<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
    <title></title>
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 09/28/2011 03:33 AM, Adam Young wrote:
    <blockquote cite="mid:4E827957.4080606@redhat.com" type="cite">
      After talking with the PKI developer that is fixing this, I found
      out that one other file needs to be modified:<br>
      <p> /var/lib/pki-ca/conf/CS.cfg </p>
      <p> http.port=8080 <br>
        https.port=8443 </p>
      <br>
      On 09/27/2011 07:55 PM, Adam Young wrote:
      <blockquote cite="mid:4E826272.7050100@redhat.com" type="cite">
        <div class="comment">
          <p>Siggi,<br>
          </p>
          <p>This is my comment in the ticket: <a
              moz-do-not-send="true" class="moz-txt-link-freetext"
              href="https://fedorahosted.org/freeipa/ticket/1889">https://fedorahosted.org/freeipa/ticket/1889</a><br>
          </p>
          <p>We are working on a tool in the PKI project that will
            perform these steps in an automated fashion.<br>
          </p>
          <p>There are three files that need to be addressed. </p>
          <p> On the tomcat side, the files are in the Tomcat instance
            managed by IPA in /var/lib/pki-ca. The first is </p>
          <p> /var/lib/pki-ca/conf/server.xml </p>
          <p> It needs the addition: </p>
          <p> + &lt;Connector port="9447" protocol="AJP/1.3"
            redirectPort="9444" /&gt; </p>
          <p> You can place it around line 281, above the comment for
            the line &lt;Engine name="Catalina"
            defaultHost="localhost"&gt; </p>
          <p> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml </p>
          <p> For each of the filter entries it needs the code addition
            below: </p>
          <blockquote>
            <p> &lt;init-param&gt; </p>
            <blockquote>
              <p> &lt;param-name&gt;proxy_port&lt;/param-name&gt;
                &lt;param-value&gt;443&lt;/param-value&gt; </p>
            </blockquote>
            <p> &lt;/init-param&gt; </p>
          </blockquote>
          <p> + &lt;init-param&gt; +
            &lt;param-name&gt;proxy_port&lt;/param-name&gt; +
            &lt;param-value&gt;443&lt;/param-value&gt; +
            &lt;/init-param&gt; </p>
          <blockquote>
            <p> &lt;init-param&gt; </p>
            <blockquote>
              <p> &lt;param-name&gt;active&lt;/param-name&gt;
                &lt;param-value&gt;true&lt;/param-value&gt; </p>
            </blockquote>
            <p> &lt;/init-param&gt; </p>
          </blockquote>
          <blockquote>
            <p> &lt;/filter&gt; </p>
          </blockquote>
          <p> The third change is creating a symlink to
            /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d </p>
        </div>
        <br>
        <br>
      </blockquote>
    </blockquote>
    <br>
    Sorry for the late reply. <br>
    <br>
    I have performed the modifications you've suggested to
    /var/lib/pki-ca/conf/server.xml, and 
    /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.<br>
    <br>
    In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
    http.port=8080 and https.port=8443.<br>
    <br>
    I could not find the file /etc/pki-ca/proxy.conf. I did find
    /usr/share/pki/ca/conf/proxy.conf; I copied this into
    /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT]
    with localhost:9447.<br>
    <br>
    Then I restarted ipa: $ ipactl restart<br>
    <br>
    I get a different error now, same error msg both in webui and cli:<br>
    ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO)
    An I/O error occurred during security authorization.<br>
    <br>
    What do you suggest doing next? :)<br>
    <br>
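    <p>Added example, not part of the original thread and not PKI or IPA project code: a Python check of the four edits discussed above (AJP connector in server.xml, proxy_port on every filter in web.xml, the CS.cfg ports, and leftover [PKI_...] template tokens in proxy.conf). The sample file contents, the filter names and the ProxyPassMatch line are constructed for illustration; on a real host, read the files from the paths named in the thread.</p>

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not copied from a real IPA host); filter names are hypothetical.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
  <Engine name="Catalina" defaultHost="localhost" />
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter><filter-name>filter-a</filter-name>
    <init-param><param-name>proxy_port</param-name><param-value>443</param-value></init-param>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter><filter-name>filter-b</filter-name>
    <init-param><param-name>active</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""
CS_CFG = "http.port=8080\nhttps.port=8443\n"
PROXY_CONF = "ProxyPassMatch ^/ca ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]\n"

def local(tag):
    """Drop an XML namespace prefix such as '{uri}filter'."""
    return tag.rsplit("}", 1)[-1]

def ajp_connectors(server_xml):
    """Return (port, redirectPort) for every AJP/1.3 Connector."""
    return [(e.get("port"), e.get("redirectPort"))
            for e in ET.fromstring(server_xml).iter()
            if local(e.tag) == "Connector" and e.get("protocol") == "AJP/1.3"]

def filters_missing_proxy_port(web_xml, expected="443"):
    """Return names of filters that lack proxy_port=expected."""
    missing = []
    for flt in (e for e in ET.fromstring(web_xml).iter() if local(e.tag) == "filter"):
        name = next((c.text.strip() for c in flt if local(c.tag) == "filter-name"), "?")
        params = {}
        for ip in (c for c in flt if local(c.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
        if params.get("proxy_port") != expected:
            missing.append(name)
    return missing

def cs_cfg_ports(text):
    """Parse key=value lines and return (http.port, https.port)."""
    kv = dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return kv.get("http.port"), kv.get("https.port")

def unresolved_placeholders(proxy_conf):
    """Return [PKI_...] template tokens still present in proxy.conf."""
    return re.findall(r"\[PKI_[A-Z_]+\]", proxy_conf)
```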
  </body>
</html>