Hi,
I followed the quickstart guide for the installation of the solution and the
configuration of my realm.
I set an empty value for KEY_PASSWORD (line 27) in the demo shell script named
"sampleconfig.sh" to get random passwords in all .pass files.
So the .pass files contain a random base64 password, and the openxpki user can
read all .pass files:
myrealm/OpenXPKI_Issuing_CA.pass
myrealm/OpenXPKI_Root_CA.pass
myrealm/OpenXPKI_SCEP_CA.pass
myrealm/OpenXPKI_Datavault.pass
I have modified the crypto.yaml file to set the different values of the .pass
files, but I think I don't understand how the crypto.yaml file is constructed.
My crypto.yaml file looks like this:
# API class to be used for different types of *realm* tokens
# Undefined values default to OpenXPKI::Crypto::Backend::API
tokenapi:
    certsign: OpenXPKI::Crypto::Backend::API
    crlsign: OpenXPKI::Crypto::Backend::API
    datasafe: OpenXPKI::Crypto::Backend::API
    scep: OpenXPKI::Crypto::Tool::LibSCEP::API

#TEST <
type:
    certsign: ca-signer
    datasafe: vault
    scep: scep
#TEST >

# System wide token (non key based tokens)
token:
    default:
        backend: OpenXPKI::Crypto::Backend::OpenSSL
        api: OpenXPKI::Crypto::Backend::API
        engine: OpenSSL
        key_store: OPENXPKI

        # OpenSSL binary location
        shell: /usr/bin/openssl

        # OpenSSL binary call gets wrapped with this command
        wrapper: ''

        # random file to use for OpenSSL
        randfile: /var/openxpki/rand

    javaks:
        backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
        api: OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
        engine: OpenSSL
        key_store: OPENXPKI
        shell: /usr/bin/keytool
        randfile: /var/openxpki/rand

#TEST <
    vault:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_DataVault.key

    ca-signer:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_Root_CA.key

    scep:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_SCEP_CA.key
#TEST >

# Secret group to be shared in all realms
secret:
    default:
        label: Global secret group
        export: 0
        method: literal
        value: root
        #value: OFyBqMr4xqaVNV+Xxxxxxxxxxxxxxxxxxb1n14fiwAtvU=
        # if you want to enter the password after startup via the Webui
        # replace method and value above with this block, kcv is optional
        # but highly recommended as wrong passwords let the engine crash
        # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
        # Shared secrets are avail in all realms after been unlocked in one
        #method: plain
        #cache: daemon
        #kcv: $argon2id$v=19$m=32768,t=3,p=1$NmwvcTxxxxxxxxxxxxxxxxxxx8uTK4DI9Ew730Q

#TEST <
    ca-signer:
        label: ca-signer group
        export: 0
        method: literal
        # Value = content of .pass
        value: DHxxx+ioxEAthxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

    vault:
        label: vault group
        export: 0
        method: literal
        # Value = content of .pass
        value: OFxxxxxxr4xqaVNxxxxxxxxxxxxxxxxxxxxxxxxxx=

    scep:
        label: scep
        export: 0
        method: literal
        # Value = content of .pass
        value: r1mxxxxcw/mtF6Lxxxxxxxxxxxxxxxxxxxxxxxxxx=
#TEST >
When I put the contents of my .pass file vault-1 in the "Global secret group",
the vault-1 token status is ONLINE in the OpenXPKI WebUI.
Otherwise it is offline.
Can you help me build my crypto.yaml file correctly so that my ca-signer and
vault tokens are online, please?
The log file tells me the following errors:
2020/11/09 10:29:35 openxpki.application.INFO Failed to resume session #B4INPgPrTciJHRd5iOHoIA==: unknown ID (maybe expired and purged from backend) [pid=28490|]
2020/11/09 10:29:35 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED; __ID__ => B4INPgPrTciJHRd5iOHoIA== [pid=28490|]
2020/11/09 10:29:35 openxpki.system.WARN Invalid message COMMAND received in state WAITING_FOR_AUTHENTICATION_STACK [pid=28490|sid=nvS8]
2020/11/09 10:29:46 openxpki.auth.INFO Login successful using authentication stack 'Operator' (user: 'raop', role: 'RA Operator') [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139969451594880:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139969451594880:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139969451594880:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139969451594880:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139969451594880:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139969451594880:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139969451594880:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139728422380672:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
Thank you for your help.
Best regards,
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
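The OpenSSL lines in the log above ("EVP_DecryptFinal_ex:bad decrypt", then "unable to load signing key file") are what OpenSSL reports when the passphrase it was handed does not decrypt the private key file. Before touching the secret groups in crypto.yaml, it is worth confirming, outside OpenXPKI, which key/.pass pairs actually match. The script below is an added example, written for this page and not taken from the post above or from the OpenXPKI project: it checks every `<name>.key` against the first line of `<name>.pass` with the openssl CLI and reports OK, MISMATCH or MISSING per token. It assumes `openssl` is on the PATH; the token names `vault`, `ca-signer` and `scep` and the temporary key/.pass fixture are constructed for the demo, and the demo keys are PKCS#8-encrypted EC keys rather than whatever format sampleconfig.sh produced.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenXPKI): verify that the
# passphrase stored in each token's .pass file really decrypts that token's
# private key, using only the openssl command line tool.
set -u

# check_key_password KEY PASSFILE
#   Exit 0 if the first line of PASSFILE decrypts the PEM private key in KEY,
#   non-zero otherwise. "-passin file:" reads the first line of the file, which
#   is how a one-line .pass file is normally consumed by openssl.
check_key_password() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# check_pairs DIR NAME...
#   For each NAME, test DIR/NAME.key against DIR/NAME.pass and print one status
#   line. Returns the number of failing pairs, so 0 means every token is fine.
check_pairs() {
    dir="$1"; shift
    failed=0
    for name in "$@"; do
        if [ ! -r "$dir/$name.pass" ]; then
            echo "MISSING  $name (no readable $dir/$name.pass)"
            failed=$((failed + 1))
        elif check_key_password "$dir/$name.key" "$dir/$name.pass"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (password in .pass does not decrypt .key)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# make_encrypted_key KEY PASSFILE
#   Constructed test fixture: write a random base64 passphrase to PASSFILE
#   (the same kind of value sampleconfig.sh generates when KEY_PASSWORD is
#   empty) and store a P-256 private key encrypted under it in KEY.
make_encrypted_key() {
    openssl rand -base64 32 > "$2"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 2>/dev/null \
        | openssl pkey -aes256 -passout "file:$2" -out "$1" 2>/dev/null
}

# Demo on a throw-away directory with hypothetical token names: one matching
# pair, one whose .pass was later overwritten with a different password (the
# "bad decrypt" case from the log), and one token with no .pass file at all.
DEMO=$(mktemp -d)
make_encrypted_key "$DEMO/vault.key" "$DEMO/vault.pass"
make_encrypted_key "$DEMO/ca-signer.key" "$DEMO/ca-signer.pass"
openssl rand -base64 32 > "$DEMO/ca-signer.pass"   # now wrong for ca-signer.key
make_encrypted_key "$DEMO/scep.key" "$DEMO/scep.pass"
rm -f "$DEMO/scep.pass"

if check_pairs "$DEMO" vault ca-signer scep; then
    echo "all token keys unlock with their .pass files"
else
    echo "failing pairs: $?"     # prints "failing pairs: 2" for this demo
fi
```

To use it on a real installation, replace the demo block with `check_pairs /etc/openxpki/ca/myrealm OpenXPKI_Root_CA OpenXPKI_Issuing_CA OpenXPKI_SCEP_CA OpenXPKI_Datavault` and run it as the same system user the OpenXPKI daemon runs under, so that file permissions on the .pass and .key files are tested as well as the passphrases. Note that the check compares file names literally, so a mismatch in case between the key name in crypto.yaml and the .pass file on disk shows up as MISSING rather than MISMATCH.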