obtaining initial ticket via keytab
by Josh
Greetings,
I am trying to follow steps at https://kb.iu.edu/d/aumh to create
freeipa admin keytab to use in some scripts but getting an error
kinit: Preauthentication failed while getting initial credentials
Does anyone know what I am missing here?
Thanks,
Josh.
$ ktutil
ktutil: addent -password -p admin@EXAMPLE.ORG -k 1 -e aes256-cts
Password for admin@EXAMPLE.ORG:
ktutil: wkt /tmp/admin.kt
ktutil: quit
$ klist -k /tmp/admin.kt
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
---- --------------------------------------------------------------------------
   1 admin@EXAMPLE.ORG
$ klist -k /tmp/admin.kt -e
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
---- --------------------------------------------------------------------------
   1 admin@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
$ kinit -k -t /tmp/admin.kt admin@EXAMPLE.ORG
kinit: Preauthentication failed while getting initial credentials
$ kinit admin
Password for admin@EXAMPLE.ORG:
$ klist -e
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@EXAMPLE.ORG
Valid starting       Expires              Service principal
05/09/2018 23:08:46  05/10/2018 23:08:43  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
$
5 years, 10 months
CA install on replica fails - Clone URI does not match...
by Ross Infinger
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Version of both ca master and replica is 4.5.0 api version 2.228
domain level is 1
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks,
Ross
5 years, 10 months
attrlist_replace - attr_replace failed
by Sandor Juhasz
Hello,
We have a 4-way master-master replication, which is finally
working, but we still see one error:
[09/May/2018:14:21:27.882261986 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa34.bph.cxn:389/o%3Dipaca) failed.
[09/May/2018:14:21:31.827746424 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa35.bph.cxn:389/o%3Dipaca) failed.
How can we fix these?
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
5 years, 10 months
Re: After using 3rd party certs (Let's Encrypt) : pki-tomcatd fails to restart
by Joseph Flynn
I restored the earlier image where it was working well with self-signed
certs and just did the steps again.
The pki-tomcatd restart was attempted at 10:47 local time and failed out
several minutes later at 10:52.
Your suggested debug steps reveal:
[root@prime prime.ipa.kkgpitt.org]# ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@prime prime.ipa.kkgpitt.org]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
[root@prime prime.ipa.kkgpitt.org]# cd /etc/dirsrv/slapd-IPA-KKGPITT-ORG/
[root@prime slapd-IPA-KKGPITT-ORG]# certutil -d /etc/dirsrv/slapd-IPA-KKGPITT-ORG -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
IPA.KKGPITT.ORG IPA CA                                       CT,C,C
Server-Cert                                                  u,u,u
ISRG_Root_X1                                                 C,,
DSTRootCAX3                                                  C,,
LetsEncryptX3CrossSigned                                     C,,
LetsEncryptX3CrossSigned                                     C,,
and
cat /var/log/pki/pki-tomcat/ca/debug.2018-05-09.log
id=X500Name
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: restart at
autoShutdown? false
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: about to look
for cert for auto-shutdown support:auditSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: found
cert:auditSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: done init
id=X500Name
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: initialized
X500Name
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: initSubsystem
id=request
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: ready to init
id=request
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: restart at
autoShutdown? false
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: about to look
for cert for auto-shutdown support:auditSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: found
cert:auditSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: done init
id=request
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: initialized
request
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: initSubsystem
id=ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CMSEngine: ready to init
id=ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
CertificateAuthority.init(MAIN, ca)
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Creating
LdapBoundConnFactor(CertificateAuthority)
2018-05-09 10:47:45 [localhost-startStop-1] FINE: LdapBoundConnFactory:
init
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
LdapBoundConnFactory:doCloning true
2018-05-09 10:47:45 [localhost-startStop-1] FINE: LdapAuthInfo: init()
2018-05-09 10:47:45 [localhost-startStop-1] FINE: LdapAuthInfo: init begins
2018-05-09 10:47:45 [localhost-startStop-1] FINE: LdapAuthInfo: init ends
2018-05-09 10:47:45 [localhost-startStop-1] FINE: init: before
makeConnection errorIfDown is false
2018-05-09 10:47:45 [localhost-startStop-1] FINE: makeConnection:
errorIfDown false
2018-05-09 10:47:45 [localhost-startStop-1] FINE: TCP Keep-Alive: true
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
SSLClientCertificateSelectionCB: Setting desired cert nickname to:
subsystemCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: LdapJssSSLSocket: set
client auth cert nickname subsystemCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: SSL handshake happened
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Established LDAP
connection with SSL client auth to prime.ipa.kkgpitt.org:636
2018-05-09 10:47:45 [localhost-startStop-1] FINE: initializing with mininum
3 and maximum 15 connections to host prime.ipa.kkgpitt.org port 636, secure
connection, true, authentication type 2
2018-05-09 10:47:45 [localhost-startStop-1] FINE: increasing minimum
connections by 3
2018-05-09 10:47:45 [localhost-startStop-1] FINE: new total available
connections 3
2018-05-09 10:47:45 [localhost-startStop-1] FINE: new number of connections
3
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Cert Repot inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CRL Repot inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Replica Repot inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
CertificateAuthority:initSigUnit: ca cert found
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CertificateAuthority:
initSigUnit 1- setting mIssuerObj and mSubjectObj
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA SigningUnit.init(ca,
ca.signing, null)
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Setting
ca.signing.newNickname=caSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: SigningUnit: Logging into
token Internal Key Storage Token
2018-05-09 10:47:45 [localhost-startStop-1] FINE: SigningUnit: Loading
certificate caSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: SigningUnit: Unable to
find certificate caSigningCert cert-pki-ca
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA signing key and cert
not (yet) present in NSSDB
2018-05-09 10:47:45 [localhost-startStop-1] FINE: null authorityID -> host
authority; not starting KeyRetriever
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CertificateAuthority
init: initRequestQueue
2018-05-09 10:47:45 [localhost-startStop-1] FINE: selected policy processor
= classic
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
GenericPolicyProcessor::init begins
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is
DISABLED
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA policy inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA service inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA notifier inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CA pending notifier inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: RequestRepository:
constructor2.
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setCertStatusUpdateInterval 600
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setCertStatusUpdateInterval listenToCloneModifications=true
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setCertStatusUpdateInterval listening to modifications
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setCertStatusUpdateInterval scheduling cert status update every 600 seconds.
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: masterConn is
connected: true
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: getConn: mNumConns
now 2
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: Starting persistent
search.
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setCertStatusUpdateInterval 600
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
setSerialNumberUpdateInterval scheduling serial number update every 600
seconds.
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: About to start
updateCertStatus
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: Starting updateCertStatus
(entered lock)
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In updateCertStatus()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 1
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE:
getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID)
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE:
getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
findCertRecordsInListRawJumpto with Jumpto 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs:
[objectclass, certRecordId, x509cert] pageSize -200 startFrom
20180509104745Z
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CertificateFactory Type :
X.509
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CertificateFactory
Provider : SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5
digests; SecureRandom; X.509 certificates; JKS & DKS keystores; PKIX
CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores,
JavaPolicy Policy; JavaLoginConfig Configuration)
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: About to start
updateSerialNumbers
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Starting
updateSerialNumbers (entered lock)
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
updateCounter mEnableRandomSerialNumbers=false mCounter=null
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: increasing minimum
connections by 3
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: new total available
connections 6
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: new number of
connections 3
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: mNumConns now 2
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository:
getSerialNumber()
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Setting
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 3
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
getInvalidCertsByNotBeforeDate finally.
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: searching
for entry 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList.getEntries()
2018-05-09 10:47:45 [RetrieveModificationsTask] FINE: Waiting for next
result.
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: returnConn: mNumConns
now 5
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository:
getSerialNumber serial=1
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: entries: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: top: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: size: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: index may be empty
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE:
getValidCertsByNotAfterDate filter (certStatus=VALID)
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 3
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
findCertRecordsInListRawJumpto with Jumpto 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs:
[objectclass, certRecordId, x509cert] pageSize -200 startFrom
20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 5
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: searching
for entry 20180509104745Z
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
Repository:setSerialNumber 2
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository: in InitCache
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository: Instance of
Certificate Repository.
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository: minSerial:1
maxSerial: 10000000
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository:
nextMinSerial: nextMaxSerial:
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository:
increment:10000000 lowWaterMark: 2000000
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
in getLastSerialNumberInRange: low 1 high 268435456
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList.getEntries()
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Releasing ldap connection
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: returnConn: mNumConns
now 5
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBSubsystem:
getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca
attr=description:;
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
getLastSerialNumberInRange mEnableRandomSerialNumbers=false
mMinRandomBitLength=4 CollisionRecovery=3,10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
getLastSerialNumberInRange modeChange=false enableRsnAtConfig=false
mForceModeChange=false mode=
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Setting
dbs.randomSerialNumberCounter=-1
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: entries: 1
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: top: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: size: 10
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: transidValidCertificates:
list size: 10
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: transitValidCertificates:
ltSize 1
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: Record does not
qualify,notAfter Mon Apr 27 10:58:21 EDT 2020 date Wed May 09 10:47:45 EDT
2018
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: transitCertList EXPIRED
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE:
getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE:
getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: conn is connected
true
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: getConn: mNumConns now 3
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In
findCertRecordsInListRawJumpto with Jumpto 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs:
[objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter,
x509cert] pageSize -200 startFrom 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 4
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: returnConn: mNumConns now 5
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: searching
for entry 20180509104745Z
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList.getEntries()
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: entries: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: top: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: DBVirtualList: size: 0
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: index may be empty
2018-05-09 10:47:45 [CertStatusUpdateTask] FINE: updateCertStatus done
2018-05-09 10:47:45 [localhost-startStop-1] FINE: PublisherProcessor:
startup()
2018-05-09 10:47:45 [localhost-startStop-1] FINE: No LdapPublishing enabled
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
getLastSerialNumberInRange mEnableRandomSerialNumbers=false
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In findCertRecordsInList
with Jumpto 268435456
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null
pageSize -5 startFrom 09268435456
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: returnConn: mNumConns
now 5
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBVirtualList: searching
for entry 09268435456
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
DBVirtualList.getEntries()
2018-05-09 10:47:45 [localhost-startStop-1] FINE: PublisherProcessor:
startup: Publishing Queue Enabled: true Priority Level: 0 Maximum Number
of Threads: 3 Page Size: 40
2018-05-09 10:47:45 [localhost-startStop-1] FINE: setPublishingQueue:
Publishing Queue Enabled: true Priority Level: 0 Maximum Number of
Threads: 3 Page Size: 40
2018-05-09 10:47:45 [localhost-startStop-1] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [localhost-startStop-1] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [localhost-startStop-1] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [localhost-startStop-1] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [localhost-startStop-1] FINE: returnConn: mNumConns now
5
2018-05-09 10:47:45 [localhost-startStop-1] FINE: RequestRepository:
getPublishingStatus mBaseDN: ou=ca,ou=requests,o=ipaca status: -1
2018-05-09 10:47:45 [localhost-startStop-1] FINE: Publishing inited
2018-05-09 10:47:45 [localhost-startStop-1] FINE: initializing crl issue
point MasterCRL
2018-05-09 10:47:45 [localhost-startStop-1] FINE: CRL Page Size: 100
2018-05-09 10:47:45 [localhost-startStop-1] FINE: getTimeListSize:
ListSize=1
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
CRLIssuingPoint:initConfig: mUnexpectedExceptionWaitTime set to 1800000
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBVirtualList: entries: 6
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBVirtualList: top: 4
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBVirtualList: size: 10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
CertificateRepository:getLastSerialNumberInRange: recList size 10
2018-05-09 10:47:45 [localhost-startStop-1] FINE:
CRLIssuingPoint:initConfig: mUnexpectedExceptionLoopMax set to 10
2018-05-09 10:47:45 [localhost-startStop-1] WARNING:
java.lang.NullPointerException
at com.netscape.ca.CRLIssuingPoint.initConfig(CRLIssuingPoint.java:752)
at com.netscape.ca.CRLIssuingPoint.init(CRLIssuingPoint.java:485)
at com.netscape.ca.CertificateAuthority.initCRL(CertificateAuthority.java:2271)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:634)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1059)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:965)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:581)
at com.netscape.certsrv.apps.CMS.init(CMS.java:191)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1606)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1132)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1091)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:983)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4939)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5249)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:629)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
CertificateRepository:getLastSerialNumberInRange: ltSize 10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
CertificateRepository:getLastCertRecordSerialNo: serialno 10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE:
getLastSerialNumberInRange returning: 10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository:
mLastSerialNo: 10
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: In
LdapBoundConnFactory::getConn()
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: masterConn is connected:
true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: conn is
connected true
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: getConn: mNumConns now 4
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Releasing ldap connection
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: returnConn: mNumConns
now 5
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: DBSubsystem:
getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca
attr=description:;
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
updateCounter mEnableRandomSerialNumbers=false
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
updateCounter CertificateRepositoryMode =
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
updateCounter modeChange=false
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: CertificateRepository:
UpdateCounter mEnableRandomSerialNumbers=false mCounter=-1
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Starting cert checkRanges
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository: Serial
Management not enabled. Returning ..
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Starting request
checkRanges
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: Repository: Serial
Management not enabled. Returning ..
2018-05-09 10:47:45 [SerialNumberUpdateTask] FINE: updateSerialNumbers done
2018-05-09 10:47:45 [http-nio-8080-exec-1] FINE: according to ccMode,
authorization for servlet: caGetStatus is LDAP based, not XML {1}, use
default authz mgr: {2}.
2018-05-09 10:47:45 [http-nio-8080-exec-1] SEVERE: Servlet.service() for
servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:442)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2018-05-09 10:47:46 [http-nio-8080-exec-3] SEVERE: Servlet.service() for
servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:442)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2018-05-09 10:47:47 [http-nio-8080-exec-4] SEVERE: Servlet.service() for
servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
5 years, 10 months
ipa replication issues
by Sandor Juhasz
Hello,
We are using FreeIPA in a 4-way multi-master replication setup.
Servers ipa14,ipa15 and ipa34,ipa35 on
CentOS Linux release 7.3.1611 (Core) with version
ipa-server-common-4.4.0-14.el7.centos.7.noarch.
We have an issue where one of the servers logs a missing CSN. It happens
even after
ipa replication was reinitialized.
We are guessing that CSN 5a0a27d9000000060000 only exists on ipa35, but we
see it in those files listed on ipa15 and the error is reported there.
Please see attached file with logs.
How can we fix this?
5 years, 10 months
DS server crashes regularly
by Bart
Hi all,
I have set up FreeIPA server and replica, bunch of client servers and established trust with an AD domain.
In the very beginning everything seemed to be working correctly. Unfortunately, after a while it appears that 389 directory server crashes on both instances - once it crashes on one, it crashes on the other in a couple of seconds/minutes. I enabled core dumps and collected them but I can't grasp what's going on there.
It seems that it happens when I try to execute su - on one of the client instances after servers restart.
I followed the steps devoted to DS server described here: https://www.freeipa.org/page/Troubleshooting but to no avail. I've just created a bug in 389 directory server mailing list: https://pagure.io/389-ds-base/issue/49660, but wanted to try to find out here if there is anything else I can try at this stage.
Thank you in advance for your help,
Bart
5 years, 10 months
Host is enrolled and installed
by Lachlan Musicman
Not 100% sure where to send this. Am trying to write an Ansible playbook to
install SSSD and enroll the host in a domain.
The problem starts when the host exists in the domain and ipa-client is
already installed.
We can use Ansible's delegate module to remove the host from domain enrollment
(it would be more ideal to test if it's enrolled, then unenroll if the test
returns true). And we can use ipa-client-install --uninstall if
ipa-client is already configured. But neither of these commands provides
easy answers quickly.
ipa host-find {{ host }} | grep matched | cut -d " " -f 1
will turn ipa host-find into something usable. A switch that just returned
the number matched would be ideal, but it's workable currently.
More interestingly, once a host is unenrolled from the domain (ie, ipa
host-del <host> runs successfully on the IPA server), it doesn't, and
probably shouldn't, uninstall ipa-client on the host itself.
But there doesn't seem to be any way to check ipa-client
--install/--uninstall for its opposite.
IE, if ipa-client is installed, and is run again, one is urged to uninstall
first:
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using
'ipa-client-install --uninstall'.
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
If ipa-client is not installed, and you run
ipa-client --uninstall
The message returned is:
IPA client is not configured on this system.
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log
for more information
Have I missed a true/false return value cli arg for ipa-client-install?
ipa-client-install --exists
ipa-client-install --configured
or something like that?
Am I making hard work of something that is relatively straightforward and
solved elsewhere but I've missed?
Ansible has "ignore_errors: True" available, but I feel that is a weak get
out of jail free card. Given that this is authentication and authorization,
errors shouldn't be ignored (opinion).
cheers
L.
5 years, 10 months
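One way to make the checks asked about in the post above explicit, as an added example that is not part of the original post or of the FreeIPA project: it classifies the exit statuses documented in the ipa(1) and ipa-client-install(1) man pages (2 = entry not found, and 2 = uninstalling while the client is not configured) instead of ignoring errors. The function names and the IPA / IPA_CLIENT_INSTALL override variables are assumptions of this example; verify the exit statuses against the man pages of the installed version.

```shell
#!/bin/sh
# Added example: enrollment checks that classify exit statuses instead of
# ignoring them. IPA and IPA_CLIENT_INSTALL are override hooks assumed by this
# example (they allow stubbing); they are not options of the IPA tools.
IPA=${IPA:-ipa}
IPA_CLIENT_INSTALL=${IPA_CLIENT_INSTALL:-ipa-client-install}

# Print "present" or "absent" for an exact host entry. ipa(1) documents exit
# status 2 as "entry not found"; anything else (expired ticket, server down)
# is returned as a failure rather than being mistaken for "absent".
host_state() {
    rc=0
    "$IPA" host-show "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo present ;;
        2) echo absent ;;
        *) return 1 ;;
    esac
}

# Unconfigure the local client; print "changed" or "unchanged".
# ipa-client-install(1): 2 = uninstalling and the client is not configured,
# which is already the desired end state. Other non-zero codes propagate.
unconfigure_client() {
    rc=0
    "$IPA_CLIENT_INSTALL" --uninstall --unattended >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo changed ;;
        2) echo unchanged ;;
        *) return "$rc" ;;
    esac
}

# Read `ipa host-find` output on stdin and print N from its
# "N host(s) matched" summary line; fail if that line is missing, so an
# error message is never read as an empty (zero-looking) count.
# host-find is a search, so N can exceed 1 where host-show would match one.
matched_count() {
    awk '/^[ \t]*[0-9]+ hosts? matched[ \t]*$/ { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}
```

In a playbook the same classification can be expressed by registering the command result and using failed_when / changed_when on its rc, which avoids ignore_errors.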
After using 3rd party certs (Let's Encrypt) : pki-tomcatd fails to restart
by Henery Hawk
I've followed what I thought were the instructions to install Let's Encrypt certs on my recent FreeIPA installation but when I restart the services, pki-tomcatd fails to restart.
During the installs I've tried various combinations of installing the CA certs but they all seem to result in the same problem
Logs are below and I tried to format to make it easier to read but I'm afraid this submission will lose formatting.
Any help would be greatly appreciated. Prior to these steps the instance runs fine but requires browser user to accept the security exception.
Joe
[root@prime]# cd /etc/letsencrypt/live/my.domain.org/ # I got LE certs separately using certbot & nginx
[root@prime]# ls
cert.pem README
chain.pem fullchain.pem privkey.pem
[root@prime]# kinit admin
Password for admin(a)MY.DOMAIN.ORG:
[root@prime]# sudo vi DTSRootCAX3.pem #get from https://www.identrust.com/certificates/trustid/root-download-x3.html
[root@prime]# # I got this from the Let's Encyrpt web site ISRG Root X1 (self-signed)
[root@prime]# curl --output ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem.txt
[root@prime]# # I got this from the Let's Encyrpt web site Let’s Encrypt Authority X3 (IdenTrust cross-signed)
[root@prime]# curl --output LetsEncryptX3CrossSigned.crt https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
[root@prime]# # I got this from the Let's Encyrpt web site Let’s Encrypt Authority X3 (Signed by ISRG Root X1)
[root@prime]# curl --output LetsEncryptAuthX3a.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
[root@prime]# ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@prime]# ipa-cacert-manage -n ISRG_Root_X1 -t C,, install ISRG_Root_X1.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@prime]# ipa-cacert-manage -n LetsEncryptX3CrossSigned -t C,, install LetsEncryptX3CrossSigned.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@prime]# ipa-cacert-manage -n LetsEncryptAuthX3a -t C,, install LetsEncryptAuthX3a.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@prime]# ipa-cacert-manage -n LetsEncryptX3 -t C,, install chain.pem # this fails
Installing CA certificate, please wait
Failed to get LetsEncryptX3
The ipa-cacert-manage command failed.
[root@prime]# ipa-certupdate
trying https://my.domain.org/ipa/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://my.domain.org/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://my.domain.org/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@prime]# ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@prime]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
[root@prime]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IPA.KKGPITT.ORG IPA CA CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
DSTRootCAX3 C,,
ISRG_Root_X1 C,,
LetsEncryptX3CrossSigned C,,
LetsEncryptX3CrossSigned C,,
5 years, 10 months
Seeking advice on testing ipa internal certificate renewal
by Roderick Johnstone
Hi
In our current ipa implementation some of the ipa internal certificates
are not able to be renewed correctly.
After a lot of support both from Redhat and also through this list,
neither of which was able to fix the issue, I was advised by Redhat to
implement a new instance of ipa and migrate to it.
I now have the new ipa instance running on RHEL7 servers, but before
migrating clients and users to it would like to test that the ipa
certificate renewal will work correctly. However, I don't want to break
the new instance!
I've read chapters 24 and 26 of the Linux Domain Identity,
Authentication and Policy guide and I'm not sure either are relevant to
renewing eg 'ocspSigningCert cert-pki-ca', which was one of the ones I
was having problems with before.
In trying to fix the current ipa implementation we have been using eg
'getcert resubmit -i <id>' where <id> is the id of the 'ocspSigningCert
cert-pki-ca' certificate as shown by 'getcert list'.
Is 'getcert resubmit -i <id>' a sensible way to test renewing a
certificate manually in a working ipa instance?
Do I need to do anything else to propagate the new certificate to the
replica?
Do I need to explicitly revoke the old certificate, if so how?
Thanks.
Roderick Johnstone
5 years, 10 months
named crashes on start; lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed
by Timo Aaltonen
Hi,
Named is crashing here on start, but not if I disable the dyndb part of named.conf. So I assume it's not getting data out of ldap correctly (or correct data), and this from slapd logs might suggest so:
[05/May/2018:09:42:02.566222364 +0300] conn=23 op=3 SRCH base="cn=dns,dc=foo,dc=bar" scope=2 filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=host.foo.bar)))" attrs=ALL
[05/May/2018:09:42:02.568886490 +0300] conn=23 op=3 RESULT err=0 tag=101 nentries=2 etime=0.0002800470
[05/May/2018:09:42:02.715423436 +0300] conn=24 op=-1 fd=96 closed - B1
[05/May/2018:09:42:02.716084255 +0300] conn=23 op=-1 fd=95 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
Looking at the install logs, everything seemed to go fine until it started named, and ldapsearch doesn't provide any hints either.
ubuntu 18.04
ipa 4.6.90.pre1+1b320ac3e7ab763
bind9 9.11.3
bind9-dyndb-ldap 11.1
--
t
5 years, 10 months