[Freeipa-users] IDM/ipa slow login

Jakub Hrozek jhrozek at redhat.com
Thu Aug 13 11:05:30 UTC 2015


On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> In the logs, there are lots of warnings concerning the pki tomcat server:
> 
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP
> Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting
> system-pki\x2dtomcatd.slice.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice
> system-pki\x2dtomcatd.slice.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat
> Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server
> pki-tomcat...
> Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server
> pki-tomcat.
> Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used:
> /usr/bin/java
> Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used:
> org.apache.catalina.startup.Bootstrap
> Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used:
> -DRESTEASY_LIB=/usr/share/java/resteasy-base
> Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> -Djav
> Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'enableOCSP' to 'false' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find
> a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
> matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspCacheSize' to '1000' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspTimeout' to '10' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'strictCiphers' to 'true' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
> property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ssl2Ciphers' to
> '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ssl3Ciphers' to
> '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'tlsCiphers' to
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
> did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find
> a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did
> not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
> property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslRangeCiphers' to
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlValidation' to 'false' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlNamespaceAware' to 'false' did not find a matching property.
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> ProtocolHandler ["http-bio-8080"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> ProtocolHandler ["http-bio-8443"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.catalina.startup.Catalina load
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization
> processed in 995 ms
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.catalina.core.StandardService startInternal
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service
> Catalina
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.catalina.core.StandardEngine startInternal
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet
> Engine: Apache Tomcat/7.0.54
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> Aug 13 09:51:59 lead.bioinf.local server[5213]:
> SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> Aug 13 09:51:59 lead.bioinf.local server[5213]:
> SSLAuthenticatorWithFallback: Setting container
> Aug 13 09:52:01 lead.bioinf.local server[5213]:
> SSLAuthenticatorWithFallback: Initializing authenticators
> Aug 13 09:52:01 lead.bioinf.local server[5213]:
> SSLAuthenticatorWithFallback: Starting authenticators
> Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has
> finished in 13,391 ms
> Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.jasper.EmbeddedServletOptions <init>
> Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir you
> specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has
> finished in 2,683 ms
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> ProtocolHandler ["http-bio-8080"]
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> ProtocolHandler ["http-bio-8443"]
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> org.apache.catalina.startup.Catalina start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in
> 17320 ms
> 
> May this be related to my slow login problem?

I don't think so. You really need to look into the sssd domain log and
check which requests (getAccountInfo) take the longest.
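
One way to do the check suggested above, as an added example that is not part of the original message or of SSSD itself: it pairs each getAccountInfo request with the next completion line in the domain log and ranks the requests by elapsed time. Assumptions: debug logging is enabled for the domain, the lines follow the `be_get_account_info` / `acctinfo_callback` layout shown in the constructed sample, and requests complete in the order they arrive.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample lines (not taken from the thread), modelled on the
# assumed layout "(timestamp) [sssd[be[domain]]] [function] (level): message".
SAMPLE_LOG = """\
(Thu Aug 13 09:40:01 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=alice]
(Thu Aug 13 09:40:01 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Aug 13 09:40:05 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=alice]
(Thu Aug 13 09:40:19 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Aug 13 09:40:20 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=staff]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[[^ ]+\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$"
)
REQUEST_PREFIX = "Got request for "


def slowest_requests(log_text, top=5):
    """Return (slowest, unanswered).

    slowest    -- list of (seconds, request) sorted longest first
    unanswered -- requests with no completion line yet (possible hang)
    Pairing is first-in, first-out, which is an approximation when the
    back end works on several requests at once.
    """
    pending = deque()
    finished = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and unrelated output
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["func"] == "be_get_account_info" and m["msg"].startswith(REQUEST_PREFIX):
            pending.append((when, m["msg"][len(REQUEST_PREFIX):]))
        elif m["func"] == "acctinfo_callback" and "Request processed" in m["msg"] and pending:
            start, request = pending.popleft()
            finished.append(((when - start).total_seconds(), request))
    finished.sort(key=lambda item: -item[0])
    return finished[:top], [request for _, request in pending]


if __name__ == "__main__":
    slow, unanswered = slowest_requests(SAMPLE_LOG)
    for seconds, request in slow:
        print(f"{seconds:6.0f}s  {request}")
    print("no reply yet:", unanswered)
```

On a real system, feed it the contents of the domain log under `/var/log/sssd/` instead of `SAMPLE_LOG`.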



