HP Comware 5 Debug Manual Vol 3

ManualsBrandsHP ManualsNetwork HardwareHP HSR6804 Router Chassis

211

212

213

214

215

216

217

218

219

220

attribute group '1'. Check the next attribute.

*0.38011540 Sysname PKI/7/PKI_Debug:PKI_Certificate: the attribute 2 Match in

attribute group '1'. Check the next attribute.

*0.38011706 Sysname PKI/7/PKI_Debug:PKI_Certificate: the attribute 3 Match in

attribute group '1'. Check the next attribute.

*0.38011860 Sysname PKI/7/PKI_Debug:PKI_Certificate: Match the rule id: 2, ac

tion: permit in access control policy '2'. Access Permit

// The client certificate passed the client certificate validation after failing to match Attribute 1 but

successfully matching the second rule in the policy.

# Enable PKI certificate retrieval debugging. When a local certificate is requested after a CA certificate

is retrieved, output similar to the following example is generated:

<Sysname> debugging pki retrieval

[Sysname] pki retrieval-certificate ca domain crt

Retrieving CA/RA certificates. Please wait a while......

*0.507125 Sysname PKI/7/PKI_Debug:Host: 4.4.4.133

// The host IP address of the CA server is 4.4.4.133.

*0.507141 Sysname PKI/7/PKI_Debug:Port: 446

// The port number of the SCEP protocol is 446.

*0.507141 Sysname PKI/7/PKI_Debug:Path: 6953bf7fb5b1cf514376243ce67ebed1209c292a

// The output shoes the path of the CA server.

*0.507157 Sysname PKI/7/PKI_Debug:HTTP request message is: GET

/6953bf7fb5b1cf514376243ce67ebed1209c292a/pkiclient.exe?operation=GetCACert&message=r

sa HTTP/1.0

// The content of the HTTP request message is "getting the CA certificate".

*0.507157 Sysname PKI/7/PKI_Debug:Start to send message...........

*0.507157 Sysname PKI/7/PKI_Debug:SCEP send message:IP = 0x85040404

// The PKI module sent a packet to the CA through SCEP.

The trusted CA's finger print is:

MD5 fingerprint:8FDC C669 7A95 5505 8C0A 8633 818D A0A1

SHA1 fingerprint:8CCD 07AD 6C9A 229B 3378 2430 F038 A142 D175 190E

// The certificate fingerprint of the CA was calculated by using the hash algorithm.

Is the finger print correct?(Y/N):

*0.507250 Sysname PKI/7/PKI_Debug:SCEP receive message: Server returned status code 200

// The PKI module received a status code from the CA server through SCEP, which means OK.

*0.507266 Sysname PKI/7/PKI_Debug:Get CA certificates: received 1 certificates.

//The PKI module received the CA certificate through SCEP.

Before pressing ENTER you must choose 'YES' or 'NO'[Y/N]:y

Saving CA/RA certificates chain, please wait a moment......

CA certificates retrieval success.

[Sysname]

%Aug 8 11:23:55:250 2006 Sysname PKI/4/Verify_CA_Root_Cert:CA root certificate of the

domain crt is trusted.

// The CA root certificate of PKI domain crt is trusted.

212