After installing and configuring CA using ECC, unable to access Admin interface using pkiconsole. The username/password prompt never comes up.
Steps to Reproduce:
1. Set up CA using the below configuration:

    [DEFAULT]
    pki_instance_name=Foobar1
    pki_https_port=8443
    pki_http_port=8080

    #NSS DB Token Password
    pki_token_password=Secret123

    #Admin Password
    pki_admin_password=Secret123

    #Security Domain
    pki_hostname=pki2.example.org
    pki_security_domain_name=Foobar.org
    pki_security_domain_password=Secret123

    #client Dir
    pki_client_dir=/opt/Foobar1
    pki_client_pkcs12_password=Secret123

    #Backup
    pki_backup_keys=True
    pki_backup_password=Secret123

    [Tomcat]
    pki_ajp_port=8009
    pki_tomcat_server_port=8005

    [CA]
    pki_import_admin_cert=False
    pki_ca_signing_key_type=ecc
    pki_ca_signing_key_size=nistp256
    pki_ca_signing_key_algorithm=SHA256withEC
    pki_ca_signing_signing_algorithm=SHA256withEC
    pki_ocsp_signing_key_type=ecc
    pki_ocsp_signing_key_size=nistp256
    pki_ocsp_signing_key_algorithm=SHA256withEC
    pki_ocsp_signing_signing_algorithm=SHA256withEC
    pki_audit_signing_key_type=ecc
    pki_audit_signing_key_size=nistp256
    pki_audit_signing_key_algorithm=SHA256withEC
    pki_audit_signing_signing_algorithm=SHA256withEC
    pki_ssl_server_key_type=ecc
    pki_ssl_server_key_size=nistp256
    pki_ssl_server_key_algorithm=SHA256withEC
    pki_ssl_server_signing_algorithm=SHA256withEC
    pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
    pki_subsystem_key_type=ecc
    pki_subsystem_key_size=nistp256
    pki_subsystem_key_algorithm=SHA256withEC
    pki_subsystem_signing_algorithm=SHA256withEC
    pki_ds_hostname=localhost
    pki_ds_ldap_port=389
    pki_ds_password=Secret123

2. Issue the pkiconsole command; the below error is seen:

    pkiconsole https://pki2.example.org:8443/ca
    76 18:04:47.080 (0.088) L5 (JSSConnection.java:122) JSSConnection Debug: end of JSSConnection constructor
    77 18:04:47.183 (0.103) L5 (JSSConnection.java:122) JSSConnection Debug: end of JSSConnection constructor
    java.io.IOException: SocketException cannot read on socket
        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1072)
        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:70)
        at com.netscape.admin.certsrv.connection.JSSConnection.readLineFromStream(JSSConnection.java:456)
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:473)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:445)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:359)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:770)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:672)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:639)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:372)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:120)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:511)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:560)
        at com.netscape.admin.certsrv.Console.main(Console.java:1724)
Actual results:
Unable to log in to CA admin interface.
Expected results:
Should be able to log in to CA Admin interface.
Per CS/DS Meeting of 07/06/2015: 10.2.6 (low priority)
Turns out this issue affects all SSL clients provided by Dogtag: CLIs, Java console, and HttpClient.

For example, if you try to run pki cert-find you will get:

    ProcessingException: Unable to invoke request

If you try to run HttpClient, you will get:

    org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12286) Cannot communicate securely with peer: no common encryption algorithm(s).
        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
        at com.netscape.cmstools.HttpClient.send(HttpClient.java:174)
        at com.netscape.cmstools.HttpClient.main(HttpClient.java:431)
    Error: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12286) Cannot communicate securely with peer: no common encryption algorithm(s).
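The -12286 error above is NSS reporting that none of the cipher suites offered by the client can be used by the server. As an added example (not Dogtag or JSS code, with constructed suite lists), the Python below checks which offered suites a server can negotiate given the key types of its certificates, and generalizes to RSA, DSA and TLS 1.3 style names. It assumes, without confirmation from this ticket, that the clients' offered suite lists lacked ECDSA-authenticated suites.

```python
# Added example (not Dogtag/JSS code): which offered TLS suites can a server
# negotiate, given the key types of the certificates it holds?
import re

# TLS <= 1.2 suite names have the form TLS_<KEYEXCHANGE>_WITH_<CIPHER>_<MAC>;
# older JSS/NSS names use an SSL_ prefix for the same layout.
_SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_.+$")

# Key-exchange label -> key type the server certificate must have.
_KX_CERT = {
    "RSA": "rsa", "DHE_RSA": "rsa", "ECDHE_RSA": "rsa",
    "ECDHE_ECDSA": "ec", "ECDH_ECDSA": "ec",
    "DHE_DSS": "dsa",
}

def required_cert(suite):
    """Return 'rsa', 'ec', 'dsa', 'any' (TLS 1.3 style name) or None (unknown)."""
    m = _SUITE.match(suite)
    if m is None:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key exchange
        # and work with any certificate type.
        return "any" if suite.startswith("TLS_") else None
    return _KX_CERT.get(m.group("kx"))

def usable_suites(offered, server_key_types):
    """Suites from `offered` that a server holding these key types can pick."""
    return [s for s in offered
            if required_cert(s) == "any" or required_cert(s) in server_key_types]

def diagnose(offered, server_key_types):
    usable = usable_suites(offered, server_key_types)
    if usable:
        return "ok: %d usable suite(s), first is %s" % (len(usable), usable[0])
    return "no overlap: handshake fails (NSS reports this as -12286)"

# Constructed client suite lists, for illustration only.
RSA_ONLY_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
                   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
ECC_AWARE_CLIENT = RSA_ONLY_CLIENT + ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                                      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    ecc_server = {"ec"}  # every key in the ticket's configuration is ECC
    print(diagnose(RSA_ONLY_CLIENT, ecc_server))
    print(diagnose(ECC_AWARE_CLIENT, ecc_server))
```
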
committed to master
commit e62b40b9249d0f0b394275da35fa7c2ee99842b5
Author: Christina Fu <cfu@redhat.com>
Date: Fri Jul 10 11:41:22 2015 -0700

    Ticket 1459 Dogtag clients cannot connect when CS is configured with ECC
    clients are: cli, HttpClient, and java console

commit 8c9e59cfaff9ecda1483c07238ad0b58ea4f5f73
Author: Christina Fu <cfu@redhat.com>
Date: Wed Jul 8 17:45:59 2015 -0700

    ecc Console - 1. clean up the tabs in the JSSConnection constructor
Metadata Update from @mrniranjan: - Issue assigned to cfu - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2018
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.