From tangoxix at gmail.com Thu Aug 6 17:14:40 2015
From: tangoxix at gmail.com (Ben Peck)
Date: Thu, 6 Aug 2015 12:14:40 -0500
Subject: [Pki-users] How to install RA on DogTag 10?
In-Reply-To: <1353572365.1517942.1437592577488.JavaMail.zimbra@redhat.com>
References: <1353572365.1517942.1437592577488.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks for your answer Dave. I searched the pki-users archive and did not find that. Will use pkicreate like in DogTag 9 to create the registration authority.

Ben

On Wed, Jul 22, 2015 at 2:16 PM, Dave Sirrine wrote:
> Ben,
>
> Looks like this has already been answered here:
> https://www.redhat.com/archives/pki-users/2014-June/msg00004.html.
>
> pkispawn only works for CA, KRA, TKS, TPS, and OCSP. Here's the meat of
> that email thread:
>
> ~~~
> > In order to install a native Apache-based RA (or a legacy TPS) instance, you
> > must still use the 'pkicreate' installer, and configure the instance using a
> > browser with the GUI interface or construct the proper arguments to the
> > 'pkisilent' configuration tool.
> ~~~
>
> There is a trac ticket for references to RA to be removed from pkispawn.
> Hope this helps!
>
> -- Dave
>
> ------------------------------
>
> From: "Ben Peck"
> To: pki-users at redhat.com
> Sent: Monday, July 13, 2015 4:53:56 PM
> Subject: [Pki-users] How to install RA on DogTag 10?
>
> > I'm running Fedora 21 with Dogtag 10.2.1-3 and trying to get the
> > Registration Authority subsystem to install to enable SCEP ultimately.
> >
> > I installed pki-ra, but when I run "pkispawn -s RA" I get the following:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/pkispawn", line 579, in <module>
> >     main(sys.argv)
> >   File "/usr/sbin/pkispawn", line 143, in main
> >     parser.init_config()
> >   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 192, in init_config
> >     'pki_instance_name': default_instance_name,
> > UnboundLocalError: local variable 'default_instance_name' referenced before assignment
> >
> > Can anyone point me in the right direction concerning SCEP and DogTag 10?
> > Is there some updated documentation on this somewhere I'm missing?
> >
> > Thanks,
> > Ben
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users

From yks0000 at gmail.com Sat Aug 22 08:06:50 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Sat, 22 Aug 2015 13:36:50 +0530
Subject: [Pki-users] Starting with Dogtag PKI
Message-ID:

Hi,

We are planning to use Fedora Dogtag for our Certificate Management where we can keep track of certificates and Internal CA.

However, we use CentOS in our Environment. Is it possible to have Dogtag on CentOS, or is Fedora a must? If CentOS is an option, which version of CentOS has the latest/stable Dogtag PKI?

Please suggest.

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
From ftweedal at redhat.com Sun Aug 23 23:41:25 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 24 Aug 2015 09:41:25 +1000
Subject: [Pki-users] Starting with Dogtag PKI
In-Reply-To:
References:
Message-ID: <20150823234125.GW16439@dhcp-40-8.bne.redhat.com>

On Sat, Aug 22, 2015 at 01:36:50PM +0530, Yogesh Sharma wrote:
> Hi,
>
> We are planning to use Fedora Dogtag for our Certificate Management where
> we can keep track of certificates and Internal CA.
>
> However, we use CentOS in our Environment. Is it possible to have Dogtag
> on CentOS, or is Fedora a must? If CentOS is an option, which version of
> CentOS has the latest/stable Dogtag PKI?
>
Hi Yogesh,

Dogtag is available in CentOS. CentOS 7.1 has Dogtag 10.1.

The latest version - 10.2 - is only available in Fedora at this time.

Cheers,
Fraser

From yks0000 at gmail.com Mon Aug 24 18:15:48 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Mon, 24 Aug 2015 23:45:48 +0530
Subject: [Pki-users] Starting with Dogtag PKI
In-Reply-To: <20150823234125.GW16439@dhcp-40-8.bne.redhat.com>
References: <20150823234125.GW16439@dhcp-40-8.bne.redhat.com>
Message-ID:

Thanks Fraser.

-Yogesh Sharma
(Sent from my HTC)

On 24-Aug-2015 5:11 am, "Fraser Tweedale" wrote:
> Dogtag is available in CentOS. CentOS 7.1 has Dogtag 10.1.
>
> The latest version - 10.2 - is only available in Fedora at this
> time.

From aleksey.chudov at gmail.com Wed Aug 26 09:58:31 2015
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Wed, 26 Aug 2015 12:58:31 +0300
Subject: [Pki-users] How to setup PKI CA to ask for passwords at startup?
Message-ID:

Hi,

The password.conf file stores system passwords in plaintext, and I prefer to enter system passwords manually and to remove the password file.

I have found the original documentation at
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html,
but it is for an older version of PKI and does not work with systemd.

How do I set up PKI CA to ask for the NSS DB password at startup?

Package versions (I have rebuilt F22 packages for CentOS 7):

# rpm -qa | grep pki
pki-base-10.2.5-1.el7.centos.noarch
pki-server-10.2.5-1.el7.centos.noarch
dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
pki-ca-10.2.5-1.el7.centos.noarch
pki-tools-10.2.5-1.el7.centos.x86_64
dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch

Aleksey
From dsirrine at redhat.com Wed Aug 26 17:09:23 2015
From: dsirrine at redhat.com (Dave Sirrine)
Date: Wed, 26 Aug 2015 13:09:23 -0400
Subject: [Pki-users] How to setup PKI CA to ask for passwords at startup?
In-Reply-To:
References:
Message-ID:

Aleksey,

Did removing the password from the file not cause the system to prompt you for the password at startup? Also, are you looking at doing both nss and 389 passwords?

-- David

On Aug 26, 2015 5:58 AM, "Aleksey Chudov" wrote:
> How to setup PKI CA to ask for NSS DB password at startup?

From aleksey.chudov at gmail.com Wed Aug 26 18:49:44 2015
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Wed, 26 Aug 2015 21:49:44 +0300
Subject: [Pki-users] How to setup PKI CA to ask for passwords at startup?
In-Reply-To:
References:
Message-ID:

I'm looking at removing at least the nss password, but removing both the nss and 389 passwords would be better.

Actually PKI prompts for the password, but I don't see the prompt because of systemd.
To reproduce:

systemctl stop pki-tomcatd@pki-tomcat.service
sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
systemctl start pki-tomcatd@pki-tomcat.service

/var/log/messages:

Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token

/var/log/pki/pki-tomcat/ca/debug:

[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name
[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug
org.mozilla.jss.util.IncorrectPasswordException
Invalid Password
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()

On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine wrote:
> Aleksey,
>
> Did removing the password from the file not cause the system to prompt you
> for the password at startup? Also, are you looking at doing both nss and
> 389 passwords?
>
> -- David
>
> On Aug 26, 2015 5:58 AM, "Aleksey Chudov" wrote:
>> How to setup PKI CA to ask for NSS DB password at startup?

From alee at redhat.com Wed Aug 26 19:06:03 2015
From: alee at redhat.com (Ade Lee)
Date: Wed, 26 Aug 2015 15:06:03 -0400
Subject: [Pki-users] How to setup PKI CA to ask for passwords at startup?
In-Reply-To:
References:
Message-ID: <1440615963.23248.139.camel@redhat.com>

Aleksey,

Password prompting in CS 8.1 worked because of a utility program called nuxwdog which would prompt for passwords.

We have done some work to get nuxwdog working with the latest Dogtag code, but there is some setup required. Fortunately, all that setup has been encapsulated in the pki-server utility.

For details, man pki-server, man pki-server-instance and man pki-server-nuxwdog.

The specific command would be:

pki-server instance-nuxwdog-enable

You should then be prompted for the passwords, and can remove your password.conf file.

Ade

On Wed, 2015-08-26 at 21:49 +0300, Aleksey Chudov wrote:
> I'm looking at removing at least nss password but both nss and 389
> passwords will be better.
>
> Actually PKI prompts for password but I don't see the prompt because
> of systemd.
From aleksey.chudov at gmail.com Thu Aug 27 11:33:11 2015
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Thu, 27 Aug 2015 14:33:11 +0300
Subject: [Pki-users] How to setup PKI CA to ask for passwords at startup?
In-Reply-To: <1440615963.23248.139.camel@redhat.com>
References: <1440615963.23248.139.camel@redhat.com>
Message-ID:

To begin with, I have updated to version 10.2.6 from F22 testing to get the pki-server man pages.

Enabling nuxwdog solves the problem. Thank you!

On Wed, Aug 26, 2015 at 10:06 PM, Ade Lee wrote:
> The specific command would be:
> pki-server instance-nuxwdog-enable
>
> You should then be prompted for the passwords, and can remove your
> password.conf file.
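The thread above turns on what password.conf holds and what happens when a prompt line is missing. The script below is an added example, not code from the thread, from Red Hat or from the Dogtag project: it audits a password.conf without echoing any secret, reporting which prompts store a plaintext secret, which are present but empty, which known prompts are missing entirely (the `sed '/internal=/d'` case above, which leaves Tomcat waiting on a stdin prompt that systemd never shows), and whether the file's mode lets group or others read it. It assumes, since the page does not say so, that the file is one `prompt=secret` per line and that `internal`, `internaldb` and `replicationdb` are the prompt names worth checking; the sample contents are constructed.

```python
"""Added example, not code from the pki-users thread or from Dogtag: audit a
Dogtag password.conf before removing it or enabling nuxwdog.

Assumptions (the page does not state them): the file holds one
"prompt=secret" per line, as the "internal=" line deleted with sed above
suggests, and the prompt names in KNOWN_PROMPTS are the ones worth checking.
"""
import os
import stat
import tempfile

# Prompt names this audit knows about (assumption: "internal" is the NSS
# internal key storage token named in the thread; "internaldb" is the LDAP
# bind password named in the debug log further down; "replicationdb" is
# the replication bind password as documented for Dogtag).
KNOWN_PROMPTS = ("internal", "internaldb", "replicationdb")


def parse_password_conf(text):
    """Return ({prompt: secret}, [malformed lines]).

    Blank lines and '#' comments are skipped. A line without '=' is
    reported instead of being silently dropped, because a damaged file is
    exactly what makes Tomcat fall back to a stdin prompt nobody sees
    under systemd."""
    entries, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        prompt, secret = line.split("=", 1)
        entries[prompt.strip()] = secret
    return entries, malformed


def audit(text):
    """Summarise the file without echoing any secret.

    stored:    prompts that carry a non-empty secret (plaintext on disk)
    empty:     prompts present with no secret
    missing:   known prompts with no line at all (the thread's sed case)
    malformed: lines that are not prompt=secret"""
    entries, malformed = parse_password_conf(text)
    return {
        "stored": sorted(p for p, s in entries.items() if s),
        "empty": sorted(p for p, s in entries.items() if not s),
        "missing": sorted(p for p in KNOWN_PROMPTS if p not in entries),
        "malformed": malformed,
    }


def file_mode_issues(path):
    """List permission problems: a plaintext password file must not be
    readable or writable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("readable by group/others (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group/others (mode %o)" % mode)
    return issues


# Constructed sample; the secrets are placeholders, not real values.
SAMPLE = "internal=Secret123\ninternaldb=Secret456\nreplicationdb=\nbogus line\n"


def demo():
    """Run the audit on SAMPLE written to a temporary file, once with a
    too-open mode and once with the owner-only mode you want."""
    report = audit(SAMPLE)
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE)
        path = fh.name
    try:
        os.chmod(path, 0o644)          # deliberately too open
        loose = file_mode_issues(path)
        os.chmod(path, 0o600)          # owner-only
        tight = file_mode_issues(path)
    finally:
        os.unlink(path)
    return report, loose, tight


if __name__ == "__main__":
    report, loose, tight = demo()
    print("stored (plaintext on disk):", report["stored"])
    print("empty:", report["empty"], "missing:", report["missing"])
    print("malformed:", report["malformed"])
    print("mode 644 issues:", loose)
    print("mode 600 issues:", tight)
```

Run it against a real instance with `audit(open("/etc/pki/pki-tomcat/password.conf").read())` and `file_mode_issues(...)` on the same path; the report never contains the secrets, so it is safe to paste into a ticket.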
From aleksey.chudov at gmail.com Thu Aug 27 15:15:28 2015
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Thu, 27 Aug 2015 18:15:28 +0300
Subject: [Pki-users] Possible PKI LDAP connections leak?
Message-ID:

Hi,

I have found a possible PKI LDAP connections leak on access to the /ca/rest/securityDomain/domainInfo URL.
To reproduce:

# ss -ant state established sport = :636
Recv-Q Send-Q Local Address:Port       Peer Address:Port
0      0      10.172.3.13:636          10.172.3.13:57696
0      0      10.172.3.13:636          10.172.3.13:57692
0      0      10.172.3.13:636          10.172.3.13:57695
0      0      10.172.3.13:636          10.172.3.13:57690
0      0      10.172.3.13:636          10.172.3.13:57689
0      0      10.172.3.13:636          10.172.3.13:57693
0      0      10.172.3.13:636          10.172.3.13:57688
0      0      10.172.3.13:636          10.172.3.13:57691
0      0      10.172.3.13:636          10.172.3.13:57687
# ss -ant state established sport = :636 | wc -l
10
# for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
# ss -ant state established sport = :636 | wc -l
266

Every request to the /ca/rest/securityDomain/domainInfo URL increases the number of LDAP connections and produces the same messages in the debug log:

[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*] [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt. 
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv333.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv333.example.com:8443 
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv333.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: FALSE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv333.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv334.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv334.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv334.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv334.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv335.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv335.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv335.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv335.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3

At the same time, requests to different urls do not increase the number of established LDAP connections.

Is it a bug or expected behavior?

Aleksey

From aleksey.chudov at gmail.com Fri Aug 28 19:21:21 2015
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Fri, 28 Aug 2015 22:21:21 +0300
Subject: [Pki-users] Possible PKI LDAP connections leak?
In-Reply-To:
References:
Message-ID:

To clarify, it is possible to DOS the Certificate System by repeatedly calling the /ca/rest/securityDomain/domainInfo url until Directory Server exhausts all available connections.

$ rpm -qa 389* pki* | sort
389-ds-base-1.3.3.1-20.el7_1.x86_64
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
pki-base-10.2.6-7.el7.centos.noarch
pki-ca-10.2.6-7.el7.centos.noarch
pki-server-10.2.6-7.el7.centos.noarch
pki-tools-10.2.6-7.el7.centos.x86_64

On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov wrote:
> Hi,
>
> I have found a possible PKI LDAP connections leak on access to the /ca/rest/securityDomain/domainInfo url.
>
> To reproduce
>
> # ss -ant state established sport = :636
> Recv-Q Send-Q Local Address:Port Peer Address:Port
> 0 0 10.172.3.13:636 10.172.3.13:57696
> 0 0 10.172.3.13:636 10.172.3.13:57692
> 0 0 10.172.3.13:636 10.172.3.13:57695
> 0 0 10.172.3.13:636 10.172.3.13:57690
> 0 0 10.172.3.13:636 10.172.3.13:57689
> 0 0 10.172.3.13:636 10.172.3.13:57693
> 0 0 10.172.3.13:636 10.172.3.13:57688
> 0 0 10.172.3.13:636 10.172.3.13:57691
> 0 0 10.172.3.13:636 10.172.3.13:57687
>
> # ss -ant state established sport = :636 | wc -l
> 10
>
> # for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
>
> # ss -ant state established sport = :636 | wc -l
> 266
>
> Every request to the /ca/rest/securityDomain/domainInfo url increases the number of LDAP connections and produces the same message in the debug log
>
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv333.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv333.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv333.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: FALSE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv333.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv334.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv334.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv334.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv334.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv335.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv335.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv335.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv335.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3
>
>
> At the same time, requests to different urls do not increase the number of established LDAP connections.
>
> Is it a bug or expected behavior?
>
> Aleksey
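The debug log quoted in this thread shows the shape of the problem: each request to domainInfo logs "Creating LdapBoundConnFactor(SecurityDomainProcessor)" followed by a fresh "Established LDAP connection", and the closing "Releasing ldap connection" only hands that connection back to the throwaway pool, so nothing ever closes it. An operator who cannot reach for ss on the directory server can spot the same pattern from the CA's debug log. The following script is an added example for this thread, not code from the pki-users list or from the Dogtag project; it parses the "[timestamp][thread]: message" line format seen above and counts pool creations against connection events. The sample log it runs on is constructed from the message texts quoted in the thread (three requests on two hypothetical worker threads), and the report fields and threshold are the example's own.

```python
"""Detect a per-request LDAP connection-pool leak from Dogtag debug-log lines.

Added example, not code from the pki-users thread or the Dogtag project.
Signal looked for: a new LdapBoundConnFactory (and a new LDAP connection) on
every request, with "Releasing ldap connection" only returning the connection
to that request's pool, so the count of open connections never goes down.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Debug-log line shape quoted in the thread: [dd/Mon/yyyy:HH:MM:SS][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

# Message prefixes exactly as the server writes them (the spelling
# "LdapBoundConnFactor" is the server's own).
FACTORY_CREATED = "Creating LdapBoundConnFactor("
CONN_OPENED = "Established LDAP connection"
CONN_RETURNED = "Releasing ldap connection"


@dataclass
class LeakReport:
    factories_created: int = 0
    connections_opened: int = 0
    connections_returned: int = 0
    factories_by_thread: Counter = field(default_factory=Counter)

    @property
    def still_open(self) -> int:
        # Returning a connection to its pool does not close it, and the log
        # shows no pool shutdown, so every opened connection is still open.
        return self.connections_opened

    def looks_like_leak(self, max_factories: int = 1) -> bool:
        # A subsystem that reuses its pool builds the factory once; more than
        # max_factories creations in one sample means a pool per request.
        # The threshold is this example's choice, not a Dogtag setting.
        return self.factories_created > max_factories


def parse_line(line: str):
    """Return (timestamp, thread, message), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("thread"), m.group("msg")


def analyse(lines) -> LeakReport:
    """Tally factory creations against connection open/return events."""
    report = LeakReport()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a Dogtag debug line; skip rather than guess
        _, thread, msg = parsed
        if msg.startswith(FACTORY_CREATED):
            report.factories_created += 1
            report.factories_by_thread[thread] += 1
        elif msg.startswith(CONN_OPENED):
            report.connections_opened += 1
        elif msg.startswith(CONN_RETURNED):
            report.connections_returned += 1
    return report


def _request_lines(thread: str, host: str) -> list:
    # Constructed sample: the connection-related subset of the lines one
    # domainInfo request wrote in the thread's log, on a given worker thread.
    t = f"[27/Aug/2015:18:04:00][{thread}]: "
    return [
        t + "MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()",
        t + "Creating LdapBoundConnFactor(SecurityDomainProcessor)",
        t + "LdapBoundConnFactory: init",
        t + "SSL handshake happened",
        t + f"Established LDAP connection using basic authentication to host {host} port 636 as cn=Directory Manager",
        t + "increasing minimum connections by 3",
        t + "getConn: mNumConns now 2",
        t + "Releasing ldap connection",
        t + "returnConn: mNumConns now 3",
    ]


# Constructed sample log: three requests on two hypothetical worker threads,
# plus one line in a foreign format to show that it is skipped.
SAMPLE_LOG = (
    _request_lines("ajp-bio-127.0.0.1-8009-exec-6", "srv334.example.com")
    + ["not a dogtag debug line"]
    + _request_lines("ajp-bio-127.0.0.1-8009-exec-6", "srv334.example.com")
    + _request_lines("ajp-bio-127.0.0.1-8009-exec-7", "srv334.example.com")
)

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"factories created: {r.factories_created}, connections opened: {r.connections_opened}, "
          f"returned to pool: {r.connections_returned}, still open: {r.still_open}")
    print("leak suspected" if r.looks_like_leak() else "pool reuse looks normal")
```

Run it against a real debug log with `analyse(open(path))`; the useful number is `factories_created`, since `connections_returned` climbs in step with `connections_opened` and says nothing about whether anything was closed. Pair the count with the `ss` figure from the thread to confirm that the log-side estimate and the directory server's view agree.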