password} \
        -admin_email "${pki_silent_admin_email}" \
        -agent_name ${ca_agent_name} \
        -agent_key_size ${ca_agent_key_size} \
        -agent_key_type ${ca_agent_key_type} \
        -agent_cert_subject "${ca_agent_cert_subject}" \
        -ldap_host ${pki_ldap_host} \
        -ldap_port ${pki_ldap_port} \
        -bind_dn "${pki_bind_dn}" \
        -bind_password ${pki_bind_password} \
        -base_dn "${ca_base_dn}" \
        -db_name "${ca_db_name}" \
        -key_size ${ca_key_size} \
        -key_type ${ca_key_type} \
        -key_algorithm ${ca_key_algorithm} \
        -signing_algorithm ${ca_signing_algorithm} \
        -signing_signingalgorithm ${ca_signing_signingalgorithm} \
        -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
        -save_p12 ${ca_save_p12} \
        -subsystem_name ${ca_subsystem_name} \
        -token_name ${ca_token_name} \
        -token_pwd ${ca_token_password} \
        -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
        -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
        -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
        -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
        -ca_audit_signing_cert_subject_name \
        "${ca_audit_signing_cert_subject_name}" \
        -external ${ca_external} \
        -ext_ca_cert_file ${ca_ext_cert_file} \
        -ext_ca_cert_chain_file ${ca_ext_cert_chain_file} \
        | tee ${pki_silent_ca_log}

##  Restart CA
/sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
14. Check the /tmp/ca.log file to see the installation status


15.
[root@rhelcs-1 tmp]# /etc/init.d/pki-ca status
pki-ca (pid 30443) is running ...

    Unsecure Port       = http://rhelcs-1.example.org:19180/ca/ee/ca
    Secure Agent Port   = https://rhelcs-1.example.org:19443/ca/agent/ca
    Secure EE Port      = https://rhelcs-1.example.org:19444/ca/ee/ca
    Secure Admin Port   = https://rhelcs-1.example.org:19445/ca/services
    EE Client Auth Port = https://rhelcs-1.example.org:19446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://rhelcs-1.example.org:19445/ca
    Tomcat Port         = 19701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Subordinate CA (Security Domain)

    Registered PKI Security Domain Information:
    ==============================================
    Name:  Example Domain
    URL:   https://rhelcs-1.example.org:19445
    ==============================================
|-------------------------------------------------------------------------------|
Comment 6 Niranjan Mallapadi Raghavender 2013-04-04 05:36:11 EDT
pkisilent configuration for SubCA
=================================

1. Create user pkiuser8

	$useradd -d /usr/share/pki/pkiuser8 -s /sbin/nologin -r pkiuser8

#---------------------------------------------------------------------#

2. Copy the Certicom libraries below and the "initpin" binary to the home directory of pkiuser8

libsbcpgse.so,
libsbgse2.so 
initpin
#---------------------------------------------------------------------#

3. run initpin

[root@nocp2 pkiuser8]# ./initpin 

Security Builder API for PKCS #11 User PIN Initialization Utility
This utility can be used to set the Normal User's PIN


Please enter the directory where the token databases exist or will be created:
/usr/share/pki/pkiuser8 

Enter the Normal User's PIN: 
Re-Enter the Normal User's PIN: 
The Normal User's PIN has been set!
#---------------------------------------------------------------------#

4. Change ownership of the files in /usr/share/pki/pkiuser1 to the pkiuser1 user
	
	$cd /usr/share/pki/pkiuser8
	$chown -R pkiuser8: pkiuser8

#---------------------------------------------------------------------#

5. Create CA instance
[root@nocp2 test]# cat ca.bash 
pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca-Apr4-subca-inst2-nocp2          \
          -subsystem_type=ca                 \
          -agent_secure_port=39543            \
          -ee_secure_port=39544               \
          -ee_secure_client_auth_port=39546   \
          -admin_secure_port=39545            \
          -unsecure_port=39580                \
          -tomcat_server_port=39501           \
          -user=pkiuser8                      \
          -group=pkiuser8                     \
          -redirect conf=/etc/pki-ca-Apr4-subca-inst2-nocp2         \
          -redirect logs=/var/log/pki-ca-Apr4-subca-inst2-nocp2     \
          -verbose

6. Stop the CA instance

[root@nocp2 test]# /sbin/service pki-ca-Apr4-subca-inst2-nocp2 stop
Stopping pki-ca-Apr4-subca-inst2-nocp2: ..                 [  OK  ]

export HOME=/usr/share/pki/pkiuser8
cd /var/lib/pki-ca-Apr4-subca-inst2-nocp2/alias
$modutil -dbdir . -nocertdb -add certicom -libfile /usr/lib64/libsbcpgse.so

#---------------------------------------------------------------------#

7. Add the below line in CS.cfg
ca.requestVerify.token=Certicom FIPS Cert/Key Services

#---------------------------------------------------------------------#

8. Add the environment variable  NSS_USE_DECODED_CKA_EC_POINT  to /usr/bin/dtomcat5-pki-ca-Apr4-subca-inst2-nocp2

#---------------------------------------------------------------------#

9. Add line "hardware-Certicom\ FIPS\ Cert/Key\ Services=redhat" to password.conf

#---------------------------------------------------------------------#
10. Start the instance. 

#---------------------------------------------------------------------#         

11.  Login to non-root user which will administer CA. (In this example user test1)

#---------------------------------------------------------------------#
12. Check that no firefox processes are running
[root@nocp2 alias]# su - test1
[test1@nocp2 ~]$ ps -ef | grep firefox
test1    18751 18722  0 03:54 pts/0    00:00:00 grep firefox

#---------------------------------------------------------------------#

13. Copy the silentEC_subca.template from the /usr/share/pki/silent/ directory to the browser profile directory under a different script name

[test1@nocp2 ~]$ cp /usr/share/pki/silent/silentEC_subca.template .mozilla/firefox/uhn8gnex.default/EC_subca.template

#---------------------------------------------------------------------#
Note: Make sure Certicom token is added to the 

[test1@nocp2 ~]$ cd .mozilla/firefox/oz5a7i6i.ECCSilent
[test1@nocp2 uhn8gnex.default]$ modutil -dbdir . -list -nocertdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services                            
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services                  
        token: NSS Certificate DB

  2. certicom
        library name: /usr/lib64/libsbcpgse.so
         slots: 2 slots attached
        status: loaded

         slot: FIPS Generic Crypto Services V1.0.1d
        token: Certicom FIPS Crypto Services

         slot: FIPS Certificate/Key Services V1.0.1d
        token: Certicom FIPS Cert/Key Services
#---------------------------------------------------------------------#

14. Specify below parameters in EC_subca.template

pki_silent_security_database_repository=/home/test1/.mozilla/firefox/uhn8gnex.default
pki_silent_security_database_password="redhat"
pki_silent_security_token_name="Certicom\ FIPS\ Cert/Key\ Services"

pki_security_domain_name="PKI\ Domain1"
pki_security_domain_host=`hostname`
pki_security_domain_admin_name=admin
pki_security_domain_admin_password=redhat

pki_ldap_host=localhost
pki_ldap_port=389
pki_bind_dn="cn=Directory\ Manager"
pki_bind_password=Secret123

subca_token_name=NHSM6000-OCS
subca_token_password=redhat123

subca_backup_password=redhat
pki_email_name=admin
pki_email_company=example
pki_email_domain=com

pki_silent_admin_user=admin
pki_silent_admin_password=redhat
pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"

subca_subsystem_name="Certificate\ Authority\ 2"
subca_instance_name="pki-ca-Apr4-subca-inst2-nocp2"

ca_nonssl_port=29180
ca_agent_port=29443
ca_ee_port=29444
ca_admin_port=29445

## Subordinate CA ports
subca_nonssl_port=39580
subca_agent_port=39543
subca_ee_port=39544
subca_admin_port=39545
subca_preop_pin=SzTFUBzk4bNwiPzAsWJX
#---------------------------------------------------------------------#

15. Execute the script
[test1@nocp2 uhn8gnex.default]$ ./EC_subca.template

WARNING:  At least one of the security databases
          (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')
          required by 'EC_subca.template' exists at the
          specified location '/home/test1/.mozilla/firefox/oz5a7i6i.ECCSilent'.

          Continue...

Removing old PKI Silent log files:
Done.

'EC_subca.template':  Configuring 'pki-ca-Apr4-subca-inst2-nocp2' . . .
libpath=/usr/lib64

#---------------------------------------------------------------------#

16. After successful configuration we would see the output below:


<snip>

caHost=nocp2.dsdev.sjc.redhat.com
caPort=39545
systemType=ca
Certificate System - Subordinate CA Instance Configured.

#######################################################################
If configured without errors, ask the OS root user to restart the CS instance:
/sbin/service 'pki-ca-Apr4-subca-inst2-nocp2' restart

</snip>
#---------------------------------------------------------------------#


17. Restart the instance.

[root@nocp2 pki-ca-Apr4-extca-inst2-nocp2]# /etc/init.d/pki-ca-Apr4-subca-inst2-nocp2 status
pki-ca-Apr4-subca-inst2-nocp2 (pid 9033) is running ...

    Unsecure Port       = http://nocp2.dsdev.sjc.redhat.com:39580/ca/ee/ca
    Secure Agent Port   = https://nocp2.dsdev.sjc.redhat.com:39543/ca/agent/ca
    Secure EE Port      = https://nocp2.dsdev.sjc.redhat.com:39544/ca/ee/ca
    Secure Admin Port   = https://nocp2.dsdev.sjc.redhat.com:39545/ca/services
    EE Client Auth Port = https://nocp2.dsdev.sjc.redhat.com:39546/ca/eeca/ca
    PKI Console Port    = pkiconsole https://nocp2.dsdev.sjc.redhat.com:39545/ca
    Tomcat Port         = 39501 (for shutdown)

    PKI Instance Name:   pki-ca-Apr4-subca-inst2-nocp2

    PKI Subsystem Type:  Subordinate CA

    Registered PKI Security Domain Information:
    =======================================
    Name:  PKI Domain1
    URL:   https://nocp2.dsdev.sjc.redhat.com:29445
    =======================================
Comment 7 Niranjan Mallapadi Raghavender 2013-04-04 05:39:37 EDT
The comment #6 was wrongly added here. Apologies.
