TPS token enrollment with sslclientauth to ldap fails when the certificate nickname has an apostrophe.
pki-tps-10.5.1-5.el7pki.x86_64
Steps to reproduce:

1. Configure certmap.conf to be:

    certmap default default
    default:DNComps
    default:FilterComps uid
    default:verifycert off

2. Add a user in LDAP for TPS client authentication.

3. Generate a certificate using the caDirUserCert profile from the CA UI. Add the b64 blob to the LDAP user.

4. From the CA EE page, import the certificate into the browser. The browser's certificate manager shows the nickname containing an apostrophe. Create a .p12 file of this certificate.

5. Import the .p12 file into the TPS certificate NSS db:

    # certutil -L -d /var/lib/pki/<TPS-instance-name>/alias
    Certificate Nickname                         Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
    's EXAMPLE ID                                u,u,u
    ...

6. Configure the TPS ldap1 auth instance for SSL client auth with that nickname (auths.instance.* in CS.cfg):

    auths.instance.ldap1.ldap.ldapBoundConn=true
    auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
    auths.instance.AgentCertAuth.pluginName=AgentCertAuth
    auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
    auths.instance.TokenAuth.pluginName=TokenAuth
    auths.instance.ldap1.authCredName=uid
    auths.instance.ldap1.dnpattern=
    auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd
    auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID
    auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType
    auths.instance.ldap1.ldap.basedn=ou=people,dc=example,dc=org
    auths.instance.ldap1.ldap.ldapauth.authtype=SslClientAuth
    auths.instance.ldap1.ldap.ldapauth.bindDN=
    auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1
    auths.instance.ldap1.ldap.ldapauth.clientCertNickname='s EXAMPLE ID
    auths.instance.ldap1.ldap.ldapconn.host=XXXXXX.XXXXX.com
    auths.instance.ldap1.ldap.ldapconn.port=5636
    auths.instance.ldap1.ldap.ldapconn.secureConn=True
    auths.instance.ldap1.ldap.ldapconn.version=3
    auths.instance.ldap1.ldap.maxConns=15
    auths.instance.ldap1.ldap.minConns=3
    auths.instance.ldap1.ldapByteAttributes=
    auths.instance.ldap1.ldapStringAttributes=mail,cn,uid

7. Restart TPS.
TPS debug log shows the client auth failure:
    [22/Jan/2018:15:43:50][localhost-startStop-1]: TCP Keep-Alive: true
    [22/Jan/2018:15:43:50][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: â<80><99>s EXAMPLE ID
    [22/Jan/2018:15:43:50][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname â<80><99>s EXAMPLE ID
    [22/Jan/2018:15:43:52][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:subsystemCert cert-rhcs93-nocp30-OCSP-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:auditSigningCert cert-rhcs93-nocp30-TKS-ssidhaye TKS
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:Server-Cert cert-rhcs93-nocp30-CA-aakkiang
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:auditSigningCert cert-rhcs93-nocp30-OCSP-ssidhaye OCSP
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:ocspSigningCert cert-rhcs93-nocp30-CA-aakkiang CA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:subsystemCert cert-rhcs93-nocp30-CA-aakkiang
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:subsystemCert cert-rhcs93-nocp30-TKS-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:subsystemCert cert-rhcs93-nocp30-KRA-aakkiang
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:Server-Cert cert-rhcs93-nocp30-TKS-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:subsystemCert cert-rhcs93-nocp30-TPS-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:Server-Cert cert-rhcs93-nocp30-OCSP-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:auditSigningCert cert-rhcs93-nocp30-KRA-aakkiang KRA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:ocspSigningCert cert-rhcs93-nocp30-OCSP-ssidhaye OCSP
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:storageCert cert-rhcs93-nocp30-KRA-aakkiang KRA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:transportCert cert-rhcs93-nocp30-KRA-aakkiang KRA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:auditSigningCert cert-rhcs93-nocp30-CA-aakkiang CA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:Server-Cert cert-rhcs93-nocp30-KRA-aakkiang
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: ldap-manager certificate
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: ’s EXAMPLE ID
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:auditSigningCert cert-rhcs93-nocp30-TPS-ssidhaye TPS
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:caSigningCert cert-rhcs93-nocp30-CA-aakkiang CA
    [22/Jan/2018:15:43:52][localhost-startStop-1]: Candidate cert: lunasaQE:Server-Cert cert-rhcs93-nocp30-TPS-ssidhaye
    [22/Jan/2018:15:43:52][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
    [22/Jan/2018:15:43:52][localhost-startStop-1]: SSL handshake happened
    Could not connect to LDAP server host XXXXXX.XXXXX.com port 5636 Error netscape.ldap.LDAPException: Authentication failed (48)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cms.authentication.DirBasedAuthentication.init(DirBasedAuthentication.java:297)
        at com.netscape.cms.authentication.DirBasedAuthentication.init(DirBasedAuthentication.java:256)
        at com.netscape.cmscore.authentication.AuthSubsystem.init(AuthSubsystem.java:220)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1175)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1081)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:582)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1620)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Actual results: TPS did not present the correct nickname for authentication, so TPS client auth to the directory fails.

Expected results: TPS client auth to the directory should succeed with a certificate nickname containing an apostrophe.
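In the debug log above the desired nickname is logged as `â<80><99>s EXAMPLE ID` while the NSS candidate is `’s EXAMPLE ID`, so the selection callback finds no match and returns null. The Python below is an added illustration, not code from this ticket or from Dogtag PKI: it decodes the same UTF-8 config bytes once as UTF-8 and once as ISO-8859-1 to reproduce that kind of mismatch, and gives a pre-start check that compares the CS.cfg clientCertNickname against the nicknames a `certutil -L` listing shows. The charset explanation is an assumption, and the CS.cfg fragment and certutil listing are constructed.

```python
import re

NICK_KEY = "auths.instance.ldap1.ldap.ldapauth.clientCertNickname"

# Constructed CS.cfg fragment as UTF-8 bytes; the nickname starts with U+2019,
# the curly apostrophe the browser put into the nickname in the report.
CS_CFG_BYTES = (
    "auths.instance.ldap1.ldap.ldapauth.authtype=SslClientAuth\n"
    "auths.instance.ldap1.ldap.ldapauth.clientCertNickname=\u2019s EXAMPLE ID\n"
).encode("utf-8")

# Constructed listing in the shape of `certutil -L -d <alias>` output.
CERTUTIL_OUTPUT = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ldap-manager certificate                      u,u,u
\u2019s EXAMPLE ID                            u,u,u
"""

def configured_nickname(cfg: bytes, encoding: str) -> str:
    """Value of clientCertNickname when the config bytes are decoded as `encoding`."""
    for line in cfg.decode(encoding).splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == NICK_KEY:
            return value.strip()
    raise KeyError(NICK_KEY)

def nss_nicknames(listing: str) -> list[str]:
    """Nickname column of a certutil -L listing (each row ends in trust flags)."""
    nicks = []
    for line in listing.splitlines()[2:]:  # skip the two header lines
        m = re.match(r"^(.*?)\s{2,}([pPcCTu,]*)$", line)
        if m and m.group(1).strip():
            nicks.append(m.group(1).strip())
    return nicks

def check_nickname(cfg: bytes, listing: str, encoding: str = "utf-8") -> str:
    """'ok' if the configured nickname exists in the NSS db, else a diagnosis."""
    nick = configured_nickname(cfg, encoding)
    nicks = nss_nicknames(listing)
    if nick in nicks:
        return "ok"
    # Undo a Latin-1 misread of UTF-8 bytes to see whether that explains the miss.
    recovered = nick.encode("latin-1", "ignore").decode("utf-8", "ignore")
    if recovered in nicks:
        return f"mojibake: {nick!r} was read with the wrong charset; NSS has {recovered!r}"
    return f"missing: {nick!r} is not in the NSS db"
```

Run against a real instance by reading CS.cfg as bytes and piping `certutil -L -d /var/lib/pki/<instance>/alias` into `check_nickname`; a "mojibake" result points at the config read path rather than at the NSS db.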
Metadata Update from @dmoluguw:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1537306
- Custom field type adjusted to None
- Custom field version adjusted to None
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3310
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)