Hi Christina,

Thanks for following up.

You are correct, I have tested UID/PWD auth with SCEP and that is working fine. As mentioned, the only reason I am not able to use this method is because the UID/IP address is using the DHCP-assigned uplink IP address. For my solution we need a more deterministic UID, so I was attempting to use the CN/PWD auth with SCEP.

The way I set up the CN/PWD auth with SCEP is to first get a working UID/PWD auth with SCEP setup. Then edit the "…/ca/CS.cfg":

    auths.instance.flatFileAuth.authAttributes=PWD
    auths.instance.flatFileAuth.deferOnFailure=true
    auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
    auths.instance.flatFileAuth.keyAttributes=CN
    auths.instance.flatFileAuth.pluginName=FlatFileAuth

Then edit the "…/ca/flatfile.txt":

    CN:dev-sec-a-2.example.com
    PWD:password

Then I restart the service and test.

Cheers,
Rohan

From: Christina Fu <c...@redhat.com>
Date: Wednesday, December 9, 2020 at 6:16 PM
To: Rohan Raymore (rraymore) <rraym...@cisco.com>
Cc: pki-users@redhat.com <pki-users@redhat.com>
Subject: Re: [Pki-users] Dogtag PKI CA not enrolling router with CN or when IP specified in Trustpoint config

Hi Rohan,

I have only played with IP UID/PWD auth with SCEP, which I just tried and seems to be working. Could you maybe give me info on how you set up CN/PWD and I could look into that.

thanks,
Christina

On Sun, Nov 29, 2020 at 11:57 PM Rohan Raymore (rraymore) <rraym...@cisco.com> wrote:

Hello,

I am looking for some guidance/assistance with a dogtag-pki CA server setup that I am testing.

Environment:
Cisco ASR router
CentOS 7 VM
PKI version 10.5.18-7.e17 installed
Configured to use flatfile to authenticate Cisco router using UID/PWD via SCEP
I am able to successfully authenticate and enroll the router via SCEP using UID/PWD in flatfile

Issue:
The UID=IP-address of the router interface toward the CA server; this IP is assigned via DHCP, thus not deterministic.
When I configured an IP address of a Loopback interface under the Trustpoint configuration of the router, I can see that it is seen by the CA in the logs, but it is not used for authentication/enroll.
I tried to change the CS.cfg file to use the CN/PWD to authenticate; however, it appears I may have missed something, as it fails with a password null.

Can you please assist with providing one of two options:
1. How to authenticate/enroll router via Loopback interface IP address that is specified in the Trustpoint configuration of the router?
2. How to authenticate/enroll the router using the CN/PWD in the flatfile?

Thanks in advance for your assistance!

See below some output from the debug file:

<snip>
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: 10.0.1.1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key 10.0.1.1   <-------- this is the IP I have configured in flatfile
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: keys.length = 1
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating: null
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: putting: key
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1   <----- this is the router outside interface IP
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.
[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.
<snap>

<snip>
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Found profile=caRouterCert
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Retrieving authenticator
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key dev-sec-a-2.example.com
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: keys.length = 1
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating: null
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: putting: key
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN
[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.
<snap>

Regards,
Rohan Raymore

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
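Added illustration, not part of the thread and not Dogtag's own code: a small Python model of what the CS.cfg keys and the debug lines above describe. FlatFileAuth builds a lookup key from the entry attributes named in keyAttributes, looks the request's key up in flatfile.txt, and then compares the attributes named in authAttributes. The model is reconstructed from the log messages only; the flatfile.txt layout (one "ATTR:value" line per attribute, blank line between entries), the key separator (irrelevant for a single key attribute), and the failure strings are assumptions. A second helper groups debug lines by worker thread and pulls out the looked-up key and the failure reason, which is the triage a CA operator does when an enrolment is rejected. All sample data is constructed.

```python
"""Model of a flat-file SCEP authenticator and a debug-log triage helper.

Added example (not Dogtag code). Behaviour is inferred from the CS.cfg keys
keyAttributes / authAttributes and the FlatFileAuth debug messages.
"""
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed flatfile.txt with two entries: the IP-keyed one from the first
# attempt and the CN-keyed one from the second (format assumed).
FLATFILE = """\
UID:10.0.1.1
PWD:password

CN:dev-sec-a-2.example.com
PWD:password
"""


def parse_flatfile(text: str) -> List[Dict[str, str]]:
    """Parse 'ATTR:value' lines into entries separated by blank lines."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def build_key(attrs: Dict[str, Optional[str]], key_attrs: List[str]) -> str:
    """Concatenate the key attributes ('concatenating: ...' in the log).
    Assumed: no separator; only single-attribute keys are exercised here."""
    return "".join(attrs.get(a) or "" for a in key_attrs)


def authenticate(entries: List[Dict[str, str]], key_attrs: List[str],
                 auth_attrs: List[str],
                 request: Dict[str, Optional[str]]) -> Tuple[bool, str]:
    """Return (ok, reason). Reasons are modelled on the thread's log lines."""
    # A key attribute missing from the request cannot be looked up at all.
    for a in key_attrs:
        if request.get(a) is None:
            return False, f"Authentication credential for {a} is null"
    table = {build_key(e, key_attrs): e
             for e in entries if all(a in e for a in key_attrs)}
    entry = table.get(build_key(request, key_attrs))
    if entry is None:
        return False, "User not found in password file"
    for a in auth_attrs:
        given, expected = request.get(a), entry.get(a)
        # Constant-time comparison so password checks do not leak timing.
        if given is None or expected is None or not hmac.compare_digest(
                given.encode(), expected.encode()):
            return False, "Invalid Credential"
    return True, "authenticated"


LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
KEY_PREFIX = "FlatFileAuth: authenticating user: finding user from key: "
FAIL_PREFIX = "operation failure - "


def auth_failures(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group debug lines by worker thread; record lookup key and failures."""
    by_thread: Dict[str, Dict[str, object]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = by_thread.setdefault(m["thread"], {"key": None, "failures": []})
        msg = m["msg"]
        if msg.startswith(KEY_PREFIX):
            t["key"] = msg[len(KEY_PREFIX):]
        elif msg.startswith(FAIL_PREFIX):
            t["failures"].append(msg[len(FAIL_PREFIX):])  # type: ignore[union-attr]
    return by_thread


# Constructed excerpt in the debug-log shape shown in the thread.
SAMPLE_LOG = [
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = UID",
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: authenticating user: finding user from key: 10.1.1.1",
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: FlatFileAuth: User not found in password file.",
    "[30/Nov/2020:05:49:42][http-bio-8080-exec-21]: operation failure - Invalid Credential.",
    "[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: FlatFileAuth: concatenating string i=0 keyAttrs[0] = CN",
    "[30/Nov/2020:07:24:02][http-bio-8080-exec-4]: operation failure - Authentication credential for CN is null.",
]

if __name__ == "__main__":
    entries = parse_flatfile(FLATFILE)
    # DHCP uplink address differs from the flatfile key -> not found.
    print(authenticate(entries, ["UID"], ["PWD"], {"UID": "10.1.1.1", "PWD": "password"}))
    # keyAttributes=CN but the request carries no CN credential -> null.
    print(authenticate(entries, ["CN"], ["PWD"], {"UID": "10.1.1.1", "PWD": "password"}))
    for thread, info in auth_failures(SAMPLE_LOG).items():
        print(thread, info)
```

The two modelled failures line up with the two debug excerpts: a UID key only matches when the request's source address equals the flatfile entry, and a CN key cannot match at all while the request supplies no CN credential, which is exactly the "credential for CN is null" line. The triage helper is useful on its own for spotting which worker thread rejected which key in a busy CA debug log.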