On 08/01/2017 03:11 PM, Ian Harding wrote:
On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote:
> On 08/01/2017 01:32 AM, Ian Harding via FreeIPA-users wrote:
>>
>>
>> On 07/31/2017 11:34 AM, Rob Crittenden wrote:
>>> Ian Harding via FreeIPA-users wrote:
>>>> I had an unexpected restart of an IPA server that had apparently had
>>>> updates run but had not been restarted. ipactl says pki-tomcatd would
>>>> not start.
>>>>
>>>> Strangely, the actual service appears to be running:
>>>>
>>>
>>> dogtag is an application within tomcat so tomcat can run without dogtag
>>> running.
>>>
>>> We need to see more of the dogtag debug log to see what is going on.
>>>
>>
>> It looks like an authentication problem...
>>
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host seattlenfs.bpt.rocks port 636
>> Error netscape.ldap.LDAPException: Authentication failed (49)
>>
>
> Hi,
>
> dogtag stores its internal data in the LDAP server and needs to
> establish a secure LDAP connection. You can check how this connection
> is configured in /etc/pki/pki-tomcat/ca/CS.cfg, look for the lines:
>
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=cn=Directory Manager
> internaldb.ldapauth.bindPWPrompt=internaldb
> internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
> internaldb.ldapconn.host=vm-...
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn
>
> authtype can be SslClientAuth (authentication with a ssl certificate)
> or BasicAuth (authentication with a bind DN and password stored in
> /var/lib/pki/pki-tomcat/conf/password.conf).
>
> You can use this information to manually check the credentials. For
> instance with sslclientauth:
>
> export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
> export LDAPTLS_CERT='subsystemCert cert-pki-ca'
>
> ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
> (provide the password from /etc/pki/pki-tomcat/alias/pwdfile.txt)
>
I found this:

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.cloneReplicationPort=389
...

and when I try the ldapsearch I am presented with a prompt to provide a
pin/password

Please enter pin, password, or pass phrase for security token 'ldap(0)':

but there is no password file...

Hi,

you are right, in 4.4 there is no pwdfile.txt and the password can be
found in /var/lib/pki/pki-tomcat/conf/password.conf (with the tag
internal=...)

Can you check if the password with the tag internal=... allows you to
read the keys from the NSS db?

certutil -K -d /etc/pki/pki-tomcat/alias
(provide password)

If the password is not the right one, certutil will prompt you once
again for it. This would mean that the password does not allow access to
the key in the NSS db and Dogtag will not be able to use the
certificate for authentication.

Flo

ls -a /etc/pki/pki-tomcat/alias/
. .. cert8.db key3.db secmod.db

There are "internal" and "replicationdb" values in
/var/lib/pki/pki-tomcat/conf/password.conf but they don't work in
response to the ldapsearch prompt above.

Thank you so much for your help!
> HTH,
> Flo.
>>
>>
>> [28/Jul/2017:09:56:24][localhost-startStop-1]: CMSEngine.shutdown()
>> [28/Jul/2017:10:08:46][localhost-startStop-1]:
>> ============================================
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: ===== DEBUG SUBSYSTEM
>> INITIALIZED =======
>> [28/Jul/2017:10:08:46][localhost-startStop-1]:
>> ============================================
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: done init
>> id=debug
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: initialized
>> debug
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine:
>> initSubsystem id=log
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: CMSEngine: ready to
>> init id=log
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> [28/Jul/2017:10:08:46][localhost-startStop-1]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: done init
>> id=log
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: initialized
>> log
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine:
>> initSubsystem id=jss
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: ready to
>> init id=jss
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: done init
>> id=jss
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: initialized
>> jss
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine:
>> initSubsystem id=dbs
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine: ready to
>> init id=dbs
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: DBSubsystem: init()
>> mEnableSerialMgmt=true
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: Creating
>> LdapBoundConnFactor(DBSubsystem)
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: LdapBoundConnFactory:
>> init
>> [28/Jul/2017:10:08:47][localhost-startStop-1]:
>> LdapBoundConnFactory:doCloning true
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: LdapAuthInfo: init()
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: LdapAuthInfo: init begins
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: LdapAuthInfo: init ends
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: init: before
>> makeConnection errorIfDown is true
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: makeConnection:
>> errorIfDown true
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: TCP Keep-Alive: true
>> [28/Jul/2017:10:08:47][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: Setting desired cert nickname to:
>> subsystemCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: LdapJssSSLSocket: set
>> client auth cert nickname subsystemCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]:
>> SSLClientCertificatSelectionCB: Entering!
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: Candidate cert:
>> ocspSigningCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: Candidate cert:
>> subsystemCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: desired cert found in list:
>> subsystemCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host seattlenfs.bpt.rocks port 636
>> Error netscape.ldap.LDAPException: Authentication failed (49)
>>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
>>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> Internal Database Error encountered: Could not connect to LDAP server
>> host seattlenfs.bpt.rocks port 636 Error netscape.ldap.LDAPException:
>> Authentication failed (49)
>>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
>>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
>>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> [28/Jul/2017:10:08:47][localhost-startStop-1]: CMSEngine.shutdown()
>> [28/Jul/2017:10:13:29][localhost-startStop-2]:
>> ============================================
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: ===== DEBUG SUBSYSTEM
>> INITIALIZED =======
>> [28/Jul/2017:10:13:29][localhost-startStop-2]:
>> ============================================
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: done init
>> id=debug
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: initialized
>> debug
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> initSubsystem id=log
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: ready to
>> init id=log
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: Creating
>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: done init
>> id=log
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: initialized
>> log
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> initSubsystem id=jss
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: ready to
>> init id=jss
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: restart at
>> autoShutdown? false
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> autoShutdown crumb file path?
>> /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: about to
>> look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: found
>> cert:auditSigningCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: done init
>> id=jss
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: initialized
>> jss
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine:
>> initSubsystem id=dbs
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: CMSEngine: ready to
>> init id=dbs
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: DBSubsystem: init()
>> mEnableSerialMgmt=true
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: Creating
>> LdapBoundConnFactor(DBSubsystem)
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: LdapBoundConnFactory:
>> init
>> [28/Jul/2017:10:13:29][localhost-startStop-2]:
>> LdapBoundConnFactory:doCloning true
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: LdapAuthInfo: init()
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: LdapAuthInfo: init begins
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: LdapAuthInfo: init ends
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: init: before
>> makeConnection errorIfDown is true
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: makeConnection:
>> errorIfDown true
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: TCP Keep-Alive: true
>> [28/Jul/2017:10:13:29][localhost-startStop-2]:
>> SSLClientCertificateSelectionCB: Setting desired cert nickname to:
>> subsystemCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: LdapJssSSLSocket: set
>> client auth cert nickname subsystemCert cert-pki-ca
>> [28/Jul/2017:10:13:29][localhost-startStop-2]: SSL handshake happened
>> Could not connect to LDAP server host seattlenfs.bpt.rocks port 636
>> Error netscape.ldap.LDAPException: Authentication failed (49)
>>
>>
>>
>>> I don't think re-running the upgrade command would help.
>>>
>>> rob
>>>
>>
>
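
Added example, not part of the thread and not FreeIPA or Dogtag code: a shell helper that reads the CS.cfg keys quoted above and reports which credential Dogtag needs for its internal LDAP bind, and whether the matching tag exists in password.conf, without printing the secret. The function names and the sample files are constructed for illustration; that BasicAuth looks up the tag named by bindPWPrompt is an assumption, and check_nssdb_password relies on certutil's -f password-file option.

```shell
#!/bin/sh
# Added example: which credential does Dogtag need for its internal LDAP bind?

# cfg_get FILE KEY: print the value of the last "KEY=value" line, or nothing.
cfg_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# pki_ldap_auth_summary CS_CFG PASSWORD_CONF
# Prints one summary line; reports only whether the secret is present.
pki_ldap_auth_summary() {
    cs=$1
    pw=$2
    authtype=$(cfg_get "$cs" internaldb.ldapauth.authtype)
    case $authtype in
    SslClientAuth)
        # Certificate bind: the private key sits in the NSS db, which is
        # unlocked with the "internal=" entry of password.conf.
        nick=$(cfg_get "$cs" internaldb.ldapauth.clientCertNickname)
        tag=internal ;;
    BasicAuth)
        # Password bind. Assumption: the tag is the bindPWPrompt value.
        nick=
        tag=$(cfg_get "$cs" internaldb.ldapauth.bindPWPrompt) ;;
    *)
        echo "authtype=${authtype:-unset} (unrecognised)"
        return 1 ;;
    esac
    if [ -n "$(cfg_get "$pw" "$tag")" ]; then state=present; else state=missing; fi
    echo "authtype=$authtype nickname=${nick:-none} password_tag=$tag:$state"
}

# check_nssdb_password ALIAS_DIR PASSWORD_CONF
# The thread's "certutil -K" check, run without a prompt by passing the
# internal= value through a private temporary file. Returns certutil's status.
check_nssdb_password() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    pwfile=$(mktemp) || return 2
    cfg_get "$2" internal > "$pwfile"
    rc=0
    certutil -K -d "$1" -f "$pwfile" >/dev/null 2>&1 || rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# make_sample DIR AUTHTYPE: write constructed CS.cfg and password.conf files
# (values are made up; password.conf has no "internaldb" tag on purpose).
make_sample() {
    cat > "$1/CS.cfg" <<EOF
internaldb.ldapauth.authtype=$2
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.port=636
EOF
    printf 'internal=constructed-nss-pin\nreplicationdb=constructed-repl-pw\n' \
        > "$1/password.conf"
}

# Demonstration on the constructed files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" SslClientAuth
pki_ldap_auth_summary "$demo_dir/CS.cfg" "$demo_dir/password.conf"
rm -rf "$demo_dir"
```

On a real server the two arguments would be /etc/pki/pki-tomcat/ca/CS.cfg and /var/lib/pki/pki-tomcat/conf/password.conf, read as root.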