Hi Rohan, I have only played with IP UID/PWD auth with SCEP, which I just tried and seems to be working. Could you maybe give me info on how you set up CN/PWD and I could look into that.
thanks,
Christina

On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <rraym...@cisco.com> wrote:
> Hello,
>
> I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.
>
> Environment:
> Cisco ASR router
> CentOS 7 vm
> PKI version 10.5.18-7.e17 installed
> Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP
> I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile
>
> Issue:
> The UID=IP-address of the router interface toward the CA server, this IP is assigned via DHCP, thus not deterministic.
> When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router I can see that it is seen by the CA in the logs but it is not used for authentication/enroll.
> I tried to change the CS.cfg file to use the CN/PWD to authenticate, however it appears I may have missed something as it fails with a password null.
>
> Can you please assist with providing one of two options:
> 1. How to authenticate/enroll router via Loopback interface IP address that is specified in the Trustpoint configuration of the router?
> 2. How to authenticate/enroll the router using the CN/PWD in the flatfile?
>
> Thanks in advance for your assistance!
> See below some output from the debug file:
>
> <snip>
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: 10.0.1.1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1 <-------- this is the IP I have configured in flatfile
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: null
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1 <----- this is the router outside interface IP
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
> [30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
> <snap>
>
> <snip>
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: dev-sec-a-2.example.com
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: null
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
> [30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
> <snap>
>
> Regards,
> Rohan Raymore
>
> Rohan Raymore <http://directory.cisco.com/dir/details/rraymore>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
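An added illustration of the lookup the FlatFileAuth debug lines in the thread describe (not Dogtag's own code and not from either message): the key is built by concatenating the configured key attributes taken from the request credentials, looked up among the keys loaded from the flatfile, and only then checked against the password. The flatfile layout (`ATTR:value` lines, records separated by blank lines), the attribute names and the sample values are constructed assumptions; the two failures shown are the ones in the quoted logs.

```python
# Model of the FlatFileAuth key lookup seen in the thread's debug output.
# Assumption: the password file holds records of "ATTR:value" lines,
# separated by blank lines, e.g. a UID: line followed by a PWD: line.

# Constructed flatfile with the single entry keyed by the IP from the thread.
FLATFILE = """\
UID:10.0.1.1
PWD:router-secret
"""


def parse_flatfile(text, key_attr, pwd_attr="PWD"):
    """Return {key_value: password} for every record that carries key_attr."""
    entries, record = {}, {}
    for raw in text.splitlines() + [""]:   # trailing "" closes the last record
        line = raw.strip()
        if not line:                        # blank line terminates a record
            if key_attr in record:
                entries[record[key_attr]] = record.get(pwd_attr)
            record = {}
            continue
        attr, _, value = line.partition(":")
        record[attr.strip()] = value.strip()
    return entries


def authenticate(entries, key_attrs, creds, pwd_attr="PWD"):
    """Mirror the log sequence: build key from keyAttrs, find user, check password."""
    parts = []
    for attr in key_attrs:                  # "concatenating string ... keyAttrs[i]"
        value = creds.get(attr)
        if value is None:                   # request never supplied this attribute
            return f"Authentication credential for {attr} is null"
        parts.append(value)
    key = "".join(parts)                    # "finding user from key: <key>"
    if key not in entries:
        return "User not found in password file"
    if creds.get(pwd_attr) != entries[key]:
        return "Invalid Credential"
    return "OK"


if __name__ == "__main__":
    entries = parse_flatfile(FLATFILE, "UID")
    # Router presents its DHCP-assigned interface IP, not the one in the file.
    print(authenticate(entries, ["UID"], {"UID": "10.1.1.1", "PWD": "router-secret"}))
    # keyAttributes switched to CN, but the SCEP request only carries UID/PWD.
    print(authenticate(entries, ["CN"], {"UID": "10.0.1.1", "PWD": "router-secret"}))
```

Diffing the "putting: key" values against the "finding user from key" value in a real debug log is the same comparison the first branch makes, and a missing attribute in the request reproduces the second.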