register organisation CA bootstrap identity with TLS CA - organization

I am up to the "register organisation CA bootstrap identity with TLS CA" section in readthedocs/cadeploy.
I get the error:
Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll
command first. Example: fabric-ca-client enroll -u
http://user:userpw#serverAddr:serverPort
The command was:
./fabric-ca-client register -d --id.name rcaadmin --id.secret rcaadminpw -u https://localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --mspdir tls-ca/tlsadmin/msp
I have reviewed the previous steps and checked the directory structure.
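The error above is what fabric-ca-client prints when the directory given by --mspdir contains no enrolled identity to sign the register request with. The pre-flight check below is an added example written for this page (it is not fabric-ca-client's own code and not from the post); it assumes the MSP layout that fabric-ca-client enroll writes (signcerts/ for the certificate, keystore/ for the private key) and uses a hypothetical FABRIC_CA_CLIENT variable for the path to the binary. Pass an absolute path so the result does not depend on which client home the relative tls-ca/tlsadmin/msp in the post is resolved against.

```shell
#!/bin/sh
# Added example (not fabric-ca-client's own code): check that an MSP directory
# holds an enrolled X.509 identity before running `fabric-ca-client register`.
# Assumed layout (what `fabric-ca-client enroll` writes):
#   <mspdir>/signcerts/*.pem   enrollment certificate
#   <mspdir>/keystore/*        private key

# has_nonempty_file DIR PATTERN: 0 if DIR contains a non-empty file matching PATTERN.
has_nonempty_file() {
    find "$1" -maxdepth 1 -type f -name "$2" -size +0 2>/dev/null | grep -q .
}

# msp_has_enrollment MSPDIR: 0 if the identity is usable for signing requests,
# otherwise report every missing piece on stderr and return 1.
msp_has_enrollment() {
    msp=$1
    status=0
    if [ ! -d "$msp" ]; then
        echo "$msp: not a directory (run enroll first, or fix --mspdir)" >&2
        return 1
    fi
    if ! has_nonempty_file "$msp/signcerts" '*.pem'; then
        echo "$msp/signcerts: no enrollment certificate (*.pem)" >&2
        status=1
    fi
    if ! has_nonempty_file "$msp/keystore" '*'; then
        echo "$msp/keystore: no private key file" >&2
        status=1
    fi
    return $status
}

# safe_register MSPDIR [register args...]: refuse to call the client when the
# identity is missing, so the failure is explained up front instead of by the
# "Enrollment information does not exist" error. FABRIC_CA_CLIENT is assumed.
safe_register() {
    msp=$1
    shift
    msp_has_enrollment "$msp" || {
        echo "enroll the identity under $msp before registering" >&2
        return 1
    }
    "${FABRIC_CA_CLIENT:-./fabric-ca-client}" register --mspdir "$msp" "$@"
}

# Example (constructed): safe_register "$PWD/tls-ca/tlsadmin/msp" -d --id.name rcaadmin \
#   --id.secret rcaadminpw -u https://localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem
```

If the check reports signcerts as present but keystore as empty, the certificate was copied in without its key (for instance from another machine), which gives the same enrollment error as never having enrolled.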

Related

RBAC configuring on solaris 11.4

Hi everyone, I am facing some issues on Solaris 11.4 implementing RBAC. I created a user and a role and gave profiles to the role, but I can execute the command. I drop my RBAC configuration below.
$useradd -m test
$passwd test
$roleadd -c "User Administrator role,User Management role local" -m -K profiles="User Security,User Management" sec1
$passwd sec1
$usermod -R +sec1 test
I log in as my new test user and assume my role sec1 successfully. I can create a user, set a password, and delete a user and password. The role cannot add a new role.
sec1#:~$ usermod -R +sec1 test
/usr/lib/passmgmt: Permission denied. Cannot set roles to sec1, requires sec1 role.
UX: usermod: ERROR: Permission denied.
UX: usermod: ERROR: Cannot update system - login cannot be modified.
How can I use usermod and rolemod for the user? Can anyone help me? Which Solaris profiles can give a role access to the user-related commands?
It seems that there is some bug in the usermod command when it is run from a role (not a user). I succeeded in delegating this privilege user-to-user (without a role).
As the root user, give the privilege to the test user directly:
/usr/sbin/usermod -K profiles="User Security,User Management" test
Also create another user for testing:
useradd -m testuseradm
Then login as test and use this privilege:
pfexec /usr/sbin/usermod -K profiles="User Security,User Management" testuseradm
Optionally you could add -K auth_profiles="User Security,User Management" to require testuseradm to enter his password again.
The main difference between a user and a role is that a role cannot log in directly. So as a workaround you may create a shared user account and present it to your colleagues as a role.

Why the certificate is rejected despite it being installed?

When accessing a URL in my LAN using the web browser, I get a certificate error message:
In Firefox:
Warning: Potential Security Risk Ahead
In Internet Explorer:
This site is not secure
I download the certificate and import it using Windows PowerShell as admin:
> certutil -addstore -enterprise -f "Root" .\certificate.pem
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Certificate" added to store.
CertUtil: -addstore command completed successfully.
The issue isn't solved.
If I ping the IP address, I get a response. However, if I telnet to the IP:port using PuTTY, I get a pop-up window with the following error message:
Remote side unexpectedly closed network connection
How can I get my computer to accept the certificate?

Client secret not provided in request [unauthorized_client]

Here is what I tried: I logged in to the server where Keycloak is deployed, changed to the directory /keycloak/bin/ and ran the following command:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin
But this command throws an error:
Client secret not provided in request [unauthorized_client]
Why is client information required? I have to do this through the Admin CLI:
Login into the keycloak
Create a New realm
Create User and userGroup.
So in my view, in this case a client secret or any such information is not required, but the admin-cli command complains about it.
Here is the solution to the above problem. After installing Keycloak, Keycloak will by default create a few clients (account, admin-cli, broker, master-realm, security-admin-console), and among all these clients admin-cli comes with access-type=public. So if you are trying to log in through Keycloak you have to run the below command from the /keycloak/bin directory:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin --client admin-cli
As I am using HTTPS, you may get the below error as well:
Failed to send request - sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
To overcome this issue, generate the certificate, put it inside the /keycloak/security/ssl folder and then run this command:
kcadm.sh config truststore --trustpass $PASSWORD ~/.keycloak/truststore.jks
Now, on the question of how to create the realm: after logging in through the admin-cli client, use the below command:
./kcadm.sh create realms -s realm=demorealm -s enabled=true

psql Client Certificate Chain

I'm trying to set up a PostgreSQL db server with ssl. Or more specifically, I've successfully set up the server and ssl is working... as long as there are no intermediate certificates. It's not working if there is an intermediate cert.
Background / Setup:
I have a root CA.cert.
I used the CA to sign an intermediate.csr and create an intermediate.cert.
I used the intermediate.cert to sign a postgres.csr and create a postgres.cert.
The CA.cert, postgres.key and postgres.cert have been installed on the server.
The CA.cert has been set as a trusted certificate.
postgresql.conf has been modified to point to the above files.
I used the intermediate.cert to sign a client_0.csr and create a client_0.cert.
I used the CA.cert to sign a client_1.csr and create a client_1.cert.
I created a client chain.cert: cat client_0.cert intermediate.cert > chain.cert
Proper extensions have been used, both client certs have their common name set to the (username) of the db being connected to.
Fun, aka The Problem.
psql "sslmode=require hostname=(host) db=(db) sslcert=client_1.cert sslkey=client_1.key" -U (username): Great success!
psql "sslmode=require hostname=(host) db=(db) sslcert=client_0.cert sslkey=client_0.key" -U (username): alert unknown ca. This is expected, client_0.cert is not signed by CA.cert.
psql "sslmode=require hostname=(host) db=(db) sslcert=chain.cert sslkey=client_0.key" -U (username): alert unknown ca. Uh oh.
Confusion
Documentation for connecting to a postgresql instance with ssl enabled and intermediate certificates present:
In some cases, the client certificate might be signed by an
"intermediate" certificate authority, rather than one that is directly
trusted by the server. To use such a certificate, append the
certificate of the signing authority to the postgresql.crt file, then
its parent authority's certificate, and so on up to a certificate
authority, "root" or "intermediate", that is trusted by the server,
i.e. signed by a certificate in the server's root.crt file.
https://www.postgresql.org/docs/9.6/static/libpq-ssl.html
I have also tried cat-ing the full chain (client, intermediate, CA > chain); nothing doing.
Question
What have I done wrong here?
Thank you,
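The quoted libpq documentation describes a specific file shape: the client certificate first, then its signing authority, then that authority's parent, ending at something the server's root.crt trusts. The script below is an added example written for this page (not from the post or from PostgreSQL) that checks a chain file against exactly that shape using openssl: it confirms that each certificate in the file is issued by the one after it, and separately that the first certificate verifies up to the server's trust anchor with the rest of the file as untrusted helper material, which is the same path building a server with root.crt=CA.cert performs. File names CA.cert and chain.cert follow the post; the function names and the openssl invocations are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or from PostgreSQL): validate a libpq-style
# client chain file, leaf first, then each signing authority in order.
set -u

# split_pem_bundle BUNDLE OUTDIR: write OUTDIR/cert.1.pem, cert.2.pem, ... and
# print the number of certificates found.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n ".pem" }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }
    ' "$1" 2>/dev/null
}

# cert_name subject|issuer FILE: the name in RFC 2253 form without the
# "subject="/"issuer=" prefix, so issuer and subject compare as plain strings.
cert_name() {
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*=//'
}

# chain_order_ok BUNDLE: 0 when certificate i is issued by certificate i+1 for
# every i, i.e. the file is ordered leaf -> intermediate -> ... as libpq expects.
chain_order_ok() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$tmp")
    status=1
    if [ "${count:-0}" -ge 1 ]; then
        status=0
        i=1
        while [ "$i" -lt "$count" ]; do
            next=$((i + 1))
            issuer=$(cert_name issuer "$tmp/cert.$i.pem")
            subject=$(cert_name subject "$tmp/cert.$next.pem")
            if [ "$issuer" != "$subject" ]; then
                echo "link $i -> $next broken: issuer '$issuer' != subject '$subject'" >&2
                status=1
                break
            fi
            i=$next
        done
    fi
    rm -rf "$tmp"
    return $status
}

# chain_verifies_to_root ROOT BUNDLE: verify the first certificate of BUNDLE up
# to ROOT (the server's root.crt), using the rest of BUNDLE only as untrusted
# intermediates. This is the server's view: an unknown issuer means "unknown ca".
chain_verifies_to_root() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$2" "$tmp")
    status=1
    if [ "${count:-0}" -ge 1 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$tmp/cert.1.pem" >/dev/null 2>&1
        status=$?
    fi
    rm -rf "$tmp"
    return $status
}

# check_client_chain ROOT BUNDLE: both conditions must hold. Order is checked
# separately because a reversed file (intermediate first) still "verifies":
# its first certificate is the intermediate, which chains to the root fine.
check_client_chain() {
    chain_order_ok "$2" && chain_verifies_to_root "$1" "$2"
}

if [ $# -eq 2 ]; then
    check_client_chain "$1" "$2" && echo "chain OK" || echo "chain rejected"
fi
```

Run as sh check_chain.sh CA.cert chain.cert. A file that passes both checks is in the shape the documentation asks for; if it passes here but psql still reports unknown ca, the problem is on the server side (which file ssl_ca_file actually points to, or a server that was not reloaded after the change) rather than in the chain file.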

Silently import a Certificate into a specific Certificate Store

I am attempting to import a Certificate into the Current User -> Personal store using the command line: "importpfx -f [certificate name.p12] -p [password] -t USER -s Personal".
It works, but for reasons I don't understand there are now two Personal stores under the Current User, and the imported certificate is in the new Personal store.
When I try to connect to the website of [a well-known money transfer service], it fails. However, if I manually import the certificate using MMC into the original Personal store, it works.
My question is: How can I force IMPORTPFX to import the certificate into the original Personal store, and how can I delete the new Personal store?
Context:
I need to do a silent import of certificates on 3000+ remote point-of-sale Windows XP devices, so it needs to be a silent install via PSEXEC (SysInternals).
Thank you. Pieter.
“Personal” is just the friendly name of the certificate store, which is internally identified as My. You need to use:
importpfx -f [certificate name.p12] -p [password] -t USER -s My