Discussion:
[Ejbca-develop] Interop cmpforopenssl with EJBCA
dominic peter
2012-10-09 11:59:14 UTC
Hi,

Has anyone tried to interop the cmpforopenssl client with EJBCA?

I am trying to send an 'ir' request to EJBCA from the cmpforopenssl client
using the following command:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"

I am seeing the following error on the EJBCA after sending the 'ir' request
from the client:

15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.

On the cmpclient I am seeing the following error:

INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"

Any ideas?

Thanks in advance.

Regards
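As an added example (not code from this thread, from cmpforopenssl or from EJBCA), the script below parses the cmpclient error stack quoted above: it unpacks each OpenSSL error code into its lib/func/reason ids using the OpenSSL 1.0.x ERR_PACK layout, and names the CMP PKIBody type reported in the last entry using the PKIBody CHOICE tags from RFC 4210. The decoded stack makes the failure sequence explicit: the client tried to decode an X509 certificate from a reply whose body (type 23) was a CMP error message carrying wrongAuthority, which matches the EJBCA log line.

```python
"""Decode the OpenSSL error-stack lines printed by cmpclient.

OpenSSL 1.0.x prints one error-queue entry per line as
    <pid>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>
and packs <code> as ERR_PACK(lib, func, reason) =
    (lib & 0xFF) << 24 | (func & 0xFFF) << 12 | (reason & 0xFFF).
cmpforopenssl's 'pkibody error' entry puts the CMP PKIBody type and the
PKIStatusInfo into <extra>; body type numbers follow RFC 4210 section 5.1.2.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# PKIBody CHOICE tags from RFC 4210, used to name the "bodytype=N" value.
CMP_BODY_TYPES = {
    0: "ir", 1: "ip", 2: "cr", 3: "cp", 4: "p10cr", 5: "popdecc", 6: "popdecr",
    7: "kur", 8: "kup", 9: "krr", 10: "krp", 11: "rr", 12: "rp", 13: "ccr",
    14: "ccp", 15: "ckuann", 16: "cann", 17: "rann", 18: "crlann", 19: "pkiconf",
    20: "nested", 21: "genm", 22: "genp", 23: "error", 24: "certConf",
    25: "pollReq", 26: "pollRep",
}


def decode_err_code(code: int):
    """Unpack an OpenSSL 1.0.x error code into (lib, func, reason) ids."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


@dataclass
class OpenSSLError:
    pid: int
    code: int
    lib: int
    func: int
    reason: int
    lib_name: str
    func_name: str
    reason_name: str
    file: str
    line: int
    extra: str
    # Filled only for the cmpforopenssl "pkibody error" entry.
    body_type: Optional[int] = None
    body_name: Optional[str] = None
    pki_status: Optional[str] = None
    failure_info: Optional[str] = None


def parse_openssl_error_line(line: str) -> OpenSSLError:
    """Split one error-queue line into its fields and decode the packed code."""
    # maxsplit=8 keeps colons inside the trailing <extra> field intact.
    parts = line.strip().split(":", 8)
    if len(parts) < 8 or parts[1] != "error":
        raise ValueError(f"not an OpenSSL error line: {line!r}")
    extra = parts[8] if len(parts) > 8 else ""
    code = int(parts[2], 16)
    lib, func, reason = decode_err_code(code)
    err = OpenSSLError(int(parts[0]), code, lib, func, reason,
                       parts[3], parts[4], parts[5], parts[6], int(parts[7]), extra)
    m = re.search(r"bodytype=(\d+)", extra)
    if m:
        err.body_type = int(m.group(1))
        err.body_name = CMP_BODY_TYPES.get(err.body_type, "unknown")
    m = re.search(r"PKIStatus:\s*(\w+)", extra)
    if m:
        err.pki_status = m.group(1)
    m = re.search(r"PKIFailureInfo:\s*(\w+)", extra)
    if m:
        err.failure_info = m.group(1)
    return err


def summarize(lines: List[str]) -> List[str]:
    """Parse an error stack and return a one-line explanation per entry."""
    out = []
    for err in map(parse_openssl_error_line, lines):
        s = (f"{err.lib_name}/{err.func_name}: {err.reason_name} "
             f"(lib={err.lib}, func={err.func}, reason={err.reason}) "
             f"at {err.file}:{err.line}")
        if err.body_type is not None:
            s += f"; server sent PKIBody type {err.body_type} ({err.body_name})"
        if err.failure_info:
            s += f", PKIStatus={err.pki_status}, PKIFailureInfo={err.failure_info}"
        out.append(s)
    return out


# Sample input: the three stack lines quoted in the first mail of this thread.
CMPCLIENT_STACK = [
    "3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:",
    "3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509",
    '3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"',
]

if __name__ == "__main__":
    for s in summarize(CMPCLIENT_STACK):
        print(s)
```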
ejbca-support
2012-10-09 12:12:52 UTC
Post by dominic peter
Hi,
Hi Dominic,
Post by dominic peter
Has anyone tried to interop cmpforopenssl client with EJBCA.
Yes,
http://www.ejbca.org/adminguide.html#Interoperability
Post by dominic peter
I am trying to send an 'ir' request to EJBCA from the cmpforopenssl client using the following command,
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=
EN,CN=EETest1"
I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
On the cmpclient i am seeing the following error,
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
And ideas ?
Check configuration.

Cheers,
Anders
tech support
Post by dominic peter
Thanks in advance.
Regards
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
dominic peter
2012-10-10 09:22:26 UTC
Hi Anders,

Thank you very much for the reply.

RA mode:

I checked by updating the cmp configuration for 'RA' mode as per the
link that you sent.
But still I am getting the same error. Following is the content of the
cmp.properties file:

cmp.operationmode=ra
cmp.responseprotection=pbe
cmp.ra.authenticationsecret=password

Am I missing something here? Is just updating the configuration file
enough for the configuration to take effect?

Also can you please help me understand why I am getting the following error
on the EJBCA server:

ERROR [CrmfMessageHandler] Could not extract password from CRMF request
using the RegTokenPwd authentication module

Is this due to some missing parameters in the 'ir' message sent from
cmpclient?

Client Mode:

I also tried by configuring the EJBCA in client mode. In this case, the
'ir' message exchange was successful. But the 'cr' message exchange failed.
Following was the error message on the EJBCA server:

ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer

Any idea what the reason for this error is?

Packet captures for both RA and client mode are attached to this mail.

Also please help me understand the necessary initializations or any other
prerequisites on the cmpclient side if any for interop with EJBCA.

Regards
Dominic
Tomas Gustavsson
2012-10-10 10:08:06 UTC
Hi,

You need to re-deploy after changing configuration.

You also must be more detailed when asking for help. If you are using
cmpforopenssl you need to give the command you are using, otherwise you
may be using an invalid command and there is no way for anyone to know.

Since you are playing around with both RA and Client mode, perhaps you
should tell what you actually want to do?

Cheers,
Tomas
-----
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact ***@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
dominic peter
2012-10-10 10:59:56 UTC
Hi Tomas,

I tried after updating the EJBCA CMP configuration for RA mode and
re-deploying.
The 'ir' message exchange sequence worked fine. But a 'cr' message exchange
after this failed.

Following are the commands that I executed on the cmpforopenssl cmpclient.

Initial request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"

This command was successful and the initial client certificate was
successfully received.

Certificate request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem

This command failed, and the following error was observed on the EJBCA side:

15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15

Any idea why I am getting this error?

I am just trying to test cmpforopenssl (basic CMP message exchanges) with
EJBCA in RA mode. I tried client mode as nothing was working for me
previously.

Regards
Dominic
ejbca-support
2012-10-10 11:49:18 UTC
Post by dominic peter
Hi Tomas,
I tried after updating the EJBCA CMP configuration for RA mode and re-deploying.
The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.
Following are the commands that I executed on the cmpforopenssl cmpclient.
Initial request:
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"
This command was successful and the initial client certificate was successfully received.
Certificate request:
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem
This command failed, and the following error was observed on the EJBCA side:
15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
Any idea why I am getting this error?
Debugging CMP is very difficult.
Is there no stack trace?
You may need to set the JBoss log level to DEBUG.

Cheers,
Anders
tech support
Tomas Gustavsson
2012-10-10 15:19:44 UTC
Yeah, unless you have a very good reason why to use cr instead of ir I
would not spend time digging into it.

The aim with CMP is not to support every one of the 10.000 options of CMP
(nobody can actually do that), but to support real world use cases and
work-flows.
This is why I asked the question "what you actually want to do?".

If it is not a real use case, it is not so interesting for EJBCA to try
to support it.

Cheers,
Tomas
Post by ejbca-support
Post by dominic peter
Hi Tomas,
I tried after updating the EJBCA CMP configuration for RA mode and *re-deploy*.
The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.
Following are the commands that i executed on the cmpforopenssl cmpclient,
*_./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"
This command was successful and the initial client certificate was successfully received.
_*Certificate request:*_
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem
This command failed. and the following error was observed on the EJBCA side.
15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
*15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
Any idea why i am getting this error ?
Debugging CMP is very difficult.
Is there no strack trace?
You may need to set JBoss debug-level to DEBUG.
Cheers,
Anders
tech support
Post by dominic peter
I am just trying to test cmpforopenssl (basic CMP message exchanges) with EJBCA in RA mode. I tried client mode as nothing was working for me previously.
Regards
Dominic
Hi,
You need to re-deploy after changing configuration.
You also must be more detailed when asking for help. If you are using
cmpforopenssl you need to give the command you are using, otherwise you
may be using an invalid command and there is no way for anyone to know.
Since you are playing around with both RA and Client mode, perhaps you
should tell what you actually want to do?
Cheers,
Tomas
-----
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se <http://www.primekey.se> or
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Post by dominic peter
Hi Anders,
Thank you very much for the reply.
*_RA mode:_
*I checked by updating the cmp configuration for '*RA*' mode as per the
link that you sent.
But still i am getting the same error. Following is the content of the
cmp.properties file,
cmp.operationmode=ra
cmp.responseprotection=pbe
cmp.ra.authenticationsecret=password
Am i missing something here ? Is just updating the configuration file
enough for the configurations to take effect ?
Also can you please help me understand why i am getting the following
error on the EJBC server,
*ERROR [CrmfMessageHandler] Could not extract password from CRMF request
using the RegTokenPwd authentication module
*
Is this due to some missing parameters in the 'ir' message sent from
cmpclient ?
_*Client Mode:*_
I also tried by configuring the EJBCA in */client mode/*. In this case,
the 'ir' message exchange was successful. But the 'cr' message exchange
failed. Following was the error message on the EJBCA server,
*ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer*
Any idea what is the reason for this error ?
Packet captures for both RA and client mode is attached to this mail.
Also please help me understand the necessary initializations or any
other prerequisites on the cmpclient side if any for interop with EJBCA.
Regards
Dominic
Post by dominic peter
Hi,
Hi Dominic,
Post by dominic peter
Has anyone tried to interop cmpforopenssl client with EJBCA.
Yes,
http://www.ejbca.org/adminguide.html#Interoperability
Post by dominic peter
I am trying to send an 'ir' request to EJBCA from the
cmpforopenssl client using the following command,
Post by dominic peter
./cmpclient --server localhost --port 8080 --path
ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1
--password test1 --newclcert test1.pem --newkey test1.key --subject
"C=IN,ST=KAR,L=TEST,O=TEST,OU=
Post by dominic peter
EN,CN=EETest1"
I am seeing the following error on the EJBCA after sending the
'ir' request from the client,
Post by dominic peter
15:40:36,975 ERROR [CrmfMessageHandler] Could not extract
password from CRMF request using the RegTokenPwd authentication module
127.0.0.1, process time 217.
Post by dominic peter
On the cmpclient i am seeing the following error,
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c,
LINE 401
Post by dominic peter
3078551176 <tel:3078551176> <tel:3078551176 <tel:3078551176>> <tel:3078551176 <tel:3078551176>
<tel:3078551176 <tel:3078551176>>>:error:0D0680A8:asn1 encoding
Post by dominic peter
3078551176 <tel:3078551176> <tel:3078551176 <tel:3078551176>> <tel:3078551176 <tel:3078551176>
<tel:3078551176 <tel:3078551176>>>:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
Post by dominic peter
3078551176 <tel:3078551176> <tel:3078551176 <tel:3078551176>>:error:32090087:CMP
routines:CMP_doInitialRequestSeq:pkibody
error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection,
PKIFailureInfo: wrongAuthority"
Post by dominic peter
And ideas ?
Check configuration.
Cheers,
Anders
tech support
Post by dominic peter
Thanks in advance.
Regards
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
dominic peter
2012-10-11 09:22:49 UTC
Permalink
Hi Tomas,

I am planning to use the cmpforopenssl CMPv2 client on an End Entity, and I
want to test the following scenarios on the End Entity. For testing the
following scenarios, I have configured the EJBCA CMP in client mode.

1) Get an initial client certificate from the CA
2) Request a new certificate (e.g. upon certificate expiry etc.)
3) Update the client key
4) Get CRL update announcements
5) Get CA key update announcements etc.

I assume that for scenario (1) an 'IR' request can be used and for scenarios
(2) and (3) a 'KUR' request can be used. Am I correct?

Using the following cmpclient command I was able to get the initial client
certificate:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp
--srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password
password --newclcert user1-cert.der --newkey user1-key.pem --subject
"C=SE,CN=user1"

This command was successful and the initial client certificate was received
successfully.

After this I tried to update the client key / get a new certificate using the
following command:

./cmpclient --kur --server localhost --port 8080 --path ejbca/publicweb/cmp
--srvcert ~/Downloads/AdminCA1.cacert.pem --key user1-key.pem --newkey
user1-key-new.pem --clcert user1-cert.der --newclcert user1-cert-new.der

But this command failed; I saw the following log messages on the server:

13:06:23,957 INFO [CmpServlet] CMP message received from: 127.0.0.1.
13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1
not authorized to resource /ca/-1688117755
13:06:23,999 INFO [EndEntityCertificateAuthenticationModule] Admin user1
is not authorized for CA -1688117755
13:06:24,000 ERROR [CrmfKeyUpdateHandler] "CN=user1,C=SE" is not an
authorized administrator.
13:06:24,003 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process
time 46.

Any idea why I am getting this error? Is this some configuration issue?
I am also attaching the packet capture for the same.

Regards
Dominic
Post by Tomas Gustavsson
Yeah, unless you have a very good reason why to use cr instead of ir I
would not spend time digging into it.
The aim with CMP is not to support every one of the 10.000 options of CMP
(nobody can actually do that), but to support real world use cases and
work-flows.
This is why I asked the question "what you actually want to do?".
If it is not a real use case, it is not so interesting for EJBCA to try
to support it.
Cheers,
Tomas
Post by ejbca-support
Post by dominic peter
Hi Tomas,
I tried after updating the EJBCA CMP configuration for RA mode and re-deploy.
The 'ir' message exchange sequence worked fine. But a 'cr' message exchange after this failed.
Following are the commands that I executed on the cmpforopenssl cmpclient,
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"
This command was successful and the initial client certificate was successfully received.
Certificate request:
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem
This command failed, and the following error was observed on the EJBCA side.
15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15
Any idea why I am getting this error?
Debugging CMP is very difficult.
Is there no stack trace?
You may need to set JBoss debug-level to DEBUG.
Cheers,
Anders
tech support
Post by dominic peter
I am just trying to test cmpforopenssl (basic CMP message exchanges) with EJBCA in RA mode. I tried client mode as nothing was working for me previously.
Regards
Dominic
Hi,
You need to re-deploy after changing configuration.
You also must be more detailed when asking for help. If you are using cmpforopenssl you need to give the command you are using, otherwise you may be using an invalid command and there is no way for anyone to know.
Since you are playing around with both RA and Client mode, perhaps you should tell what you actually want to do?
Cheers,
Tomas
-----
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se <http://www.primekey.se> or
information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Post by dominic peter
Hi Anders,
Thank you very much for the reply.
RA mode:
I checked by updating the cmp configuration for 'RA' mode as per the link that you sent.
But still I am getting the same error. Following is the content of the cmp.properties file,
cmp.operationmode=ra
cmp.responseprotection=pbe
cmp.ra.authenticationsecret=password
Am I missing something here? Is just updating the configuration file enough for the configurations to take effect?
Also can you please help me understand why I am getting the following error on the EJBCA server,
ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
Is this due to some missing parameters in the 'ir' message sent from cmpclient?
Client Mode:
I also tried by configuring the EJBCA in client mode. In this case, the 'ir' message exchange was successful. But the 'cr' message exchange failed. Following was the error message on the EJBCA server,
ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
Any idea what is the reason for this error?
Packet captures for both RA and client mode are attached to this mail.
Also please help me understand the necessary initializations or any other prerequisites on the cmpclient side if any for interop with EJBCA.
Regards
Dominic
On Tue, Oct 9, 2012 at 5:42 PM, ejbca-support <
Post by dominic peter
Hi,
Hi Dominic,
Post by dominic peter
Has anyone tried to interop cmpforopenssl client with EJBCA.
Yes,
http://www.ejbca.org/adminguide.html#Interoperability
Post by dominic peter
I am trying to send an 'ir' request to EJBCA from the cmpforopenssl client using the following command,
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
127.0.0.1, process time 217.
On the cmpclient I am seeing the following error,
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
3078551176:error:0D0680A8:asn1 encoding
3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
Any ideas?
Check configuration.
Cheers,
Anders
tech support
Post by dominic peter
Thanks in advance.
Regards
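Worked example added here, not code from the thread, from EJBCA or from cmpforopenssl: the password-based MAC (PBM) protection of RFC 4210 section 5.1.3.1 that the quoted cmp.responseprotection=pbe setting relies on and that a verifier such as the CmpPbeVerifyer named in the quoted log presumably checks. Both sides derive BASEKEY by hashing secret||salt iterationCount times and then HMAC the protectedPart; a client that does not share the RA's secret (cmp.ra.authenticationsecret=password in the quoted cmp.properties) fails verification. The protectedPart bytes, salt values and secrets below are constructed; the PBMParameter class only mirrors the ASN.1 field names and does no DER encoding.

```python
"""CMP PasswordBasedMac (RFC 4210 5.1.3.1), constructed illustration only.

Assumptions: the RA/CA side holds the shared secret (the value of
cmp.ra.authenticationsecret in the quoted cmp.properties) and the client
uses the same secret; protectedPart is handed in as bytes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PBMParameter:
    """Mirrors the PBMParameter fields carried in PKIHeader.protectionAlg."""
    salt: bytes
    owf: str = "sha1"            # one-way function used to derive BASEKEY
    iteration_count: int = 1000  # how many times the OWF is applied
    mac: str = "sha1"            # hash used by the HMAC over protectedPart


def pbm_basekey(shared_secret: bytes, params: PBMParameter) -> bytes:
    """BASEKEY: OWF(secret || salt), then OWF re-applied until iterationCount applications."""
    if params.iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    digest = hashlib.new(params.owf, shared_secret + params.salt).digest()
    for _ in range(params.iteration_count - 1):
        digest = hashlib.new(params.owf, digest).digest()
    return digest


def pbm_protect(protected_part: bytes, shared_secret: bytes,
                params: PBMParameter) -> bytes:
    """Value the sender places in PKIMessage.protection: HMAC(BASEKEY, protectedPart)."""
    key = pbm_basekey(shared_secret, params)
    return hmac.new(key, protected_part, params.mac).digest()


def pbm_verify(protected_part: bytes, protection: bytes, shared_secret: bytes,
               params: PBMParameter) -> bool:
    """Receiver-side check with a constant-time comparison of the MAC values."""
    expected = pbm_protect(protected_part, shared_secret, params)
    return hmac.compare_digest(expected, protection)


# Constructed stand-in for DER(protectedPart) = SEQUENCE { header, body }.
# A real implementation MACs the DER bytes; the algorithm is the same.
SAMPLE_PROTECTED_PART = b"constructed-PKIHeader||PKIBody for an ir from user1"


def demo(ra_secret: bytes = b"password", client_secret: bytes = b"password",
         salt: Optional[bytes] = None) -> dict:
    """Client protects, RA verifies. Reports the accept/reject outcome per case."""
    params = PBMParameter(salt=salt if salt is not None else os.urandom(16))
    protection = pbm_protect(SAMPLE_PROTECTED_PART, client_secret, params)
    tampered = SAMPLE_PROTECTED_PART + b"!"   # header/body altered in transit
    return {
        "accepted": pbm_verify(SAMPLE_PROTECTED_PART, protection, ra_secret, params),
        "tampered_accepted": pbm_verify(tampered, protection, ra_secret, params),
        "basekey_len": len(pbm_basekey(ra_secret, params)),
    }


if __name__ == "__main__":
    print("same secret on both sides:", demo())
    print("client uses a different secret:", demo(client_secret=b"wrong"))
```

The check only succeeds when the client actually sends PBM-protected messages with the RA's secret; a message protected by a signature over an existing certificate (what a kur with --clcert/--key amounts to) is routed to a different authentication path, which is consistent with the EndEntityCertificateAuthenticationModule lines in the quoted kur log.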
Tomas Gustavsson
2012-10-13 10:58:56 UTC
Permalink
Hi Peter,

CMP is quite complex and usually needs different configuration for
different use cases. All use cases so far use different CMP options and
ways of operating. We are supporting several different types in EJBCA
like different card management systems, 3GPP/LTE networks and various
custom apps.

Investigating for a new use case will be a bit time consuming. We
(meaning PrimeKey) do not have time to spend a few hours on this right
now. If you like you can contact me off-line if you want to dive deeper
into the secrets of CMP.
