From Nicholas.Ritter at americantv.com Fri Feb 3 16:24:26 2012
From: Nicholas.Ritter at americantv.com (Ritter, Nicholas)
Date: Fri, 3 Feb 2012 10:24:26 -0600
Subject: [Pki-users] Dogtag 9 and CentOS 6 WebUI 'XXXX' issue and selinux
Message-ID: <1A99CB3964EC5648B719C84C765D0CEBD484D7@mail4.ds.atv>

Back on 1/23/12, Matt posted a response to Nathanael and Mike with a URL reference to the PKI FAQ about dogtag-pki v9 packages that come with CentOSv6 and the CA web interface problems (see https://www.redhat.com/archives/pki-users/2012-January/ms00011.html and http://pki.fedoraproject.org/wiki/PKI_Known_Issues#Miscellaneous )

My question is, has anyone been able to fix this issue using the prescribed methods (listed in the second URL above), especially when considering the desire to have it working with SELINUX?

I would like to get dogtag v9 working on centos v6.2, but not sure if it is worth the time to use non-centos packages if it serves to only cause SELinux errors. I was hoping someone could elaborate on their experiences with this.

RedHat told me they are not selling their Certificate Server product anymore because they are working on a grand identity management solution, and I can afford either anyway.

Nick

From nathanael at gnat.ca Fri Feb 3 16:31:16 2012
From: nathanael at gnat.ca (Nathanael D. Noblet)
Date: Fri, 03 Feb 2012 09:31:16 -0700
Subject: [Pki-users] Dogtag 9 and CentOS 6 WebUI 'XXXX' issue and selinux
In-Reply-To: <1A99CB3964EC5648B719C84C765D0CEBD484D7@mail4.ds.atv>
References: <1A99CB3964EC5648B719C84C765D0CEBD484D7@mail4.ds.atv>
Message-ID: <4F2C0BD4.60801@gnat.ca>

On 02/03/2012 09:24 AM, Ritter, Nicholas wrote:
> Back on 1/23/12, Matt posted a response to Nathanael and Mike with a URL
> reference to the PKI FAQ about dogtag-pki v9 packages that come with
> CentOSv6 and the CA web interface problems (see
> https://www.redhat.com/archives/pki-users/2012-January/ms00011.html and
> http://pki.fedoraproject.org/wiki/PKI_Known_Issues#Miscellaneous )
>
> My question is, has anyone been able to fix this issue using the
> prescribed methods (listed in the second URL above), especially when
> considering the desire to have it working with SELINUX?

I couldn't get it working because the required packages (dogtag*theme) aren't available. I've been toying with even using dogtag because it is so complex I'm not sure how necessary it is for our situation. I've been looking at perhaps using TinyCA2 instead. Either way I haven't decided but the complexity of the dogtag system is something I'm not yet sure if it's justified for our use case.

--
Nathanael d. Noblet
t 403.875.4613

From dan.whitmire at sonshineaccess.com Wed Feb 8 01:51:43 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Tue, 07 Feb 2012 19:51:43 -0600
Subject: [Pki-users] TKS Not Starting Correctly
Message-ID: <4F31D52F.1040405@sonshineaccess.com>

I'd really appreciate it if anyone can help with a problem I'm having with the TKS Subsystem. I have CA, RA, TKS, and TPS installed.
However, when starting the pki-tksd service I get the message that it is started [ok] but when I try to complete the configuration after install, I get:

# service pki-tksd status
pki-tks-SonshineAccess dead but subsys locked [WARNING]

Log files:
# tail /var/log/pki-tks-SonshineAccess/selftests.log
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
28141.main - [07/Feb/2012:19:23:53 CST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] TKSKnownSessionKey: TKS self test called TKSKnownSessionKey FAILED!
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.TKSKnownSessionKey running at startup FAILED

# tail /var/log/pki-tks-SonshineAccess/system
9458.main - [02/Feb/2012:21:46:46 CST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

# tail /var/log/pki-tks-SonshineAccess/debug
[07/Feb/2012:19:23:54][main]: TKSKnownSessionKey self test FAILED
[07/Feb/2012:19:23:54][main]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
[07/Feb/2012:19:23:54][main]: CMSEngine.shutdown()
[07/Feb/2012:19:23:55][main]: LogFile:In log shutdown
[07/Feb/2012:19:23:55][main]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
[07/Feb/2012:19:23:55][main]: LogFile:In log shutdown
[07/Feb/2012:19:23:55][main]: SignedAuditEventFactory: create() message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown

From dlackey at redhat.com Wed Feb 8 02:22:48 2012
From: dlackey at redhat.com (E Deon Lackey)
Date: Tue, 07 Feb 2012 20:22:48 -0600
Subject: [Pki-users] TKS Not Starting Correctly
In-Reply-To: <4F31D52F.1040405@sonshineaccess.com>
References: <4F31D52F.1040405@sonshineaccess.com>
Message-ID: <4F31DC78.7060408@redhat.com>

Hey, Dan.

It failed at the SessionKey test, so I *think* you need to create a shared secret for the TKS and TPS to use.

When you configure the TKS (go through the wizard), then the last step is #13, here:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/setting-up-others.html

That creates a shared secret key. Without it, the TKS fails to start.
Once the TKS is set up, you can set up the TPS, which are steps 17/18 here:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/setting-up-tps.html

I think. If it doesn't work, then someone with more knowledge can help you out. :)
Deon

From dan.whitmire at sonshineaccess.com Thu Feb 9 02:39:19 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Wed, 08 Feb 2012 20:39:19 -0600
Subject: [Pki-users] Pki-users Digest, Vol 47, Issue 2
In-Reply-To:
References:
Message-ID: <4F3331D7.70805@sonshineaccess.com>

I entered the command found in the documentation

# tkstool -T -d /var/lib/pki-tks-SonshineAccess/alias -n sharedSecret

Enter Password or Pin for "NSS Certificate DB":

I enter a password and it continues to ask "Enter Password or Pin for "NSS Certificate DB":" Is there something I'm doing wrong when I set up my system? Everything looks the same as the document. I don't recall having this problem when I set this up on Fedora 13. I'm using Fedora 15.

From dan.whitmire at sonshineaccess.com Tue Feb 14 02:31:42 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Mon, 13 Feb 2012 20:31:42 -0600
Subject: [Pki-users] TKS Not Starting Correctly
In-Reply-To:
References:
Message-ID: <4F39C78E.3010800@sonshineaccess.com>

On 02/08/2012 11:00 AM, pki-users-request at redhat.com wrote:
> I entered the command found in the documentation
>
> # tkstool -T -d /var/lib/pki-tks-SonshineAccess/alias -n sharedSecret
>
> Enter Password or Pin for "NSS Certificate DB":
>
> I enter a password and it continues to ask "Enter Password or Pin for
> "NSS Certificate DB":" Is there something I'm doing wrong when I set up
> my system? Everything looks the same as the document. I don't recall
> having this problem when I set this up on Fedora 13. I'm using Fedora 15.

From dlackey at redhat.com Tue Feb 14 02:48:22 2012
From: dlackey at redhat.com (E Deon Lackey)
Date: Mon, 13 Feb 2012 20:48:22 -0600
Subject: [Pki-users] TKS Not Starting Correctly
In-Reply-To: <4F39C78E.3010800@sonshineaccess.com>
References: <4F39C78E.3010800@sonshineaccess.com>
Message-ID: <4F39CB76.7010400@redhat.com>

On 2/13/2012 8:31 PM, Dan Whitmire wrote:
>> # tkstool -T -d /var/lib/pki-tks-SonshineAccess/alias -n sharedSecret
>>
>> Enter Password or Pin for "NSS Certificate DB":
>>
>> I enter a password and it continues to ask "Enter Password or Pin for
>> "NSS Certificate DB":" Is there something I'm doing wrong when I set up
>> my system? Everything looks the same as the document. I don't recall
>> having this problem when I set this up on Fedora 13. I'm using
>> Fedora 15.

The NSS cert db is cert8.db. I think the password is in /var/lib/pki-tks/password.conf in the 'internal' parameter. Just copy whatever is there, and use that at the prompt. (pki-tks is whatever your subsystem is named.)

Hope that helps.
Deon

From dan.whitmire at sonshineaccess.com Tue Feb 14 03:21:55 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Mon, 13 Feb 2012 21:21:55 -0600
Subject: [Pki-users] TKS Not Starting Correctly
In-Reply-To: <4F39CB76.7010400@redhat.com>
References: <4F39C78E.3010800@sonshineaccess.com> <4F39CB76.7010400@redhat.com>
Message-ID: <4F39D353.3010600@sonshineaccess.com>

On 02/13/2012 08:48 PM, E Deon Lackey wrote:
> tkstool -T -d /var/lib/pki-tks-SonshineAccess/alias -n sharedSecret

Thanks Deon... That seems to have resolved my problem. Now on to working out why the esc application doesn't run.
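Added example (not part of any message in this thread, and not Dogtag code): a small Python triage of the three logs posted in the "TKS Not Starting Correctly" thread above. It reports the critical self test that stopped the most recent start and separates entries written by other runs, using PID and timestamp; the line formats, the pattern names and the five-minute window are assumptions drawn from the posted excerpts.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# selftests.log and system: "<pid>.<thread> - [<time> <tz>] [<n>] [<n>] <message>"
ENTRY_RE = re.compile(
    r"^(?P<pid>\d+)\.\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] (?P<msg>.*)$")
# debug: "[<time>][<thread>]: <message>"
DEBUG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]: (?P<msg>.*)$")

# Message patterns taken from the log excerpts posted in the thread.
PATTERNS = {
    "critical-selftest": re.compile(
        r"The CRITICAL self test plugin called (\S+) running at startup FAILED"),
    "missing-property": re.compile(r"error=Property (\S+) missing value"),
    "engine-shutdown": re.compile(r"(CMSEngine\.shutdown\(\))"),
}


class Finding(NamedTuple):
    when: datetime
    pid: Optional[int]  # lines in the debug log carry no PID
    source: str         # log file the line came from
    kind: str
    detail: str


def parse_time(stamp):
    # Keep only the date/time token: the zone abbreviation ("CST") is not
    # something strptime's %Z parses portably.
    return datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")


def scan(source, text):
    """Return a Finding for each line of one log that matches a known pattern."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip()) or DEBUG_RE.match(line.strip())
        if not m:
            continue  # blank line or wrapped continuation
        pid = m.groupdict().get("pid")
        for kind, pattern in PATTERNS.items():
            hit = pattern.search(m.group("msg"))
            if hit:
                found.append(Finding(parse_time(m.group("ts")),
                                     int(pid) if pid else None,
                                     source, kind, hit.group(1)))
    return found


def triage(logs, window=timedelta(minutes=5)):
    """Return (last critical failure, findings from that start, other findings).

    Heuristic: a finding belongs to the failed start if it has the same PID,
    or, for PID-less debug lines, if it falls within `window` of the failure.
    """
    findings = sorted((f for name, text in logs.items() for f in scan(name, text)),
                      key=lambda f: f.when)
    failures = [f for f in findings if f.kind == "critical-selftest"]
    if not failures:
        return None, [], findings
    last = failures[-1]
    same_run, other_runs = [], []
    for f in findings:
        if f.pid is not None:
            in_run = f.pid == last.pid
        else:
            in_run = abs(f.when - last.when) <= window
        (same_run if in_run else other_runs).append(f)
    return last, same_run, other_runs


# Lines copied from the excerpts in the thread, one log entry per line.
SAMPLE_LOGS = {
    "selftests.log": """\
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] TKSKnownSessionKey: TKS self test called TKSKnownSessionKey FAILED!
28141.main - [07/Feb/2012:19:23:54 CST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.TKSKnownSessionKey running at startup FAILED
""",
    "system": """\
9458.main - [02/Feb/2012:21:46:46 CST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
""",
    "debug": """\
[07/Feb/2012:19:23:54][main]: TKSKnownSessionKey self test FAILED
[07/Feb/2012:19:23:54][main]: CMSEngine.shutdown()
""",
}

if __name__ == "__main__":
    last, same_run, other_runs = triage(SAMPLE_LOGS)
    print("failed start:", last.when, "pid", last.pid, last.detail)
    for f in same_run:
        print("  this start :", f.source, f.kind, f.detail)
    for f in other_runs:
        print("  other start:", f.when, "pid", f.pid, f.source, f.kind, f.detail)
```

On the posted excerpts, the `system` entry comes from a different PID and an earlier date than the failed start, so it is reported separately from the self-test failure.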
From dan.whitmire at sonshineaccess.com Tue Feb 21 02:32:30 2012
From: dan.whitmire at sonshineaccess.com (Dan Whitmire)
Date: Mon, 20 Feb 2012 20:32:30 -0600
Subject: [Pki-users] TPS Final Configuration Help Needed
Message-ID: <4F43023E.8040900@sonshineaccess.com>

An HTML attachment was scrubbed...

From alee at redhat.com Tue Feb 21 19:27:43 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 21 Feb 2012 14:27:43 -0500
Subject: [Pki-users] TPS Final Configuration Help Needed
In-Reply-To: <4F43023E.8040900@sonshineaccess.com>
References: <4F43023E.8040900@sonshineaccess.com>
Message-ID: <1329852463.3757.8.camel@aleeredhat.laptop>

I'm not entirely sure I understand why your installation requires so many manual steps. Usually, the installation wizard code does a pretty good job of creating all the relevant keys etc.

In this case, what's happening is that the TPS has contacted the CA and requested the security domain info. This info contains a list of subsystems that were added to the domain - including the TKS.

The error below tells me that the TKS subsystem was not added to the security domain. This was supposed to happen in the final panel of the TKS installation.

You could add the subsystem manually to the security domain using ldapmodify, but considering that we do not know what else failed in your TKS installation - it may be worth figuring out what went wrong there.

If you can, attach the logs for the CA and TKS subsystems, and I can take a quick look.

Ade

On Mon, 2012-02-20 at 20:32 -0600, Dan Whitmire wrote:
> When completing the final steps of configuring the TPS, I get the
> following:
> no TKS found. CA, TKS and optionally DRM must be installed prior to
> TPS installation
>
> The TKS and CA are both up and running. I checked my firewall
> settings and all ports are configured correctly. I have created the
> shared keys for both TKS and TPS. What else am I missing to complete
> the installation?
>
> I also am having problems with esc (Smart Card Manager) not running.
> Any ideas would be greatly appreciated.
>
> I'm running fedora 15.
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users