From chumsol at mail.ru Tue May 5 15:43:34 2009
From: chumsol at mail.ru (Чумазик Соляркин)
Date: Tue, 05 May 2009 19:43:34 +0400
Subject: [Pki-users] end user interface
Message-ID:

Hello

fc10
dogtag
fds 1.2

New CA (self-signed, etc)

When I'm trying to access RA (https://hostname:12888) I get an error about SSL auth, but I do not have any cert yet, I'm a new user. Is that normal?
If I use the RA cert (generated for me at installation time) I can login and perform some actions (request for user, server cert, etc).

(I'm a noob, so just a link to the chapter in the documentation is ok for me :))

From kchamart at redhat.com Tue May 5 16:38:37 2009
From: kchamart at redhat.com (kashyap chamarthy)
Date: Tue, 05 May 2009 22:08:37 +0530
Subject: [Pki-users] end user interface
In-Reply-To:
References:
Message-ID: <4A006B8D.5000309@redhat.com>

Чумазик Соляркин wrote:
> Hello
>
> fc10
> dogtag
> fds 1.2
>
> New CA (self-signed, etc)
>
> When I'm trying to access RA (https://hostname:12888) I get an error about SSL auth, but I do not have any cert yet, I'm a new user. Is that normal?
> If I use the RA cert (generated for me at installation time) I can login and perform some actions (request for user, server cert, etc).
>
hi,

to access RA via the unsecure port (12888), we need to use - http://hostname:12888 (not https)

to access RA via the secure port (12889) - https://hostname:12889 should do

hope that helps,
--kashyap

> (I'm a noob, so just a link to the chapter in the documentation is ok for me :))
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From mmercier at gmail.com Wed May 20 17:54:12 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 20 May 2009 13:54:12 -0400
Subject: [pki-users] Error cloning CA
Message-ID: <4959d1510905201054u118a8937x449ca5fdb6454ab0@mail.gmail.com>

Hello,

I am attempting to do some testing with the Fedora PKI and Dogtag systems and have run into an issue.

My setup is as follows:

Server-1 - Running fedora-ds and dogtag (dogtag uses the local fedora-ds LDAP server for storage)
Server-2 - Running the same

Server-2 is acting as an LDAP replica for Server-1 (o=NetscapeRoot and the primary dc are replicated; this *seems* to work fine... I can create an entry on Server-1 and it will show up on Server-2).

On Server-1, I installed Dogtag 1.1.0 (via yum) and set up a CA - again everything *seems* to work fine. On Server-2 I then attempted to clone the CA from Server-1.
Things go well until I get to the screen to specify where the backend is located. For the backend, I use the fedora-ds server located on Server-2; I enter my credentials and then it seems to hang.
In /var/log/dirsrv/slapd-TEST/error on Server-2 I see some error messages I can't seem to find any reference to:

info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc='; entry ou=certificaterepository,ou=ca,dc= may not be added to database yet (this message shows up numerous times)
info: entrydn not indexed on 'ou=ca,ou=requests,dc='; entry ou=ca,ou=requests,dc= may not be added to database yet (this message shows up numerous times)
NSMMReplicationPlugin - agmt="cn=cloneAgreement1-server-2-pki-ca" (service-2:389): Replica has a different generation ID than the local data

I managed to get around the replication problem by (and this is probably not the correct course of action):
1. Deleted the replication agreement on both systems
2. Exported the CA database on Server-1 and imported it into Server-2
3. Recreated the replication agreement

This allowed me to finally get past the screen listed above (where the LDAP credentials have to be entered) but I still see this error on Server-2:
Replica has a different generation ID than the local data

And on Server-1:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=: 1

Is there a reason that the installation is not correctly setting up the LDAP database and replication agreement?
Are there steps I have missed? I followed the directions in the RedHat Certificate Server Admin Guide.
Does this have something to do with replicating o=NetscapeRoot?

Thanks,
Mike

From msauton at redhat.com Wed May 20 18:43:53 2009
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 20 May 2009 11:43:53 -0700
Subject: [pki-users] Error cloning CA
In-Reply-To: <4959d1510905201054u118a8937x449ca5fdb6454ab0@mail.gmail.com>
References: <4959d1510905201054u118a8937x449ca5fdb6454ab0@mail.gmail.com>
Message-ID: <4A144F69.8080000@redhat.com>

It should just work fine.
Is it possible for some reason your Server-1's dse.ldif had a nsDS5ReplicaHost: localhost instead of Server-2?
This is different from replicating o=NetscapeRoot, and was for your dc=
M.

From mmercier at gmail.com Wed May 20 19:17:07 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 20 May 2009 15:17:07 -0400
Subject: [pki-users] Error cloning CA
In-Reply-To: <4A144F69.8080000@redhat.com>
References: <4959d1510905201054u118a8937x449ca5fdb6454ab0@mail.gmail.com> <4A144F69.8080000@redhat.com>
Message-ID: <4959d1510905201217q1c1276dawdc153189eed0979b@mail.gmail.com>

Hi,

I (once again) recreated the replication agreement; after initializing the agreement things seemed to go fine. I double checked the dse.ldif on both ends and all replication agreements point to the correct place.

I now see (on both ends) the following message:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=: 1

Any ideas, or should I post this to the directory-users list?

Thanks,
Mike

On Wed, May 20, 2009 at 2:43 PM, Marc Sauton wrote:
> It should just work fine.
> Is it possible for some reason your Server-1's dse.ldif had a
> nsDS5ReplicaHost: localhost instead of Server-2?
> This is different from replicating o=NetscapeRoot, and was for your dc=
> M.

From mmercier at gmail.com Thu May 21 16:29:42 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 12:29:42 -0400
Subject: [Pki-users] Errors installing PKI Clone / chicken or egg question
Message-ID: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>

Hello,

Note: I have cross posted this because it seems to be related to both applications.

The steps I have taken:

1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
   a) yum install fedora-ds
   b) setup replication agreement for
      i) o=NetscapeRoot
      ii) userRoot
Everything at this point seems to be fine.

4. on service-1 yum install pki-ca
   a) run through setup screens
      i) Create new security domain
      ii) Configure this Instance as a New CA Subsystem
      iii) Make this a Self-Signed Root CA within this new PKI hierarchy
      iv) use 'localhost' for internal database
      v) use defaults for rest of screen (exporting pkcs12)
   b) pki-ca looks like it is running fine

5. on service-2 yum install pki-ca
   a) run through setup screens
      i) Join an Existing Security Domain (pointing to service-1:9444)
      ii) type username / password
      iii) chose to clone a system (only one option in drop down for service-1)
      iv) import keys
      v) use 'localhost' for internal database

At this point, the installation seems to hang... (see /var/log/pki-ca/debug for what it is waiting for)

Should I not be using 'localhost' for the internal database?

An additional question:

When running through the setup for dogtag, you have the option of using SSL for communication. What if you want to use your dogtag CA (which you are setting up) to sign the LDAP certificate?

I have the following in my logs:

Service-1:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)

Service-2:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInValidCertsNotBefore-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allNonRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidOrRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica has a different generation ID than the local data.

/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!
Thanks,
Mike

From msauton at redhat.com Thu May 21 17:06:44 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 21 May 2009 10:06:44 -0700
Subject: [Pki-users] Re: [389-users] Errors installing PKI Clone / chicken or egg question
In-Reply-To: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>
References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>
Message-ID: <4A158A24.1060707@redhat.com>

Mike Mercier wrote:
> Hello,
>
> Note: I have cross posted this because it seems to be related to both
> applications.
>
> The steps I have taken:
>
> 1. Install fedora 10 on 2 servers (service-1, service-2)
> 2. run yum update on both systems
> 3. on service-1 and service-2
>    a) yum install fedora-ds
>    b) setup replication agreement for
>       i) o=NetscapeRoot
>       ii) userRoot
> Everything at this point seems to be fine.
>
> 4. on service-1 yum install pki-ca
>    a) run through setup screens
>       i) Create new security domain
>       ii) Configure this Instance as a New CA Subsystem
>       iii) Make this a Self-Signed Root CA within this new PKI hierarchy
>       iv) use 'localhost' for internal database
>       v) use defaults for rest of screen (exporting pkcs12)
>    b) pki-ca looks like it is running fine
>
> 5. on service-2 yum install pki-ca
>    a) run through setup screens
>       i) Join an Existing Security Domain (pointing to service-1:9444)
>       ii) type username / password
>       iii) chose to clone a system (only one option in drop down for service-1)
>       iv) import keys
>       v) use 'localhost' for internal database
>
> At this point, the installation seems to hang... (see
> /var/log/pki-ca/debug for what it is waiting for)
>
> Should I not be using 'localhost' for the internal database?
>
I would not; that was likely the first issue you encountered, when replication could not be initialized by the Dogtag web configuration wizard.

> An additional question:
>
> When running through the setup for dogtag, you have the option of
> using SSL for communication. What if you want to use your dogtag CA
> (which you are setting up) to sign the LDAP certificate?
>
The web configuration wizard creates all the necessary certificates and keys, as well as all the replication agreements.
Assuming the nsDS5ReplicaHost is not localhost, you may have hit a regression with Bugzilla 454032, with modified status, for RHCS 8.0, which should also be in Dogtag; what exact version are you using? (may want to check if you have this fix)
In that case, a possible workaround would be to not select SSL in the Dogtag web configuration wizard, and then later configure SSL replication either manually or using the Directory Server console.

> I have the following in my logs:
>
> Service-1:
> /var/log/dirsrv/slapd-TEST/errors
> [21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> [21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> [21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:30 -0400] - info: entrydn not indexed on > 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may > not be added to the database yet. > [21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing. > [21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - > agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica > has a different generation ID than the local data. > > /var/log/pki-ca/debug - this is what shows up continuously > [21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel > comparetAndWaitEntries checking ou=people,dc=pki-ca > [21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel > comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait! > > Thanks, > Mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From mmercier at gmail.com Thu May 21 17:21:28 2009 From: mmercier at gmail.com (Mike Mercier) Date: Thu, 21 May 2009 13:21:28 -0400 Subject: [Pki-users] Re: [389-users] Errors installing PKI Clone / chicken or egg question In-Reply-To: <4A158A24.1060707@redhat.com> References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com> <4A158A24.1060707@redhat.com> Message-ID: <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com> Hello, I am running: [root at service-1 ~]# rpm -qa|grep pki pki-selinux-1.1.0-1.fc10.noarch pki-java-tools-1.1.0-1.fc10.noarch pki-native-tools-1.1.0-1.fc10.x86_64 dogtag-pki-ca-ui-1.1.0-1.fc10.noarch pki-setup-1.1.0-1.fc10.noarch dogtag-pki-common-ui-1.1.0-1.fc10.noarch pki-common-1.1.0-1.fc10.noarch pki-util-1.1.0-1.fc10.noarch pki-ca-1.1.0-1.fc10.noarch Looking at the dse.ldif file, it shows that the replication server in *not* localhost, service-1 shows service-2 and server-2 shows service-1 I am going to retry the install using the fqdn of the local machine as the internal database on each system. 
Thanks,
Mike

On Thu, May 21, 2009 at 1:06 PM, Marc Sauton wrote:
> I would not, that was likely the first issue you encountered when
> replication could not be initialized by the Dogtag web configuration wizard.
>>
>> An additional question:
>>
>> When running through the setup for dogtag, you have the option of
>> using ssl for communication. What if you want to use your dogtag CA
>> (which you are setting up) to sign the ldap certificate?
>>
>
> The web configuration wizard creates all the necessary certificates and
> keys, as well as all the replication agreements.
> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
> regression with Bugzilla 454032 (status modified, for RHCS 8.0), which
> should also be in Dogtag. What exact version are you using? (You may want to
> check if you have this fix.)
> In that case, a possible workaround would be to not select SSL in the
> Dogtag web configuration wizard, and then later configure SSL replication
> either manually or using the Directory Server console.

From mmercier at gmail.com Thu May 21 17:31:37 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 13:31:37 -0400
Subject: [Pki-users] Re: [389-users] Errors installing PKI Clone / chicken or egg question
In-Reply-To: <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com>
References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com> <4A158A24.1060707@redhat.com> <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com>
Message-ID: <4959d1510905211031o89df0f4y84d4150caf015783@mail.gmail.com>

Hello,

Re-installing the application using the fqdn of the system instead of 'localhost' has resolved the problem I was seeing.
Thanks for the help,
Mike

On Thu, May 21, 2009 at 1:21 PM, Mike Mercier wrote:
> Hello,
>
> I am running:
>
> [root at service-1 ~]# rpm -qa|grep pki
> pki-selinux-1.1.0-1.fc10.noarch
> pki-java-tools-1.1.0-1.fc10.noarch
> pki-native-tools-1.1.0-1.fc10.x86_64
> dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
> pki-setup-1.1.0-1.fc10.noarch
> dogtag-pki-common-ui-1.1.0-1.fc10.noarch
> pki-common-1.1.0-1.fc10.noarch
> pki-util-1.1.0-1.fc10.noarch
> pki-ca-1.1.0-1.fc10.noarch
>
> Looking at the dse.ldif file, it shows that the replication server is
> *not* localhost:
> service-1 shows service-2 and server-2 shows service-1.
>
> I am going to retry the install using the fqdn of the local machine as
> the internal database on each system.
>
> Thanks,
> Mike
>
> On Thu, May 21, 2009 at 1:06 PM, Marc Sauton wrote:
>
>> I would not, that was likely the first issue you encountered when
>> replication could not be initialized by the Dogtag web configuration wizard.
>>>
>>> An additional question:
>>>
>>> When running through the setup for dogtag, you have the option of
>>> using ssl for communication. What if you want to use your dogtag CA
>>> (which you are setting up) to sign the ldap certificate?
>>>
>>
>> The web configuration wizard creates all the necessary certificates and
>> keys, as well as all the replication agreements.
>> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
>> regression with Bugzilla 454032 (status modified, for RHCS 8.0), which
>> should also be in Dogtag. What exact version are you using? (You may want to
>> check if you have this fix.)
>> In that case, a possible workaround would be to not select SSL in the
>> Dogtag web configuration wizard, and then later configure SSL replication
>> either manually or using the Directory Server console.
>

From mmercier at gmail.com Thu May 21 18:24:19 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 14:24:19 -0400
Subject: [Pki-users] General Cloning Question
Message-ID: <4959d1510905211124ib72ee1fy8841fbddbb9a2edf@mail.gmail.com>

Hello,

I am in the process of setting up a dogtag system with cloning.

I have the following up and running:

CA (on server service-1), KRA, OCSP, RA, TKS, and TPS

I have already cloned the CA (on server service-2) and have a question about which security domain to join when cloning the rest of the subsystems.
Should the clones of the other subsystems join the primary domain (service-1) or the cloned domain (service-2)?

Thanks,
Mike

From msauton at redhat.com Thu May 21 19:02:11 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 21 May 2009 12:02:11 -0700
Subject: [Pki-users] General Cloning Question
In-Reply-To: <4959d1510905211124ib72ee1fy8841fbddbb9a2edf@mail.gmail.com>
References: <4959d1510905211124ib72ee1fy8841fbddbb9a2edf@mail.gmail.com>
Message-ID: <4A15A533.5070403@redhat.com>

Mike Mercier wrote:
> Hello,
>
> I am in the process of setting up a dogtag system with cloning.
>
> I have the following up and running:
>
> CA (on server service-1), KRA, OCSP, RA, TKS, and TPS
>
> I have already cloned the CA (on server service-2) and have a question
> about which security domain to join when cloning the rest of the
> subsystems.
> Should the clones of the other subsystems join the primary domain
> (service-1) or the cloned domain (service-2)?
>
> Thanks,
> Mike
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
That would be the primary domain, as there should be no such cloned domain.
The security domain is a configuration registry for the PKI services that provides much easier configuration mechanisms to connect the different subsystems' trusted relations and policies, versus having to do all those configurations manually as in older versions of the product; this helps a lot when setting up KRA, OCSP and TKS with a CA.
The cloned CA must belong to the same "security domain" as the "master" CA instance.
Although you can create and select any "security domain" you have, the cloned subsystems must belong to the same "security domain", or at least to the same "security domain" as their respective "masters" if you have several "security domains". (And each subsystem can only belong to one "security domain" at a time.)
A root CA should probably have its own "security domain".
It is fairly flexible and settings may depend on your needs.
Some doc:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration.html#Administration_Guide-Installation_and_Configuration-Deployment_Considerations
There will be updated documentation for RHCS 8.0 sometime soon.
M.

From mmercier at gmail.com Thu May 21 21:28:11 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 17:28:11 -0400
Subject: [Pki-users] Error cloning KRA
Message-ID: <4959d1510905211428l34a2cecclad3c270f215f294e@mail.gmail.com>

Hello,

I am having a problem cloning a KRA.
I get to the "Import Keys and Certificates" page, put in the filename and password (after copying the file to /var/lib/pki-kra/alias) and the page returns:

"Clone is not ready"

I see the following in /var/log/pki-kra/debug:

[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: process
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet:service() uri = /kra/admin/console/config/wizard
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet::service() param name='__password' value='(sensitive)'
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet::service() param name='path' value='pki-kra-savepkcs12'
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet::service() param name='p' value='4'
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet::service() param name='op' value='next'
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: op=next
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: size=16
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: in next 4
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel verify the PFX.
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteExistingCerts: Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel: this is the clone subsystem
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel isCertdbCloned:
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel update: clone does not have all the certificates.
[21/May/2009:16:32:09][http-10444-Processor20]: panel no=4
[21/May/2009:16:32:09][http-10444-Processor20]: panel name=restorekeys
[21/May/2009:16:32:09][http-10444-Processor20]: total number of panels=16

Any pointers?

Thanks,
Mike

From mmercier at gmail.com Mon May 25 13:36:32 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Mon, 25 May 2009 09:36:32 -0400
Subject: [Pki-users] Unable to clone pki-kra (Clone is not ready)
Message-ID: <4959d1510905250636x13f5930ds50fe3d57f791fe5a@mail.gmail.com>

Hello,

I posted a message about this last week; I will post more details here.

2 servers:

service-1: running fedora-ds and will be the prime pki system (running all subsystems)
service-2: running fedora-ds and will be the clone for all (cloneable) subsystems on service-1

[root at service-1 pki-kra]# rpm -qa|grep pki
pki-selinux-1.1.0-1.fc10.noarch
pki-kra-1.1.0-1.fc10.noarch
pki-common-1.1.0-1.fc10.noarch
pki-native-tools-1.1.0-1.fc10.x86_64
dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
pki-util-1.1.0-1.fc10.noarch
pki-ca-1.1.0-1.fc10.noarch
dogtag-pki-common-ui-1.1.0-1.fc10.noarch
pki-java-tools-1.1.0-1.fc10.noarch
dogtag-pki-kra-ui-1.1.0-1.fc10.noarch
pki-setup-1.1.0-1.fc10.noarch

I did the following steps:

1. yum install pki-ca on service-1 and create instance - success
2. yum install pki-ca on service-2, cloning instance from step 1 - success
3. yum install pki-kra on service-1 - installation seems to be successful using security domain from service-1
   Note: on the page for the login, I get "Security Domain () login" (Is this correct or should it show the security domain name between the ()?)
4. yum install pki-kra on service-2
   a) select security domain from service-1
   b) join security domain on service-1:9444
   c) select to clone domain from step 3
      When clicking next on this screen, service-1 /var/log/pki-kra/debug shows:
      [25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:service() uri = /kra/ee/kra/getTokenInfo
      [25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet: kraGetTokenInfo start to service.
      [25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet: curDate=Mon May 25 09:19:31 EDT 2009 id=kraGetTokenInfo time=3
      service-1 /var/log/pki-kra/localhost_access_log shows:
      192.168.0.26 - - [25/May/2009:09:19:31 -0400] "POST /kra/ee/kra/getTokenInfo HTTP/1.0" 200 565
   d) at the "Import Keys and Certificates" page, I type in the name of the file that was copied to the system and I get "Clone is not ready"

On service-2 I can run pk12util -l pki-kra-savepkcs -w and it will output the keys and shows the correct security domain.

I don't see anything new in the logs at this step anymore (not sure where the error came from in my last post).

On service-1:

[root at service-1 ~]# service pki-kra status
pki-kra (pid 8444) is running ...
    Unsecure Port       = http://service-1.internaldomain:10180/kra/ee/kra
    Secure Agent Port   = https://service-1.internaldomain:10443/kra/agent/kra
    Secure EE Port      = https://service-1.internaldomain:10444/kra/ee/kra
    Secure Admin Port   = https://service-1.internaldomain:10445/kra/services
    Secure Admin Port   = pkiconsole https://service-1.internaldomain:10445/kra
    Tomcat Port         = 10701 (for shutdown)

Thanks,
Mike
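Two of the failure signatures in this archive can be checked mechanically: a replication agreement whose nsDS5ReplicaHost points at localhost instead of the peer's FQDN (the CA clone thread, resolved by re-installing with the fqdn), and the wizard's "let's wait!" and "clone does not have all the certificates" debug lines from the CA and KRA clone threads. The following Python is an added example, not code from the list or from Dogtag; the dse.ldif fragment and its agreement DN layout are constructed, and the sample log lines are the ones quoted in the thread.

```python
"""Added example, not from the thread: two checks for a stuck Dogtag clone.
1) dse.ldif replication agreements whose nsDS5ReplicaHost is the local box
   instead of the peer's FQDN (the cause found above); 2) debug/error-log
   lines that show the wizard waiting on replication or an incomplete PKCS#12.
"""
import re

LOCAL_HOSTS = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, one dict per entry.
    Attribute names are lower-cased; base64 ('::') values stay undecoded."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.lower(), []).append(value.strip(": "))
    if current:
        entries.append(current)
    return entries


def localhost_agreements(dse_ldif):
    """DNs of nsDS5ReplicationAgreement entries that point back at this host."""
    bad = []
    for entry in parse_ldif(dse_ldif):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        host = entry.get("nsds5replicahost", [""])[0].lower()
        if "nsds5replicationagreement" in classes and host in LOCAL_HOSTS:
            bad.append(entry["dn"][0])
    return bad


# Dogtag debug format is "[date][thread]: message"; the DS error log has no thread.
DEBUG_LINE = re.compile(r"^\[[^\]]+\]\[[^\]]+\]: (?P<msg>.*)$")
SIGNALS = [  # messages quoted in this thread and what each means for the clone
    ("not found, let's wait!", "wizard waiting for an entry to replicate from the master"),
    ("clone does not have all the certificates", "PKCS#12 import lacks a subsystem cert"),
    ("Replica has a different generation ID", "consumer never initialised from the master"),
]


def triage(lines):
    """Return the log lines matching SIGNALS, each paired with its meaning."""
    findings = []
    for line in lines:
        match = DEBUG_LINE.match(line)
        msg = match.group("msg") if match else line
        for needle, meaning in SIGNALS:
            if needle in msg:
                findings.append({"line": line.strip(), "meaning": meaning})
    return findings


# Constructed dse.ldif fragment: one agreement at localhost, one at the peer FQDN.
SAMPLE_DSE = r"""dn: cn=cloneAgreement1-service-2-pki-ca,cn=replica,cn=dc\3Dpki-ca,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: localhost

dn: cn=cloneAgreement2-ok,cn=replica,cn=dc\3Dpki-ca,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: service-1.internaldomain
"""
# Lines as quoted in the thread, plus one unrelated line as a control.
SAMPLE_LOG = [
    "[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!",
    "[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel update: clone does not have all the certificates.",
    "[21/May/2009:16:32:09][http-10444-Processor20]: panel name=restorekeys",
]
```

Run `localhost_agreements` over the consumer's dse.ldif before starting the wizard, and `triage` over /var/log/pki-ca/debug or /var/log/pki-kra/debug when the wizard hangs.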