Nabble - EjbCA - Dev

Re: Bug or feature : list end entities with expiring certificates

2009-12-18T02:15:09Z

Hello Maxime,

We have recently made changes to the expiration notifications and I
believe we may have missed how this affect the "Search/edit end
entities" functionality.

Thank you for pointing this out!

I have created https://jira.primekey.se/browse/ECA-1517 so that this
issue should be investigated and fixed.

Kind regards,
Tham Wickenberg

VERAC Maxime wrote:

> Hello everybody,
>
> I'm a bit disappointed by the behaviour of EJBCA.
>
> When, in the "search/edit end entities" menu, I try to list the end entities with certificates expiring within 30 days, it does not work for certificates having their status set to "21", corresponding to the certificates for which an e-mail notification has been done regarding their forthcoming expiration...
>
> Does this correspond to the normal behaviour ?
> Is it possible to use the Certificate Expiration Service without modifying the status of the certificate ?
>
> Best regards,
>
> Maxime VERAC
> Consultant
> Fixe : +33 (0)1 49 03 25 46
> maxime.verac@... <mailto:maxime.verac@...>
> solucom
> Tour Franklin : 100 - 101 terrasse Boieldieu
> 92042 Paris La Défense Cedex
>
> ________________________________
>
> De: Johan Eklund [mailto:ejbca-support@...]
> Date: jeu. 17/12/2009 09:05
> À: ejbca-develop@...
> Objet : Re: [Ejbca-develop] Error ant install - jboss web service
>
>
>
> Hi Joenateen,
>
> The error message that counts in that pretty verbose message is:
>
> "java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080"
>
> This means that JBoss's built in Tomcat can't start since some other application (or an old running JBoss/Tomcat) is using port 8080 already..
>
> Best Regards,
> Johan
>
>
>
> Joenateen skrev:
>
>> Ok, Don't laugh me of the forum for this question. I am checking the JBOSS
>> logs after a failed attempt at installing the EJBCA and I see that it is
>> complaining about a web service here. Do I have to have a seperate web
>> server installed for this to work? Does JBOSS handle that.
>>
>> And yes I am a newbie to EJBCA.
>>
>> 2009-12-16 13:09:01,516 ERROR
>> [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (main)
>> Failed to load profile: Summary of incomplete deployments (SEE PREVIOUS
>> ERRORS FOR DETAILS):
>>
>> DEPLOYMENTS MISSING DEPENDENCIES:
>> Deployment "jboss.web.deployment:war=/ROOT" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/admin-console" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/adminweb" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/doc" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/ejbcaws" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/publicweb" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/publicweb/apply" is missing
>> the following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/publicweb/healthcheck" is
>> missing the following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/publicweb/status" is missing
>> the following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/publicweb/webdist" is missing
>> the following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/ejbca/xkms" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/invoker" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/jbossws" is missing the following
>> dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/jmx-console" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>> Deployment "jboss.web.deployment:war=/web-console" is missing the
>> following dependencies:
>> Dependency "jboss.web:service=WebServer" (should be in state "Create",
>> but is actually in state "** NOT FOUND Depends on
>> 'jboss.web:service=WebServer' **")
>>
>> DEPLOYMENTS IN ERROR:
>> Deployment "WebServer" is in error due to the following reason(s):
>> LifecycleException: Protocol handler initialization failed:
>> java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080
>> Deployment "jboss.web:service=WebServer" is in error due to the following
>> reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **
>>
>> 2009-12-16 13:09:01,516 INFO
>> [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss
>> (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)]
>> Started in 2m:2s:506ms
>>
>>
>>
>
>
> --
> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf
>
>
>
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Bug or feature : list end entities with expiring certificates

2009-12-18T00:37:41Z

Hello everybody,

I'm a bit disappointed by the behaviour of EJBCA.

When, in the "search/edit end entities" menu, I try to list the end entities with certificates expiring within 30 days, it does not work for certificates having their status set to "21", corresponding to the certificates for which an e-mail notification has been done regarding their forthcoming expiration...

Does this correspond to the normal behaviour ?
Is it possible to use the Certificate Expiration Service without modifying the status of the certificate ?

Best regards,

Maxime VERAC
Consultant
Fixe : +33 (0)1 49 03 25 46
maxime.verac@... <mailto:maxime.verac@...>
solucom
Tour Franklin : 100 - 101 terrasse Boieldieu
92042 Paris La Défense Cedex

________________________________

De: Johan Eklund [mailto:ejbca-support@...]
Date: jeu. 17/12/2009 09:05
À: ejbca-develop@...
Objet : Re: [Ejbca-develop] Error ant install - jboss web service

Hi Joenateen,

The error message that counts in that pretty verbose message is:

"java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080"

This means that JBoss's built in Tomcat can't start since some other application (or an old running JBoss/Tomcat) is using port 8080 already..

Best Regards,
Johan

Joenateen skrev:

> Ok, Don't laugh me of the forum for this question. I am checking the JBOSS
> logs after a failed attempt at installing the EJBCA and I see that it is
> complaining about a web service here. Do I have to have a seperate web
> server installed for this to work? Does JBOSS handle that.
>
> And yes I am a newbie to EJBCA.
>
> 2009-12-16 13:09:01,516 ERROR
> [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (main)
> Failed to load profile: Summary of incomplete deployments (SEE PREVIOUS
> ERRORS FOR DETAILS):
>
> DEPLOYMENTS MISSING DEPENDENCIES:
> Deployment "jboss.web.deployment:war=/ROOT" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/admin-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/adminweb" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/doc" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/ejbcaws" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/apply" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/healthcheck" is
> missing the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/status" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/webdist" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/xkms" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/invoker" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/jbossws" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/jmx-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/web-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
>
> DEPLOYMENTS IN ERROR:
> Deployment "WebServer" is in error due to the following reason(s):
> LifecycleException: Protocol handler initialization failed:
> java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080
> Deployment "jboss.web:service=WebServer" is in error due to the following
> reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **
>
> 2009-12-16 13:09:01,516 INFO
> [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss
> (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)]
> Started in 2m:2s:506ms
>
>

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

winmail.dat (12K) Download Attachment

Re: Error ant install - jboss web service

2009-12-17T08:00:09Z

Yes this was the problem. I checked netstat and it was in use. I made the mistake of installing all of NeatBeans 6.x and it installed a service that was taking the port. I remove the install rebooted and started from scratch. I also used JBOSS 4.2.3. So basically, users beware of installing Netbeans with this. Thanks for the help!

Johan Eklund wrote:

Hi Joenateen,

The error message that counts in that pretty verbose message is:

"java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080"

This means that JBoss's built in Tomcat can't start since some other application (or an old running JBoss/Tomcat) is using port 8080 already..

Best Regards,
Johan

Joenateen skrev:
> Ok, Don't laugh me of the forum for this question. I am checking the JBOSS
> logs after a failed attempt at installing the EJBCA and I see that it is
> complaining about a web service here. Do I have to have a seperate web
> server installed for this to work? Does JBOSS handle that.
>
> And yes I am a newbie to EJBCA.
>
> 2009-12-16 13:09:01,516 ERROR
> [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (main)
> Failed to load profile: Summary of incomplete deployments (SEE PREVIOUS
> ERRORS FOR DETAILS):
>
> DEPLOYMENTS MISSING DEPENDENCIES:
> Deployment "jboss.web.deployment:war=/ROOT" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/admin-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/adminweb" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/doc" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/ejbcaws" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/apply" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/healthcheck" is
> missing the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/status" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/publicweb/webdist" is missing
> the following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/ejbca/xkms" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/invoker" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/jbossws" is missing the following
> dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/jmx-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
> Deployment "jboss.web.deployment:war=/web-console" is missing the
> following dependencies:
> Dependency "jboss.web:service=WebServer" (should be in state "Create",
> but is actually in state "** NOT FOUND Depends on
> 'jboss.web:service=WebServer' **")
>
> DEPLOYMENTS IN ERROR:
> Deployment "WebServer" is in error due to the following reason(s):
> LifecycleException: Protocol handler initialization failed:
> java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080
> Deployment "jboss.web:service=WebServer" is in error due to the following
> reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **
>
> 2009-12-16 13:09:01,516 INFO
> [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss
> (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)]
> Started in 2m:2s:506ms
>
>

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@primekey.se for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: Error ant install - jboss web service

2009-12-17T00:05:11Z

Hi Joenateen,

The error message that counts in that pretty verbose message is:

"java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080"

This means that JBoss's built in Tomcat can't start since some other application (or an old running JBoss/Tomcat) is using port 8080 already..

Best Regards,
Johan

Joenateen skrev:

smime.p7s (3K) Download Attachment

Error ant install - jboss web service

2009-12-16T14:12:47Z

Ok, Don't laugh me of the forum for this question. I am checking the JBOSS logs after a failed attempt at installing the EJBCA and I see that it is complaining about a web service here. Do I have to have a seperate web server installed for this to work? Does JBOSS handle that.

And yes I am a newbie to EJBCA.

2009-12-16 13:09:01,516 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (main) Failed to load profile: Summary of incomplete deployments (SEE PREVIOUS ERRORS FOR DETAILS):

DEPLOYMENTS MISSING DEPENDENCIES:
Deployment "jboss.web.deployment:war=/ROOT" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/admin-console" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/adminweb" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/doc" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/ejbcaws" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/publicweb" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/publicweb/apply" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/publicweb/healthcheck" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/publicweb/status" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/publicweb/webdist" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/ejbca/xkms" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/invoker" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/jbossws" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/jmx-console" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
Deployment "jboss.web.deployment:war=/web-console" is missing the following dependencies:
Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")

DEPLOYMENTS IN ERROR:
Deployment "WebServer" is in error due to the following reason(s): LifecycleException: Protocol handler initialization failed: java.net.BindException: Address already in use: JVM_Bind /127.0.0.1:8080
Deployment "jboss.web:service=WebServer" is in error due to the following reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **

2009-12-16 13:09:01,516 INFO [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)] Started in 2m:2s:506ms

Re: Error with EBJCA bootstrap

2009-12-16T12:01:29Z

It was the JRE being picked up in my path instead of the JDK.

Joenateen wrote:

Hello,

I am trying to install the EJBCA package on windows XP and I get an error in conversions in the adminweb.war files, "i think". Has anyone seen this error before?

publicweb.war:
[mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
[copy] Copying 45 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war
[copy] Copied 7 empty directories to 1 empty directory under C:\Sun\ejbca_3
_9_2\tmp\publicweb.war
[copy] Copying 2 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
[war] Building war: C:\Sun\ejbca_3_9_2\dist\publicweb.war

renew.war:

scep.war:
[war] Building war: C:\Sun\ejbca_3_9_2\dist\scep.war

webdist.war:
[war] Building war: C:\Sun\ejbca_3_9_2\dist\webdist.war

status.war:
[war] Building war: C:\Sun\ejbca_3_9_2\dist\status.war

cmp.war:
[war] Building war: C:\Sun\ejbca_3_9_2\dist\cmp.war

healthcheck.war:
[war] Building war: C:\Sun\ejbca_3_9_2\dist\healthcheck.war

adminweb.war:
[mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\WEB-INF\lib
[mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\reports
[copy] Copying 127 files to C:\Sun\ejbca_3_9_2\tmp\adminweb.war
[delete] Deleting: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages\languagefile
.zh.properties
[native2ascii] Converting 1 file from C:\Sun\ejbca_3_9_2\tmp\preprocessed\adminw
eb\languages to C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages
[native2ascii] java.io.UnsupportedEncodingException: GBK

BUILD FAILED
C:\Sun\ejbca_3_9_2\build.xml:63: The following error occurred while executing th
is line:
C:\Sun\ejbca_3_9_2\build.xml:276: conversion failed

Total time: 2 minutes 38 seconds
C:\Sun\ejbca_3_9_2>

_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/171222986/direct/01/
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Message: 7

2009-12-16T11:04:36Z

It was a JRE issue. I had to move the path variable around until I got it to use the JDK.

Hotmail: Powerful Free email with security by Microsoft. Get it now.
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: Error with EBJCA bootstrap

2009-12-16T08:05:44Z

Hi,

my guess is that you don't have the "international" version of java. t
The error you get is when it tries to encoe the chineese language files
for the admin-gui. "unsupported encoding". can you download the full
international jdk instead?

Cheers,
Tomas

On Wed, 16 Dec 2009, Mark Seaborn wrote:

>
> Hello,
>
> I am trying to install the EJBCA package on windows XP and I get an error in conversions in the adminweb.war files, "i think". Has anyone seen this error before?
>
>
>
>
>
>
>
>
>
> publicweb.war:
> [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
> [copy] Copying 45 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war
> [copy] Copied 7 empty directories to 1 empty directory under C:\Sun\ejbca_3
> _9_2\tmp\publicweb.war
> [copy] Copying 2 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\publicweb.war
>
> renew.war:
>
> scep.war:
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\scep.war
>
> webdist.war:
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\webdist.war
>
> status.war:
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\status.war
>
> cmp.war:
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\cmp.war
>
> healthcheck.war:
> [war] Building war: C:\Sun\ejbca_3_9_2\dist\healthcheck.war
>
> adminweb.war:
> [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\WEB-INF\lib
> [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\reports
> [copy] Copying 127 files to C:\Sun\ejbca_3_9_2\tmp\adminweb.war
> [delete] Deleting: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages\languagefile
> .zh.properties
> [native2ascii] Converting 1 file from C:\Sun\ejbca_3_9_2\tmp\preprocessed\adminw
> eb\languages to C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages
> [native2ascii] java.io.UnsupportedEncodingException: GBK
>
> BUILD FAILED
> C:\Sun\ejbca_3_9_2\build.xml:63: The following error occurred while executing th
> is line:
> C:\Sun\ejbca_3_9_2\build.xml:276: conversion failed
>
> Total time: 2 minutes 38 seconds
> C:\Sun\ejbca_3_9_2>
>
> _________________________________________________________________
> Hotmail: Powerful Free email with security by Microsoft.
> http://clk.atdmt.com/GBL/go/171222986/direct/01/

Error with EBJCA bootstrap

2009-12-16T07:51:20Z

Hello,
     I am trying to install the EJBCA package on windows XP and I get an error in conversions in the adminweb.war files, "i think". Has anyone seen this error before?

publicweb.war:
    [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
     [copy] Copying 45 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war
     [copy] Copied 7 empty directories to 1 empty directory under C:\Sun\ejbca_3
_9_2\tmp\publicweb.war
     [copy] Copying 2 files to C:\Sun\ejbca_3_9_2\tmp\publicweb.war\WEB-INF\lib
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\publicweb.war
renew.war:
scep.war:
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\scep.war
webdist.war:
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\webdist.war
status.war:
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\status.war
cmp.war:
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\cmp.war
healthcheck.war:
      [war] Building war: C:\Sun\ejbca_3_9_2\dist\healthcheck.war
adminweb.war:
    [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\WEB-INF\lib
    [mkdir] Created dir: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\reports
     [copy] Copying 127 files to C:\Sun\ejbca_3_9_2\tmp\adminweb.war
   [delete] Deleting: C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages\languagefile
.zh.properties
[native2ascii] Converting 1 file from C:\Sun\ejbca_3_9_2\tmp\preprocessed\adminw
eb\languages to C:\Sun\ejbca_3_9_2\tmp\adminweb.war\languages
[native2ascii] java.io.UnsupportedEncodingException: GBK
BUILD FAILED
C:\Sun\ejbca_3_9_2\build.xml:63: The following error occurred while executing th
is line:
C:\Sun\ejbca_3_9_2\build.xml:276: conversion failed
Total time: 2 minutes 38 seconds
C:\Sun\ejbca_3_9_2>

Re: EJBCA on JBOSS 6.0

2009-12-11T03:51:03Z

Tomas,

I have created the bug [ECA-1511].
I can spend some time to work on it, but I'm not sure to achieve the result.

I keep you informed.

Best regards,
Christophe.

-----Message d'origine-----
De : Tomas Gustavsson [mailto:tomas@...]
Envoyé : vendredi 11 décembre 2009 12:06
À : ejbca-develop@...
Objet : Re: [Ejbca-develop] EJBCA on JBOSS 6.0

Cool, I did not try JBoss 6, didn't see it was there even.

Go ahead and create an issue (jira.primekey.se), but perhaps it's a "new
feature" or "improvement" since JBoss 6 is a new thing and as such it's
not really a bug.

If you have ideas what libraries to change/fix in EJBCa please let us know.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

Christophe PIJCKE wrote:

> Hello all,
>
> I have made a try to setup ejbca (3.9.2) on the newly available jboss 6.0 (M1).
> I encounter "Failed to create a new SAX parser" issue when deploying.
> I wonder if somebody else has tried this.
>
> Looking to internet, this error seems to come from a difference between libraries from jboss and those provided by ejbca.
>
> Being neither an active developer nor an actor of the ejbca project (actually), May I anyway create a bug relating this issue?
>
> Best regards,
> Christophe.
>
>
>
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Return on Information:
> Google Enterprise Search pays you back
> Get the facts.
> http://p.sf.net/sfu/google-dev2dev
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

------------------------------------------------------------------------------
Return on Information:
Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

------------------------------------------------------------------------------
Return on Information:
Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: EJBCA on JBOSS 6.0

2009-12-11T03:05:31Z

Cool, I did not try JBoss 6, didn't see it was there even.

Go ahead and create an issue (jira.primekey.se), but perhaps it's a "new
feature" or "improvement" since JBoss 6 is a new thing and as such it's
not really a bug.

If you have ideas what libraries to change/fix in EJBCa please let us know.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

Christophe PIJCKE wrote:

EJBCA on JBOSS 6.0

2009-12-11T02:05:21Z

Hello all,

I have made a try to setup ejbca (3.9.2) on the newly available jboss 6.0 (M1).

I encounter “Failed to create a new SAX parser” issue when deploying.

I wonder if somebody else has tried this.

Looking to internet, this error seems to come from a difference between libraries from jboss and those provided by ejbca.

Being neither an active developer nor an actor of the ejbca project (actually), May I anyway create a bug relating this issue?

Best regards,

Christophe.

Re: Help on changing server cert name

2009-12-11T01:48:49Z

You can easily issue a new keystore. If you made a "default"
installation before you can simply edit the tomcat user in EJBCA and
change "CN", set password and status to new. You can then batch generate
(bin/ejbca.sh batch) the new tomcat.jks keystore and replace
keystore.jks with this new one.

You can add any new user as you like, and create a jks keystore that can
be used as ssl keystore for a jboss/tomcat server.

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

khsheh wrote:

> I have been using 1 server with Windows 2003, JBOSS and EJBCA for testing. As
> I need to have 2 servers with EJBCA for tesitng, I cloned the original
> machine to another machine.
>
> But the server certificate inside the keystore.jks is bounded to the
> original machine server name. How can I update the the server cert of the
> new machine with the new server name, in the most simple way, besides
> re-installation of JBOSS and EJBCA? I think I need to use the AdminCA1 to
> sign the server cert. But where is the AdminCA1 private key? Is it stored in
> the truststore.jks? I am not familiar with JKS and keytool command for cert
> manipulation, but I have tried and could not find the private key there.
>
> Your help is much appreciated. Thanks.

Help on changing server cert name

2009-12-11T01:21:19Z

I have been using 1 server with Windows 2003, JBOSS and EJBCA for testing. As I need to have 2 servers with EJBCA for tesitng, I cloned the original machine to another machine.

But the server certificate inside the keystore.jks is bounded to the original machine server name. How can I update the the server cert of the new machine with the new server name, in the most simple way, besides re-installation of JBOSS and EJBCA? I think I need to use the AdminCA1 to sign the server cert. But where is the AdminCA1 private key? Is it stored in the truststore.jks? I am not familiar with JKS and keytool command for cert manipulation, but I have tried and could not find the private key there.

Your help is much appreciated. Thanks.

[SPAM] Small Business Magazine

2009-11-23T08:07:17Z

DiversityBusiness Member Benefits

Click here to Subscribe Now

From Super Model To Role Model
Cover Story Kathy Ireland

Global Economic Slowdown and Emerging
Economies

The Benefits of Ergonomics in the Workplace

What Women Want
Effective Marketing to Women

A History of Diversity at American Airlines

Tips for Employers to Safeguard against
Workplace Bullying!

From America's Team... to a World of Opportunity
The Evolution of Dallas Fan Fares

While international opportunities abound, companies must get local to succeed
Far beyond translation, localization respects the culture, symbolism and business environment of emerging economies

One Woman's Journey: Logistics with Technology

Bridging the Multicultural Divide in Business
The Essential Role of Communication in the Global Marketplace

Americas Top Organizations for Multicultural Business Opportunities

Multicultural Marketing In a Weak Economy
This may be the Best Opportunity for Growth.

Top 10 Tips For Growing Your Diverse Business
by Carlton L Highsmith Founder and CEO Specialized Packaging Group

How do you get the most bang out of your marketing campaign?

Click here to Subscribe Now

Our Advertisers

You are receiving this since you/or your associates subscribed your email id to receive the newsletter from DiversityBusiness or its affiliates,

To unsubscribe click HERE

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Update: TLS/SSL Man In The Middle vulnerability - How does it affect EJBCA?

2009-11-19T06:32:42Z

*TLS/SSL Man In The Middle vulnerability - How does it affect EJBCA?*

This is a follow up on the TLS/SSL MITM vulnerability posting we sent on
the 12th of November.

/Re-cap:/
For about two weeks now a description of a vulnerability in the TLS/SSL
protocol has been circulating around the Internet. This is a status
update on our investigation of this issue and potential consequences
this will have for EJBCA. We will provide you with more information
as soon as we know more.

This vulnerability is not a vulnerability in EJBCA, but in the TLS/SSL
protocol that the EJBCA Admin GUI and Web Services depend on.

/Status update:/
RedHat, Debian, Ubuntu and SuSE, and probably other distributions as
well have now released updated apache httpd packages disabling client
initiated re-negotiation. Server initiated re-negotiation is still
enabled which puts some restrictions on the configuration to be secure.

We are still waiting for information about updates to Tomcat/JBoss.

/Recommendations:/
If access to EJBCA's Admin GUI or Web Services is not protected by other
means in your setup, you could take the following precautions:
- Set up an apache httpd front end to EJBCA (using mod_proxy or mod_jk).
- Make sure you use updated apache packages with client initiated
re-negotiation disabled.
- Make sure that all parts of your site that uses SSL or requires SSL
client certificate authentication has the SSL configuration for the
entire site. In the apache httpd config this means that all SSL
directives must be on the VirtualHost. Do not use any SSL directives in
a Location or Directory directive. Never mix unprotected and protected
pages in the same VirtualHost.
- This means that you probably have to run EJBCA Admin GUI on it's own
sub-domain (admin.ca.yourdomain.com) or on it's own port, i.e. use SSL
client certificate authentication for everything on port 443 (or another
port of your choice).

With these precautions it is our understanding that you will be safe
from this vulnerability.

Best Regards,
The EJBCA support team

--
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

smime.p7s (3K) Download Attachment

TLS/SSL Man In The Middle vulnerability - How does it affect EJBCA?

2009-11-12T04:02:33Z

*TLS/SSL Man In The Middle vulnerability - How does it affect EJBCA?*

For about a week now a description of a vulnerability in the TLS/SSL
protocol has been circulating around the Internet. This is a status
update on our investigation of this issue and potential consequences
this will have for EJBCA. We will provide you with more information
as soon as we know more.

This vulnerability is not a vulnerability in EJBCA, but in the TLS/SSL
protocol that the EJBCA Admin GUI and Web Services depends on.

/Full descriptions of the vulnerability:/
- http://www.links.org/?p=780
-
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

/Cause:/
- The TLS/SSL protocol supports renegotiation by default that could be
initiated by both the client and the server. During renegotiation
plain-text can be injected. The reported issue is a TLS / SSL protocol
flaw, and not a bug of any specific implementation.

/Severity:/
This issue has been rated, by RedHat, as having moderate security impact
as successful exploitation of this flaw requires a man-in-the-middle attack.

/Effect on EJBCA:/
An attacker between an EJBCA administrator's browser / EJBCA Web Service
client and the EJBCA server can inject a request to the EJBCA server
using the administrator's credential (and administrative privileges).
This means that an attacker could do anything in the Admin GUI that
could be done by a single click/request. The attacker cannot fetch any
information using the admin's credential, and a successful attack
requires some knowledge about the victims PKI.

/Current status:/
- The underlying problems in the TLS/SSL protocol will take a
considerable amount of time to fix and roll out.
- PrimeKey has registered a support issue at Red Hat and is awaiting
further information, but from the information we got so far it is clear
that JBoss AS is vulnerable to this attack.
- EJBCA uses the Tomcat server in JBoss AS to serve web pages and web
services. Tomcat relies on the TLS/SSL implementation in Java. According
to Red Hat support they are still investigating this.
- If an Apache front end is used for EJBCA the "mod_ssl" TLS
implementation is the vulnerable part. Red Hat is tracking this as
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555 .
- RedHat has released updated httpd packages that change mod_ssl to
reject all client-initiated renegotiations, which mitigates this flaw
for the majority of configurations using mod_ssl to provide HTTPS service.

/Recommendations until JBoss/Apache can be configured safely:/
- Administrators and Web Service clients should not connect using
TLS/SSL to EJBCA over an insecure connection. Using SSH, an non-SSL
based VPN solution or physical access might be a solution.
- If using Apache as a front-end to EJBCA, you should make sure that you
update your httpd packages and ensure that client certificates
authentication is used for the whole <VirtualHost> section where EJBCA
admin resides, not only configured in a <Location> or <Directory>
context section.

Best Regards,
The EJBCA support team

--
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

smime.p7s (3K) Download Attachment

Re: CVC DN's country code in EJBCA

2009-11-11T23:44:14Z

Hi, it is true that the cert-cvc library restricts the use to ISO3166
country codes. It is because this is strictly mandated by the
specification. This will affect any issuance of cvc certificates, both 1
and 2.

I would recommend using your own country code for testing purposes.
(Personally I don't see the rationale behind using fake countries, but
that's just my personal reflection).

If you need to use fake codes you can easily (if you are a java
developer that is), modify the cert-cvc library to skip this check. The
cert-cvc library source code is in the cert-cvc release and the library
is easy to build with a simple 'ant' command. After building a new
library simply replace cert-cvc.jar in ejbca/lib and re-deploy ejbca.

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On Wed, 2009-11-11 at 20:58 -0800, khsheh wrote:

> 1. I am using ejbca 3.9.0. I want to create a CVC CVCA using country code say
> "HX" for subject DN but I get the following error:
>
> javax.ejb.EJBException: java.lang.IllegalArgumentException: Unknown country
> code: HX : java.lang.IllegalArgumentException: Unknown country code: HX
>
> I also find that I can use EJBCA to create X.509 cert with country code say
> "HX" for subject DN. It seems that there is no such restriction for X.509
> when using ejbca.
>
> Is EJBCA only support the ISO 3166 standard on 2 character country code for
> CVC and not other testing ones? My purpose is to create some kind of testing
> CVC CVCA cert with fictitious country code.
>
> 2. Moreover, could I process a foreign country's CVC DV CSR request if the
> foreign country use a fictious country code in the CSR?
>
> Thanks.

CVC DN's country code in EJBCA

2009-11-11T20:58:33Z

1. I am using ejbca 3.9.0. I want to create a CVC CVCA using country code say "HX" for subject DN but I get the following error:

javax.ejb.EJBException: java.lang.IllegalArgumentException: Unknown country code: HX : java.lang.IllegalArgumentException: Unknown country code: HX

I also find that I can use EJBCA to create X.509 cert with country code say "HX" for subject DN. It seems that there is no such restriction for X.509 when using ejbca.

Is EJBCA only support the ISO 3166 standard on 2 character country code for CVC and not other testing ones? My purpose is to create some kind of testing CVC CVCA cert with fictitious country code.

2. Moreover, could I process a foreign country's CVC DV CSR request if the foreign country use a fictious country code in the CSR?

Thanks.

Re: Help on generating IS cert and key

2009-11-04T23:35:05Z

Hi,

that value is used during installation when the server side SSL
certificate is created. In order to change the certificate in an already
installed setup you have to edit the user "tomcat".

What you need to do is the same as for "SSL certificate expire" from the
User Guide at ejbca.org. You need to set the Common Name of the tomcat
user to match you real hostname.

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On Wed, 2009-11-04 at 22:56 -0800, khsheh wrote:

> Dear Johan,
>
> I just discover there is such a a file web.properties in
> EJBCA_HOME/conf/web.properties.sample.
>
> I copy it to web.properties and no matter whether I set the
> httpsserver.hostname=devnbmbsi03 (which is my workstation name) or
> httpsserver.hostname=localhost, I stilll I get the error of "No name
> matching localhost found".
>
> Would you explain more of what I should do? Is there any documentation of
> it? In the command, "ejbcawsracli edituser isrsa1 foo123 false
> "CN=ISRSA1,C=CN" NULL NULL DV-RSA-1 1 USERGENERATED NEW IS IS", how to
> control which server to connect to? Is there anything I should set in
> C:\jboss\server\default\conf\keystore\truststore.jks like importing anything
> to it?
>
> I now only have 1 workstation, and I have tomcat.jks (devnbmbsi03),
> superadmin.jks (superadmin) and truststore.jks (AdminCA1).
>
> Thanks.
>
> Regards,
> Wilson.
>
>
> Hi khsheh,
>
> When you installed EJBCA you specified a server name that is used in the
> server side SSL certificate ( EJBCA_HOME/conf/web.properties:
> httpsserver.hostname=... ).
>
> You must connect to this hostname or the SSL connection will fail, since
> the serverside is issued for a different host than 'localhost'.
>
> Best Regards,
> Johan
>
>

Re: Help on generating IS cert and key

2009-11-04T22:56:38Z

Dear Johan,

I just discover there is such a a file web.properties in EJBCA_HOME/conf/web.properties.sample.

I copy it to web.properties and no matter whether I set the httpsserver.hostname=devnbmbsi03 (which is my workstation name) or httpsserver.hostname=localhost, I stilll I get the error of "No name matching localhost found".

Would you explain more of what I should do? Is there any documentation of it? In the command, "ejbcawsracli edituser isrsa1 foo123 false "CN=ISRSA1,C=CN" NULL NULL DV-RSA-1 1 USERGENERATED NEW IS IS", how to control which server to connect to? Is there anything I should set in C:\jboss\server\default\conf\keystore\truststore.jks like importing anything to it?

I now only have 1 workstation, and I have tomcat.jks (devnbmbsi03), superadmin.jks (superadmin) and truststore.jks (AdminCA1).

Thanks.

Regards,
Wilson.

Hi khsheh,

When you installed EJBCA you specified a server name that is used in the
server side SSL certificate ( EJBCA_HOME/conf/web.properties:
httpsserver.hostname=... ).

You must connect to this hostname or the SSL connection will fail, since
the serverside is issued for a different host than 'localhost'.

Best Regards,
Johan

Re: Help on generating IS cert and key

2009-11-04T02:30:16Z

Hi khsheh,

When you installed EJBCA you specified a server name that is used in the
server side SSL certificate ( EJBCA_HOME/conf/web.properties:
httpsserver.hostname=... ).

You must connect to this hostname or the SSL connection will fail, since
the serverside is issued for a different host than 'localhost'.

Best Regards,
Johan

khsheh skrev:

> Thanks. I now set the correct password in ejbcawsracli.properties for
> superadmin.jks, i.e.:
>
> ejbcawsracli.keystore.path = superadmin.jks
> ejbcawsracli.keystore.password = password
>
> But when I run the following command (the ejbca is in the same Windows
> workstation as I type the command):
> ejbcawsracli edituser isrsa1 foo123 false "CN=ISRSA1,C=CN" NULL NULL
> DV-RSA-1 1 USERGENERATED NEW IS IS
>
> I get the following error on localhost issue Do you have any suggestions.
> Sorry that I am new to the keystore and JBOSS areas.
>
> Thanks.
>
> Trying to add user:
> Username: isrsa
> Subject DN: CN=ISRSA1,C=CN
> Subject Altname: null
> Email: null
> CA Name: DV-RSA-1
> Type: 1
> Token: USERGENERATED
> Status: 10
> End entity profile: IS
> Certificate profile: IS
> Hard Token Issuer Alias: NONE
> Start time: NONE
> End time: NONE
> javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No name matching localhost found
> org.ejbca.ui.cli.ErrorAdminCommandException:
> javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No name matching localhost found
> at
> org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:166)
> at
> org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:34)
> Caused by: javax.xml.ws.WebServiceException:
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No name matching localhost found
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
> at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
> at
> com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
> at
> com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
> at
> com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
> at javax.xml.ws.Service.<init>(Service.java:57)
> at
> org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
> at
> org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:154)
> ... 1 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No name matching localhost found
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> at java.net.URL.openStream(URL.java:1009)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
> ... 12 more
> Caused by: java.security.cert.CertificateException: No name matching
> localhost found
> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
> at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
> ... 25 more
>
>
>
> You have configured the wrong keystore or password in
> ejbcawsracli.properties.
>
> the error is clear .-)
>
> Caused by: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>
> Cheers,
> Tomas
>
>
>

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

smime.p7s (3K) Download Attachment

Re: Help on generating IS cert and key

2009-11-04T02:12:37Z

Thanks. I now set the correct password in ejbcawsracli.properties for superadmin.jks, i.e.:

ejbcawsracli.keystore.path = superadmin.jks
ejbcawsracli.keystore.password = password

But when I run the following command (the ejbca is in the same Windows workstation as I type the command):
ejbcawsracli edituser isrsa1 foo123 false "CN=ISRSA1,C=CN" NULL NULL DV-RSA-1 1 USERGENERATED NEW IS IS

I get the following error on localhost issue Do you have any suggestions. Sorry that I am new to the keystore and JBOSS areas.

Thanks.

Trying to add user:
Username: isrsa
Subject DN: CN=ISRSA1,C=CN
Subject Altname: null
Email: null
CA Name: DV-RSA-1
Type: 1
Token: USERGENERATED
Status: 10
End entity profile: IS
Certificate profile: IS
Hard Token Issuer Alias: NONE
Start time: NONE
End time: NONE
javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
org.ejbca.ui.cli.ErrorAdminCommandException: javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
at org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:166)
at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:34)
Caused by: javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
at com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
at javax.xml.ws.Service.<init>(Service.java:57)
at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
at org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:154)
... 1 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at java.net.URL.openStream(URL.java:1009)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
... 12 more
Caused by: java.security.cert.CertificateException: No name matching localhost found
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 25 more

You have configured the wrong keystore or password in
ejbcawsracli.properties.

the error is clear .-)

Caused by: java.io.IOException: Keystore was tampered with, or password
was incorrect

Cheers,
Tomas

Re: Help on generating IS cert and key

2009-11-02T02:16:35Z

Hi khsheh,

Last cause-by in your stacktraces are:

"Caused by: java.security.UnrecoverableKeyException: Password verification
failed"

Please verify the password use for the client-side SSL keystore.

Best Regards,
Johan

khsheh skrev:

> I am trying to create the IS cert and key. The CVCA documentation say that I
> need to create an end entity for the IS and then use it to create the IS
> cert / key. But I get the following errors when doing so. Is it related to
> my ejbca Web Services being not properly setup or is it related to some
> authentication issue like that in ejbcawsracli.properties? I cannot
> understand the documentaton of how to setup the ejbcawsracli.properties.
> Would you please help how to solve the probelms? My purpose is just to get
> the IS cert and key. Thank you.
>
> 1) Creating an end entity
>
> C:\EJBCA_~1\dist\EJBCAW~1>ejbcawsracli edituser isrsa1 foo123 false
> "CN=ISRSA1,C=CN" NULL NULL DV-RSA-1 1 USERGENERATED NEW IS IS
> Trying to add user:
> Username: isrsa1
> Subject DN: CN=ISRSA1,C=CN
> Subject Altname: null
> Email: null
> CA Name: DV-RSA-1
> Type: 1
> Token: USERGENERATED
> Status: 10
> End entity profile: IS
> Certificate profile: IS
> Hard Token Issuer Alias: NONE
> Start time: NONE
> End time: NONE
> javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> org.ejbca.ui.cli.ErrorAdminCommandException:
> javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:166)
> at
> org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:34)
> Caused by: javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
> at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
> at
> com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
> at
> com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
> at
> com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
> at javax.xml.ws.Service.<init>(Service.java:57)
> at
> org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
> at
> org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:154)
> ... 1 more
> Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException:
> Error constructing implementation (algorithm: Default, provider: SunJSSE,
> class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
> at
> javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:186)
> at
> sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:362)
> at sun.net.NetworkClient.doConnect(NetworkClient.java:145)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
> at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:272)
> at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:329)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)
> at
> sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:793)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> at java.net.URL.openStream(URL.java:1009)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
> ... 12 more
> Caused by: java.security.NoSuchAlgorithmException: Error constructing
> implementation (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at java.security.Provider$Service.newInstance(Provider.java:1245)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
> at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
> at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
> at
> javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:325)
> at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:283)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:65)
> at sun.net.www.protocol.https.Handler.openConnection(Handler.java:42)
> at sun.net.www.protocol.https.Handler.openConnection(Handler.java:37)
> at java.net.URL.openConnection(URL.java:945)
> ... 14 more
> Caused by: java.io.IOException: Keystore was tampered with, or password was
> incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
> at java.security.KeyStore.load(KeyStore.java:1185)
> at
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
> at
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
> at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
> at java.lang.Class.newInstance0(Class.java:355)
> at java.lang.Class.newInstance(Class.java:308)
> at java.security.Provider$Service.newInstance(Provider.java:1221)
> ... 25 more
> Caused by: java.security.UnrecoverableKeyException: Password verification
> failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
> ... 36 more
>
> 2) Due to the above problem, I have created the end entity using the admin
> web page of Add Entity. But I have the problem of creating the IS cert and
> key as follows:
>
> C:\EJBCA_~1\dist\EJBCAW~1>cvcwscli cvcrequest isrsa foo123 "C=CN,CN=HKIS"
> 00005 SHA1WithRSA 1024 true HKIS
>
> Enrolling user:
> Username: isrsa
> Subject name: C=CN,CN=HKIS
> Sequence: 00005
> Signature algorithm: SHA1WithRSA
> Key spec: 1024
> Generating a new request with base filename: HKIS
> Wrote binary request to: HKIS.cvreq
> Wrote private key in PKCS#8 format to to: HKIS.pkcs8
> Submitting CVC request for user 'isrsa'.
>
> javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> org.ejbca.ui.cli.ErrorAdminCommandException:
> javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> org.ejbca.core.protocol.ws.client.CvcRequestCommand.execute(CvcRequestCommand.java:211)
> at org.ejbca.core.protocol.ws.client.cvcwscli.main(cvcwscli.java:30)
> Caused by: javax.xml.ws.WebServiceException: java.net.SocketException:
> java.security.NoSuchAlgorithmException: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
> at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
> at
> com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
> at
> com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
> at
> com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
> at javax.xml.ws.Service.<init>(Service.java:57)
> at
> org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
> at
> org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
> at
> org.ejbca.core.protocol.ws.client.CvcRequestCommand.execute(CvcRequestCommand.java:188)
> ... 1 more
> Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException:
> Error constructing implementation (algorithm: Default, provider: SunJSSE,
> class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at
> javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
> at
> javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:186)
> at
> sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:362)
> at sun.net.NetworkClient.doConnect(NetworkClient.java:145)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
> at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:272)
> at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:329)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)
> at
> sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:793)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> at java.net.URL.openStream(URL.java:1009)
> at
> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
> ... 12 more
> Caused by: java.security.NoSuchAlgorithmException: Error constructing
> implementation (algorithm: Default, provider: SunJSSE, class:
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
> at java.security.Provider$Service.newInstance(Provider.java:1245)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
> at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
> at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
> at
> javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:325)
> at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:283)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:65)
> at sun.net.www.protocol.https.Handler.openConnection(Handler.java:42)
> at sun.net.www.protocol.https.Handler.openConnection(Handler.java:37)
> at java.net.URL.openConnection(URL.java:945)
> ... 14 more
> Caused by: java.io.IOException: Keystore was tampered with, or password was
> incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
> at java.security.KeyStore.load(KeyStore.java:1185)
> at
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
> at
> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
> at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
> at java.lang.Class.newInstance0(Class.java:355)
> at java.lang.Class.newInstance(Class.java:308)
> at java.security.Provider$Service.newInstance(Provider.java:1221)
> ... 25 more
> Caused by: java.security.UnrecoverableKeyException: Password verification
> failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
> ... 36 more
>
> Thanks a lot!
>
>
>
>

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

smime.p7s (3K) Download Attachment

Re: Help on generating IS cert and key

2009-11-02T02:15:13Z

You have configured the wrong keystore or password in
ejbcawsracli.properties.

the error is clear .-)

Caused by: java.io.IOException: Keystore was tampered with, or password
was incorrect

Cheers,
Tomas

khsheh wrote:

Help on generating IS cert and key

2009-11-02T01:47:07Z

I am trying to create the IS cert and key. The CVCA documentation say that I need to create an end entity for the IS and then use it to create the IS cert / key. But I get the following errors when doing so. Is it related to my ejbca Web Services being not properly setup or is it related to some authentication issue like that in ejbcawsracli.properties? I cannot understand the documentaton of how to setup the ejbcawsracli.properties. Would you please help how to solve the probelms? My purpose is just to get the IS cert and key. Thank you.

1) Creating an end entity

C:\EJBCA_~1\dist\EJBCAW~1>ejbcawsracli edituser isrsa1 foo123 false "CN=ISRSA1,C=CN" NULL NULL DV-RSA-1 1 USERGENERATED NEW IS IS
Trying to add user:
Username: isrsa1
Subject DN: CN=ISRSA1,C=CN
Subject Altname: null
Email: null
CA Name: DV-RSA-1
Type: 1
Token: USERGENERATED
Status: 10
End entity profile: IS
Certificate profile: IS
Hard Token Issuer Alias: NONE
Start time: NONE
End time: NONE
javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
org.ejbca.ui.cli.ErrorAdminCommandException: javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:166)
at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:34)
Caused by: javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
at com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
at javax.xml.ws.Service.<init>(Service.java:57)
at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
at org.ejbca.core.protocol.ws.client.EditUserCommand.execute(EditUserCommand.java:154)
... 1 more
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:186)
at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:362)
at sun.net.NetworkClient.doConnect(NetworkClient.java:145)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:272)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:329)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:793)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at java.net.URL.openStream(URL.java:1009)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
... 12 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:325)
at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:283)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:65)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:42)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:37)
at java.net.URL.openConnection(URL.java:945)
... 14 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 25 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
... 36 more

2) Due to the above problem, I have created the end entity using the admin web page of Add Entity. But I have the problem of creating the IS cert and key as follows:

C:\EJBCA_~1\dist\EJBCAW~1>cvcwscli cvcrequest isrsa foo123 "C=CN,CN=HKIS" 00005 SHA1WithRSA 1024 true HKIS

Enrolling user:
Username: isrsa
Subject name: C=CN,CN=HKIS
Sequence: 00005
Signature algorithm: SHA1WithRSA
Key spec: 1024
Generating a new request with base filename: HKIS
Wrote binary request to: HKIS.cvreq
Wrote private key in PKCS#8 format to to: HKIS.pkcs8
Submitting CVC request for user 'isrsa'.

javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
org.ejbca.ui.cli.ErrorAdminCommandException: javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at org.ejbca.core.protocol.ws.client.CvcRequestCommand.execute(CvcRequestCommand.java:211)
at org.ejbca.core.protocol.ws.client.cvcwscli.main(cvcwscli.java:30)
Caused by: javax.xml.ws.WebServiceException: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:162)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parseWSDL(RuntimeWSDLParser.java:188)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:66)
at com.sun.xml.ws.wsdl.WSDLContext.<init>(WSDLContext.java:57)
at com.sun.xml.ws.client.ServiceContextBuilder.build(ServiceContextBuilder.java:60)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:103)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:50)
at javax.xml.ws.Service.<init>(Service.java:57)
at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:36)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:205)
at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:187)
at org.ejbca.core.protocol.ws.client.CvcRequestCommand.execute(CvcRequestCommand.java:188)
... 1 more
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:186)
at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:362)
at sun.net.NetworkClient.doConnect(NetworkClient.java:145)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:272)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:329)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:793)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1041)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at java.net.URL.openStream(URL.java:1009)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:159)
... 12 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:325)
at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:283)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:65)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:42)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:37)
at java.net.URL.openConnection(URL.java:945)
... 14 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 25 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
... 36 more

Thanks a lot!

Re: Problems on ejbca ca importcvca command

2009-10-30T03:18:56Z

Great!

khsheh wrote:

> Thanks Tomas! I can now import my RSA CVCA after correcting my private key
> pkcs8 file.
>
> Regards,
> Wilson.
>
>
> khsheh wrote:
>
>>I use ejbca 3.9.0 and have the following problems:
>>
>>1. I created 2 CVC self signed root CAs by ejbca, one with RSA and other
>>with ECDSA signing algorithms. Then I exported the CA keystores of them to
>>PKCS8 files and also downloaded the CVC certs of them. I then use the
>>following commands. The import for RSA CA is successful but the import for
>>ECDSA CA failed.
>>
>>ejbca ca importcvca rsacvca rsacvca.pkcs8 resacvca.crt.cer
>>"C=SE,CN=RSACVCA"
>>Using JBoss JNDI provider...
>>Testing keys with algorithm: RSA
>>Uisng passed in self signed certificate.
>>
>>ejbca ca importcvca eccvca eccvca.pkcs8 eccvca.crt.cer "C=SE,CN=ECCVCA"
>>Using JBoss JDNI provder ...
>>Testing keys with algorithm: ECDSA
>>java.security.InvalidKeyException: Supplied key
>>(org.bouncycastle.jce.provider.JCEECPrivateKey) is not a RSAPrivateKey
>>instance
>>
>>Do you know why the import for ECDSA CA is not succesful? Is it a
>>limitation of ejbca?
>>Moreover, in the Admin page Import CA Keystore, the input field is PKCS12.
>>But for CVC cert, the Export CA Keystore is only PKCS8. Thus, I cannot use
>>the Admin page Import CA Keystore. Is it normal for ejbca or a new version
>>of ejbca will support PKCS8?
>>
>>2. My contractor provided me a set of CVC RSA 1024 certs and keys. I want
>>to import it to ejbca but have the following errors:
>>
>>ejbca ca importcvca cvcatest1 cvca1024.pkcs8 p_cvca.cvcert
>>"C=SE,CN=CVCATEST1"
>>Using JBoss JNDI provider...
>>Testing keys with algorithm: RSA
>>java.security.InvalidKeyException: Not possible to sign and then verify
>>with key pair.
>>
>>But if I use the X.509 cert (i.e. cvca1024.crt) instead of the cvc cert
>>(i.e. p_cvca.cvcert), the import is successful:
>>ejbca ca importcvca cvcatest1 cvca1024.pkcs8 cvca1024.crt
>>"C=SE,CN=CVCATEST1"
>>Using JBoss JNDI provider...
>>Testing keys with algorithm: RSA
>>Using passed in self signed certificate.
>>
>>Why I have to use the X.509 cert instead of CVC cert? How to solve the
>>problem?
>>
>>Thank you.
>>
>
>

Re: Problems on ejbca ca importcvca command

2009-10-30T03:13:24Z

Thanks Tomas! I can now import my RSA CVCA after correcting my private key pkcs8 file.

Regards,
Wilson.

khsheh wrote:

I use ejbca 3.9.0 and have the following problems:

1. I created 2 CVC self signed root CAs by ejbca, one with RSA and other with ECDSA signing algorithms. Then I exported the CA keystores of them to PKCS8 files and also downloaded the CVC certs of them. I then use the following commands. The import for RSA CA is successful but the import for ECDSA CA failed.

ejbca ca importcvca rsacvca rsacvca.pkcs8 resacvca.crt.cer "C=SE,CN=RSACVCA"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Uisng passed in self signed certificate.

ejbca ca importcvca eccvca eccvca.pkcs8 eccvca.crt.cer "C=SE,CN=ECCVCA"
Using JBoss JDNI provder ...
Testing keys with algorithm: ECDSA
java.security.InvalidKeyException: Supplied key (org.bouncycastle.jce.provider.JCEECPrivateKey) is not a RSAPrivateKey instance

Do you know why the import for ECDSA CA is not succesful? Is it a limitation of ejbca?
Moreover, in the Admin page Import CA Keystore, the input field is PKCS12. But for CVC cert, the Export CA Keystore is only PKCS8. Thus, I cannot use the Admin page Import CA Keystore. Is it normal for ejbca or a new version of ejbca will support PKCS8?

2. My contractor provided me a set of CVC RSA 1024 certs and keys. I want to import it to ejbca but have the following errors:

ejbca ca importcvca cvcatest1 cvca1024.pkcs8 p_cvca.cvcert "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
java.security.InvalidKeyException: Not possible to sign and then verify with key pair.

But if I use the X.509 cert (i.e. cvca1024.crt) instead of the cvc cert (i.e. p_cvca.cvcert), the import is successful:
ejbca ca importcvca cvcatest1 cvca1024.pkcs8 cvca1024.crt "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Using passed in self signed certificate.

Why I have to use the X.509 cert instead of CVC cert? How to solve the problem?

Thank you.

Re: Problems on ejbca ca importcvca command

2009-10-29T04:57:21Z

Hi, in short.

It looks to me it is a limitation that you can not import ECC CVCAs in
EJBCA currently. I opened this issue for that, sorry for the inconvenience:
https://jira.primekey.se/browse/ECA-1458
(there will be several ecc improvements in the next release).

Second, for CVCAs you have to use the command line to import the CVCA.
The GUI will only accept p12 files, which can not be used for CVC.

For your issue nr 1, it should work if the pkcs8 and the cv certificate
have the correct corresponding keys. The error message says that ejbca
ca not sign with the private key and verify with the public. Is it the
correct cv certtificate?
The JBoss server.log file will contain a more detailed error message.
Also if if is possible for you, you can email me the keys and
certificates (test keys I guess) and I can test it.

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

khsheh wrote:

> I use ejbca 3.9.0 and have the following problems:
>
> 1. I created 2 CVC self signed root CAs by ejbca, one with RSA and other
> with ECDSA signing algorithms. Then I exported the CA keystores of them to
> PKCS8 files and also downloaded the CVC certs of them. I then use the
> following commands. The import for RSA CA is successful but the import for
> ECDSA CA failed.
>
> ejbca ca importcvca rsacvca rsacvca.pkcs8 resacvca.crt.cer "C=SE,CN=RSACVCA"
> Using JBoss JNDI provider...
> Testing keys with algorithm: RSA
> Uisng passed in self signed certificate.
>
> ejbca ca importcvca eccvca eccvca.pkcs8 eccvca.crt.cer "C=SE,CN=ECCVCA"
> Using JBoss JDNI provder ...
> Testing keys with algorithm: ECDSA
> java.security.InvalidKeyException: Supplied key
> (org.bouncycastle.jce.provider.JCEECPrivateKey) is not a RSAPrivateKey
> instance
>
> Do you know why the import for ECDSA CA is not succesful? Is it a limitation
> of ejbca?
> Moreover, in the Admin page Import CA Keystore, the input field is PKCS12.
> But for CVC cert, the Export CA Keystore is only PKCS8. Thus, I cannot use
> the Admin page Import CA Keystore. Is it normal for ejbca or a new version
> of ejbca will support PKCS8?
>
> 2. My contractor provided me a set of CVC RSA 1024 certs and keys. I want to
> import it to ejbca but have the following errors:
>
> ejbca ca importcvca cvcatest1 cvca1024.pkcs8 p_cvca.cvcert
> "C=SE,CN=CVCATEST1"
> Using JBoss JNDI provider...
> Testing keys with algorithm: RSA
> java.security.InvalidKeyException: Not possible to sign and then verify with
> key pair.
>
> But if I use the X.509 cert (i.e. cvca1024.crt) instead of the cvc cert
> (i.e. p_cvca.cvcert), the import is successful:
> ejbca ca importcvca cvcatest1 cvca1024.pkcs8 cvca1024.crt
> "C=SE,CN=CVCATEST1"
> Using JBoss JNDI provider...
> Testing keys with algorithm: RSA
> Using passed in self signed certificate.
>
> Why I have to use the X.509 cert instead of CVC cert? How to solve the
> problem?
>
> Thank you.

Problems on ejbca ca importcvca command

2009-10-29T01:59:18Z

I use ejbca 3.9.0 and have the following problems:

1. I created 2 CVC self signed root CAs by ejbca, one with RSA and other with ECDSA signing algorithms. Then I exported the CA keystores of them to PKCS8 files and also downloaded the CVC certs of them. I then use the following commands. The import for RSA CA is successful but the import for ECDSA CA failed.

ejbca ca importcvca rsacvca rsacvca.pkcs8 resacvca.crt.cer "C=SE,CN=RSACVCA"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Uisng passed in self signed certificate.

ejbca ca importcvca eccvca eccvca.pkcs8 eccvca.crt.cer "C=SE,CN=ECCVCA"
Using JBoss JDNI provder ...
Testing keys with algorithm: ECDSA
java.security.InvalidKeyException: Supplied key (org.bouncycastle.jce.provider.JCEECPrivateKey) is not a RSAPrivateKey instance

Do you know why the import for ECDSA CA is not succesful? Is it a limitation of ejbca?
Moreover, in the Admin page Import CA Keystore, the input field is PKCS12. But for CVC cert, the Export CA Keystore is only PKCS8. Thus, I cannot use the Admin page Import CA Keystore. Is it normal for ejbca or a new version of ejbca will support PKCS8?

2. My contractor provided me a set of CVC RSA 1024 certs and keys. I want to import it to ejbca but have the following errors:

ejbca ca importcvca cvcatest1 cvca1024.pkcs8 p_cvca.cvcert "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
java.security.InvalidKeyException: Not possible to sign and then verify with key pair.

But if I use the X.509 cert (i.e. cvca1024.crt) instead of the cvc cert (i.e. p_cvca.cvcert), the import is successful:
ejbca ca importcvca cvcatest1 cvca1024.pkcs8 cvca1024.crt "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Using passed in self signed certificate.

Why I have to use the X.509 cert instead of CVC cert? How to solve the problem?

Thank you.

Re: RE : Ejbca and CSR Approbation

2009-10-28T13:58:14Z

Hi,

I think you are right. The approval settings in EJBCA also handles
renewal (edit end entity) and revocation).

Regards,
Tomas

VERAC Maxime wrote:

> Ok, thanks for your explanation.
>
> So if I understand well, this let me two options :
>
> 1) Tweak a bit the certificate issuance process :
> - Step 1 : the server responsible has a browser certificate to access an administration page of ejbca (with rights limited to create/edit end-entity). He creates an end-entity corresponding to its server.
> - Step 2 : an administrator of EJBCA validates the end-entity creation.
> - Step 3 : the server responsible authenticates to the ejbca public pages with the end entity credentials and can then generate a certificate while providing the public key in a csr, or generate a PKCS12 and let EJBCA create and store the bi-key.
>
> 2) Modify the code to implement the csr validation workflow.
>
> The first option seems easier, I have to see now how I can handle the other processes : renewal (with approbation), revokation and regeneration...
>
> Let me know if I'm wrong.
>
> Regards,
> Maxime VERAC
>
> ________________________________
>
> De: Tomas Gustavsson [mailto:tomas@...]
> Date: lun. 26/10/2009 12:45
> À: ejbca-develop@...
> Objet : Re: [Ejbca-develop] Ejbca and CSR Approbation
>
>
>
>
> It is also possible to build custom workflows using the approval
> mechanism. We have done such work-flows before where the actual CSR is
> submitted as a first step and kept across when the administrator
> approves the addition of the end entity.
>
> (this was done in a project and we never got clearence to release the
> external code under lgpl unfortunately).
>
> It wasn't much though and simply demonstrates that you can custom build
> almost any work-flow with a jsp page and a servlet.
>
> /Tomas
>
> Markus Kilås wrote:
>> Hello Maxime,
>>
>> EJBCA has a concept called approvals that I think is similar but not
>> exactly what you are looking for:
>> http://www.ejbca.org/manual.html#Approving%20Actions
>>
>> You could then configure the certificate profile to require approval
>> when adding an end entity. The request for adding a new end entity will
>> then have to be approved by another administrator and first after that
>> can the certificate be downloaded by the user.
>>
>> However this validation step is before the end entity is created and not
>> after the CSR is submited.
>>
>> What do you want to have validated at the time of CSR submission?
>>
>> The parts that will go into the certificate is taken from the
>> certificate profile and only the public key is read from the CSR so I am
>> not sure if there are anything more to validate.
>>
>>
>> Best Regards,
>> Markus
>>
>>
>> Maxime_V wrote:
>>> Hello,
>>>
>>> I'm currently working on an ejbca demonstration.
>>>
>>> The CSR approbation is a feature I would like to demonstrate, but I do not
>>> know if it's possible to do so with EJBCA (at least I do not know how to do
>>> it).
>>>
>>> I have created and end entity profile and a certificate profile to manage
>>> server certificates.
>>>
>>> I would like that the certificate requesters have their request being
>>> approved by an ejbca administrator before they could download their new
>>> certificate.
>>>
>>> Currently, when I'm testing it, I go to the public pages == > create
>>> certificate from CSR, use my end entity user credentitials, add the csr, and
>>> when I click on the "OK button", I get directly the certificate file ".pem".
>>>
>>> How could I add a validation (approbation) step between the csr submission
>>> and the certificate download ?
>>>
>>> Thanks in advance for your help !
>>>
>>> Regards,
>>>
>>> Maxime
>>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
>
>
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: Setting the pkcs12 friendly name

2009-10-28T04:51:24Z

Hi Maxime,

There is no setting in the GUI for setting the friendly name to anything
other than the CN or if CN is empty to the username.

The method which creates the keystore is
KeyTools.createP12(String,PrivateKey,Certificate,Certificate[]) where
the first parameter is the alias (friendly name).

If you use the EJBCA public web page for retrieving the P12 the method
is called in GenerateToken.java near the end of the file.

Also if you would like to use the command line interface for generating
users you will also have to edit BatchMakeP12.java.

Best Regards,
Markus

Maxime_V wrote:

> Hi,
>
> A server application needs a p12 with a specific friendly name to deploy its
> certificate, which should be different from the CN of the certificate.
>
> When I retrieve the p12 with ejbca, the friendly name equals the CN of the
> certificate.
>
> Is there a way to set a specific friendly name for a particular end entity
> via a web interface ?
>
> If not, could you please indicate me what is the source-file responsible of
> the pkcs12 generation ?
>
> Thanks for your support.
>
> Regards,
>
> Maxime

--

PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Setting the pkcs12 friendly name

2009-10-28T03:41:33Z

Hi,

A server application needs a p12 with a specific friendly name to deploy its certificate, which should be different from the CN of the certificate.

When I retrieve the p12 with ejbca, the friendly name equals the CN of the certificate.

Is there a way to set a specific friendly name for a particular end entity via a web interface ?

If not, could you please indicate me what is the source-file responsible of the pkcs12 generation ?

Thanks for your support.

Regards,

Maxime

Re: What is the "default" password for exporting the CA keystore

2009-10-26T09:43:44Z

Hi,

I have justs fixed a small bug for this for internet explorer. IE is
really a pita for these things...
Anyhow, it will work with IE in EJBCA 3.9.3.

https://jira.primekey.se/browse/ECA-1436

Cheers,
Tomas

Ejbca support wrote:

> No EJBCA does not require any ftp server or anything. Just web. Perhaps
> IE has issues with SSL connections? (IE is very very bad at this). I
> guess it works with FireFox?
>
> What is your IE version?
>
> /Tomas
>
> stupidtss wrote:
>
>> Yes, and thanks. The message does not come out now.
>>
>> However, I still cannot download the file. There is a windows popup saying
>> that "Internet Explorer cannot download exportca from l192.168.95.137.
>> Internet Explorer was not able to open this Internet site. The request site
>> is either unavailable or cannot be found. Please try again later". In the
>> background, there is another File Download windows which is trying to
>> download the file exportca.
>>
>> I know this is not an EJBCA error message, but does EJBCA require any ftp
>> server or something else to support the CA keystore download function? In
>> my PC, I only install JBOSS and EJBCA, and I used to connent to EJBCA via
>> localhost:8080 and 8443. What else is required?
>>
>>
>> Tomas Gustavsson wrote:
>>
>>
>>> There you go, you typed it yourself "Authentication Code: 12345".
>>>
>>> Regards,
>>> Tomas
>>>
>>>
>>> stupidtss wrote:
>>>
>>>
>>>> Here is how I create a new CVC CA:
>>>> Edit Certificate Authorities -> Enter a new name (NewCVC) of the new CVC
>>>> CA
>>>> -> Create ->
>>>> Type of CA: CVC -> CA Token Type: Soft -> Authentication Code: 12345 ->
>>>> Enable auto-activation of CA Token: enable -> Signing Algorithm:
>>>> SHA1WithRSA
>>>> ->
>>>> RSA key size: 1024 -> DSA key size: 1024 -> ECDSA key spec: leave blank
>>>> ->
>>>> Key sequence: 00000 -> Subject DN: CN=foobar, C=MA -> Signed by: Self
>>>> Signed
>>>> ->
>>>> Certificate Profile: ROOTCA -> Validity: 365d -> Description: leave blank
>>>> ->
>>>> Then I click the Create button
>>>>
>>>> Here is how I try to export the keystore:
>>>> Select "NewCVC" (the newly created CVC CA) -> Edit ->
>>>> In "CA export requires the keystore password", enter foo123 ->
>>>> Then I click the Export CA keystore.. button
>>>>
>>>> The same error message come out.
>>>>
>>>> There is no place that I can enter password. Am I making any stupid
>>>> mistakes in the above?
>>>>
>>>>
>>>> Tomas Gustavsson wrote:
>>>>
>>>>
>>>>> On my cvca it work if I enter foo123 in the input field and press
>>>>> "Export CA keystore". I get a pkcs#8 file to download. If I enter the
>>>>> wrong password I get the same as you get.
>>>>>
>>>>> I guess you did not specify another keystore password when you created
>>>>> the CVCA?
>>>>>
>>>>> /Tomas
>>>>>
>>>>>
>>>>> stupidtss wrote:
>>>>>
>>>>>
>>>>>> However, the same message " ... PKCS12 key store mac invalid - wrong
>>>>>> password
>>>>>> or corrupted file." still come out even if I create another new CVC CA.
>>>>>> Is
>>>>>> there any information that may help troubleshoot this case?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Tomas Gustavsson wrote:
>>>>>>
>>>>>>
>>>>>>> In that case yes, it is foo123
>>>>>>>
>>>>>>> stupidtss wrote:
>>>>>>>
>>>>>>>
>>>>>>>> I haven't made any change to that file. The line is still being
>>>>>>>> commented.
>>>>>>>> Is the password still foo123?
>>>>>>>>
>>>>>>>> Tomas Gustavsson wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> it is configured in conf/ejbca.properties ca.keystorepass
>>>>>>>>>
>>>>>>>>> /Tomas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> stupidtss wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I am trying to export a CA keystore, but I do not know the
>>>>>>>>>> password.
>>>>>>>>>> I
>>>>>>>>>> used
>>>>>>>>>> to accept default in most stage of installation. I have tried
>>>>>>>>>> "ejbca"
>>>>>>>>>> but
>>>>>>>>>> it does not work.
>>>>>>>>>>
>>>>>>>>>> Can anyone tell me if there is a default password of this kind, or
>>>>>>>>>> when
>>>>>>>>>> this
>>>>>>>>>> password is set? Thanks a lot.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> Come build with us! The BlackBerry® Developer Conference in SF,
>>>>>>>>> CA
>>>>>>>>> is the only developer event you need to attend this year. Jumpstart
>>>>>>>>> your
>>>>>>>>> developing skills, take BlackBerry mobile applications to market and
>>>>>>>>> stay
>>>>>>>>> ahead of the curve. Join us from November 9-12, 2009. Register
>>>>>>>>> now!
>>>>>>>>> http://p.sf.net/sfu/devconf
>>>>>>>>> _______________________________________________
>>>>>>>>> Ejbca-develop mailing list
>>>>>>>>> Ejbca-develop@...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>>>>>>> is the only developer event you need to attend this year. Jumpstart
>>>>>>> your
>>>>>>> developing skills, take BlackBerry mobile applications to market and
>>>>>>> stay
>>>>>>> ahead of the curve. Join us from November 9-12, 2009. Register
>>>>>>> now!
>>>>>>> http://p.sf.net/sfu/devconf
>>>>>>> _______________________________________________
>>>>>>> Ejbca-develop mailing list
>>>>>>> Ejbca-develop@...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>>>>> is the only developer event you need to attend this year. Jumpstart your
>>>>> developing skills, take BlackBerry mobile applications to market and
>>>>> stay
>>>>> ahead of the curve. Join us from November 9-12, 2009. Register
>>>>> now!
>>>>> http://p.sf.net/sfu/devconf
>>>>> _______________________________________________
>>>>> Ejbca-develop mailing list
>>>>> Ejbca-develop@...
>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>
>>>>>
>>>>>
>>>>>
>>> ------------------------------------------------------------------------------
>>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>>> is the only developer event you need to attend this year. Jumpstart your
>>> developing skills, take BlackBerry mobile applications to market and stay
>>> ahead of the curve. Join us from November 9-12, 2009. Register
>>> now!
>>> http://p.sf.net/sfu/devconf
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejbca-develop@...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>
>>>
>>>
>>>
>>
>>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

RE : Ejbca and CSR Approbation

2009-10-26T05:42:10Z

Ok, thanks for your explanation.

So if I understand well, this let me two options :

1) Tweak a bit the certificate issuance process :
- Step 1 : the server responsible has a browser certificate to access an administration page of ejbca (with rights limited to create/edit end-entity). He creates an end-entity corresponding to its server.
- Step 2 : an administrator of EJBCA validates the end-entity creation.
- Step 3 : the server responsible authenticates to the ejbca public pages with the end entity credentials and can then generate a certificate while providing the public key in a csr, or generate a PKCS12 and let EJBCA create and store the bi-key.

2) Modify the code to implement the csr validation workflow.

The first option seems easier, I have to see now how I can handle the other processes : renewal (with approbation), revokation and regeneration...

Let me know if I'm wrong.

Regards,
Maxime VERAC

________________________________

De: Tomas Gustavsson [mailto:tomas@...]
Date: lun. 26/10/2009 12:45
À: ejbca-develop@...
Objet : Re: [Ejbca-develop] Ejbca and CSR Approbation

It is also possible to build custom workflows using the approval
mechanism. We have done such work-flows before where the actual CSR is
submitted as a first step and kept across when the administrator
approves the addition of the end entity.

(this was done in a project and we never got clearence to release the
external code under lgpl unfortunately).

It wasn't much though and simply demonstrates that you can custom build
almost any work-flow with a jsp page and a servlet.

/Tomas

Markus Kilås wrote:

> Hello Maxime,
>
> EJBCA has a concept called approvals that I think is similar but not
> exactly what you are looking for:
> http://www.ejbca.org/manual.html#Approving%20Actions
>
> You could then configure the certificate profile to require approval
> when adding an end entity. The request for adding a new end entity will
> then have to be approved by another administrator and first after that
> can the certificate be downloaded by the user.
>
> However this validation step is before the end entity is created and not
> after the CSR is submited.
>
> What do you want to have validated at the time of CSR submission?
>
> The parts that will go into the certificate is taken from the
> certificate profile and only the public key is read from the CSR so I am
> not sure if there are anything more to validate.
>
>
> Best Regards,
> Markus
>
>
> Maxime_V wrote:
>> Hello,
>>
>> I'm currently working on an ejbca demonstration.
>>
>> The CSR approbation is a feature I would like to demonstrate, but I do not
>> know if it's possible to do so with EJBCA (at least I do not know how to do
>> it).
>>
>> I have created and end entity profile and a certificate profile to manage
>> server certificates.
>>
>> I would like that the certificate requesters have their request being
>> approved by an ejbca administrator before they could download their new
>> certificate.
>>
>> Currently, when I'm testing it, I go to the public pages == > create
>> certificate from CSR, use my end entity user credentitials, add the csr, and
>> when I click on the "OK button", I get directly the certificate file ".pem".
>>
>> How could I add a validation (approbation) step between the csr submission
>> and the certificate download ?
>>
>> Thanks in advance for your help !
>>
>> Regards,
>>
>> Maxime
>
>

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

winmail.dat (10K) Download Attachment