Hi,

Thank you for your help, Oliver!!
I have modified my
realms.crypto file and the status of my system is good.
My tokens are online. I didn't use the import function but
I directly added my tokens and .pass file in the same file.

Is there any special documentation for
the configuration of the crypto file?
Here is the result below, do you think it is correct
and do you have recommendations if not?
(I also have a doubt about the SCEP section)



type:
  certsign: ca-signer
  datasafe: vault
  scep: scep


token:
  ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    api:     OpenXPKI::Crypto::Backend::API
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI
    shell: /usr/bin/openssl
    wrapper: ''
    randfile: /var/openxpki/rand
    secret: ca-signer
    key: /etc/openxpki/ca/prod/openXPKI_Issuing_CA.key

  vault:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    api:     OpenXPKI::Crypto::Backend::API
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI
    shell: /usr/bin/openssl
    wrapper: ''
    randfile: /var/openxpki/rand
    secret: vault
    key: /etc/openxpki/ca/prod/vault-1.pem

  scep:
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    api:     OpenXPKI::Crypto::Tool::LibSCEP::API
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: DATAPOOL
    shell: /usr/bin/openssl
    wrapper: ''
    randfile: /var/openxpki/rand
    secret: scep
    key: /etc/openxpki/ca/prod/openXPKI_SCEP_CA.key

#############################

secret:
    vault:
        label: VAULT SECRET
        export: 0
        method: literal
        value: XvDSzVLn3xxxxxxxxxxxxxxxxxxxxxxxxx=

    ca-signer:
        label: CA-SIGNER SECRET
        export: 0
        method: literal
        value: /WhT6xxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

    scep:
        label: SCEP SECRET
        export: 0
        method: literal
        value: 7rEXLV1xxxxxxxxxxxxxxxxxxxxxxxxxxxx=



Thank you for your help.
Best regards,




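Added example, written for this thread and not part of OpenXPKI or of either mail: a small Python script that reads a realm crypto.yaml in the restricted form shown in this message and in the quickstart-style file quoted below, resolves `inherit:` chains, and reports each entry of `type:` that points at an undefined token, has no `key`, names no `secret:` group, or names a group that is not defined in the realm file. It assumes, as the working config above shows, that a token takes its password from the secret group named by its `secret:` key; it uses its own parser for this YAML subset rather than PyYAML, and the two embedded configs are constructed to mirror the broken and the working files in the thread, with placeholder secret values.

```python
# Added example, not OpenXPKI code: structural check of a realm crypto.yaml.
# Assumes the restricted YAML subset seen in this thread (nested scalar mappings,
# '#' comments, 'inherit:' between tokens) and that a token's password comes
# from the secret group named by its 'secret:' key. No PyYAML is needed.

def parse_simple_yaml(text):
    """Parse nested key/value mappings by indentation. Not a general YAML parser."""
    root = {}
    stack = [(-1, root)]                   # (indent, mapping) from root downwards
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue                       # blank line or full-line comment
        line = line.split(' #', 1)[0]      # drop a trailing comment
        indent = len(line) - len(line.lstrip(' '))
        key, _, value = line.strip().partition(':')
        value = value.strip()
        while indent <= stack[-1][0]:      # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == '':                    # 'token:' opens a nested mapping
            parent[key] = child = {}
            stack.append((indent, child))
        else:
            parent[key] = '' if value in ("''", '""') else value
    return root

def resolve_token(tokens, name, _seen=()):
    """Merge a token with its 'inherit' parent(s); the child's own keys win."""
    tok = tokens.get(name)
    if tok is None:
        return None
    merged, parent = {}, tok.get('inherit')
    if parent and parent not in _seen:     # _seen guards against inherit loops
        merged.update(resolve_token(tokens, parent, _seen + (name,)) or {})
    merged.update({k: v for k, v in tok.items() if k != 'inherit'})
    return merged

def check_realm_crypto(text):
    """Return findings that would leave a token offline; an empty list means OK."""
    cfg = parse_simple_yaml(text)
    tokens, secrets, findings = cfg.get('token', {}), cfg.get('secret', {}), []
    for usage, alias in cfg.get('type', {}).items():
        tok = resolve_token(tokens, alias)
        if tok is None:
            findings.append(f"{usage}: token '{alias}' is not defined")
            continue
        if not tok.get('key'):
            findings.append(f"{usage}: token '{alias}' has no 'key' path")
        group = tok.get('secret')
        if group is None:
            findings.append(f"{usage}: token '{alias}' names no 'secret' group, "
                            f"so a secret group called '{alias}' is not used for it")
        elif group not in secrets:
            findings.append(f"{usage}: secret group '{group}' is not defined in the realm file")
    return findings

# Constructed sample in the shape of the quickstart-style file quoted below:
# tokens inherit 'default' and never say which secret group holds their password.
BROKEN = """
type:
  certsign: ca-signer
  datasafe: vault
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
  ca-signer:
    inherit: default
    key: /etc/openxpki/ca/myrealm/OpenXPKI_Root_CA.key
  vault:
    inherit: default
    key: /etc/openxpki/ca/myrealm/OpenXPKI_DataVault.key
secret:
  default:
    value: root
  ca-signer:
    value: placeholder-from-pass-file=
"""

# Constructed sample in the shape of the working file: each token names its group.
FIXED = """
type:
  certsign: ca-signer
  datasafe: vault
token:
  ca-signer:
    secret: ca-signer
    key: /etc/openxpki/ca/prod/openXPKI_Issuing_CA.key
  vault:
    secret: vault
    key: /etc/openxpki/ca/prod/vault-1.pem
secret:
  ca-signer:
    value: placeholder-from-pass-file=
  vault:
    value: placeholder-from-pass-file=
"""

if __name__ == "__main__":
    print("broken:", check_realm_crypto(BROKEN), "\nfixed:", check_realm_crypto(FIXED) or "OK")
```

Running it reports two findings for the first sample (neither token names a secret group, which matches the thread, where only the password placed in the global group unlocked anything) and OK for the second. Oliver's alternative of pulling a group in from system/crypto.yaml with the "import" syntax is not modelled here, so a group that exists only in the system file would be reported as undefined.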
________________________________
From: Oliver Welter <[email protected]>
Sent: Monday, November 9, 2020 4:43 PM
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] edit : Token not available - Unable to load signing key file

Hi,

it looks like you are mixing up the crypto.yaml in system and in your realm - 
those are separate files!

Your key/token definitions MUST be in the realms crypto.yaml, the secrets MUST 
also be defined there but CAN use the "import" syntax which loads the 
definitions from the system/crypto.yaml.

Oliver

On 09.11.20 at 12:08, John Lemona wrote:
Hi,

I followed the quickstart guide for the installation of the solution and the
configuration of my realm.
I set an empty value for KEY_PASSWORD (line 27) in the demo shell script
named "sampleconfig.sh" to get random passwords in all .pass files.

So, the .pass files contain a random base64 password and the openxpki user
can read all .pass files:

myrealm/OpenXPKI_Issuing_CA.pass
myrealm/OpenXPKI_Root_CA.pass
myrealm/OpenXPKI_SCEP_CA.pass
myrealm/OpenXPKI_Datavault.pass

I have modified the crypto.yaml file to set the different values
of the .pass files, but I think I don't understand how
the crypto.yaml file is constructed.

My crypto.yaml file looks like this:



# API class to be used for different types of *realm* tokens
# Undefined values default to OpenXPKI::Crypto::Backend::API
tokenapi:
  certsign:      OpenXPKI::Crypto::Backend::API
  crlsign:       OpenXPKI::Crypto::Backend::API
  datasafe:      OpenXPKI::Crypto::Backend::API
  scep:          OpenXPKI::Crypto::Tool::LibSCEP::API

#TEST <
type:
  certsign: ca-signer
  datasafe: vault
  scep: scep
#TEST >

# System wide token (non key based tokens)
token:
    default:
        backend: OpenXPKI::Crypto::Backend::OpenSSL
        api:     OpenXPKI::Crypto::Backend::API
        engine:  OpenSSL
        key_store: OPENXPKI
        # OpenSSL binary location
        shell: /usr/bin/openssl

        # OpenSSL binary call gets wrapped with this command
        wrapper: ''

        # random file to use for OpenSSL
        randfile: /var/openxpki/rand

    javaks:
        backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
        api:     OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
        engine:  OpenSSL
        key_store: OPENXPKI
        shell: /usr/bin/keytool
        randfile: /var/openxpki/rand
#TEST <
    vault:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_DataVault.key

    ca-signer:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_Root_CA.key

    scep:
        inherit: default
        key: /etc/openxpki/ca/myrealm/OpenXPKI_SCEP_CA.key
#TEST >

# Secret group to be shared in all realms
secret:
    default:
        label: Global secret group
        export: 0
        method: literal
        value: root
        #value: OFyBqMr4xqaVNV+Xxxxxxxxxxxxxxxxxxb1n14fiwAtvU=

        # if you want to enter the password after startup via the Webui
        # replace method and value above with this block, kcv is optional
        # but highly recommended as wrong passwords let the engine crash
        # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
        # Shared secrets are avail in all realms after been unlocked in one
        #method: plain
        #cache: daemon
        #kcv: $argon2id$v=19$m=32768,t=3,p=1$NmwvcTxxxxxxxxxxxxxxxxxxx8uTK4DI9Ew730Q

#TEST <
    ca-signer:
        label: ca-signer group
        export: 0
        method: literal
# Value = contents of the .pass file
        value: DHxxx+ioxEAthxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

    vault:
        label: vault group
        export: 0
        method: literal
# Value = contents of the .pass file
        value: OFxxxxxxr4xqaVNxxxxxxxxxxxxxxxxxxxxxxxxxx=

    scep:
        label: scep
        export: 0
        method: literal
# Value = contents of the .pass file
        value: r1mxxxxcw/mtF6Lxxxxxxxxxxxxxxxxxxxxxxxxxx=
#TEST >




When I put the contents of my .pass file vault-1 in the
"Global secret group", the vault-1 token status is ONLINE
in the OpenXPKI WebUI. Otherwise it is offline.

Can you help me to build my crypto.yaml file correctly
so that my ca-signer and vault tokens are online please?
The log file tells me the following errors:





2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139969451594880:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139969451594880:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139969451594880:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139969451594880:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139969451594880:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139969451594880:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139969451594880:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
 [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139728422380672:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file



Thank you for your help.
Best regards,





_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!
