> At this point, I changed from a htauthority.tmpl to a .htauthority file
> in akenti-docs directory. In .htauthority file,
> "UserIdCertificateAuthority "
> D/CN=IDCG-CA"
> Should I change /O and /OU /C=US/O=Lawrence Berkeley National
> Laboratory/OU=ICS like this, "/O=Syracuse
> University/OU=NPAC" ?

Do you have your own CA and LDAP server set up? Assuming that you do not,
you can use ours. But that means keeping all the CA references set to
/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD.

> When I was running "UseCondition.sh" which includes the AkentiGen
> directory, some error messages are displayed like this,
> Reading Configuration Settings ...
> No port
> ResAttributesParser.openURL() ERROR: unable to set up
> "http://osprey3.npac.syr.edu:8008/.resattributes" for reading
> Error getting resource attributes file at original location
> Will attempt to read from proxy
> Exception occurred during event dispatching:
> java.lang.NullPointerException
> at
> LBL.akenti.ucGen.UseCondCertificate.LDAPconfigure(UseCondCertificate.java:2530)

The "No port" error is OK. The missing .resattributes file is fatal. There is
an akenti-logs/resattributes.tmpl file that needs to be installed. I added
the following section to the Administrator's Guide right after the bit about
the Policy File (which I also improved a bit):

Resource Definition Files

The UseCondition and Attribute Certificate generator applications need some
information about the resource for which they are generating certificates.
This information is stored in a file named .resattributes. There is also a
template for this file in the Akenti distribution in
akenti-docs/resattributes.tmpl. This file specifies a list of CAs, the
attributes they can define, and the host name of their LDAP server; a list
of attributes, values and who can issue attribute certificates for them; and
a list of actions that can be defined for the resource.

The resattributes.tmpl should be copied and renamed to .resattributes during
Akenti setup and edited to reflect your CAs, users and resources.

> > Have you gotten that far and does AkentiLog show you completing the
> > COLLECT_POLICY phase?
>
> No, AkentiLog file has not included any data, byte size 0.

You might see something of value in the access_log_cert or ssl_log. The SSL
part of the web server has to accept your certificate before Akenti even
gets called. The first thing Akenti will do is try to read the Akenti.conf
file. I think if that fails it may just return failure. It then looks for
the .htauthority file, but it should log a message COLLECTING_POLICY in
AkentiLog first. Be sure logging is set to file or server (and the AKMon
server is running). Oh, also look in error_log if you can't find anything
else. Previous versions of Apache used to put messages written to stdout
into the console log, but I think they are now directed to error_log.

> > What ID are you using as a signing authority? At the moment it needs to
> > be a separate ID from your standard user one, and needs to be blessed by
> > our CA and entered into our LDAP server. I am currently working on
> > fixing all this so that you can just use the one ID cert I already
> > issued you.
>
> You mean that my personal certificate you already gave me is used as a
> signing authority. I want you to explain it more.

This won't work yet for some reason that I am currently trying to find and
fix. You must use GenKeyandRequest.sh to generate a certificate request for
a different CN (say Choonyan Youn-signer), submit the request to me (how to
do this is documented in the Stakeholder's Guide). I will sign it and enter
it in our LDAP. You then use this identity/key to sign UseConditions and
specify this CN as the UseConditionCAandIssuer in the .htauthority. Note
that in the example file I use "Mary R. Thompson-sa" as the
UseConditionIssuer while my standard identity is "Mary R. Thompson".

Mary
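The checks Mary walks through above (Akenti.conf read first, .htauthority and .resattributes present, an empty AkentiLog pointing you at ssl_log, access_log_cert and error_log, and the template-to-.resattributes copy) can be scripted. The script below is an added example written for this page; it is not part of the Akenti distribution or of this thread. It assumes a single configuration directory holding Akenti.conf, .htauthority and .resattributes with the template under akenti-docs/ inside it, a single web-server log directory, and the LBL CA DN from the reply; the function names akenti_check_setup and akenti_install_resattributes are made up here.

```shell
#!/bin/sh
# Added example, not Akenti's own code. Assumptions: CONF_DIR holds
# Akenti.conf, .htauthority, .resattributes and akenti-docs/resattributes.tmpl;
# LOG_DIR holds AkentiLog and the Apache logs named in the thread.

# CA DN to keep when using LBL's CA and LDAP server (quoted from the reply).
LBL_CA_DN='/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD'

# akenti_check_setup CONF_DIR LOG_DIR
# Returns 0 when nothing fatal was found, 1 otherwise. Findings go to stderr.
akenti_check_setup() {
    conf_dir=$1
    log_dir=$2
    fatal=0

    # Akenti reads Akenti.conf first; if that fails it just returns failure.
    if [ ! -f "$conf_dir/Akenti.conf" ]; then
        echo "FATAL: $conf_dir/Akenti.conf missing" >&2
        fatal=1
    fi

    # .htauthority is the policy file (copied and edited from htauthority.tmpl).
    if [ ! -f "$conf_dir/.htauthority" ]; then
        echo "FATAL: $conf_dir/.htauthority missing" >&2
        fatal=1
    elif ! grep -q -F "$LBL_CA_DN" "$conf_dir/.htauthority"; then
        # Warning only: a site running its own CA will legitimately differ.
        echo "WARNING: .htauthority does not reference $LBL_CA_DN" >&2
    fi

    # A missing .resattributes is fatal for the UseCondition/Attribute generators.
    if [ ! -f "$conf_dir/.resattributes" ]; then
        echo "FATAL: $conf_dir/.resattributes missing" >&2
        if [ -f "$conf_dir/akenti-docs/resattributes.tmpl" ]; then
            echo "  hint: copy akenti-docs/resattributes.tmpl to .resattributes and edit it" >&2
        fi
        fatal=1
    fi

    # Empty AkentiLog: SSL may have rejected the client cert before Akenti ran,
    # or logging is not set to file/server. Point at the logs written earlier.
    if [ ! -s "$log_dir/AkentiLog" ]; then
        echo "WARNING: $log_dir/AkentiLog is empty or missing; check:" >&2
        for f in ssl_log access_log_cert error_log; do
            [ -f "$log_dir/$f" ] && echo "  $log_dir/$f" >&2
        done
    fi

    return $fatal
}

# akenti_install_resattributes TMPL DEST
# Copies the template into place as .resattributes, never overwriting a file
# that is already there (it may hold site-specific CAs, users and actions).
akenti_install_resattributes() {
    tmpl=$1
    dest=$2
    if [ -f "$dest" ]; then
        echo "$dest already exists; leaving it alone" >&2
        return 0
    fi
    if [ ! -f "$tmpl" ]; then
        echo "template $tmpl not found" >&2
        return 1
    fi
    cp "$tmpl" "$dest" && chmod 600 "$dest" || return 1
    echo "installed $dest from $tmpl; edit it for your CAs, users and actions" >&2
}

# Usage: sh akenti-check.sh CONF_DIR LOG_DIR
if [ "$#" -eq 2 ]; then
    akenti_check_setup "$1" "$2"
fi
```

Run it against the directory that holds .htauthority and the web server's log directory; a non-zero exit means one of the fatal files is missing, while the warnings only tell you where to look next.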