From mharmsen at redhat.com Thu Mar 15 03:23:23 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 14 Mar 2012 20:23:23 -0700
Subject: [Pki-users] Announcing 'Dogtag 10.0.0 (Alpha)'
Message-ID: <4F6160AB.2010005@redhat.com>

The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.

This release contains the following features:

1. Extension of the functionality of the DRM to store and retrieve symmetric keys and passphrases, rather than only asymmetric keys. This feature allows the DRM to be used as a secure vault-like storage for essentially any sensitive data. The data is stored using the same secure FIPS-compliant storage mechanism used to store PKI keys.

2. The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy framework. This provides an intuitive mechanism for writing clients to the interface. Both Java (using the RESTEasy client proxy framework) and Python clients have been coded. The server uses standard Java libraries to generate and parse XML or JSON input and output data.

3. Extracted authentication and authorization code from the individual servlets into a standard Tomcat authentication realm. This realm has been configured to require client certificate authentication, and is being used to secure the new DRM REST interface. In the future, this authentication realm could be extended to include other kinds of authentication (such as Kerberos). This is part of a push to refactor the code to expose the core business functionality in the servlets, while extracting the ancillary tasks (authentication, authorization, XML parsing and generation, etc.) and using standard methods and libraries to accomplish these tasks.

4. Enhanced Java subsystems so that they could connect to the internal database using a non-Directory Manager user that is authenticated using client authentication. This resolves a number of issues with LDAP operations ignoring search limits.
In addition, some changes have been made to allow integrating the Dogtag database with other systems such as IPA.

5. A new package pki-deploy contains the initial framework for a Python-based installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a Dogtag instance. This will ultimately replace the pki-setup installer/de-installer (pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent) package.

6. Much of the focus of this release was on cleaning up and modernizing the Dogtag source code.

   * Dogtag source code has been moved to git.
   * Java coding standards have been revised, and the code has been reformatted to match those standards.
   * Initially, Eclipse reported about 13000 warnings in the Dogtag code. Those have been reduced to close to 2400. This included removing dead and unused code, replacing calls to deprecated functions and replacing raw collections with type-safe generics. NOTE: These numbers currently exclude console code.
   * OSUtil is a package that has certain utilities that were not available when the Dogtag code was originally written. These utilities are now available in current standard libraries, and so this package has been eliminated entirely.
   * Improved handling of short- and long-lived threads, which allows threads to exit gracefully on shutdown.
The builds can be found at the following links:

* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/i686 - Fedora 16 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/x86_64 - Fedora 16 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/SRPMS - Fedora 16 (Source)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/i686 - Fedora 17 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/x86_64 - Fedora 17 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/SRPMS - Fedora 17 (Source)

From riccardo.brunetti at to.infn.it Tue Mar 20 10:54:47 2012
From: riccardo.brunetti at to.infn.it (Riccardo Brunetti)
Date: Tue, 20 Mar 2012 11:54:47 +0100
Subject: [Pki-users] Problem with Subject Alternative Name Extension

Dear pki-users.

I'm trying to set up a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:

    Criticality = not critical
    Type = RFC822Name
    Value = the email of the requestor.
I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:

    policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
    policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
    policyset.cmcUserCertSet.8.constraint.params.extCritical=false
    policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
    policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
    policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
    policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
    policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
    policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
    policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
    policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1

The input certificate request is generated using certutil and CMCEnroll and the command used is the following:

    certutil -R -g 2048 -s "" -7 "" -d ??

The certificate is generated, but the extension is not populated with the email address and I always get:

    Identifier: Subject Alternative Name - 2.5.29.17
        Critical: no
        Value:
            RFC822Name: $request.requestor_email$

These are the installed packages:

    pki-java-tools-9.0.18-1.fc15.noarch
    pki-selinux-9.0.18-1.fc15.noarch
    pki-setup-9.0.18-1.fc15.noarch
    pki-ca-9.0.18-1.fc15.noarch
    dogtag-pki-common-theme-9.0.10-1.fc15.noarch
    pki-symkey-9.0.18-1.fc15.x86_64
    pki-native-tools-9.0.18-1.fc15.x86_64
    dogtag-pki-ca-theme-9.0.10-1.fc15.noarch
    pki-console-9.0.5-1.fc15.noarch
    pki-util-9.0.18-1.fc15.noarch
    dogtag-pki-console-theme-9.0.10-1.fc15.noarch
    pki-common-9.0.18-1.fc15.noarch

Does anybody have some suggestion on how to solve this issue? Any input would be very appreciated.
Best Regards
Riccardo

Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti at to.infn.it

From Joshua.Roys at gtri.gatech.edu Tue Mar 20 11:29:23 2012
From: Joshua.Roys at gtri.gatech.edu (Joshua Roys)
Date: Tue, 20 Mar 2012 07:29:23 -0400
Subject: [Pki-users] Problem with Subject Alternative Name Extension
Message-ID: <4F686A13.8060801@gtri.gatech.edu>

On 03/20/2012 06:54 AM, Riccardo Brunetti wrote:
>
> Dear pki-users.
>
> I'm trying to set up a pki-ca instance to produce X509 certificates which include a Subject Alternative Name Extension with the following attributes:
>
> Criticality = not critical
> Type = RFC822Name
> Value = the email of the requestor.
>
> I'm using the Signed CMC-Authenticated User Certificate Enrollment profile and this is the relevant section of my /var/lib/pki-ca/profiles/ca/caFullCMCUserCert.cfg file:
>
> policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
> policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
> policyset.cmcUserCertSet.8.constraint.params.extCritical=false
> policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
> policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
> policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
> policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
> policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
> policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
> policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
> policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
>
> The input certificate request is generated using certutil and CMCEnroll and the command used is the following:
>
> certutil -R -g 2048 -s "" -7"" -d ??
>
> The certificate is generated, but the extension is not populated with the email address and I always get:
>
> Identifier: Subject Alternative Name - 2.5.29.17
> Critical: no
> Value:
> RFC822Name: $request.requestor_email$
>

Hello,

In short, the email is not being looked at because $request.requestor_email$ is created through the WebUI through an input box (Requestor Email). See [1] for some more variables.

You may want to configure the caFullCMCUserCert to copy all subjAltNames in the input to the output certificate using the User Supplied Extension Default (with 2.5.29.17 as the argument): "This default populates a User-Supplied Extension (2.5.29.17) to the request."

Josh

[1] http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#tab.Variables_Used_to_Populate_Certificates

From riccardo.brunetti at to.infn.it Tue Mar 20 14:27:45 2012
From: riccardo.brunetti at to.infn.it (Riccardo Brunetti)
Date: Tue, 20 Mar 2012 15:27:45 +0100
Subject: [Pki-users] Problem with Subject Alternative Name Extension
In-Reply-To: <4F686A13.8060801@gtri.gatech.edu>
References: <4F686A13.8060801@gtri.gatech.edu>
Message-ID: <6097BEF1-A97A-4FA0-AA39-31EB8B6A4A2F@to.infn.it>

Thanks Joshua for the prompt reply and answer.
I used the User Supplied Extension Default and it works.

Thank you very much again
Best Regards
Riccardo

Riccardo Brunetti
INFN-Torino
Tel: +390116707295
riccardo.brunetti at to.infn.it

From mmercier at gmail.com Wed Mar 28 17:46:29 2012
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 28 Mar 2012 13:46:29 -0400
Subject: [Pki-users] Error installing alpha 10

Hello,

I tried to set up an instance of alpha 10 without success:

    [root@localhost log]# more /etc/redhat-release
    Fedora release 16 (Verne)
    [root@localhost log]# rpm -qa|grep pki
    pki-common-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    dogtag-pki-ca-theme-10.0.0-0.1.a1.20120315T0001z.git4f7ada5.fc16.noarch
    pki-selinux-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    pki-deploy-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    pki-symkey-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.x86_64
    pki-util-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    pki-setup-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    dogtag-pki-common-theme-10.0.0-0.1.a1.20120315T0001z.git4f7ada5.fc16.noarch
    pki-native-tools-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.x86_64
    pki-ca-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch
    pki-java-tools-10.0.0-0.10.a1.20120314T2243z.git4f7ada5.fc16.noarch

    [root@localhost ~]# pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca -subsystem_type=ca -agent_secure_port=9443 \
        -ee_secure_port=9444 -ee_secure_client_auth_port=9446 \
        -admin_secure_port=9445 -unsecure_port=9180 -tomcat_server_port=9701 \
        -user=pliuser -group=pkiuser -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -verbose

I see the following errors when running the above command:

    [debug]     Attempting to add hardware security modules to system if applicable ...
    [debug]         module name: lunasa  lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
    [debug]         module name: nfast  lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
    [debug] configuring SELinux ...
    [error] Failed setting selinux context pki_ca_port_t for 9180.  Port already defined otherwise.
    [error] Failed setting selinux context pki_ca_port_t for 9701.  Port already defined otherwise.
    [error] Failed setting selinux context pki_ca_port_t for 9443.  Port already defined otherwise.
    [error] Failed setting selinux context pki_ca_port_t for 9444.  Port already defined otherwise.
    [error] Failed setting selinux context pki_ca_port_t for 9446.  Port already defined otherwise.
    [error] Failed setting selinux context pki_ca_port_t for 9445.  Port already defined otherwise.
    [debug] Selinux contexts already set. No need to run semanage.
    [debug] Running restorecon commands

    [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."

    [root@localhost log]# netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN
    tcp        0      0 localhost.localdomain:smtp  *:*                         LISTEN
    tcp        0      0 *:9830                      *:*                         LISTEN
    tcp        0      0 *:47372                     *:*                         LISTEN
    tcp        0      0 *:sunrpc                    *:*                         LISTEN
    tcp        0      0 *:ssh                       *:*                         LISTEN
    tcp        0      0 *:ipp                       *:*                         LISTEN
    tcp        0      0 *:45602                     *:*                         LISTEN
    tcp        0      0 *:sunrpc                    *:*                         LISTEN
    tcp        0      0 *:ssh                       *:*                         LISTEN
    udp        0      0 *:64440                     *:*
    udp        0      0 *:mdns                      *:*
    udp        0      0 *:42572                     *:*
    udp        0      0 *:bootpc                    *:*
    udp        0      0 *:sunrpc                    *:*
    udp        0      0 *:ntp                       *:*
    udp        0      0 *:323                       *:*
    udp        0      0 *:51643                     *:*
    udp        0      0 *:ipp                       *:*
    udp        0      0 *:entrust-kmsh              *:*
    udp        0      0 localhost.localdomain:733   *:*
    udp        0      0 *:38474                     *:*
    udp        0      0 *:sunrpc                    *:*
    udp        0      0 *:ntp                       *:*
    udp        0      0 *:323                       *:*
    udp        0      0 *:23085                     *:*
    udp        0      0 *:entrust-kmsh              *:*

Any ideas?

Note: I have already performed a pkiremove.

Thanks,
Mike

From jmagne at redhat.com Wed Mar 28 18:08:56 2012
From: jmagne at redhat.com (John Magne)
Date: Wed, 28 Mar 2012 14:08:56 -0400 (EDT)
Subject: [Pki-users] Error installing alpha 10
Message-ID: <99e19f68-48b8-4792-937f-78e97e72d183@zmail15.collab.prod.int.phx2.redhat.com>

The stuff about the hardware modules such as lunasa is expected, a non-issue.

If you could try it again and give us the output of the /var/lib/pki-ca/logs/catalina.out after the failed system command below, that would provide some clues.
From alee at redhat.com Wed Mar 28 18:12:07 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 28 Mar 2012 14:12:07 -0400
Subject: [Pki-users] Error installing alpha 10
Message-ID: <1332958328.352.10.camel@aleeredhat.laptop>

I had noticed those selinux errors in the past, but I don't think they would have prevented the server from coming up.

We'd need to look at the logs to figure out why that happened. So please try a pkicreate again, and then look at /var/log/pki-ca/catalina.out (or whatever files are under /var/log/pki-ca) and /var/log/messages.

Thanks,
Ade

From mmercier at gmail.com Wed Mar 28 18:50:35 2012
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 28 Mar 2012 14:50:35 -0400
Subject: [Pki-users] Error installing alpha 10
In-Reply-To: <1332958328.352.10.camel@aleeredhat.laptop>
References: <1332958328.352.10.camel@aleeredhat.laptop>

Hello,

On Wed, Mar 28, 2012 at 2:12 PM, Ade Lee wrote:
> I had noticed those selinux errors in the past, but I don't think they
> would have prevented the server from coming up.
>
> We'd need to look at the logs to figure out why that happened. So
> please try a pkicreate again, and then look
> at /var/log/pki-ca/catalina.out (or whatever files are
> under /var/log/pki-ca) and /var/log/messages.

    [root@localhost ~]# more /var/log/pki-ca/catalina.out
    /usr/sbin/tomcat6: line 41: /var/run/pki-ca.pid: Permission denied
    /usr/sbin/tomcat6: line 30: /var/lib/pki-ca/logs/catalina.out: Permission denied

/var/log/messages:

    Mar 28 14:34:33 localhost pkicontrol[2678]: chown: invalid group: `pliuser:pliuser'
    Mar 28 14:34:33 localhost pkicontrol[2678]: chown: invalid group: `pliuser:pliuser'
    Mar 28 14:34:33 localhost systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
    Mar 28 14:34:33 localhost systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

I seem to have done the following in my command line:

    -user=pliuser -group=pkiuser

l <-> k

Changing user to pkiuser resolved the issue.

Thanks,
Mike

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
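The Subject Alternative Name thread above (Riccardo's profile section and Josh's explanation that $request.requestor_email$ is only filled in by the web form's Requestor Email box) worked through as an added Python example; this is not Dogtag's code nor either poster's. It expands the subjAltExtPattern_0 of that policyset against a request lacking the requestor_email attribute (the CMC path) and against one that has it, and lints the resulting rfc822Name values so that a literal $request...$ left in an issued certificate is caught. Assumptions: an unexpanded variable stays as literal text (which is what Riccardo's output shows), and the request attribute dictionary and the sample e-mail address are constructed.

```python
"""Simulate how a Dogtag profile's Subject Alternative Name default expands
$request.<attr>$ patterns, and lint the result for unexpanded variables.
Added example for the pki-users thread; not Dogtag or the posters' code."""
import re

# Constructed: the policyset 8 section Riccardo posted (caFullCMCUserCert.cfg).
PROFILE_CFG = """\
policyset.cmcUserCertSet.8.constraint.class_id=extensionConstraintImpl
policyset.cmcUserCertSet.8.constraint.name=Extension Constraint
policyset.cmcUserCertSet.8.constraint.params.extCritical=false
policyset.cmcUserCertSet.8.constraint.params.extOID=2.5.29.17
policyset.cmcUserCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.cmcUserCertSet.8.default.name=Subject Alternative Name Extension Default
policyset.cmcUserCertSet.8.default.params.subjAltExtGNEnable_0=true
policyset.cmcUserCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
policyset.cmcUserCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.cmcUserCertSet.8.default.params.subjAltNameExtCritical=false
policyset.cmcUserCertSet.8.default.params.subjAltNameNumGNs=1
"""

VAR_RE = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_profile(text):
    """Return {key: value} for the non-empty, non-comment lines of a .cfg."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def profile_request_vars(cfg):
    """Set of $request.<attr>$ names the profile relies on.  An enrollment
    path that never populates them (CMC, with no 'Requestor Email' form
    box) will leave the pattern unexpanded in the issued certificate."""
    found = set()
    for value in cfg.values():
        found.update(VAR_RE.findall(value))
    return found


def san_general_names(cfg, policyset, n, request):
    """Expand subjAltExtPattern_<i> of policy <n> against request attributes.
    Assumption (matches the thread's output): a variable whose attribute is
    missing from the request stays as the literal text '$request.<attr>$'."""
    prefix = f"policyset.{policyset}.{n}.default.params."
    count = int(cfg.get(prefix + "subjAltNameNumGNs", "0"))
    names = []
    for i in range(count):
        if cfg.get(f"{prefix}subjAltExtGNEnable_{i}", "false").lower() != "true":
            continue
        pattern = cfg[f"{prefix}subjAltExtPattern_{i}"]
        value = VAR_RE.sub(lambda m: request.get(m.group(1), m.group(0)), pattern)
        names.append((cfg[f"{prefix}subjAltExtType_{i}"], value))
    return names


def lint_san(names):
    """Problems with the (type, value) general names of an issued certificate;
    an empty list means the SAN is clean."""
    problems = []
    for gn_type, value in names:
        if VAR_RE.search(value) or "$" in value:
            problems.append(f"{gn_type}: unexpanded profile variable {value!r}")
        elif gn_type == "RFC822Name" and not EMAIL_RE.match(value):
            problems.append(f"{gn_type}: not an e-mail address {value!r}")
    return problems


if __name__ == "__main__":
    cfg = parse_profile(PROFILE_CFG)
    print("profile needs request attributes:", sorted(profile_request_vars(cfg)))
    # CMC enrollment: no web form, so requestor_email is never set.
    cmc = san_general_names(cfg, "cmcUserCertSet", 8, {})
    print("CMC request :", cmc, lint_san(cmc))
    # Web-UI enrollment with the Requestor Email box filled in (constructed value).
    web = san_general_names(cfg, "cmcUserCertSet", 8, {"requestor_email": "alice@example.org"})
    print("web request :", web, lint_san(web))
```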