Hi Marc,

Yep, I saw it in the log, but it's strange because I typed the correct password (copy and paste to avoid errors).
I also tried to use the same password for all parameters in both servers just to test, but it failed. I don't know exactly if something is missing in the myconfig.txt file on server01 or on server02, or if I skipped some step. The steps are: configure a directory server and create a config file to be used by pkispawn, on both servers, and then run pkispawn -s Ca -f myconfig.txt. Is that right, or is it necessary to do anything else?

Many thanks!

On Aug 19, 2016 10:57 PM, "Marc Sauton" <[email protected]> wrote:

> the password provided for the uid caadmin may have been "incorrect"
> Thanks,
> M.
>
> On 08/19/2016 10:45 AM, Leonardo Bacha Abrantes wrote:
>
> Hi, below my debug log
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SessionContextInterceptor: Not authenticated.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: mapping: default
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: required auth methods: [*]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: AuthMethodInterceptor: anonymous access allowed
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor.filter: no authorization required
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: ACLInterceptor: No ACL mapping; authz not required.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
>
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: content-type: null
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: accept: [application/json]
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: MessageFormatInterceptor: response format: application/json
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory: init
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapBoundConnFactory:doCloning true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init begins
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: prompt is internaldb
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: try getting from memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: got password from memory
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init: password found for prompt.
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: password ok: store in memory cache
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: LdapAuthInfo: init ends
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: init: before makeConnection errorIfDown is false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: makeConnection: errorIfDown false
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: Established LDAP connection using basic authentication to host root-ca.xxxxx.xxx.xx port 389 as cn=ldapadmin
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: initializing with mininum 3 and maximum 15 connections to host root-ca.xxxxx.xxx.xx port 389, secure connection, false, authentication type 1
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: increasing minimum connections by 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new total available connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: new number of connections 3
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: masterConn is connected: true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: conn is connected true
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: name: xxxxx.xxx.xx Security Domain
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn=root-ca.xxxxx.xxx.xx:8443,cn=CAList,ou=Security Domain,o=pki-RootCA-CA
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - objectClass: top
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - host: root-ca.xxxxx.xxx.xx
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecurePort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAgentPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureAdminPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - UnSecurePort: 8080
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - Clone: FALSE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - SubsystemName: CA root-ca.xxxxx.xxx.xx 8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - cn: root-ca.xxxxx.xxx.xx:8443
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: - DomainManager: TRUE
> [03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: OCSP
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: KRA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: RA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TKS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SecurityDomainProcessor: subtype: TPS
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: Releasing ldap connection
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: UID: caadmin
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: In LdapBoundConnFactory::getConn()
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: masterConn is connected: true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: conn is connected true
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: getConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 3
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory::getConn
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: LdapAnonConnFactory.getConn(): num avail conns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: returnConn: mNumConns now 2
> [03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
>
> any help will be very much appreciated!
>
> On Fri, Aug 19, 2016 at 7:28 AM, Leonardo Bacha Abrantes <[email protected]> wrote:
>
>> Hi guys,
>>
>> I'm trying to configure a subordinate CA, but am receiving the message "ERROR: Unable to access security domain: 401 Client Error: Unauthorized".
>>
>> I follow these steps:
>>
>> ===>> On Server01 (root-ca):
>>
>> setup-ds.pl --silent General.FullMachineName=root-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-RootCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=PASSWORD
>>
>> > myconfig.txt
>>
>> [DEFAULT]
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_admin_password=Root-CA_pwd
>> pki_client_database_password=Root-CA_pwd
>> pki_client_pkcs12_password=Root-CA_pwd
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=Root-CA_pwd
>> pki_security_domain_password=Root-CA_pwd
>> pki_instance_name=pki-RootCA
>>
>> [CA]
>> pki_ca_signing_subject_dn=cn=EXAMLE Root Certification Authority,o=XXXXXXXXXXX,c=BR
>> pki_admin_nickname=PKI Administrator for EXAMPLE
>> pki_admin_subject_dn=cn=PKI Administrator Root CA,[email protected],o=XXXXXXXXXX,c=BR
>> [email protected]
>>
>> ===>> On Server02 (Sub-ca):
>>
>> setup-ds.pl --silent General.FullMachineName=sub-ca.xxx.xxx.xx \
>> General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody \
>> slapd.ServerPort=389 slapd.ServerIdentifier=pki-SubCA \
>> slapd.Suffix=dc=EXAMPLE,dc=xxx,dc=xx \
>> slapd.RootDN="cn=ldapadmin" slapd.RootDNPwd=OTHER_PASSWORD
>>
>> > myconfig.txt
>>
>> [DEFAULT]
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_admin_password=SUB-CA_Passord
>> pki_client_database_password=SUB-CA_Passord
>> pki_client_pkcs12_password=SUB-CA_Passord
>> pki_ds_bind_dn=cn=ldapadmin
>> pki_ds_password=SUB-CA_Passord
>> pki_security_domain_password=SUB-CA_Passord
>> pki_instance_name=pki-SubCA
>> pki_security_domain_hostname=root-ca.xxxx.xxx.xx
>> pki_security_domain_https_port=8443
>> pki_security_domain_user=caadmin
>>
>> [CA]
>> pki_subordinate=True
>> pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
>> pki_ca_signing_subject_dn=cn=EXAMPLE Certification Authority L2,o=XXXXXXXXXXX,c=BR
>> pki_subordinate_create_new_security_domain=True
>> pki_subordinate_security_domain_name=EXAMPLE Certification Authority L2
>> pki_admin_nickname=PKI Administrator for Example Sub-CA L2
>> pki_admin_subject_dn=cn=PKI Administrator CA L2,[email protected],o=XXXXXXXXXXX,c=BR
>> [email protected]
>>
>> when I run pkispawn -v -s CA -f myconfig.txt on Server02:
>>
>> ERROR: Unable to access security domain: 401 Client Error: Unauthorized
>>
>> ===
>>
>> I tried to use the same passwords on myconfig.txt in both servers just to test, but I receive the same message.
>>
>> Can you help me please?
>>
>> many thanks!
>>
>
> _______________________________________________
> Pki-users mailing
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
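
The AUTH_FAIL audit event in the debug log quoted above can be extracted and tied to the LDAP entry the password was checked against. This Python is an added example, not part of the original thread or of Dogtag; the sample lines are constructed from the quoted log, and the function name and returned keys are illustrative.

```python
import re

# Constructed sample: four lines in the format of the debug log quoted in the thread.
SAMPLE_LOG = """\
[03/Aug/2016:11:39:14][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PKIRealm: Authenticating user caadmin with password.
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: PasswdUserDBAuthentication: DN: uid=caadmin,ou=people,o=pki-RootCA-CA
[03/Aug/2016:11:39:15][http-bio-8443-exec-19]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")   # [Key=Value] pairs of an audit message
DN_RE = re.compile(r"PasswdUserDBAuthentication: DN: (.+)$")

def auth_failures(log_text):
    """Return one dict per AUTH_FAIL event, with the DN last resolved on the same thread."""
    last_dn = {}      # request thread -> DN most recently looked up by that thread
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        dn = DN_RE.search(msg)
        if dn:
            last_dn[thread] = dn.group(1)
            continue
        if "SignedAuditEventFactory" not in msg:
            continue
        fields = dict(FIELD_RE.findall(msg))
        if fields.get("AuditEvent") == "AUTH_FAIL":
            failures.append({
                "time": m["ts"],
                "thread": thread,
                "user": fields.get("AttemptedCred"),
                "auth_mgr": fields.get("AuthMgr"),
                "dn": last_dn.get(thread),
            })
    return failures

if __name__ == "__main__":
    for failure in auth_failures(SAMPLE_LOG):
        print(failure)
```

The `dn` field shows which directory entry the rejected password belonged to, here the caadmin entry under the root CA's own suffix.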
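
One way to cross-check the two myconfig.txt files before running pkispawn on the subordinate, as an added Python example that is not from the thread or from Dogtag. The inputs are constructed and abridged from the quoted files, the function names are illustrative, and the password comparison assumes the security-domain user (caadmin) is the root CA's admin account whose password was set by the root's pki_admin_password.

```python
from urllib.parse import urlparse

# Constructed inputs, abridged from the two myconfig.txt files quoted in the thread.
ROOT_CFG = """\
[DEFAULT]
pki_admin_password=Root-CA_pwd
pki_security_domain_password=Root-CA_pwd
pki_admin_password=Root-CA_pwd
"""
SUB_CFG = """\
[DEFAULT]
pki_security_domain_password=SUB-CA_Passord
pki_security_domain_hostname=root-ca.xxxx.xxx.xx
pki_security_domain_user=caadmin
[CA]
pki_issuing_ca=https://root-ca.xxxx.xxxv.xx:8443
"""

def parse(text):
    """Return (settings, duplicates). Later values win; repeated keys are recorded."""
    settings, seen, dups, section = {}, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if (section, key) in seen:
            dups.append((section, key))
        seen.add((section, key))
        settings[key] = value
    return settings, dups

def check(root_text, sub_text):
    """Return findings as strings; password values are never echoed."""
    (root, root_dups), (sub, sub_dups) = parse(root_text), parse(sub_text)
    findings = [f"{name}: duplicate key {k} in [{s}]"
                for name, d in (("root", root_dups), ("sub", sub_dups)) for s, k in d]
    # Assumption: the security-domain user is the root CA admin (caadmin).
    if sub.get("pki_security_domain_password") != root.get("pki_admin_password"):
        findings.append("sub: pki_security_domain_password differs from root pki_admin_password")
    host = urlparse(sub.get("pki_issuing_ca", "")).hostname
    if host != sub.get("pki_security_domain_hostname"):
        findings.append(f"sub: pki_issuing_ca host {host} != pki_security_domain_hostname")
    return findings
```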
