From cfu at redhat.com Thu Oct 2 00:00:07 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 01 Oct 2014 17:00:07 -0700
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
Message-ID: <542C9587.6080107@redhat.com>

What are your scep config values, specifically:
ca.scep.nickname
ca.scep.tokenname

Christina

On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>
> Hello,
>
> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
> set up for SCEP enrollment. But, no matter whether we try the older
> HSMs (LunaSA 4) or the newer (LunaSA 5), we cannot complete a
> successful SCEP request. The following exception occurs in the debug log:
>
> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>
> [29/Sep/2014:13:41:17][http-9180-1]:
> message=[base64-encoded PKCS#7 SCEP message omitted]
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> at java.lang.Thread.run(Thread.java:701)
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> What stands out is the line with mNickname. After restarting the
> service, with the first request, the HSM token name appears to be
> listed twice in the *mNickname* string. Interestingly, with each new
> request, the number of token names increases by one in the string,
> i.e. with the 2nd attempt, the same exception occurs but the token
> name appears three times:
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> token name: osstest'
>
> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>
> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
> Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> [... same stack trace as above ...]
>
> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
> javax.servlet.ServletException: Failed to process message in CEP
> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>
> As mentioned, the exception occurs with both versions 4 and 5 of
> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
> with SCEP enrollment.) With local tokens (no HSMs) the error does not
> occur.
>
> Any ideas how we can track this down? We definitely need to get this
> running.
>
> Best regards!
>
> William Elliott
>
> s IT Solutions
> Open System Services
> s IT Solutions AT Spardat GmbH
> A-1110 Wien, Geiselbergstraße 21 - 25
> Phone: +43 (0)5 0100 - 39376
> Fax: +43 (0)5 0100 9 - 39376
> Mobile: +43 (0)5 0100 6 - 39376
> mailto:william.elliott at s-itsolutions.at
> www.s-itsolutions.com
>
> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
> of Vienna
>
> This message and any attached files are confidential and intended
> solely for the addressee(s). Any publication, transmission or other
> use of the information by a person or entity other than the intended
> addressee is prohibited. If you receive this in error please contact
> the sender and delete the material. The sender does not accept
> liability for any errors or omissions as a result of the transmission.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From cfu at redhat.com Thu Oct 2 00:14:52 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 01 Oct 2014 17:14:52 -0700
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <542C9587.6080107@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net>
 <542C9587.6080107@redhat.com>
Message-ID: <542C98FC.3040209@redhat.com>

btw, I'm not suggesting that you need either or both config params.
Three sets of config you can try:

1. don't specify either ca.scep.nickname or ca.scep.tokenname
   (I think by default it takes the ca signing cert, if that's what you
   intend to use anyway)

2. specify nickname only, ca.scep.nickname (without the token):
   ca.scep.nickname=caSigningCert cert-pki-testca1
   (I think by default, if the nickname you specified matches that of
   the ca, it will find the token for you)

3. specify both nickname and token:
   ca.scep.nickname=caSigningCert cert-pki-testca1
   ca.scep.tokenname=osstest
   (last resort, because when you do this, it thinks it's not using the
   ca signing cert.. )

Let us know.

Christina

On 10/01/2014 05:00 PM, Christina Fu wrote:
> What are your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
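An added illustration, not code from the thread or from Dogtag: the growing token prefix William sees in mNickname ('osstest:osstest:...', then three copies) is what you get when a token-qualified NSS nickname is written back into the field that the next request qualifies again. The block below contrasts that accumulating pattern with an idempotent qualify_nickname(), and adds a small checker that counts the prefix in mNickname: debug lines so the symptom can be confirmed from a log. All class and function names are mine, and the sample log lines are constructed after the ones quoted above.

```python
import re

# Illustrative model of NSS token-qualified nicknames ("<token>:<nickname>").
# Not Dogtag's code: the names below are my own, chosen for the example.
INTERNAL_TOKENS = {"", "internal", "Internal Key Storage Token"}


def qualify_nickname(token: str, nickname: str) -> str:
    """Return '<token>:<nickname>', adding the prefix at most once.

    Certificates on the internal (software) token are addressed by bare
    nickname, so no prefix is added for it.
    """
    if token in INTERNAL_TOKENS:
        return nickname
    prefix = token + ":"
    if nickname.startswith(prefix):
        return nickname  # already qualified; a second prefix breaks the lookup
    return prefix + nickname


class AccumulatingContext:
    """Models the failure mode from the thread: the qualified name is stored
    back into the field that the next request qualifies again, so every
    request adds one more '<token>:' (one per request in this model)."""

    def __init__(self, token: str, nickname: str):
        self.token = token
        self.nickname = nickname

    def handle_request(self) -> str:
        self.nickname = self.token + ":" + self.nickname  # grows each call
        return self.nickname


class IdempotentContext:
    """Same interface, but the configured nickname is never overwritten."""

    def __init__(self, token: str, nickname: str):
        self.token = token
        self.nickname = nickname

    def handle_request(self) -> str:
        return qualify_nickname(self.token, self.nickname)


# Debug-log check: count the leading '<token>:' copies in each mNickname line.
MNICK_RE = re.compile(r"mNickname:\s*'(?P<value>[^']*)'")


def token_prefix_count(value: str, token: str) -> int:
    prefix = token + ":"
    count = 0
    while value.startswith(prefix):
        count += 1
        value = value[len(prefix):]
    return count


def prefix_counts(log_lines, token: str) -> list:
    """One entry per mNickname line, in log order."""
    counts = []
    for line in log_lines:
        m = MNICK_RE.search(line)
        if m:
            counts.append(token_prefix_count(m.group("value"), token))
    return counts


def has_accumulating_prefix(log_lines, token: str) -> bool:
    """True if any request saw more than one prefix, or the count grew."""
    counts = prefix_counts(log_lines, token)
    grew = any(b > a for a, b in zip(counts, counts[1:]))
    return grew or any(c > 1 for c in counts)


# Constructed sample lines, patterned after the debug output quoted above.
SAMPLE_DEBUG_LOG = [
    "[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'",
    "[29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'",
    "[29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception ... Certificate not found: osstest:caSigningCert cert-pki-testca1",
    "[29/Sep/2014:13:43:02][http-9180-2]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:osstest:caSigningCert cert-pki-testca1'",
]

# Constructed lines from a healthy instance: exactly one prefix every time.
HEALTHY_DEBUG_LOG = [
    "[29/Sep/2014:14:00:00][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'",
    "[29/Sep/2014:14:00:09][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'",
]


if __name__ == "__main__":
    buggy = AccumulatingContext("osstest", "caSigningCert cert-pki-testca1")
    fixed = IdempotentContext("osstest", "caSigningCert cert-pki-testca1")
    for n in range(1, 4):
        print(f"request {n}: buggy={buggy.handle_request()!r} fixed={fixed.handle_request()!r}")
    print("sample log accumulating:", has_accumulating_prefix(SAMPLE_DEBUG_LOG, "osstest"))
    print("healthy log accumulating:", has_accumulating_prefix(HEALTHY_DEBUG_LOG, "osstest"))
```

To run the checker against a real instance, feed it the lines of the CA debug log and the value of ca.scep.tokenname; a count above one on the first request after restart, or one that grows per request, reproduces what the thread describes.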
From techpkiuser at gmail.com Fri Oct 10 05:20:18 2014
From: techpkiuser at gmail.com (pki tech)
Date: Fri, 10 Oct 2014 10:50:18 +0530
Subject: [Pki-users] Renew expired OCSP system certificates
Message-ID:

Hi all,

Good day to you all.

What is the process to renew all four system certificates (SubsystemCert,
ServerCert, ocspSigningCert and AuditsigningCert) when those existing
certificates are currently expired? I can't access the pkiconsole either,
as the system is not up and running.

I have used certutil to generate the certificate requests and get them
signed by the CA. But it didn't work as expected. I believe the procedure
that I have followed for request generation, or the signing profiles used
for the generation, may have some issues.

Cheers.

Regards,
Mark

From kriteejhawar at gmail.com Fri Oct 10 11:18:30 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 10 Oct 2014 16:48:30 +0530
Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To:
References:
Message-ID:

Hello,

I am an engineer from India and I have been struggling with this for the
past 2 weeks. Request you to help me out.

*USE-CASE:*
Dogtag is the private CA for multiple services in a cluster. Trust is
established by providing the root certificate of dogtag to all the
services. What happens if dogtag crashes? All the services will have to be
given the root certificate of the new dogtag. How can we avoid this? Can we
bring up multiple instances of dogtag with a static certificate every time?

The only way I could find is by using the *external CA* option. I am
following the 2-step pkispawn process with 2 config files (deployment-1.cfg
and deployment-2.cfg). In the first step the CSR is generated. I take the
CSR and get a certificate from the external CA and place it in the required
location. The root certificate of the CA has also been placed in the
required location. Step 2 of pkispawn goes through and the ca_admin cert is
generated and signed.

However, when I make a REST call to list the certificates, I get 2
different errors: (Please note that I replicated the same steps with the
same files on 2 setups and got 2 errors)

curl -k --request GET https://localhost:9443/ca/rest/certs

*ERROR 1*
standalone="yes"?>com.netscape.certsrv.base.PKIException500Error listing certs in CertsResourceService.listCerts!

*ERROR 2*
With the same steps I also get a NullPointerException (attached logs:
null-pointer-error.txt).

When I see the status of my pki-instance after pkispawn step 2, it says
the instance is loaded and needs to be configured (attached logs:
post-pkispawn-2.txt). However, it starts using systemctl without any
errors.

I suspect I am missing some part in the configuration. Any help/pointers
would be very helpful!

Thanks
Kritee

*Attached files:*
deployment-1.txt - config file for pkispawn step 1
deployment-2.txt - config file for pkispawn step 2
pkispawn-1-log.txt - logs for pkispawn step 1
pkispawn-2-log.txt - logs for pkispawn step 2
dogtag-cert.txt - root certificate of dogtag generated by external CA
ca-admin-cert.txt - admin cert signed by dogtag
null-pointer-error.txt - null pointer exception while making a REST call to list certs
post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca' pkispawn : INFO ... assigning slots for 'pki.deployment.slot_substitution' pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution pkispawn : INFO ....... 
copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties' pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml' pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template' pkispawn : INFO ... generating 'pki.deployment.security_databases' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/key3.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db' pkispawn : INFO ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes pkispawn : INFO ....... 
executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1' pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile pkispawn : INFO ... configuring 'pki.deployment.configuration' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... constructing PKI configuration data. pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']' pkispawn : INFO ....... 
['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc'] pkispawn : INFO ....... configuring PKI configuration data. pkispawn : INFO ....... request: -----BEGIN CERTIFICATE REQUEST----- MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA +eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho= -----END CERTIFICATE REQUEST----- pkispawn : INFO ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr' pkispawn : INFO ... finalizing 'pki.deployment.finalization' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058 pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058 pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... 
rm -rf /root/.dogtag/pki-tomcat/ca pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat' ========================================================================== -----BEGIN CERTIFICATE REQUEST----- [root at dogtag-ext1 fedora]# pkispawn -s CA -f dep.cfg -v Loading deployment configuration from dep.cfg. Installing CA into /var/lib/pki/pki-tomcat. pkispawn : INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . . pkispawn : INFO ... initializing 'pki.deployment.initialization' pkispawn : INFO ....... adding GID 'pkiuser' for group '17' . . . pkispawn : INFO ....... adding UID 'pkiuser' for user '17' . . . pkispawn : ERROR ....... Selinux is disabled. Not checking port contexts pkispawn : INFO ... skip populating 'pki.deployment.infrastructure_layout' pkispawn : INFO ... skip populating 'pki.deployment.instance_layout' pkispawn : INFO ... skip populating 'pki.deployment.subsystem_layout' pkispawn : INFO ... skip populating 'pki.deployment.selinux_setup' pkispawn : INFO ... skip deploying 'pki.deployment.webapp_deployment' pkispawn : INFO ... skip assigning slots for 'pki.deployment.slot_substitution' pkispawn : INFO ... skip generating 'pki.deployment.security_databases' pkispawn : INFO ... configuring 'pki.deployment.configuration' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... 
executing 'systemctl start pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... constructing PKI configuration data. pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com Security Domain', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']' pkispawn : INFO ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc'] loading external CA signing certificate from file: '/home/fedora/dogtag.cisco.com.cer' loading external CA signing certificate chain from file: '/home/fedora/test-root-ca-2048.cer' pkispawn : INFO ....... configuring PKI configuration data. pkispawn : INFO ....... ['AtoB', '/root/.dogtag/pki-tomcat/ca_admin.cert', '/root/.dogtag/pki-tomcat/ca_admin.cert.der'] pkispawn : INFO ....... ['certutil', '-A', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-n', 'PKI Administrator', '-t', 'u,u,u', '-i', '/root/.dogtag/pki-tomcat/ca_admin.cert.der', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf'] pkispawn : INFO ....... ['pk12util', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-o', '/root/.dogtag/pki-tomcat/ca_admin_cert.p12', '-n', 'PKI Administrator', '-w', '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf', '-k', '/root/.dogtag/pki-tomcat/ca/password.conf'] pkispawn : INFO ... finalizing 'pki.deployment.finalization' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092609 pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest' pkispawn : INFO ....... 
cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092609 pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service' Job for pki-tomcatd at pki-tomcat.service canceled. pkispawn : INFO ....... rm -rf /root/.dogtag/pki-tomcat/ca pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat' ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: caadmin Administrator's PKCS #12 file: /root/.dogtag/pki-tomcat/ca_admin_cert.p12 To check the status of the subsystem: systemctl status pki-tomcatd\@pki-tomcat.service To restart the subsystem: systemctl restart pki-tomcatd\@pki-tomcat.service The URL for the subsystem is: https://dogtag-ext1.novalocal:9443/ca ========================================================================== -------------- next part -------------- [root at dogtag-ext1 fedora]# systemctl status pki-tomcatd\@pki-tomcat.service pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled) Active: inactive (dead) since Fri 2014-10-10 09:26:19 UTC; 41s ago Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS) Main PID: 24361 (code=exited, status=143) CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service Oct 10 09:21:38 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat... Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: 'pki-tomcat' must still be CONFIGURED! Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: (see /var/log/pki-tomcat-install.log) Oct 10 09:21:39 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat. 
Oct 10 09:26:09 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat. Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat... Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat... Oct 10 09:26:19 dogtag-ext1.novalocal systemd[1]: Stopped PKI Tomcat Server pki-tomcat. [root at dogtag-ext1 fedora]# systemctl start pki-tomcatd\@pki-tomcat.service [root at dogtag-ext1 fedora]# systemctl status pki-tomcatd\@pki-tomcat.service pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled) Active: active (running) since Fri 2014-10-10 09:28:18 UTC; 5s ago Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS) Process: 24616 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS) Main PID: 24784 (java) CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service ??24784 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/... Oct 10 09:28:15 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat... Oct 10 09:28:18 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat. 
-------------- next part --------------
[root@dogtag-ext1 fedora]# openssl pkcs12 -info -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F
Key Attributes: 
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItOgp54c/WGICAggA
MBQGCCqGSIb3DQMHBAjDFi6FqfuIjASCBMgvHxHvir3peQMZX7OQsbTOCHQreAIx
aIrkNZHAzLfKBOCsDmMINysCLW7bjOL8dokYtuCYlGDNYAQLLkPBbAgrqKcVDFTF
162m8qcxfiBJrlcRbnoVpFumuexayYC/WESfM8S1YpL3oY62t/h0acKeGW5GG3a/
M8od8ddnlEa2lSR/x/eiBqLDDVgpgaUVuDZtkyvRvbZzyoh8FK7obZbwjjGYqb2q
CbDLmqLkqkXVuQ0DC+u98PF0RPmQjOQ5QyyYvIKSzdqC5SXqtHZEOAOpHwGzcWoV
+a6Bn6sVtvQSVJN6tV90LUx3OE7r/WzsUAk8Juf6kU69vIg8bUbXe7cPPiKX1sMj
aO+5a/o/T6tkXMS7D1smW65TkMDEnI2XPBPPo4tmhofnng+CRdBMbzxqabZ2PYZD
rKFs3L9eK9XaPBHpIGa2RPq0vCyR8nfHtcVtgnLeFlmoRqVi6/CQCl0Yz7SMl+7R
TdVGoBYpR/EvlmfQd6PxpublMWHmrA5vq7kgz58FTwH058U4IXCgYz1qJjEZhslf
xoNd2u8pBPlSlidCX2KuS2MqF3BmlpkydT61MW/Re+h2Dn8ShNdjuFSXSDRH1W8t
XmuzmIRl1dPZTLPt3PKos3j4vrokoBJLJaX6XLD5OZ3uj0aOual540PsCZRZjeCY
4KjVVCUzwGibjfE5Wh6GJb2rP+FbOJS7hVxM0EA+MKlEZRtnxP05bl0griuUOHvL
6GDJnUO6cSecVXdLlRa0qoD3hqPNvQ02LrhuCskEZz2Ndf+tPgNIcNNlytz1sKx2
Sk/BXVjbqL3UwY9hVqp5Z9CZ7RIQLm8/YrFTaMVs796Z9GcvwElXMhC+TsfQ8QE0
86YCw8KaZchA3mvzKYWIe2mwEBF0TX1WT0/xPLdRfT6uDhbZvcu3iFOAxMwCRdXR
rFWenhCNp9oKYQJQZ/WhNYPC9Y38MNJ4CXIuGbT8B2IUqhN/26Y//8oU09HDSFxB
DB1xHKj/vi8lUiVZgZIpUcXtRwPuzAecqHUNsfcSIA6Xx1+s2GnVbTXELNMyS7jG
8ol6IPJh9JIjJ8zT7YXlDyT9AR6vBYBcEylYZqjq2IvcjvNLm3qrxMYWJMfNoxxi
B80nfNnZQkUNqlC6bFM3R9ip+7aAYZeRchpB4LcmjmeIhaXK3EMhKXsezTjfWOKE
qrSh6pFPwcMeDQwSeEk0LdCA+rq1Aazgse5RbAB/fAMh0OctE/D5UxB/VoI/NKTJ
vNc4aZp5GwADu7ydJbP3t3OTP5YkHegGkih8BUVNumDIoLWFUw/WRvfXXRdYTuPQ
z9lzl4qWES6/J/hZCLGSgFZpYxdB2At1lG20DYcdHtxdR5o10ZGIBJ2n6Eb4ol/7
kn+OVTBUbdDIixoE2c4UV5g+WvukscJ7gIW4xTgeIw48XsznHpwyt3E6J6OY1L4c
kbrBGhsJrlXfvx/BuLJUEU8hi8Rj4x20b+y2xmULilUN7/BPT6ug+9eMB8WuAa9s
RKgKBTGtBfbPLl1URG8RGD/ZmO0xYlFg80qzOQXE9ZUDiKawR3ZEAxAEJClaYSO1
KwBUUMC9XEG49SCjrmIzgoBWZlpgQkmAvlwnr7tWuIFOdzv9wScDtoK84On0Hfno
Lzo=
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F
subject=/O=cisco.com Security Domain/CN=PKI Administrator
issuer=/L=Kritee/OU=CIBU/O=Cisco Systems/CN=dogtag.cisco.com
-----BEGIN CERTIFICATE-----
MIIDqTCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBTMQ8wDQYDVQQHEwZLcml0
ZWUxDTALBgNVBAsTBENJQlUxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxGTAXBgNV
BAMTEGRvZ3RhZy5jaXNjby5jb20wHhcNMTQxMDEwMDkyNjE3WhcNMTYwOTI5MDky
NjE3WjBAMSIwIAYDVQQKExljaXNjby5jb20gU2VjdXJpdHkgRG9tYWluMRowGAYD
VQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALk6tHHrgmQSrOzTnGIWKZ/zMbry1EnoRaALSqn7Mwb38tFN+NgOqDOk
Np8DbFBfA4B7Myw0lxkRkCCnUIf4etTQ3tnZroN6hd5hKNl+GiIdtyHOI+xQ9H5e
+U48/RyLPLtaG+hQR3bNPJVJ+zGiKynwxSjrTMHoa/mJX3YkCYhKIImbkbNiBnN8
JgW3NGX9CxxdvHfcBN9jK0O+90bQuuWudZi34FQLxMLcI33cN0GfruErvyH/YgMZ
ZitwvTMUx1kOreTNv4IG4AIIs154eIg3hdugSVITg7lNiNXk8AUu2gB0QtrISjEv
nMEkey5wWypjdDmT8nwY3V7fWP7684ECAwEAAaOBmjCBlzAfBgNVHSMEGDAWgBQL
VyuTi45bmeGZ+tYuLVIktqlw+TBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGG
KWh0dHA6Ly9kb2d0YWctZXh0MS5ub3ZhbG9jYWw6OTA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
hvcNAQELBQADggEBAGxtujrjwKvyL7w4wi26uYi5+CiJUeoYt15GoVUL9KgYiT7l
l4RAvhYweClqtVl/oh9IBkYP8CpIZdQGTOm/WBz3a5HnzOkiQ5021mp57+2q4E71
BYxP2kziJ50CMD2SD27kI183NNSPxiFKaXbsww+wecOR+9eUi9RJwSwYs5YNhQbl
8+xUAmtI8umlyVxuVMg21tib71ESJSrZ7Pj40MOZLpkLf5EW6kuuQJCMCmJVUXT8
1pELwwG0q2ttzwxaKl4mN8q1Rhs0DxZ3Je/A9HyyoGpGP4dKKUlKyomQ5/JQ7yYB
zAqSGkubASTn0IErwIRkqf31ZcP8Xe62CuJECb8=
-----END CERTIFICATE-----
-------------- next part --------------
[DEFAULT]
pki_instance_name =
pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid =
pki_admin_password =
pki_backup_password =
pki_client_database_password =
pki_client_pkcs12_password =
pki_import_admin_cert = False
pki_client_admin_cert = //ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
pki_ds_hostname =
pki_ds_ldap_port =
pki_ds_bind_dn = cn=
pki_ds_password =
pki_ds_base_dn = o=
pki_security_domain_name =
pki_security_domain_password =
pki_client_pin =
pki_clone_pkcs12_password =
pki_one_time_pin =
pki_pin =
pki_token_password =
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=,o=,ou=,L=
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_csr_path=/home/fedora/ca_signing.csr
-------------- next part --------------
[DEFAULT]
pki_instance_name =
pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005

[CA]
pki_admin_uid =
pki_admin_password =
pki_backup_password =
pki_client_database_password =
pki_client_pkcs12_password =
pki_import_admin_cert = False
pki_client_admin_cert = //ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
pki_ds_hostname =
pki_ds_ldap_port =
pki_ds_bind_dn = cn=
pki_ds_password =
pki_ds_base_dn = o=
pki_security_domain_name =
pki_security_domain_password =
pki_client_pin =
pki_clone_pkcs12_password =
pki_one_time_pin =
pki_pin =
pki_token_password =
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=,o=,ou=,L=
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_ca_cert_chain_path=/home/fedora/test-root-ca-2048.cer
pki_external_ca_cert_path=/home/fedora/dogtag.cisco.com.cer
pki_external_step_two=True
-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIEFDCCAvygAwIBAgIKUZIHHgADAAAOXjANBgkqhkiG9w0BAQUFADAuMRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtURVNULVNTTC1DQTAeFw0xNDEw
MTAwOTEzMDNaFw0xNjEwMTAwOTIzMDNaMFMxDzANBgNVBAcTBktyaXRlZTEWMBQG
A1UEChMNQ2lzY28gU3lzdGVtczENMAsGA1UECxMEQ0lCVTEZMBcGA1UEAxMQZG9n
dGFnLmNpc2NvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJi4
HzcInUskeO5MFQDhqK/5BzokyUuanOH7AiTOoEA57Au5V2wul3HWCrUB7PWO/x28
0A4jGTRkv4R0URoevKmXa/6QsUmzjaGzHMzO7YY1EOXK1ICQiNbRtl2jCgUUDLaj
QHyWP0gWlRAaUc6ftAyedQ/qho8iWqtj884/qQiSzED7/60PQUhS6/CbPkBK5+4+
SUMGe5OMJGQqCsHAFYMA80N8QrSnsPjOV4I/Ts5pEIGZNUlYjwS15efIMvrpLgRw
R0l1gGPm9+DfSEJ1ta6M89O93nw/GUoB0GFrI0cQnZ4jr4Hd+4L4sg5TCGjoe/h2
qWI9ZPlQs5ioplOGayUCAwEAAaOCAQ0wggEJMB0GA1UdDgQWBBQLVyuTi45bmeGZ
+tYuLVIktqlw+TAfBgNVHSMEGDAWgBSOyU4uaEbJcL9gdzJhERmzyilLEjBKBgNV
HR8EQzBBMD+gPaA7hjlodHRwOi8vdGVzdC1zc2wtY2EuY2lzY28uY29tL2NlcnRp
ZmljYXRlcy90ZXN0LXNzbC1jYS5jcmwwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQEA
MEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3Br
aS9wb2xpY2llcy9pbmRleC5odG1sMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAnaizhTLtuAWk24gQ1eCERmzdRcU4AQux
6LTUV9iSM8UYQGZohtL4YPSq2UUG70zBZrxiXNIsdDgF7HoRte3GmcjAekT4xSL6
27W9emMLIaQARwCMN80y/S81ksDdwRPYuy3t/7QOY5fUeoxJ4OtZyq8V5f+oqmxc
ngiYlnF7B6dhxDldZ7IR4ON0v2jTaXUPQmR/In7OsQiFKpiaSTfuOuEoeFvoieeh
l0H5f32ex0HJOFm66e/GSBKKqFExJaIbzLaZSgCjLojSuqJvUj0SfnqMZDiKsfUa
Wpuv0LrsD/AcOLeD+SDa2TCG7JHrbPT7frZ+Xomx8uKYd8FbK7+zHA==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:92:07:1e:00:03:00:00:0e:5e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cisco Systems, CN=TEST-SSL-CA
        Validity
            Not Before: Oct 10 09:13:03 2014 GMT
            Not After : Oct 10 09:23:03 2016 GMT
        Subject: L=Kritee, O=Cisco Systems, OU=CIBU, CN=dogtag.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:b8:1f:37:08:9d:4b:24:78:ee:4c:15:00:e1:
                    a8:af:f9:07:3a:24:c9:4b:9a:9c:e1:fb:02:24:ce:
                    a0:40:39:ec:0b:b9:57:6c:2e:97:71:d6:0a:b5:01:
                    ec:f5:8e:ff:1d:bc:d0:0e:23:19:34:64:bf:84:74:
                    51:1a:1e:bc:a9:97:6b:fe:90:b1:49:b3:8d:a1:b3:
                    1c:cc:ce:ed:86:35:10:e5:ca:d4:80:90:88:d6:d1:
                    b6:5d:a3:0a:05:14:0c:b6:a3:40:7c:96:3f:48:16:
                    95:10:1a:51:ce:9f:b4:0c:9e:75:0f:ea:86:8f:22:
                    5a:ab:63:f3:ce:3f:a9:08:92:cc:40:fb:ff:ad:0f:
                    41:48:52:eb:f0:9b:3e:40:4a:e7:ee:3e:49:43:06:
                    7b:93:8c:24:64:2a:0a:c1:c0:15:83:00:f3:43:7c:
                    42:b4:a7:b0:f8:ce:57:82:3f:4e:ce:69:10:81:99:
                    35:49:58:8f:04:b5:e5:e7:c8:32:fa:e9:2e:04:70:
                    47:49:75:80:63:e6:f7:e0:df:48:42:75:b5:ae:8c:
                    f3:d3:bd:de:7c:3f:19:4a:01:d0:61:6b:23:47:10:
                    9d:9e:23:af:81:dd:fb:82:f8:b2:0e:53:08:68:e8:
                    7b:f8:76:a9:62:3d:64:f9:50:b3:98:a8:a6:53:86:
                    6b:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                0B:57:2B:93:8B:8E:5B:99:E1:99:FA:D6:2E:2D:52:24:B6:A9:70:F9
            X509v3 Authority Key Identifier: 
                keyid:8E:C9:4E:2E:68:46:C9:70:BF:60:77:32:61:11:19:B3:CA:29:4B:12
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://test-ssl-ca.cisco.com/certificates/test-ssl-ca.crl
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.9.21.1.1.0
                  CPS: http://www.cisco.com/security/pki/policies/index.html
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
         9d:a8:b3:85:32:ed:b8:05:a4:db:88:10:d5:e0:84:46:6c:dd:
         45:c5:38:01:0b:b1:e8:b4:d4:57:d8:92:33:c5:18:40:66:68:
         86:d2:f8:60:f4:aa:d9:45:06:ef:4c:c1:66:bc:62:5c:d2:2c:
         74:38:05:ec:7a:11:b5:ed:c6:99:c8:c0:7a:44:f8:c5:22:fa:
         db:b5:bd:7a:63:0b:21:a4:00:47:00:8c:37:cd:32:fd:2f:35:
         92:c0:dd:c1:13:d8:bb:2d:ed:ff:b4:0e:63:97:d4:7a:8c:49:
         e0:eb:59:ca:af:15:e5:ff:a8:aa:6c:5c:9e:08:98:96:71:7b:
         07:a7:61:c4:39:5d:67:b2:11:e0:e3:74:bf:68:d3:69:75:0f:
         42:64:7f:22:7e:ce:b1:08:85:2a:98:9a:49:37:ee:3a:e1:28:
         78:5b:e8:89:e7:a1:97:41:f9:7f:7d:9e:c7:41:c9:38:59:ba:
         e9:ef:c6:48:12:8a:a8:51:31:25:a2:1b:cc:b6:99:4a:00:a3:
         2e:88:d2:ba:a2:6f:52:3d:12:7e:7a:8c:64:38:8a:b1:f5:1a:
         5a:9b:af:d0:ba:ec:0f:f0:1c:38:b7:83:f9:20:da:d9:30:86:
         ec:91:eb:6c:f4:fb:7e:b6:7e:5e:89:b1:f2:e2:98:77:c1:5b:
         2b:bf:b3:1c
-------------- next part --------------
[root@dogtag-ext1 fedora]# curl -k --request GET https://localhost:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
[root@dogtag-ext1 fedora]# hostname
dogtag-ext1.novalocal
[root@dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
[DEFAULT]
[root at dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report 

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)

root cause

java.lang.NullPointerException
        com.netscape.cms.servlet.cert.CertService.<init>(CertService.java:92)
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:82)
        org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.createResource(POJOResourceFactory.java:43)
        org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:210)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.47 logs.


Apache Tomcat/7.0.47
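
Added example, not code from the thread, from Dogtag or from any of the posters: before the second pkispawn step of the external-CA procedure discussed in this thread, check that the certificate the external CA returned for the step-one CSR (the pkispawn log saves it as ca_signing.csr) actually pairs with that CSR, actually is a CA certificate, is currently valid, and verifies against the chain file you are about to hand to step two. The script uses only the openssl command line. The external root, the CSR and both signed certificates are constructed in a temporary directory as stand-ins, and the subject names, file names and validity periods are assumptions. The second run shows what you get when the external CA signed the CSR with an end-entity profile, which yields a certificate that no client will accept as an issuer.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): sanity-check the
# certificate an external CA hands back for the CA signing CSR that
# pkispawn step one wrote, before feeding it to pkispawn step two.
# Everything below is constructed with the openssl CLI; the "external CA",
# the CSR and both certificates are stand-ins for the real files.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the external root CA (assumption: a plain self-signed root).
cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = External Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/root.cnf" -keyout "$WORK/ext-ca.key" -out "$WORK/ext-ca.crt" 2>/dev/null

# Stand-in for the CSR pkispawn step one produces for the CA signing key.
cat > "$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
OU = pki-tomcat
CN = CA Signing Certificate
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/csr.cnf" -keyout "$WORK/ca_signing.key" -out "$WORK/ca_signing.csr" 2>/dev/null

# The external CA signs the CSR twice: once with a CA profile (correct) and
# once with an end-entity profile (what you get when the CSR is pushed
# through the external CA's default server-certificate template).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/ee.ext"
for profile in ca ee; do
    openssl x509 -req -in "$WORK/ca_signing.csr" -CA "$WORK/ext-ca.crt" -CAkey "$WORK/ext-ca.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/$profile.ext" \
        -out "$WORK/signed-$profile.crt" 2>/dev/null
done

# check_external_ca_cert CSR CERT CHAIN
# Returns 0 when CERT can serve as the CA signing certificate for CSR,
# 1 (with the reason on stdout) otherwise.
check_external_ca_cert() {
    csr="$1"; cert="$2"; chain="$3"

    # 1. Same public key as the CSR: otherwise the certificate will never
    #    pair with the private key sitting in the instance's NSS database.
    csr_key="$(openssl req -in "$csr" -noout -pubkey | openssl sha256)"
    cert_key="$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)"
    [ "$csr_key" = "$cert_key" ] || { echo "FAIL: public key in $cert differs from $csr"; return 1; }

    text="$(openssl x509 -in "$cert" -noout -text)"
    # 2. It must be a CA certificate ...
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "FAIL: basicConstraints is not CA:TRUE"; return 1; }
    # 3. ... that is allowed to sign certificates.
    printf '%s\n' "$text" | grep -q 'Certificate Sign' \
        || { echo "FAIL: keyUsage lacks keyCertSign"; return 1; }
    # 4. Currently valid.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate is expired"; return 1; }
    # 5. The chain file handed to step two must actually verify it.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $chain"; return 1; }

    echo "OK: $cert is a usable CA signing certificate for $csr"
}

echo "== signed with a CA profile =="
check_external_ca_cert "$WORK/ca_signing.csr" "$WORK/signed-ca.crt" "$WORK/ext-ca.crt"
echo "== signed with an end-entity profile =="
check_external_ca_cert "$WORK/ca_signing.csr" "$WORK/signed-ee.crt" "$WORK/ext-ca.crt" || true
```

Run it with sh; to use it for real, call check_external_ca_cert with the CSR from step one, the certificate the external CA returned, and the chain file you will point step two at. Each of the five checks is a condition the instance silently depends on, so a failure here is worth ruling out before reading the server's debug log.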

-------------- next part -------------- [root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v Loading deployment configuration from deployment.cfg. Installing CA into /var/lib/pki/pki-tomcat. pkispawn : INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . . pkispawn : INFO ... initializing 'pki.deployment.initialization' pkispawn : INFO ....... adding GID 'pkiuser' for group '17' . . . pkispawn : INFO ....... adding UID 'pkiuser' for user '17' . . . pkispawn : ERROR ....... Selinux is disabled. Not checking port contexts pkispawn : INFO ... populating 'pki.deployment.infrastructure_layout' pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca pkispawn : INFO ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. pkispawn : INFO ....... mkdir -p /var/lib/pki pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/ca pkispawn : INFO ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry pkispawn : INFO ... populating 'pki.deployment.instance_layout' pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat pkispawn : INFO ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat pkispawn : INFO ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/lib pkispawn : INFO ....... 
ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar pkispawn : INFO ....... 
ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/temp pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_ pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca pkispawn : INFO ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin pkispawn : INFO ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar pkispawn : INFO ....... 
ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar pkispawn : INFO ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar pkispawn : INFO ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar pkispawn : INFO ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar pkispawn : INFO ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar pkispawn : INFO ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar pkispawn : INFO ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar pkispawn : INFO ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar pkispawn : INFO ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar pkispawn : INFO ....... 
ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/alias pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs pkispawn : INFO ... populating 'pki.deployment.subsystem_layout' pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/ca pkispawn : INFO ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails' pkispawn : INFO ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles' pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile pkispawn : INFO ....... 
cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs pkispawn : INFO ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup' pkispawn : INFO ... deploying 'pki.deployment.webapp_deployment' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js' pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin' pkispawn : INFO ....... 
cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca' pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca' pkispawn : INFO ... assigning slots for 'pki.deployment.slot_substitution' pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution pkispawn : INFO ....... 
copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties' pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml' pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template' pkispawn : INFO ... generating 'pki.deployment.security_databases' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/key3.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db' pkispawn : INFO ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes pkispawn : INFO ....... 
executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1' pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile pkispawn : INFO ... configuring 'pki.deployment.configuration' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... constructing PKI configuration data. pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']' pkispawn : INFO ....... 
['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc'] pkispawn : INFO ....... configuring PKI configuration data. pkispawn : INFO ....... request: -----BEGIN CERTIFICATE REQUEST----- MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA +eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho= -----END CERTIFICATE REQUEST----- pkispawn : INFO ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr' pkispawn : INFO ... finalizing 'pki.deployment.finalization' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058 pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058 pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... 
rm -rf /root/.dogtag/pki-tomcat/ca pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat' ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: caadmin To check the status of the subsystem: systemctl status pki-tomcatd\@pki-tomcat.service To restart the subsystem: systemctl restart pki-tomcatd\@pki-tomcat.service The URL for the subsystem is: https://dogtag-ext1.novalocal:9443/ca ========================================================================== From gaiseric.vandal at gmail.com Fri Oct 10 12:43:55 2014 From: gaiseric.vandal at gmail.com (Gaiseric Vandal) Date: Fri, 10 Oct 2014 08:43:55 -0400 Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag In-Reply-To: References: Message-ID: <5437D48B.8060907@gmail.com> The CA needs to generate or sign certificates for other servers- e.g. a web server. Clients of those servers should trust the CA's certificate as the CA certificate that signs the server certificates. They don't need to communicate with the CA directly. (The exception might be if the CA is also an online certificate revocation server - but that is beyond my experience.) You should assume that your CA will eventually crash- or that you might make a configuration change or an update that you want to roll back. As with any server, you should back up the critical files. if this is a virtual machine, it makes backing up the entire machine much easier. I wouldn't imagine that the entire CA configuration and database directories are very big. On 10/10/14 07:18, kritee jhawar wrote: > > Hello, > > I am an engineer from India and I have been struggling with this for > the past 2 weeks. Request you to help me out. > > *USE-CASE: * > > Dogtag is the private CA for multiple services in a cluster. Trust is > established by providing the root certificate of dogtag to all the > services. 
What happens if dogtag crashes? All the services will have > to be given the root certificate of the new dogatg. > > How can we avoid this? > > Can we bring up multiple instances dogtag with a static certificate > every time? > > The only way I could find is by using the*external CA* option. > > I am following the 2-step pkispawn process with 2 config files > (deployment-1.cfg and deployment-2.cfg) > > In the first step the csr is generated. I take the csr and get a > certificate from the external CA and place it in the required > location. The root certificate of the CA has also been placed in the > required location. Step 2 of pkispawn goes through and the ca_admin > cert is generated and signed. > > However, when i make a REST call to list the certificates, I get 2 > different errors: > > (Please note that I replicated the same steps with same files on 2 > setups and got 2 errors) > > curl -k --request GET https://localhost:9443/ca/rest/certs > > *_ERROR 1_* > > > standalone="yes"?>com.netscape.certsrv.base.PKIException500Error listing certs in CertsResourceService.listCerts! > > *_ERROR 2_* > > With the same steps i also get a NullPointerException as well > (Attached logs - null-pointer-error.txt) > > > > When i see the status of my pki-instance after pkispawn step-2, It > says the Instance is loaded and needs to be configured. (attched logs > : post-pkispawn-2.txt) > However it starts using systemctl without any errors > > I suspect I am missing some part in the configuration. > > Any help/pointers would be very helpful! 
> > Thanks > > Kritee > > *Attached files : * > > deployment-1.txt - config file for pkispawn step 1 > > deployment-2.txt - config file for pkispawn step 2 > > pkispawn-1-log.txt - logs for pkisppawn step 1 > > pkispan-2-log.txt - logs for pkispawn step 2 > > dogtag-cert.txt - root certificate of dogtag generated by external CA > > ca-admin-cert.txt - admin cert signed by dogtag > > null-pointer-error.txt- null pointer exception while making a REST > call to list certs > > post-pkispawn-2.txt - status of pki-instance after pkispawn step 2 > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From kriteejhawar at gmail.com Sat Oct 11 04:45:34 2014 From: kriteejhawar at gmail.com (kritee jhawar) Date: Sat, 11 Oct 2014 10:15:34 +0530 Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag In-Reply-To: <5437D48B.8060907@gmail.com> References: <5437D48B.8060907@gmail.com> Message-ID: Hi Thanks for the response.I am inline with what you said, that the clients just need to trust the CA and need not communicate with it. However my clients are physical devices which will need the trust store burnt into them which is why i need to have a constant trust chain. External CA seems like the best way to go. Please let me know if you could figure out why my configuartion won't go through with the data I have provided. Regards Kritee On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal wrote: > The CA needs to generate or sign certificates for other servers- e.g. a > web server. Clients of those servers should trust the CA's certificate as > the CA certificate that signs the server certificates. They don't need to > communicate with the CA directly. (The exception might be if the CA is > also an online certificate revocation server - but that is beyond my > experience.) 
> > You should assume that your CA will eventually crash- or that you might > make a configuration change or an update that you want to roll back. As > with any server, you should back up the critical files. if this is a > virtual machine, it makes backing up the entire machine much easier. > > > I wouldn't imagine that the entire CA configuration and database > directories are very big. > > > > > > > On 10/10/14 07:18, kritee jhawar wrote: > > > Hello, > > I am an engineer from India and I have been struggling with this for the > past 2 weeks. Request you to help me out. > > *USE-CASE: * > > Dogtag is the private CA for multiple services in a cluster. Trust is > established by providing the root certificate of dogtag to all the > services. What happens if dogtag crashes? All the services will have to be > given the root certificate of the new dogatg. > > How can we avoid this? > > Can we bring up multiple instances dogtag with a static certificate every > time? > > The only way I could find is by using the* external CA* option. > > I am following the 2-step pkispawn process with 2 config files > (deployment-1.cfg and deployment-2.cfg) > > In the first step the csr is generated. I take the csr and get a > certificate from the external CA and place it in the required location. The > root certificate of the CA has also been placed in the required location. > Step 2 of pkispawn goes through and the ca_admin cert is generated and > signed. > > However, when i make a REST call to list the certificates, I get 2 > different errors: > > (Please note that I replicated the same steps with same files on 2 setups > and got 2 errors) > > curl -k --request GET https://localhost:9443/ca/rest/certs > > *ERROR 1* > > > > standalone="yes"?>com.netscape.certsrv.base.PKIException500Error > listing certs in > CertsResourceService.listCerts! 
> > > > *ERROR 2* > > With the same steps i also get a NullPointerException as well (Attached > logs - null-pointer-error.txt) > > > > When i see the status of my pki-instance after pkispawn step-2, It says > the Instance is loaded and needs to be configured. (attched logs : > post-pkispawn-2.txt) > However it starts using systemctl without any errors > > > > I suspect I am missing some part in the configuration. > > Any help/pointers would be very helpful! > > Thanks > > Kritee > > *Attached files : * > > deployment-1.txt - config file for pkispawn step 1 > > deployment-2.txt - config file for pkispawn step 2 > > pkispawn-1-log.txt - logs for pkisppawn step 1 > > pkispan-2-log.txt - logs for pkispawn step 2 > > dogtag-cert.txt - root certificate of dogtag generated by external CA > > ca-admin-cert.txt - admin cert signed by dogtag > > null-pointer-error.txt - null pointer exception while making a REST call > to list certs > > post-pkispawn-2.txt - status of pki-instance after pkispawn step 2 > > > > _______________________________________________ > Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kriteejhawar at gmail.com Mon Oct 13 17:38:27 2014 From: kriteejhawar at gmail.com (kritee jhawar) Date: Mon, 13 Oct 2014 23:08:27 +0530 Subject: [Pki-users] Fwd: [HELP NEEDED] External CA configuration for Dogtag In-Reply-To: References: <5437D48B.8060907@gmail.com> Message-ID: Hi After a little more debugging came to the conclusion that post external CA configuration there seems to be some issue with the directory service Upon making a rest call to list the certs, I get an LDAP exception with 'Bad Search Filter' message. Has anyone faced this? 
Regards
Kritee

On Sat, Oct 11, 2014 at 10:15 AM, kritee jhawar wrote:
> Hi
>
> Thanks for the response. I am in line with what you said, that the clients
> just need to trust the CA and need not communicate with it. However my
> clients are physical devices which will need the trust store burnt into
> them which is why I need to have a constant trust chain.
> External CA seems like the best way to go. Please let me know if you could
> figure out why my configuration won't go through with the data I have
> provided.
>
> Regards
> Kritee
>
> On Fri, Oct 10, 2014 at 6:13 PM, Gaiseric Vandal <
> gaiseric.vandal at gmail.com> wrote:
>
>> The CA needs to generate or sign certificates for other servers- e.g.
>> a web server. Clients of those servers should trust the CA's certificate
>> as the CA certificate that signs the server certificates. They don't need
>> to communicate with the CA directly. (The exception might be if the CA
>> is also an online certificate revocation server - but that is beyond my
>> experience.)
>>
>> You should assume that your CA will eventually crash- or that you might
>> make a configuration change or an update that you want to roll back. As
>> with any server, you should back up the critical files. If this is a
>> virtual machine, it makes backing up the entire machine much easier.
>>
>> I wouldn't imagine that the entire CA configuration and database
>> directories are very big.
>>
>> On 10/10/14 07:18, kritee jhawar wrote:
>>
>> Hello,
>>
>> I am an engineer from India and I have been struggling with this for the
>> past 2 weeks. Request you to help me out.
>>
>> *USE-CASE: *
>>
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to be
>> given the root certificate of the new dogtag.
>>
>> How can we avoid this?
>>
>> Can we bring up multiple instances dogtag with a static certificate every
>> time?
>>
>> The only way I could find is by using the *external CA* option.
>>
>> I am following the 2-step pkispawn process with 2 config files
>> (deployment-1.cfg and deployment-2.cfg)
>>
>> In the first step the csr is generated. I take the csr and get a
>> certificate from the external CA and place it in the required location. The
>> root certificate of the CA has also been placed in the required location.
>> Step 2 of pkispawn goes through and the ca_admin cert is generated and
>> signed.
>>
>> However, when I make a REST call to list the certificates, I get 2
>> different errors:
>>
>> (Please note that I replicated the same steps with same files on 2 setups
>> and got 2 errors)
>>
>> curl -k --request GET https://localhost:9443/ca/rest/certs
>>
>> *ERROR 1*
>>
>> standalone="yes"?>com.netscape.certsrv.base.PKIException500Error
>> listing certs in
>> CertsResourceService.listCerts!
>>
>> *ERROR 2*
>>
>> With the same steps I also get a NullPointerException as well (Attached
>> logs - null-pointer-error.txt)
>>
>> When I see the status of my pki-instance after pkispawn step-2, it says
>> the Instance is loaded and needs to be configured. (attached logs :
>> post-pkispawn-2.txt)
>> However it starts using systemctl without any errors
>>
>> I suspect I am missing some part in the configuration.
>>
>> Any help/pointers would be very helpful!
>>
>> Thanks
>>
>> Kritee
>>
>> *Attached files : *
>>
>> deployment-1.txt - config file for pkispawn step 1
>> deployment-2.txt - config file for pkispawn step 2
>> pkispawn-1-log.txt - logs for pkispawn step 1
>> pkispan-2-log.txt - logs for pkispawn step 2
>> dogtag-cert.txt - root certificate of dogtag generated by external CA
>> ca-admin-cert.txt - admin cert signed by dogtag
>> null-pointer-error.txt - null pointer exception while making a REST call
>> to list certs
>> post-pkispawn-2.txt - status of pki-instance after pkispawn step 2
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tjaalton at ubuntu.com Tue Oct 14 08:17:06 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Tue, 14 Oct 2014 11:17:06 +0300
Subject: [Pki-users] failure trying to install instances other than CA
Message-ID: <543CDC02.1010801@ubuntu.com>

Hi

While porting to Debian/Ubuntu I noticed this when installing a new
instance (KRA/TPS..):

Security Domain:
  Hostname [sid.tyrell]:
  Secure HTTP port [8443]:
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 586, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 268, in main
    info = parser.sd_get_info()
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py", line 465, in sd_get_info
    config.pki_log.info(
AttributeError: 'NoneType' object has no attribute 'info'

I'm no python expert, but looks like config.pki_log is still
uninitialized (pki_log = None in pkiconfig.py)? What am I missing?

--
t

From alee at redhat.com Tue Oct 14 20:53:35 2014
From: alee at redhat.com (Ade Lee)
Date: Tue, 14 Oct 2014 16:53:35 -0400
Subject: [Pki-users] failure trying to install instances other than CA
In-Reply-To: <543CDC02.1010801@ubuntu.com>
References: <543CDC02.1010801@ubuntu.com>
Message-ID: <1413320015.11430.11.camel@aleeredhat.laptop>

On Tue, 2014-10-14 at 11:17 +0300, Timo Aaltonen wrote:
> Hi
>
> While porting to Debian/Ubuntu I noticed this when installing a new
> instance (KRA/TPS..):
>
> Security Domain:
>   Hostname [sid.tyrell]:
>   Secure HTTP port [8443]:
> /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html (This warning
> will only appear once by default.)
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 586, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 268, in main
>     info = parser.sd_get_info()
>   File "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py",
> line 465, in sd_get_info
>     config.pki_log.info(
> AttributeError: 'NoneType' object has no attribute 'info'
>
> I'm no python expert, but looks like config.pki_log is still
> uninitialized (pki_log = None in pkiconfig.py)? What am I missing?
>

What this means is that the KRA attempted to contact the security domain
CA at sid.tyrell port 8443, and received an error about an unverified
HTTPS request. Is this where your security domain (CA) resides?

Are you installing the KRA in a separate instance from the CA?

Which version of dogtag are you using?

Ade

From tjaalton at ubuntu.com Wed Oct 15 10:55:57 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Wed, 15 Oct 2014 13:55:57 +0300
Subject: [Pki-users] failure trying to install instances other than CA
In-Reply-To: <1413320015.11430.11.camel@aleeredhat.laptop>
References: <543CDC02.1010801@ubuntu.com> <1413320015.11430.11.camel@aleeredhat.laptop>
Message-ID: <543E52BD.1060509@ubuntu.com>

On 14.10.2014 23:53, Ade Lee wrote:
> On Tue, 2014-10-14 at 11:17 +0300, Timo Aaltonen wrote:
>> Hi
>>
>> While porting to Debian/Ubuntu I noticed this when installing a new
>> instance (KRA/TPS..):
>>
>> Security Domain:
>>   Hostname [sid.tyrell]:
>>   Secure HTTP port [8443]:
>> /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
>> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
>> certificate verification is strongly advised. See:
>> https://urllib3.readthedocs.org/en/latest/security.html (This warning
>> will only appear once by default.)
>>   InsecureRequestWarning)
>> Traceback (most recent call last):
>>   File "/usr/sbin/pkispawn", line 586, in
>>     main(sys.argv)
>>   File "/usr/sbin/pkispawn", line 268, in main
>>     info = parser.sd_get_info()
>>   File "/usr/lib/python2.7/dist-packages/pki/server/deployment/pkiparser.py",
>> line 465, in sd_get_info
>>     config.pki_log.info(
>> AttributeError: 'NoneType' object has no attribute 'info'
>>
>> I'm no python expert, but looks like config.pki_log is still
>> uninitialized (pki_log = None in pkiconfig.py)? What am I missing?
>>
>
> What this means is that the KRA attempted to contact the security domain
> CA at sid.tyrell port 8443, and received an error about an unverified
> HTTPS request. Is this where your security domain (CA) resides?

Yep. I can access the CA ui just fine with a browser though, so it
should be up and running..

> Are you installing the KRA in a separate instance from the CA?
> Which version of dogtag are you using?

10.2.

--
t

From kriteejhawar at gmail.com Fri Oct 10 11:14:10 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 10 Oct 2014 16:44:10 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
Message-ID:

Hello,

I am an engineer from India and I have been struggling with this for the
past 2 weeks. Request you to help me out.

*USE-CASE: *

Dogtag is the private CA for multiple services in a cluster. Trust is
established by providing the root certificate of dogtag to all the
services. What happens if dogtag crashes? All the services will have to be
given the root certificate of the new dogtag.

How can we avoid this?

Can we bring up multiple instances dogtag with a static certificate every
time?

The only way I could find is by using the *external CA* option.

I am following the 2-step pkispawn process with 2 config files
(deployment-1.cfg and deployment-2.cfg)

In the first step the csr is generated. I take the csr and get a
certificate from the external CA and place it in the required location. The
root certificate of the CA has also been placed in the required location.
Step 2 of pkispawn goes through and the ca_admin cert is generated and
signed.

However, when I make a REST call to list the certificates, I get 2
different errors:

(Please note that I replicated the same steps with same files on 2 setups
and got 2 errors)

curl -k --request GET https://localhost:9443/ca/rest/certs

*ERROR 1*

standalone="yes"?>com.netscape.certsrv.base.PKIException500Error
listing certs in
CertsResourceService.listCerts!
*ERROR 2*

With the same steps I also get a NullPointerException as well (Attached
logs - null-pointer-error.txt)

When I see the status of my pki-instance after pkispawn step-2, it says
the Instance is loaded and needs to be configured. (attached logs :
post-pkispawn-2.txt)
However it starts using systemctl without any errors

I suspect I am missing some part in the configuration.

Any help/pointers would be very helpful!

Thanks

Kritee

*Attached files : *

deployment-1.txt - config file for pkispawn step 1
deployment-2.txt - config file for pkispawn step 2
pkispawn-1-log.txt - logs for pkispawn step 1
pkispan-2-log.txt - logs for pkispawn step 2
dogtag-cert.txt - root certificate of dogtag generated by external CA
ca-admin-cert.txt - admin cert signed by dogtag
null-pointer-error.txt - null pointer exception while making a REST call
to list certs
post-pkispawn-2.txt - status of pki-instance after pkispawn step 2

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

-------------- next part --------------
[root at dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn : INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn : INFO ... initializing 'pki.deployment.initialization'
pkispawn : INFO ....... adding GID 'pkiuser' for group '17' . . .
pkispawn : INFO ....... adding UID 'pkiuser' for user '17' . . .
pkispawn : ERROR ....... Selinux is disabled. Not checking port contexts
pkispawn : INFO ... populating 'pki.deployment.infrastructure_layout'
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn : INFO ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn : INFO ....... mkdir -p /var/lib/pki
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn : INFO ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn : INFO ... populating 'pki.deployment.instance_layout'
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat
pkispawn : INFO ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn : INFO ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn : INFO ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn : INFO ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn : INFO ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn : INFO ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn : INFO ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn : INFO ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn : INFO ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn : INFO ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn : INFO ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn : INFO ... populating 'pki.deployment.subsystem_layout'
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn : INFO ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn : INFO ... deploying 'pki.deployment.webapp_deployment'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn : INFO ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution
pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties'
pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml'
pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template'
pkispawn : INFO ... generating 'pki.deployment.security_databases'
pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/password.conf'
pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile'
pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf'
pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
pkispawn : INFO ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes
pkispawn : INFO ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1'
pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise
pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
pkispawn : INFO ... configuring 'pki.deployment.configuration'
pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn : INFO ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : INFO ....... request:
-----BEGIN CERTIFICATE REQUEST-----
MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D
aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK
tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA
fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK
wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e
fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI
hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik
mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA
+eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj
xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP
AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho=
-----END CERTIFICATE REQUEST-----
pkispawn : INFO ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr'
pkispawn : INFO ... finalizing 'pki.deployment.finalization'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058
pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
pkispawn : INFO ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat'
==========================================================================
-----BEGIN CERTIFICATE REQUEST-----

[root at dogtag-ext1 fedora]# pkispawn -s CA -f dep.cfg -v
Loading deployment configuration from dep.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn : INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn : INFO ... initializing 'pki.deployment.initialization'
pkispawn : INFO ....... adding GID 'pkiuser' for group '17' . . .
pkispawn : INFO ....... adding UID 'pkiuser' for user '17' . . .
pkispawn : ERROR ....... Selinux is disabled. Not checking port contexts
pkispawn : INFO ... skip populating 'pki.deployment.infrastructure_layout'
pkispawn : INFO ... skip populating 'pki.deployment.instance_layout'
pkispawn : INFO ... skip populating 'pki.deployment.subsystem_layout'
pkispawn : INFO ... skip populating 'pki.deployment.selinux_setup'
pkispawn : INFO ... skip deploying 'pki.deployment.webapp_deployment'
pkispawn : INFO ... skip assigning slots for 'pki.deployment.slot_substitution'
pkispawn : INFO ... skip generating 'pki.deployment.security_databases'
pkispawn : INFO ... configuring 'pki.deployment.configuration'
pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes
pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com Security Domain', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']'
pkispawn : INFO ....... ['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc']
loading external CA signing certificate from file: '/home/fedora/dogtag.cisco.com.cer'
loading external CA signing certificate chain from file: '/home/fedora/test-root-ca-2048.cer'
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : INFO ....... ['AtoB', '/root/.dogtag/pki-tomcat/ca_admin.cert', '/root/.dogtag/pki-tomcat/ca_admin.cert.der']
pkispawn : INFO ....... ['certutil', '-A', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-n', 'PKI Administrator', '-t', 'u,u,u', '-i', '/root/.dogtag/pki-tomcat/ca_admin.cert.der', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn : INFO ....... ['pk12util', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-o', '/root/.dogtag/pki-tomcat/ca_admin_cert.p12', '-n', 'PKI Administrator', '-w', '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf', '-k', '/root/.dogtag/pki-tomcat/ca/password.conf']
pkispawn : INFO ... finalizing 'pki.deployment.finalization'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092609
pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092609
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service'
Job for pki-tomcatd at pki-tomcat.service canceled.
pkispawn : INFO ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat'
==========================================================================
                           INSTALLATION SUMMARY
==========================================================================
      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd\@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd\@pki-tomcat.service

      The URL for the subsystem is:
            https://dogtag-ext1.novalocal:9443/ca
==========================================================================

-------------- next part --------------
[root at dogtag-ext1 fedora]# systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled)
   Active: inactive (dead) since Fri 2014-10-10 09:26:19 UTC; 41s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24361 (code=exited, status=143)
   CGroup: name=systemd:/system/pki-tomcatd at .service/pki-tomcatd at pki-tomcat.service

Oct 10 09:21:38 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: 'pki-tomcat' must still be CONFIGURED!
Oct 10 09:21:39 dogtag-ext1.novalocal pkidaemon[24193]: (see /var/log/pki-tomcat-install.log)
Oct 10 09:21:39 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:09 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:18 dogtag-ext1.novalocal systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Oct 10 09:26:19 dogtag-ext1.novalocal systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
[root@dogtag-ext1 fedora]# systemctl start pki-tomcatd\@pki-tomcat.service
[root@dogtag-ext1 fedora]# systemctl status pki-tomcatd\@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled)
   Active: active (running) since Fri 2014-10-10 09:28:18 UTC; 5s ago
  Process: 24551 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
  Process: 24616 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 24784 (java)
   CGroup: name=systemd:/system/pki-tomcatd@.service/pki-tomcatd@pki-tomcat.service
           └─24784 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/...

Oct 10 09:28:15 dogtag-ext1.novalocal systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 10 09:28:18 dogtag-ext1.novalocal systemd[1]: Started PKI Tomcat Server pki-tomcat.
-------------- next part --------------
[root@dogtag-ext1 fedora]# openssl pkcs12 -info -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
(PEM-encoded encrypted private key omitted)
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
    friendlyName: PKI Administrator
    localKeyID: 41 11 6B 4D 01 78 64 1E 77 7B 17 6F D9 B9 AC 5C F5 9B 88 3F
subject=/O=cisco.com Security Domain/CN=PKI Administrator
issuer=/L=Kritee/OU=CIBU/O=Cisco Systems/CN=dogtag.cisco.com
(PEM-encoded certificate omitted)
-------------- next part --------------
[DEFAULT]
pki_instance_name =
pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005
[CA]
pki_admin_uid =
pki_admin_password =
pki_backup_password =
pki_client_database_password =
pki_client_pkcs12_password =
pki_import_admin_cert = False
pki_client_admin_cert = //ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
pki_ds_hostname =
pki_ds_ldap_port =
pki_ds_bind_dn = cn=
pki_ds_password =
pki_ds_base_dn = o=
pki_security_domain_name =
pki_security_domain_password =
pki_client_pin =
pki_clone_pkcs12_password =
pki_one_time_pin =
pki_pin =
pki_token_password =
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=,o=,ou=,L=
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_csr_path=/home/fedora/ca_signing.csr
-------------- next part --------------
[DEFAULT]
pki_instance_name =
pki_http_port = 9080
pki_https_port = 9443
pki_ajp_port = 9009
pki_tomcat_server_port = 9005
[CA]
pki_admin_uid =
pki_admin_password =
pki_backup_password =
pki_client_database_password =
pki_client_pkcs12_password =
pki_import_admin_cert = False
pki_client_admin_cert = //ca_admin.cert
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
pki_ds_hostname =
pki_ds_ldap_port =
pki_ds_bind_dn = cn=
pki_ds_password =
pki_ds_base_dn = o=
pki_security_domain_name =
pki_security_domain_password =
pki_client_pin =
pki_clone_pkcs12_password =
pki_one_time_pin =
pki_pin =
pki_token_password =
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=,o=,ou=,L=
pki_ca_signing_token=Internal Key Storage Token
pki_external=True
pki_external_ca_cert_chain_path=/home/fedora/test-root-ca-2048.cer
pki_external_ca_cert_path=/home/fedora/dogtag.cisco.com.cer
pki_external_step_two=True
-------------- next part --------------
(PEM-encoded certificate omitted)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:92:07:1e:00:03:00:00:0e:5e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cisco Systems, CN=TEST-SSL-CA
        Validity
            Not Before: Oct 10 09:13:03 2014 GMT
            Not After : Oct 10 09:23:03 2016 GMT
        Subject: L=Kritee, O=Cisco Systems, OU=CIBU, CN=dogtag.cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (hex omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0B:57:2B:93:8B:8E:5B:99:E1:99:FA:D6:2E:2D:52:24:B6:A9:70:F9
            X509v3 Authority Key Identifier:
                keyid:8E:C9:4E:2E:68:46:C9:70:BF:60:77:32:61:11:19:B3:CA:29:4B:12
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://test-ssl-ca.cisco.com/certificates/test-ssl-ca.crl
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.9.21.1.1.0
                  CPS: http://www.cisco.com/security/pki/policies/index.html
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
         (hex omitted)
-------------- next part --------------
[root@dogtag-ext1 fedora]# curl -k --request GET https://localhost:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
[root@dogtag-ext1 fedora]# hostname
dogtag-ext1.novalocal
[root@dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report 

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
[root@dogtag-ext1 fedora]# curl -k --request GET https://dogtag-ext1.novalocal:9443/ca/rest/certs
Apache Tomcat/7.0.47 - Error report 

HTTP Status 500 - java.lang.NullPointerException


type Exception report

message java.lang.NullPointerException

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:340)
        org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:214)
        org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:190)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:540)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)

root cause

java.lang.NullPointerException
        com.netscape.cms.servlet.cert.CertService.<init>(CertService.java:92)
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:82)
        org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.createResource(POJOResourceFactory.java:43)
        org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:210)
        org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:606)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.47 logs.


Apache Tomcat/7.0.47

-------------- next part --------------
[root@dogtag-ext1 fedora]# pkispawn -s CA -f deployment.cfg -v
Loading deployment configuration from deployment.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
pkispawn : INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
pkispawn : INFO ... initializing 'pki.deployment.initialization'
pkispawn : INFO ....... adding GID 'pkiuser' for group '17' . . .
pkispawn : INFO ....... adding UID 'pkiuser' for user '17' . . .
pkispawn : ERROR ....... Selinux is disabled. Not checking port contexts
pkispawn : INFO ... populating 'pki.deployment.infrastructure_layout'
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat
pkispawn : INFO ....... mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca
pkispawn : INFO ....... cp -p /etc/pki/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn : INFO ....... mkdir -p /var/lib/pki
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/ca
pkispawn : INFO ....... ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/ca/registry
pkispawn : INFO ... populating 'pki.deployment.instance_layout'
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat
pkispawn : INFO ....... cp -rp /usr/share/pki/server/conf /etc/pki/pki-tomcat
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/etc/pki/pki-tomcat'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/common/lib
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/lib
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-ja.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-ja.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ant.jar /var/lib/pki/pki-tomcat/lib/catalina-ant.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-collections.jar /var/lib/pki/pki-tomcat/lib/commons-collections.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-tribes.jar /var/lib/pki/pki-tomcat/lib/catalina-tribes.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/annotations-api.jar /var/lib/pki/pki-tomcat/lib/annotations-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-el-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper.jar /var/lib/pki/pki-tomcat/lib/jasper.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-es.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-es.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-pool.jar /var/lib/pki/pki-tomcat/lib/commons-pool.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-juli.jar /var/lib/pki/pki-tomcat/lib/tomcat-juli.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jdbc.jar /var/lib/pki/pki-tomcat/lib/tomcat-jdbc.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-coyote.jar /var/lib/pki/pki-tomcat/lib/tomcat-coyote.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar /var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/commons-dbcp.jar /var/lib/pki/pki-tomcat/lib/commons-dbcp.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-i18n-fr.jar /var/lib/pki/pki-tomcat/lib/tomcat-i18n-fr.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/log4j.jar /var/lib/pki/pki-tomcat/lib/log4j.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-el.jar /var/lib/pki/pki-tomcat/lib/jasper-el.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/tomcat-util.jar /var/lib/pki/pki-tomcat/lib/tomcat-util.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina-ha.jar /var/lib/pki/pki-tomcat/lib/catalina-ha.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/catalina.jar /var/lib/pki/pki-tomcat/lib/catalina.jar
pkispawn : INFO ....... ln -s /usr/share/tomcat/lib/jasper-jdt.jar /var/lib/pki/pki-tomcat/lib/jasper-jdt.jar
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/log4j.properties /var/lib/pki/pki-tomcat/lib/log4j.properties
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/temp
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/_
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
pkispawn : INFO ....... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
pkispawn : INFO ....... ln -s /usr/sbin/tomcat-sysd /var/lib/pki/pki-tomcat/pki-tomcat
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-collections.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-collections.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-io.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-io.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-lang.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-lang.jar
pkispawn : INFO ....... ln -s /usr/share/java/apache-commons-logging.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-logging.jar
pkispawn : INFO ....... ln -s /usr/share/java/commons-codec.jar /var/lib/pki/pki-tomcat/common/lib/apache-commons-codec.jar
pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpclient.jar /var/lib/pki/pki-tomcat/common/lib/httpclient.jar
pkispawn : INFO ....... ln -s /usr/share/java/httpcomponents/httpcore.jar /var/lib/pki/pki-tomcat/common/lib/httpcore.jar
pkispawn : INFO ....... ln -s /usr/share/java/javassist.jar /var/lib/pki/pki-tomcat/common/lib/javassist.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/jaxrs-api.jar /var/lib/pki/pki-tomcat/common/lib/jaxrs-api.jar
pkispawn : INFO ....... ln -s /usr/share/java/jettison.jar /var/lib/pki/pki-tomcat/common/lib/jettison.jar
pkispawn : INFO ....... ln -s /usr/lib/java/jss4.jar /var/lib/pki/pki-tomcat/common/lib/jss4.jar
pkispawn : INFO ....... ln -s /usr/share/java/ldapjdk.jar /var/lib/pki/pki-tomcat/common/lib/ldapjdk.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-tomcat.jar /var/lib/pki/pki-tomcat/common/lib/pki-tomcat.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-atom-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-atom-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxb-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxb-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jaxrs.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jaxrs.jar
pkispawn : INFO ....... ln -s /usr/share/java/resteasy/resteasy-jettison-provider.jar /var/lib/pki/pki-tomcat/common/lib/resteasy-jettison-provider.jar
pkispawn : INFO ....... ln -s /usr/share/java/scannotation.jar /var/lib/pki/pki-tomcat/common/lib/scannotation.jar
pkispawn : INFO ....... ln -s /usr/share/java/tomcatjss.jar /var/lib/pki/pki-tomcat/common/lib/tomcatjss.jar
pkispawn : INFO ....... ln -s /usr/share/java/velocity.jar /var/lib/pki/pki-tomcat/common/lib/velocity.jar
pkispawn : INFO ....... ln -s /usr/share/java/xerces-j2.jar /var/lib/pki/pki-tomcat/common/lib/xerces-j2.jar
pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-apis.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-apis.jar
pkispawn : INFO ....... ln -s /usr/share/java/xml-commons-resolver.jar /var/lib/pki/pki-tomcat/common/lib/xml-commons-resolver.jar
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat /var/lib/pki/pki-tomcat/conf
pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat /var/lib/pki/pki-tomcat/logs
pkispawn : INFO ... populating 'pki.deployment.subsystem_layout'
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/archive
pkispawn : INFO ....... mkdir -p /var/log/pki/pki-tomcat/ca/signedAudit
pkispawn : INFO ....... mkdir -p /etc/pki/pki-tomcat/ca
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/emails /var/lib/pki/pki-tomcat/ca/emails
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/emails'
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/profiles /var/lib/pki/pki-tomcat/ca/profiles
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/profiles'
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/flatfile.txt /etc/pki/pki-tomcat/ca/flatfile.txt
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caAuditSigningCert.profile /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/serverCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/subsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/webapps /var/lib/pki/pki-tomcat/ca/webapps
pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
pkispawn : INFO ... selinux disabled. skipping labelling 'pki.deployment.selinux_setup'
pkispawn : INFO ... deploying 'pki.deployment.webapp_deployment'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/ROOT /var/lib/pki/pki-tomcat/webapps/ROOT
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ROOT'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/pki
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/js /var/lib/pki/pki-tomcat/webapps/pki/js
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/js'
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/META-INF /var/lib/pki/pki-tomcat/webapps/pki/META-INF
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/pki/META-INF'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca
pkispawn : INFO ....... cp -rp /usr/share/pki/server/webapps/pki/admin /var/lib/pki/pki-tomcat/webapps/ca/admin
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca/admin'
pkispawn : INFO ....... cp -rp /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps/ca
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-certsrv.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-certsrv.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsbundle.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsbundle.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmscore.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmscore.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cms.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cms.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-cmsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-cmsutil.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-nsutil.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-nsutil.jar
pkispawn : INFO ....... ln -s /usr/share/java/pki/pki-ca.jar /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/lib/pki-ca.jar
pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/webapps/ca'
pkispawn : INFO ... assigning slots for 'pki.deployment.slot_substitution'
pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/CS.cfg' --> '/etc/pki/pki-tomcat/ca/CS.cfg' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
pkispawn : INFO ....... copying '/usr/share/pki/server/conf/catalina.properties' --> '/etc/pki/pki-tomcat/catalina.properties' with slot substitution
pkispawn : INFO ....... 
copying '/usr/share/pki/server/conf/serverCertNick.conf' --> '/etc/pki/pki-tomcat/serverCertNick.conf' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/server.xml' --> '/etc/pki/pki-tomcat/server.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/context.xml' --> '/etc/pki/pki-tomcat/context.xml' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/sysconfig/pki-tomcat' with slot substitution pkispawn : INFO ....... copying '/usr/share/pki/server/conf/tomcat.conf' --> '/etc/pki/pki-tomcat/tomcat.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/velocity.properties' pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/web.xml' pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution pkispawn : INFO ....... applying in-place slot substitutions on '/var/lib/pki/pki-tomcat/webapps/ca/ee/ca/ProfileSelect.template' pkispawn : INFO ... generating 'pki.deployment.security_databases' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf' pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/key3.db' pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db' pkispawn : INFO ....... generating noise file called '/etc/pki/pki-tomcat/ca/noise' and filling it with '1024' random bytes pkispawn : INFO ....... 
executing 'certutil -S -d /etc/pki/pki-tomcat/alias -h 'internal' -n 'Server-Cert cert-pki-tomcat' -s 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -m 0 -v 12 -c 'cn=dogtag-ext1.novalocal,o=2014-10-10 09:20:58' -t 'CTu,CTu,CTu' -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x > /dev/null 2>&1' pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile pkispawn : INFO ... configuring 'pki.deployment.configuration' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf' pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... constructing PKI configuration data. pkispawn : INFO ....... generating noise file called '/root/.dogtag/pki-tomcat/ca/alias/noise' and filling it with '2048' random bytes pkispawn : INFO ....... executing '['certutil', '-R', '-d', '/root/.dogtag/pki-tomcat/ca/alias', '-s', 'cn=PKI Administrator,o=cisco.com', '-g', '2048', '-z', '/root/.dogtag/pki-tomcat/ca/alias/noise', '-f', '/root/.dogtag/pki-tomcat/ca/password.conf', '-o', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin']' pkispawn : INFO ....... 
['BtoA', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin', '/root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc'] pkispawn : INFO ....... configuring PKI configuration data. pkispawn : INFO ....... request: -----BEGIN CERTIFICATE REQUEST----- MIICmDCCAYACAQAwUzEPMA0GA1UEBxMGS3JpdGVlMQ0wCwYDVQQLEwRDSUJVMRYwFAYDVQQKEw1D aXNjbyBTeXN0ZW1zMRkwFwYDVQQDExBkb2d0YWcuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAmLgfNwidSyR47kwVAOGor/kHOiTJS5qc4fsCJM6gQDnsC7lXbC6XcdYK tQHs9Y7/HbzQDiMZNGS/hHRRGh68qZdr/pCxSbONobMczM7thjUQ5crUgJCI1tG2XaMKBRQMtqNA fJY/SBaVEBpRzp+0DJ51D+qGjyJaq2Pzzj+pCJLMQPv/rQ9BSFLr8Js+QErn7j5JQwZ7k4wkZCoK wcAVgwDzQ3xCtKew+M5Xgj9OzmkQgZk1SViPBLXl58gy+ukuBHBHSXWAY+b34N9IQnW1rozz073e fD8ZSgHQYWsjRxCdniOvgd37gviyDlMIaOh7+HapYj1k+VCzmKimU4ZrJQIDAQABoAAwDQYJKoZI hvcNAQELBQADggEBAFI5HrchG9WxTzgtCf6v21V8PFsWHEPVBr1gM+ihgiSXSp7sSmvjBvEUN+Ik mHbo4ssq+KpHWeQZmKc1tlmiF5IBoP6yiAvkHelphdqRM+DkrkMYnR8cabx4amFOEfmPBE38hLHA +eaFiVxHSorbkoZsBnSrYDz1/+5xD+4/VJrMvQiP9eRp1hG0sXjH5sLoV70LoHhO94yga0w26Gpj xkzxSrxFVFH7walY0J09rqvtGOfJ7y4Pg4hy24L0WLDux063uUjNVmRs8zmYHB5AgX2Ke1YI2XYP AHPTL9m3+wdVUuPCYVrf6njZS7CFygcG5c4W6prdu5ZcJ7cqYdSgiho= -----END CERTIFICATE REQUEST----- pkispawn : INFO ....... saving CA Signing CSR to file: '/home/fedora/ca_signing.csr' pkispawn : INFO ... finalizing 'pki.deployment.finalization' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20141010092058 pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20141010092058 pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd at pki-tomcat.service' pkispawn : INFO ....... 
pkispawn : INFO ....... rm -rf /root/.dogtag/pki-tomcat/ca
pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat'

==========================================================================
                            INSTALLATION SUMMARY
==========================================================================

      Administrator's username:             caadmin

      To check the status of the subsystem:
        systemctl status pki-tomcatd\@pki-tomcat.service

      To restart the subsystem:
        systemctl restart pki-tomcatd\@pki-tomcat.service

      The URL for the subsystem is:
        https://dogtag-ext1.novalocal:9443/ca
==========================================================================

From jdennis at redhat.com Wed Oct 15 19:14:56 2014
From: jdennis at redhat.com (John Dennis)
Date: Wed, 15 Oct 2014 15:14:56 -0400
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
Message-ID: <543EC7B0.40806@redhat.com>

On 10/10/2014 07:14 AM, kritee jhawar wrote:
> Dogtag is the private CA for multiple services in a cluster. Trust is
> established by providing the root certificate of dogtag to all the
> services. What happens if dogtag crashes? All the services will have to
> be given the root certificate of the new dogtag.
>
> How can we avoid this?

Why do you need to re-provision the services with a new root certificate
if Dogtag crashes? Why not just restart the Dogtag instance with the
existing certs? It sounds like you're throwing away the old instance and
creating a new Dogtag instance needlessly.

Also, I don't understand why your services won't run if Dogtag isn't
currently running (unless you're using OCSP). Dogtag provisions certs; a
service using a cert issued by Dogtag doesn't need to communicate with
Dogtag unless you're using OCSP. As long as your services have been
provisioned with the certs issued by Dogtag they should run fine (or are
you issuing very short duration certs that need constant refreshing?)

FWIW, what you describe, re-provisioning of a new CA cert, is exactly
identical to handling an expired CA cert. There was documentation
written up recently on how to handle expiring CA certs but I don't have
a pointer to it, sorry. But as I mentioned above I don't think you need to
replace the certs, you just need to restart the service.

If the instance is crashing then that's a bug that needs fixing. Please
file a bug report so the problem can get fixed.

Ade can comment on the specific errors you reported.

--
John

From kriteejhawar at gmail.com Thu Oct 16 01:51:37 2014
From: kriteejhawar at gmail.com (Kritee Jhawar)
Date: Thu, 16 Oct 2014 07:21:37 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <543EC7B0.40806@redhat.com>
References: <543EC7B0.40806@redhat.com>
Message-ID: <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>

Thanks for the response

I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.

I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with this root certificate. Is there some location I can place a public private key pair which dogtag uses to come up?

Also what I meant by services not coming up was not other components like KRA and DRM. I just have the CA subsystem and even though it was getting spawned we were unable to use it.

Thanks
Kritee

Sent from my iPhone

> On 16-Oct-2014, at 00:44, John Dennis wrote:
>
>> On 10/10/2014 07:14 AM, kritee jhawar wrote:
>> Dogtag is the private CA for multiple services in a cluster. Trust is
>> established by providing the root certificate of dogtag to all the
>> services. What happens if dogtag crashes? All the services will have to
>> be given the root certificate of the new dogtag.
>>
>> How can we avoid this?
>
> Why do you need to re-provision the services with a new root certificate
> if Dogtag crashes?
> Why not just restart the Dogtag instance with the
> existing certs? It sounds like you're throwing away the old instance and
> creating a new Dogtag instance needlessly.
>
> Also, I don't understand why your services won't run if Dogtag isn't
> currently running (unless you're using OCSP). Dogtag provisions certs; a
> service using a cert issued by Dogtag doesn't need to communicate with
> Dogtag unless you're using OCSP. As long as your services have been
> provisioned with the certs issued by Dogtag they should run fine (or are
> you issuing very short duration certs that need constant refreshing?)
>
> FWIW, what you describe, re-provisioning of a new CA cert, is exactly
> identical to handling an expired CA cert. There was documentation
> written up recently on how to handle expiring CA certs but I don't have
> a pointer to it, sorry. But as I mentioned above I don't think you need to
> replace the certs, you just need to restart the service.
>
> If the instance is crashing then that's a bug that needs fixing. Please
> file a bug report so the problem can get fixed.
>
> Ade can comment on the specific errors you reported.
>
> --
> John

From alee at redhat.com Thu Oct 16 14:05:02 2014
From: alee at redhat.com (Ade Lee)
Date: Thu, 16 Oct 2014 10:05:02 -0400
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
References: <543EC7B0.40806@redhat.com> <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com>
Message-ID: <1413468302.9052.6.camel@aleeredhat.laptop>

On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> Thanks for the response
>
> I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.
>
OK, I suspected that the cert being used as the external CA cert was the
problem. As I recall, there is a current bug being fixed to address
issues with Microsoft issued CA certs. If you can use a dogtag cert as
your external CA, then you'll avoid any issues.

> I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with this root certificate. Is there some location I can place a public private key pair which dogtag uses to come up?
>
I don't understand what you are trying to do here. You have created
several dogtag CA's that are subordinate to the external CA. They are
CA's in their own right, with their own signing certificates. Why do
they need access to the root CA?

If you want several CA's with exactly the same signing cert, then you
want clones.

> Also what I meant by services not coming up was not other components like KRA and DRM.
> I just have the CA subsystem and even though it was getting spawned we were unable to use it.
>
> Thanks
> Kritee
>
> Sent from my iPhone

From kriteejhawar at gmail.com Fri Oct 17 08:28:44 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 17 Oct 2014 13:58:44 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <1413468302.9052.6.camel@aleeredhat.laptop>
References: <543EC7B0.40806@redhat.com> <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com> <1413468302.9052.6.camel@aleeredhat.laptop>
Message-ID: <8F790279-AC31-4434-B12A-2A11D26B836F@gmail.com>

Thanks a lot

All this while I was using a Microsoft external CA.

One more doubt I had: Do we have a way where we can just provide a public private key pair in a particular location and dogtag will always use that as root cert? Something like providing a static root certificate?

Regards
Kritee

On Thursday, 16 October 2014, Ade Lee wrote:
> On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> > Thanks for the response
> >
> > I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.
> >
> OK, I suspected that the cert being used as the external CA cert was the
> problem. As I recall, there is a current bug being fixed to address
> issues with Microsoft issued CA certs. If you can use a dogtag cert as
> your external CA, then you'll avoid any issues.
>
> > I'll have multiple instances of dogtag in my deployment.
> > Ideally I want all of them to come up with this root certificate. Is there some location I can place a public private key pair which dogtag uses to come up?
> >
> I don't understand what you are trying to do here. You have created
> several dogtag CA's that are subordinate to the external CA. They are
> CA's in their own right, with their own signing certificates. Why do
> they need access to the root CA?
>
> If you want several CA's with exactly the same signing cert, then you
> want clones.
>
> > Also what I meant by services not coming up was not other components like KRA and DRM.
> > I just have the CA subsystem and even though it was getting spawned we were unable to use it.
> >
> > Thanks
> > Kritee
> >
> > Sent from my iPhone

From kriteejhawar at gmail.com Fri Oct 17 17:12:27 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Fri, 17 Oct 2014 22:42:27 +0530
Subject: [Pki-users] [HELP NEEDED] External CA configuration for Dogtag
In-Reply-To: <1413468302.9052.6.camel@aleeredhat.laptop>
References: <543EC7B0.40806@redhat.com> <4A6FC86F-341F-4319-BF6F-D5237ABB8EDB@gmail.com> <1413468302.9052.6.camel@aleeredhat.laptop>

Thanks a lot

All this while I was using a Microsoft external CA.

Another doubt I had: Do we have a way where we can just provide a public private key pair in a particular location and dogtag will always use that as root cert? Something like providing a static root certificate?

Regards
Kritee

On Thursday, 16 October 2014, Ade Lee wrote:
> On Thu, 2014-10-16 at 07:21 +0530, Kritee Jhawar wrote:
> > Thanks for the response
> >
> > I got the setup to work with external CA just yesterday. This time I used a dogtag as the external CA rather than OpenSSL and Microsoft.
> >
> OK, I suspected that the cert being used as the external CA cert was the
> problem. As I recall, there is a current bug being fixed to address
> issues with Microsoft issued CA certs. If you can use a dogtag cert as
> your external CA, then you'll avoid any issues.
>
> > I'll have multiple instances of dogtag in my deployment. Ideally I want all of them to come up with this root certificate. Is there some location I can place a public private key pair which dogtag uses to come up?
> >
> I don't understand what you are trying to do here. You have created
> several dogtag CA's that are subordinate to the external CA. They are
> CA's in their own right, with their own signing certificates. Why do
> they need access to the root CA?
>
> If you want several CA's with exactly the same signing cert, then you
> want clones.
>
> > Also what I meant by services not coming up was not other components like KRA and DRM.
> > I just have the CA subsystem and even though it was getting spawned we were unable to use it.
> >
> > Thanks
> > Kritee
> >
> > Sent from my iPhone

From rperez at pgjtabasco.gob.mx Fri Oct 17 17:44:49 2014
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Fri, 17 Oct 2014 12:44:49 -0500 (CDT)
Subject: [Pki-users] Dogtag and Internet Explorer 11 Compatible?
In-Reply-To: <378744945.99850.1413563656861.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <281960883.100099.1413567889607.JavaMail.root@pgjtabasco.gob.mx>

Hi...

I'm trying to generate a certificate request from a computer with Windows 7 64 bits and Internet Explorer 11. In the Certificate Profile page "Certificate Profile - Manual User Dual-Use Certificate Enrollment", Internet Explorer 11 does not display the values of Key Generation. And finally, when I send the certificate request, I get the error:

Sorry, your request is not submitted. The reason is "Certificate Request Not Found".

On the server side... the request appears as "REJECTED".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11.png
Type: image/png
Size: 36088 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11_2.png
Type: image/png
Size: 44581 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dogtagie11_3.png
Type: image/png
Size: 20149 bytes
Desc: not available

From tjaalton at ubuntu.com Sat Oct 18 15:39:03 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 18 Oct 2014 18:39:03 +0300
Subject: [Pki-users] Dogtag 10.2.0 is now in Debian
Message-ID: <54428997.8060306@ubuntu.com>

Hi!

I'm happy to announce that Dogtag (version 10.2.0) has finally entered
Debian unstable repository this week. Assuming there won't be any nasty
surprises, the next stable release ("Jessie") will include it. Many
thanks to Ade Lee who did the first pass of packaging the long chain of
dependencies, up to and including RESTEasy.

and next week there should be another announcement..

--
t

From tjaalton at ubuntu.com Sat Oct 18 15:42:38 2014
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 18 Oct 2014 18:42:38 +0300
Subject: [Pki-users] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428997.8060306@ubuntu.com>
References: <54428997.8060306@ubuntu.com>
Message-ID: <54428A6E.8010406@ubuntu.com>

On 18.10.2014 18:39, Timo Aaltonen wrote:
>
> Hi!
>
> I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> Debian unstable repository this week. Assuming there won't be any nasty
> surprises, the next stable release ("Jessie") will include it. Many
> thanks to Ade Lee who did the first pass of packaging the long chain of
> dependencies, up to and including RESTEasy.

forgot the link
https://packages.qa.debian.org/d/dogtag-pki.html

there's a small update coming early next week

--
t

From ftweedal at redhat.com Sun Oct 19 02:10:08 2014
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sun, 19 Oct 2014 12:10:08 +1000
Subject: [Pki-users] [Pki-devel] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428A6E.8010406@ubuntu.com>
References: <54428997.8060306@ubuntu.com> <54428A6E.8010406@ubuntu.com>
Message-ID: <20141019021008.GV5346@dhcp-40-8.bne.redhat.com>

On Sat, Oct 18, 2014 at 06:42:38PM +0300, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
> > I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> > Debian unstable repository this week.
>
> forgot the link
> https://packages.qa.debian.org/d/dogtag-pki.html
>
> there's a small update coming early next week
>
Great! Thanks for all your work, Timo.

Fraser

> --
> t

From WilliamC.Elliott at s-itsolutions.at Tue Oct 21 12:54:57 2014
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Tue, 21 Oct 2014 12:54:57 +0000
Subject: [Pki-users] SCEP Enrollment fails with Certificate not found .
In-Reply-To: <542C98FC.3040209@redhat.com>
References: <85C87A9995875247B2DD471950E0AE4D1B844DC5@M0182.s-mxs.net> <542C9587.6080107@redhat.com> <542C98FC.3040209@redhat.com>
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B84E511@M0182.s-mxs.net>

(sorry for the delay - I was out of the office for some time)

The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said.
But since the last email we've also tried 9.0.3-38, with the same result. We always ran through the wizard panels using all default values, changing nothing, but now we configure the ca with pkisilent with the same default values to make sure the configuration doesn't change from one test to the next. The only change we make is afterwords to enable scep in the config: ca.scep.allowedEncryptionAlgorithms=DES3 ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512 ca.scep.enable=true ca.scep.encryptionAlgorithm=DES3 ca.scep.hashAlgorithm=SHA1 ca.scep.nonceSizeLimit=16 The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag 1.3 on the hsm), but throws the exception when the hsm is used as token. We use sscep to submit requests to the ca. We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying. Here are the results of your suggestions below : ** 1. This is our current configuration which always produces the exception. From debug log: CRSEnrollment: init: SCEP support is enabled. CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1 CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1 CRSEnrollment: init: Token name: osstest CRSEnrollment: init: Is SCEP using CA keys: true CRSEnrollment: init: mNonceSizeLimit: 16 CRSEnrollment: init: mHashAlgorithm: SHA1 CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512 CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1 CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256 CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512 CRSEnrollment: init: mEncryptionAlgorithm: DES3 CRSEnrollment: init: mEncryptionAlgorithmList: DES3 CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3 CRSEnrollment: init: mProfileId=caRouterCert ... 
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
...

** 2. Setting ca.scep.nickname at first produced no discernible change, other than that requests for the CA cert with "sscep getca" then fail reliably, due to the token name not being set. From debug log:

CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
...

** 3. Setting both ca.scep.nickname and ca.scep.tokenname also does not get around the problem. From debug log:

CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'   <-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'   <-- from sscep enroll request
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)

best regards,
William

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: Thursday, 02 October 2014 02:15
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found .

btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:

1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you intend to use anyway)

2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the ca, it will find the token for you)

3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca signing cert.. )

Let us know.
Christina

On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
>> setup for SCEP enrollment. But, no matter whether we try the older
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: message=[base64-encoded SCEP PKIMessage omitted]
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the
>> service, with the first request, the HSM token name appears to be
>> listed twice in the *mNickname* string. Interestingly, with each new
>> request, the number of token names increases by one in the string.
>> i.e. with the 2nd attempt, the same exception occurs but the token
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.(CRSEnrollment.java:2026)
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>> at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException javax.servlet.ServletException: Failed to process message in CEP servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this
>> running.
>>
>> Best regards!
>>
>> William Elliott
>> s IT Solutions
>> Open System Services
>> s IT Solutions AT Spardat GmbH
>> A-1110 Wien, Geiselbergstraße 21 - 25
>> Phone: +43 (0)5 0100 - 39376
>> Fax: +43 (0)5 0100 9 - 39376
>> Mobile: +43 (0)5 0100 6 - 39376
>> william.elliott at s-itsolutions.at
>> www.s-itsolutions.com
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court of Vienna
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

From kriteejhawar at gmail.com Mon Oct 27 07:15:53 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Mon, 27 Oct 2014 12:45:53 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
Message-ID:

Hi

In my recent thread I read that there is a bug due to which Microsoft CA can't work as external CA for dogtag.
Can OpenSSL be used ?

Thanks
Kritee

From cfu at redhat.com Mon Oct 27 16:15:39 2014
From: cfu at redhat.com (Christina Fu)
Date: Mon, 27 Oct 2014 09:15:39 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To:
References:
Message-ID: <544E6FAB.1020003@redhat.com>

If you meant the following two:
https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not preserved at issuance with signing cert signed by an external CA
https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR)

They have just recently been fixed upstream so I imagine you could use Microsoft CA now. Theoretically any other CA can be used as an external CA, but if you run into issues, please feel free to report.
Christina

On 10/27/2014 12:15 AM, kritee jhawar wrote:
> Hi
>
> In my recent thread I read that there is a bug due to which Microsoft
> CA can't work as external CA for dogtag.
> Can OpenSSL be used ?
>
> Thanks
> Kritee

From kriteejhawar at gmail.com Tue Oct 28 02:55:14 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Tue, 28 Oct 2014 08:25:14 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <544E6FAB.1020003@redhat.com>
References: <544E6FAB.1020003@redhat.com>
Message-ID:

Hi Christina

I was undertaking this activity last month where Microsoft CA didn't work out but Dogtag as external CA did.

While using Microsoft CA or OpenSSL CA, pki spawn goes through without any error but dogtag stops communications to 389ds. Upon calling the REST API /ca/rest/certs I get a "PKIException error listing the certs".

Is there a particular format for the CA cert chain that we need to provide? I was trying to reverse engineer the chain provided by dogtag.

Thanks
Kritee

On Monday, 27 October 2014, Christina Fu wrote:
> If you meant the following two:
> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
> preserved at issuance with signing cert signed by an external CA
> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does
> not provide CA extensions in subordinate certificate signing requests (CSR)
>
> They have just recently been fixed upstream so I imagine you could use
> Microsoft CA now. Theoretically any other CA can be used as an external
> CA, but if you run into issues, please feel free to report.
>
> Christina
>
> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>> Hi
>>
>> In my recent thread I read that there is a bug due to which Microsoft CA
>> can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>> Thanks
>> Kritee

From cfu at redhat.com Tue Oct 28 19:52:59 2014
From: cfu at redhat.com (Christina Fu)
Date: Tue, 28 Oct 2014 12:52:59 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To:
References: <544E6FAB.1020003@redhat.com>
Message-ID: <544FF41B.3010705@redhat.com>

the cert chain you provide in the file specified under pki_external_ca_cert_chain_path should be just pkcs7 without header/footer.

I don't know why it would not talk to the DS (did you turn on ssl for the ds?).
Not sure if you build your Dogtag from the master, if you do, I'd suggest you get the most updated so you get fixes from the tickets I provided previously which would address at least two issues relating to external CA.

Christina

On 10/27/2014 07:55 PM, kritee jhawar wrote:
> Hi Christina
>
> I was undertaking this activity last month where Microsoft CA didn't
> work out but Dogtag as external CA did.
>
> While using Microsoft CA or OpenSSL CA, pki spawn goes through
> without any error but dogtag stops communications to 389ds. Upon
> calling the REST API /ca/rest/certs I get a "PKIException error
> listing the certs".
>
> Is there a particular format for the CA cert chain that we need to
> provide? I was trying to reverse engineer the chain provided by dogtag.
>
> Thanks
> Kritee
>
> On Monday, 27 October 2014, Christina Fu wrote:
>
> If you meant the following two:
> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding
> not preserved at issuance with signing cert signed by an external CA
> https://fedorahosted.org/pki/ticket/1110 - pkispawn
> (configuration) does not provide CA extensions in subordinate
> certificate signing requests (CSR)
>
> They have just recently been fixed upstream so I imagine you could
> use Microsoft CA now. Theoretically any other CA can be used as
> an external CA, but if you run into issues, please feel free to
> report.
>
> Christina
>
> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>> Hi
>>
>> In my recent thread I read that there is a bug due to which
>> Microsoft CA can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>> Thanks
>> Kritee

From kriteejhawar at gmail.com Wed Oct 29 08:16:46 2014
From: kriteejhawar at gmail.com (kritee jhawar)
Date: Wed, 29 Oct 2014 13:46:46 +0530
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To: <544FF41B.3010705@redhat.com>
References: <544E6FAB.1020003@redhat.com> <544FF41B.3010705@redhat.com>
Message-ID:

Hi Christina

I have done the default configuration for 389ds and haven't specifically turned on ssl for it.

Initially I tried using Microsoft and OpenSSL CA as external CAs. This is about a month back and I pull the RPMs using yum (so I assume they are the latest ones with the fix you mentioned). With this, my pki spawn went fine. In fact the admin cert got generated using the externally provided root cert as well. But dogtag couldn't connect to the ds. As mentioned earlier it gave me a PKIException error listing the certs with error code 500.
Looking at the ds logs I found that the error was 'bad search filter'. However when I tried the same steps with dogtag as external CA the setup went through without a glitch. The chain I imported was directly from the GUI of dogtag. In fact I included the header and footer as well.

When I tried to reverse engineer the chain, I took the root cert of external dogtag ca and used OpenSSL to convert it into pkcs7. This chain was not the same as provided from the GUI. Hence I thought that there is some particular format for the chain because of which the other CAs aren't working.

Also, I updated the RPMs using yum and tried to generate the CSR with the extra attributes. My csr still doesn't reflect those added attributes.

Is yum not the correct way to get the latest code?

I am very new to this, really appreciate your assistance and time.

Regards
Kritee

On Wednesday, 29 October 2014, Christina Fu wrote:
> the cert chain you provide in the file specified under
> pki_external_ca_cert_chain_path
> should be just pkcs7 without header/footer.
>
> I don't know why it would not talk to the DS (did you turn on ssl for the
> ds?).
> Not sure if you build your Dogtag from the master, if you do, I'd suggest
> you get the most updated so you get fixes from the tickets I provided
> previously which would address at least two issues relating to external CA.
>
> Christina
>
> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>
> Hi Christina
>
> I was undertaking this activity last month where Microsoft CA didn't
> work out but Dogtag as external CA did.
>
> While using Microsoft CA or OpenSSL CA, pki spawn goes through
> without any error but dogtag stops communications to 389ds. Upon calling
> the REST API /ca/rest/certs I get a "PKIException error listing the certs".
>
> Is there a particular format for the CA cert chain that we need to
> provide? I was trying to reverse engineer the chain provided by dogtag.
>
> Thanks
> Kritee
>
> On Monday, 27 October 2014, Christina Fu wrote:
>
>> If you meant the following two:
>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>> preserved at issuance with signing cert signed by an external CA
>> https://fedorahosted.org/pki/ticket/1110 - pkispawn (configuration) does
>> not provide CA extensions in subordinate certificate signing requests (CSR)
>>
>> They have just recently been fixed upstream so I imagine you could use
>> Microsoft CA now. Theoretically any other CA can be used as an external
>> CA, but if you run into issues, please feel free to report.
>>
>> Christina
>>
>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>
>> Hi
>>
>> In my recent thread I read that there is a bug due to which Microsoft
>> CA can't work as external CA for dogtag.
>> Can OpenSSL be used ?
>>
>> Thanks
>> Kritee

From cfu at redhat.com Fri Oct 31 17:06:45 2014
From: cfu at redhat.com (Christina Fu)
Date: Fri, 31 Oct 2014 10:06:45 -0700
Subject: [Pki-users] Can OpensSSL be used as external CA ?
In-Reply-To:
References: <544E6FAB.1020003@redhat.com> <544FF41B.3010705@redhat.com>
Message-ID: <5453C1A5.5090206@redhat.com>

Kritee,

At the minimum, you need the fixes I talked about. They were checked into the master but have not been built officially so yum is not going to get you the right rpm. However, you can check it out and build it yourself.

Here is how you check out the master:
git clone git://git.fedorahosted.org/git/pki.git

You can then use the build scripts to build.

Finally, I apologize that we are not supposed to respond to private emails. Dogtag is a community where we share our knowledge. In the future please send requests to the mailing list.
I took the exception this time to look at your CSR and certs and I could see that you need the fixes I talked about. I don't know if you have other issues though, but AFAIK you need those two fixes.

Hope this helps.

Christina

On 10/29/2014 01:16 AM, kritee jhawar wrote:
> Hi Christina
>
> I have done the default configuration for 389ds and haven't
> specifically turned on ssl for it.
>
> Initially I tried using Microsoft and OpenSSL CA as external CAs. This
> is about a month back and I pull the RPMs using yum (so I assume they
> are the latest ones with the fix you mentioned).
> With this, my pki spawn went fine. In fact the admin cert got generated
> using the externally provided root cert as well. But dogtag couldn't
> connect to the ds. As mentioned earlier it gave me a PKIException
> error listing the certs with error code 500.
> Looking at the ds logs I found that the error was 'bad search filter'.
> However when I tried the same steps with dogtag as external CA the
> setup went through without a glitch. The chain I imported was directly
> from the GUI of dogtag. In fact I included the header and footer as well.
>
> When I tried to reverse engineer the chain, I took the root cert of
> external dogtag ca and used OpenSSL to convert it into pkcs7. This
> chain was not the same as provided from the GUI. Hence I thought that
> there is some particular format for the chain because of which the
> other CAs aren't working.
>
> Also, I updated the RPMs using yum and tried to generate the CSR with
> the extra attributes. My csr still doesn't reflect those added
> attributes.
>
> Is yum not the correct way to get the latest code?
>
> I am very new to this, really appreciate your assistance and time.
>
> Regards
> Kritee
>
> On Wednesday, 29 October 2014, Christina Fu wrote:
>
> the cert chain you provide in the file specified under
> pki_external_ca_cert_chain_path
> should be just pkcs7 without header/footer.
>
> I don't know why it would not talk to the DS (did you turn on ssl
> for the ds?).
> Not sure if you build your Dogtag from the master, if you do, I'd
> suggest you get the most updated so you get fixes from the tickets
> I provided previously which would address at least two issues
> relating to external CA.
>
> Christina
>
> On 10/27/2014 07:55 PM, kritee jhawar wrote:
>> Hi Christina
>>
>> I was undertaking this activity last month where Microsoft CA
>> didn't work out but Dogtag as external CA did.
>>
>> While using Microsoft CA or OpenSSL CA, pki spawn goes through
>> without any error but dogtag stops communications to 389ds. Upon
>> calling the REST API /ca/rest/certs I get a "PKIException error
>> listing the certs".
>>
>> Is there a particular format for the CA cert chain that we need
>> to provide? I was trying to reverse engineer the chain provided
>> by dogtag.
>>
>> Thanks
>> Kritee
>>
>> On Monday, 27 October 2014, Christina Fu wrote:
>>
>> If you meant the following two:
>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN
>> encoding not preserved at issuance with signing cert signed
>> by an external CA
>> https://fedorahosted.org/pki/ticket/1110 - pkispawn
>> (configuration) does not provide CA extensions in subordinate
>> certificate signing requests (CSR)
>>
>> They have just recently been fixed upstream so I imagine you
>> could use Microsoft CA now. Theoretically any other CA can be
>> used as an external CA, but if you run into issues, please
>> feel free to report.
>>
>> Christina
>>
>> On 10/27/2014 12:15 AM, kritee jhawar wrote:
>>> Hi
>>>
>>> In my recent thread I read that there is a bug due to which
>>> Microsoft CA can't work as external CA for dogtag.
>>> Can OpenSSL be used ?
>>>
>>> Thanks
>>> Kritee
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users

From mkosek at redhat.com Mon Oct 20 06:47:03 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 20 Oct 2014 06:47:03 -0000
Subject: [Pki-users] [Freeipa-devel] Dogtag 10.2.0 is now in Debian
In-Reply-To: <54428A6E.8010406@ubuntu.com>
References: <54428997.8060306@ubuntu.com> <54428A6E.8010406@ubuntu.com>
Message-ID: <5444AFE4.2070103@redhat.com>

On 10/18/2014 05:42 PM, Timo Aaltonen wrote:
> On 18.10.2014 18:39, Timo Aaltonen wrote:
>>
>> Hi!
>>
>> I'm happy to announce that Dogtag (version 10.2.0) has finally entered
>> Debian unstable repository this week. Assuming there won't be any nasty
>> surprises, the next stable release ("Jessie") will include it. Many
>> thanks to Ade Lee who did the first pass of packaging the long chain of
>> dependencies, up to and including RESTEasy.
>
> forgot the link
> https://packages.qa.debian.org/d/dogtag-pki.html
>
> there's a small update coming early next week
>

Thanks Timo for your great work! With Dogtag in Debian, we are getting very close to including FreeIPA as well - looking forward to this day :-)

As usual, let us know if you hit problems with porting FreeIPA there or extending our platform-independent code.

Thanks,
Martin