fido2
Hello, I tried running skfsclient, but there was a problem, so I am inquiring.
I tried running the skfs client, but only the HMAC mode of REST doesn't work, and I get a 401 error. The execution environment is CentOS 7. It would be great if you could let me know where the problem occurred. Please.
Pinging a server is always a good start:
java -jar skfsclient.jar P https://yourhostname:8181 1 REST HMAC 162a5684336fa6e7 7edd81de1baab6ebcc76ebe3e38f41f4
Replace yourhostname with the host name you use.
If it doesn't work, send the output lines. A good response reads as:
$ java -jar skfsclient.jar P https://fidopayme.com:8181 1 REST HMAC 162a5684336fa6e7 7edd81de1baab6ebcc76ebe3e38f41f4
Copyright (c) 2001-2021 StrongAuth, Inc. All rights reserved.
REST Ping test with HMAC
******************************************
json = {"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":""}
Calling ping @ https://fidopayme.com:8181/skfs/rest/ping
Ping test complete.
******************************************
Ping response : StrongKey, Inc. FIDO Server 4.4.0
Hostname: fidopayme.com (ServerID: 1)
Current time: Wed Apr 07 13:59:58 UTC 2021
Up since: Wed Apr 07 08:39:57 UTC 2021
FIDO Server Domain 1 is alive!
Hello. I tried your solution, and the ping succeeded. And I found the difference: the difference is the DID. The first attempt entered DID 1, but the program failed. I don't know what DID means, so please tell me the meaning of DID. Thank you.
Hello, @ruya123456. The only way to debug systems like this is to provide the input and output, as in my example. DID is probably domain ID.
Hi Ruya,
As Anders mentions, showing the input and output of your attempt always provides more information to help resolve the issue.
Anders is also correct about DID being "Domain ID". The domain in this context is not an Active Directory or DNS domain, but something that we have created in our solutions: a cryptographic domain.
Our Tellaro appliance (https://www.strongkey.com/products/software/tokenization-and-encryption) has the concept of allowing many (hundreds of) cryptographic domains to be used for key management for a variety of use cases, such as using a:
- Unique domain for each application
- Unique domain for each regulation (GDPR, PSD2, PCI-DSS, etc.)
- Unique domain for each department within a company
- Unique domain for each merchant (for payment processing)
- Etc.
The cryptographic domain paradigm in our appliance allows us to create a unique Domain Master Key for each domain (which is protected by the Appliance Master Key in a FIPS-certified cryptographic hardware module), and have millions of cryptographic keys protected by the Domain Master Key. In this manner, we can use HSMs (or inexpensive FIPS-certified devices such as a TPM) to manage billions of keys on less expensive hardware devices than network-attached HSMs.
Since the FIDO Server was originally designed to work within the Tellaro appliance (for security reasons), the cryptographic domain paradigm had to be preserved to minimize code maintenance.
When we enabled the FIDO Server to work in a VM, we removed the dependency on TPM/HSM keys, but retained the DID concept so others can use a single FIDO server for use cases similar to those described earlier.
Hope that helps.
Ok, so I have the same problem, but I cannot follow the instructions to fix it...
(all passwords are default)
I can get the Ping just fine but get an "Invalid user: fidoadminuser" error. My assumption is that the username is right but the password is not? I also assumed the default password is Abcd1234! The README.md file really does not help change or detail the (many) passwords used in the system.
[strongkey@fido2 skfsclient]$ java -Djavax.net.ssl.trustStore=/usr/local/strongkey/payara5/glassfish/domains/domain1/config/cacerts.jks -jar skfsclient.jar P https://fido2.*****.com:8181 1 REST HMAC 162a5684336fa6e7 7edd81de1baab6ebcc76ebe3e38f41f4
Copyright (c) 2001-2021 StrongAuth, Inc. All rights reserved.
REST Ping test with HMAC
******************************************
json = {"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":""}
Calling ping @ https://fido2.*****.com:8181/skfs/rest/ping
Ping test complete.
******************************************
Ping response : StrongKey, Inc. FIDO Server 4.4.3
Hostname: fido2.*****.com (ServerID: 1)
Current time: Fri Nov 19 16:41:48 UTC 2021
Up since: Fri Nov 19 03:07:02 UTC 2021
FIDO Server Domain 1 is alive!
Done with Ping!
[strongkey@fido2 skfsclient]$
Yay, a PING, but....
[strongkey@fido2 skfsclient]$ java -Djavax.net.ssl.trustStore=/usr/local/strongkey/payara5/glassfish/domains/domain1/config/cacerts.jks -jar skfsclient.jar GP https://fido2.******.com:8181 1 REST PASSWORD fidoadminuser Abcd1234! false 1 1
Copyright (c) 2001-2021 StrongAuth, Inc. All rights reserved.
REST Get policy test with PASSWORD
*******************************
Calling getpolicyinfo @ https://fido2.*****.com:8181/skfs/rest/getpolicy
Error during getpolicysinfo : 400 FIDO-ERR-0003: Error during calling web service: {0}SKCEWS-ERR-3055: Invalid user: fidoadminuser
Done with get policy!
[strongkey@fido2 skfsclient]$