Hi Simon,
the x509 auth stuff is not fully working in the latest release, it is
fixed in 2.3 which is already tagged on github and will be available as
packages likely next week.
If you don't want to wait or build yourself, it should work if you copy
over the X509 and ClientX509 modules from github.
Have a look at the docs of the module for config examples.
https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Server/Authentication/X509.pm
best regards
Oliver
On 08.02.19 at 16:50, Wessel, Simon wrote:
Hello,
I am trying to figure out the configuration for the X509 authentication
and am wondering if somebody can help me out.
I'm currently running into the following issues:
1) I don't know how the "ca-one-x509-roles.yaml" file is supposed to be
formatted.
I followed the instructions from
https://sourceforge.net/p/openxpki/mailman/message/35827782/ and they
mention the following configuration format:
Joerg Eckert: RA Operator
Using this format stops the server from starting due to the following error:
2019/02/08 13:32:28 FATAL Exception during server
initialization: I18N_OPENXPKI_SERVER_INIT_TASK_INIT_FAILURE;
__EVAL_ERROR__ => requested value is not a scalar at
/usr/share/perl5/Connector/Proxy/YAML.pm line$
; __task__ => authentication
(I18N_OPENXPKI_SERVER_INIT_TASK_INIT_FAILURE; __task__ =>
authentication; __EVAL_ERROR__ => requested value is not a scalar at
/usr/share/perl5/Connector/Proxy/YAML.pm line 78.
Trace begun at
/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Init.pm line 126
OpenXPKI::Server::Init::init('HASH(0x2d2b740)') called
at /usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server.pm line 63
eval {...} at
/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server.pm line 53
OpenXPKI::Server::__init_server('OpenXPKI::Server=HASH(0x43d9280)')
called at /usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server.pm line 109
OpenXPKI::Server::start('OpenXPKI::Server=HASH(0x43d9280)') called at
/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Control.pm line 228
eval {...} at
/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Control.pm line 223
OpenXPKI::Control::start('HASH(0x2132e78)') called at
/usr/bin/openxpkictl line 115
) [pid=19834|]
2) When using the Signature handler (Certificate Challenge/Response) the
following log output is generated in the webui.log file:
2019/02/08 16:27:38 current session status
GET_AUTHENTICATION_STACK [pid=21306|sid=1678]
2019/02/08 16:27:38 not logged in - doing auth - page
is - action is login!stack [pid=21306|sid=1678]
2019/02/08 16:27:38 set auth_stack in session:
Certificate via Webserver [pid=21306|sid=1678]
2019/02/08 16:27:38 Authentication stack: Certificate
via Webserver [pid=21306|sid=1678]
2019/02/08 16:27:38 Selected realm , new status
GET_CLIENT_X509_LOGIN [pid=21306|sid=1678]
2019/02/08 16:27:38 Requested login type CLIENT_X509
[pid=21306|sid=1678]
2019/02/08 16:27:38 unhandled error during auth
[pid=21306|sid=1678]
2019/02/08 16:27:38 request handled [pid=21306|sid=1678]
2019/02/08 16:27:38 uncaught application error
[pid=21306|sid=1678]
From what I understand from the source code, the login handler has not
been called. In the handle_login function in UI.pem no $reply has been
generated and the request just falls through until the end of the
function where the "uncaught application error" line is being printed.
So the part below "} elsif ( $login_type eq 'CLIENT_X509' ) {" doesn't
seem to be executed and thus a login with the X509 does not seem to be
possible regardless of the configuration.
I'd be grateful for any help. Thank you.
Kind regards
Simon Wessel
Working Student
Compliance & Information Security Division
E-Mail: [email protected]
Web: www.adesso-service.com <http://www.adesso-service.com/>
adesso as a service GmbH
Stockholmer Allee 24
44269 Dortmund
adesso as a service GmbH · Registered office: Dortmund
· Dortmund Local Court (Amtsgericht Dortmund) HRB 25321 · Managing Directors: Stefan Schmitt,
Christopher Schmelter
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!