I assume the issue here is with the command...
https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
Which returns...
domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
I notice that all the SubsystemCount values are 0. I'm guessing that is what is
causing the ipa-ca-install command to throw the Clone URI does not match available
subsystems error.
However, the ipa server-show command shows that the pci-mgmt-ipa01 server is actually
enabled for CA server.
[root@ipa-nyc-pci01 ~]# ipa server-show pci-mgmt-ipa01.pci.xxxxxx.com
Server name: pci-mgmt-ipa01.pci.xxxxxx.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Enabled server roles: CA server, DNS server, NTP server
So why does the DomainXML query return 0 subsystems?
What is the ipa-ca-install command expecting here?
Thanks,
Ross
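
Added example, not part of the original message and not Dogtag or FreeIPA code: a small parser for the getDomainXML response quoted above that separates "no subsystems registered in the security domain" from "subsystems registered, but none on the clone URI's host and port". The populated `<CA>` entry layout (`Host`, `SecurePort`), the host/port comparison rule, the `ca1.example.test` sample and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Domain XML exactly as quoted in the message above: every SubsystemCount is 0.
EMPTY_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name>"
    "<CAList><SubsystemCount>0</SubsystemCount></CAList>"
    "<KRAList><SubsystemCount>0</SubsystemCount></KRAList>"
    "<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>"
    "<TKSList><SubsystemCount>0</SubsystemCount></TKSList>"
    "<RAList><SubsystemCount>0</SubsystemCount></RAList>"
    "<TPSList><SubsystemCount>0</SubsystemCount></TPSList>"
    "</DomainInfo>"
)

# Constructed sample (not from the thread): the same document with one CA
# registered. The per-entry element names are an assumption about the format.
POPULATED_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name><CAList>"
    "<CA><SubsystemName>CA ca1.example.test 8443</SubsystemName>"
    "<Host>ca1.example.test</Host><SecurePort>443</SecurePort></CA>"
    "<SubsystemCount>1</SubsystemCount></CAList>"
    "<KRAList><SubsystemCount>0</SubsystemCount></KRAList>"
    "</DomainInfo>"
)


def list_subsystems(domain_xml):
    """Return {type: {"declared": int, "entries": [(host, port), ...]}}."""
    # Parse bytes so the encoding declaration in the prolog is honoured.
    root = ET.fromstring(domain_xml.encode("utf-8"))
    found = {}
    for lst in root:
        if not lst.tag.endswith("List"):
            continue  # skips <Name>
        stype = lst.tag[: -len("List")]  # "CAList" -> "CA"
        count_text = (lst.findtext("SubsystemCount") or "0").strip()
        entries = []
        for entry in lst.findall(stype):
            host = (entry.findtext("Host") or "").strip().lower()
            port = (entry.findtext("SecurePort") or "").strip()
            if host and port.isdigit():
                entries.append((host, int(port)))
        found[stype] = {
            "declared": int(count_text) if count_text.isdigit() else 0,
            "entries": entries,
        }
    return found


def diagnose_clone_uri(domain_xml, clone_uri, stype="CA"):
    """Classify why a clone URI does or does not match the domain XML."""
    parts = urlsplit(clone_uri)
    try:
        port = parts.port or 443  # default HTTPS port when none is given
    except ValueError:
        return "invalid-uri"
    if parts.scheme != "https" or not parts.hostname:
        return "invalid-uri"
    info = list_subsystems(domain_xml).get(stype)
    if info is None or not info["entries"]:
        # The case in this thread: the list exists but holds no entries.
        return "no-subsystems-registered"
    if (parts.hostname.lower(), port) in info["entries"]:
        return "match"
    return "host-or-port-mismatch"


if __name__ == "__main__":
    uri = "https://pci-mgmt-ipa01.pci.xxxxxx.com:443"
    print(uri, "->", diagnose_clone_uri(EMPTY_DOMAIN_XML, uri))
    for stype, info in sorted(list_subsystems(EMPTY_DOMAIN_XML).items()):
        print(stype, info)
```
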
________________________________________
From: Ross Infinger
Sent: Friday, April 27, 2018 1:47 PM
To: Fraser Tweedale
Cc: FreeIPA users list
Subject: RE: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Replica debug log file:
Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 5
class=SunJCE version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 6
class=SunJGSS version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 7
class=SunSASL version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 8
class=XMLDSig version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 9
class=SunPCSC version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 10
class=CMS version 1.0
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: entering LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=Transactions in
LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=SignedAudit in
LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=System in
LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: RegistrySubsystem: startup
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CertificateAuthority.startup(): Do not
start CA in pre-op mode
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: LDAPProfileSubsystem: startup
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run
selftests in pre-op mode
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message
created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: according to ccMode, authorization for
servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet:service() uri =
/ca/admin/ca/getStatus
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service.
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: curDate=Thu Apr 26 22:01:31 UTC
2018 id=caGetStatus time=15
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message
created for eventType=ACCESS_SESSION_TERMINATED
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message
created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor:
SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: Not
authenticated.
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor:
SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: loading
/usr/share/pki/ca/conf/auth-method.properties
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: checking
/var/lib/pki/pki-tomcat/ca/conf/auth-method.properties
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth
methods: [*]
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access
allowed
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor:
SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization
required
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not
required.
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message
created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor:
SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type:
application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: accept:
[application/json]
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: request format:
application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: response format:
application/json
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: configure()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: request:
ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX,
securityDomainType=existingdomain,
securityDomainUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, securityDomainName=null,
securityDomainUser=admin-ipa-nyc-pci01.pci.xxxxxx.com, securityDomainPassword=XXXX,
securityDomainPostLoginSleepSeconds=null, isClone=true,
cloneUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, subsystemName=CA
ipa-nyc-pci01.pci.xxxxxx.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root,
dsHost=ipa-nyc-pci01.pci.xxxxxx.com, dsPort=636, baseDN=o=ipaca, bindDN=cn=Directory
Manager, bindpwd=XXXX, database=ipaca, secureConn=true, removeData=true,
replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389,
replicationSecurity=TLS, systemCertsImported=false,
systemCerts=[com.netscape.certsrv.system.SystemCertData@5faae3f1],
issuingCA=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, backupKeys=true, backupPassword=XXXX,
backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null,
adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null,
adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null,
importAdminCert=false, generateServerCert=true, external=false, standAlone=false,
stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null,
caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null,
importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null,
createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null,
reindexData=True, startingCrlNumber=0, createSigningCertRecord=true,
signingCertSerialNumber=1]
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Token Authentication ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Security Domain Configuration ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Joining existing security domain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Resolving security domain URL
https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: GET
https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Server certificate:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - subject:
CN=pci-mgmt-ipa01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - issuer: CN=Certificate
Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: certificate chain:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: - CN=Certificate
Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Getting domain XML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: GET
https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: len is 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Logged into security domain; sleeping for
5s
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: === Subsystem Configuration ===
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SystemConfigService: validate clone URI:
https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: Clone URI does not match available
subsystems:
https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message
created for eventType=ACCESS_SESSION_TERMINATED
Master debug file:
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor:
SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: Not
authenticated.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor:
SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping:
default
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required
auth methods: [*]
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous
access allowed
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor:
SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor.filter: no
authorization required
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping;
authz not required.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept:
[application/json]
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response
format: application/json
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization
for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Creating
LdapBoundConnFactor(SecurityDomainProcessor)
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning
true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection
errorIfDown is false
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: TCP Keep-Alive: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSLClientCertificateSelectionCB:
Setting desired cert nickname to: subsystemCert cert-pki-ca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket: set client auth
cert nickname subsystemCert cert-pki-ca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with
SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and
maximum 15 connections to host
pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection,
true, authentication type 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by
3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
CA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
OCSP
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
KRA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
RA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
TKS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype:
TPS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Authenticating user
admin-ipa-nyc-pci01.pci.xxxxxx.com with password.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: UID:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: DN:
uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num
avail conns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create()
message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: User DN:
uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Roles:
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Security Domain
Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise CA
Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise KRA
Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor:
principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping:
account
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required
auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor:
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access
granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz
manager DirAclAuthz
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping:
account.login
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL:
certServer.ca.account,login
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions=
user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions:
user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression:
user="anybody" to be true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept:
[application/json]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response
format: application/json
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor:
principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping:
account
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required
auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor:
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access
granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz
manager DirAclAuthz
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping:
account.logout
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL:
certServer.ca.account,logout
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions=
user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions:
user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression:
user="anybody" to be true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept:
[application/json]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response
format: application/json
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: according to ccMode, authorization
for servlet: caGetCertChainAdmin is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet:service() uri =
/ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: caGetCertChainAdmin
start to service.
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: certificate chain:
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: - CN=Certificate
Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: curDate=Thu Apr 26
22:01:33 UTC 2018 id=caGetCertChainAdmin time=8
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Authenticating user
admin-ipa-nyc-pci01.pci.xxxxxx.com with password.
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: UID:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: DN:
uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory::getConn
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory.getConn(): num
avail conns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SSL handshake happened
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: User DN:
uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Roles:
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Security Domain
Administrators
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise CA
Administrators
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise KRA
Administrators
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping:
account
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required
auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access
granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz
manager DirAclAuthz
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping:
account.login
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL:
certServer.ca.account,login
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions=
user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions:
user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression:
user="anybody" to be true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept:
[application/xml]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response
format: application/xml
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping:
securityDomain.installToken
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required
auth methods: [passwdUserDBAuthMgr]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access
granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor:
SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz
manager DirAclAuthz
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping:
securityDomain.installToken
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL:
certServer.securitydomain.domainxml,read
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions=
user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions:
user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression:
user="anybody" to be true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept:
[application/xml]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response
format: application/xml
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]:
SecurityDomainService.getInstallToken(pci-mgmt-ipa01.pci.xxxxxx.com, CA)
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: according to ccMode, authorization
for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainProcessor: group:
Enterprise CA Administrators
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search base:
cn=Enterprise CA Administrators,ou=groups,o=ipaca
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search filter:
(uniquemember=uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca)
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization result: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=ROLE_ASSUME
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainSessionTable: added
session entry 7327023802561410048
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=SECURITY_DOMAIN_UPDATE
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor:
principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping:
account
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required
auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor:
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access
granted
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal:
admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz
manager DirAclAuthz
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping:
account.logout
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL:
certServer.ca.account,logout
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions=
user="anybody"
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions:
user="anybody"
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression:
user="anybody" to be true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create()
message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor:
content-type: null
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept:
[application/xml]
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response
format: application/xml
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: initializing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization
for servlet: caGetDomainXML is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: done initializing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet:service() uri =
/ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: caGetDomainXML start to
service.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: processing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization
for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Creating
LdapBoundConnFactor(SecurityDomainProcessor)
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory: init
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory:doCloning
true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init begins
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init ends
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: init: before makeConnection
errorIfDown is false
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: makeConnection: errorIfDown false
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: TCP Keep-Alive: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSLClientCertificateSelectionCB:
Setting desired cert nickname to: subsystemCert cert-pki-ca
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapJssSSLSocket: set client auth
cert nickname subsystemCert cert-pki-ca
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSL handshake happened
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Established LDAP connection with
SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: initializing with mininum 3 and
maximum 15 connections to host
pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection,
true, authentication type 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: increasing minimum connections by
3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new total available connections 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new number of connections 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: masterConn is connected: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: conn is connected true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: mNumConns now 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: name: IPA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
CA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
OCSP
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
KRA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
RA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
TKS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype:
TPS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Releasing ldap connection
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: curDate=Thu Apr 26
22:01:35 UTC 2018 id=caGetDomainXML time=51
[26/Apr/2018:22:03:10][Timer-0]: SessionTimer: run()
[26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds()
[26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: searching
ou=sessions,ou=Security Domain,o=ipaca
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true
delta: false
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: Fri Apr 27 01:00:00
UTC 2018 delay: 10310677
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL
generation
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: masterConn is connected: true
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 4
Thanks,
Ross
_______________________________________
From: Fraser Tweedale [ftweedal(a)redhat.com]
Sent: Thursday, April 26, 2018 1:56 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug
log files from both master and replica?
Thanks,
Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with the command
ipa-ca-install. It fails with this error in the log:
Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match available
subsystems:
https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.p...
Version of both CA master and replica is 4.5.0, API version 2.228.
Domain level is 1.
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks,
Ross
2018-04-26T17:04:39Z DEBUG /usr/sbin/ipa-ca-install was invoked with
options: {'external_cert_files': None, 'subject_base': None,
'skip_schema_check': False, 'external_ca_type': None,
'unattended': False, 'no_host_dns': False, 'ca_subject': None,
'ca_signing_algorithm': None, 'debug': True, 'external_ca': False,
'skip_conncheck': False},None
2018-04-26T17:04:39Z DEBUG IPA version 4.5.0-22.el7.centos
2018-04-26T17:04:39Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.aci
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automember
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automount
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseldap
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseuser
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.batch
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ca
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.caacl
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.cert
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certmap
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certprofile
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.config
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.delegation
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dns
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dogtag
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.group
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbac
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbactest
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.host
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idrange
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idviews
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.internal
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.join
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ldap2
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.location
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.migration
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.misc
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.netgroup
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otp
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otptoken
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.passwd
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.permission
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ping
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pkinit
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.privilege
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.rabase
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.role
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.schema
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selfservice
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.server
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverrole
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverroles
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.service
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.session
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.stageuser
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudo
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudorule
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.topology
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.trust
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.user
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.vault
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.virtual
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.whoami
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632
2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518>
2018-04-26T17:04:40Z DEBUG Initializing principal
host/ipa-nyc-pci01.pci.xxxxxx.com(a)PCI.XXXXXX.COM using keytab /etc/krb5.keytab
2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache
2018-04-26T17:04:40Z DEBUG Attempt 1/1: success
2018-04-26T17:05:01Z DEBUG Starting external process
2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master
pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm
PCI.XXXXXX.COM --hostname
ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt
2018-04-26T17:05:16Z DEBUG Process finished, return code=0
2018-04-26T17:05:16Z DEBUG stdout=
2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master
'pci-mgmt-ipa01.pci.xxxxxx.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying
https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.p...
[try 1]: Forwarding 'schema' to json server
'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci.xxxxxx.com_ipa_json&d=DwIBAg&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=z_9noEwsxWPMbVBnvdxwM8aDXiI1xYsviKVMlRFSTJs&s=4zkROk_oyrfSw6LAJqMYGnmdc2cIhj2BO51sy1CkHxo&e='
trying
https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.p...
[try 1]: Forwarding 'ping/1' to json server
'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci.xxxxxx.com_ipa_session_json&d=DwIBAg&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=z_9noEwsxWPMbVBnvdxwM8aDXiI1xYsviKVMlRFSTJs&s=AgJkpxph3oIGEMzwdLSJN9aWIGBeRshVyaw7gwH3_Z8&e='
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server
'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci.xxxxxx.com_ipa_session_json&d=DwIBAg&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=z_9noEwsxWPMbVBnvdxwM8aDXiI1xYsviKVMlRFSTJs&s=AgJkpxph3oIGEMzwdLSJN9aWIGBeRshVyaw7gwH3_Z8&e='
Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Failed to connect to port 88 udp on 192.168.100.154
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): OK
Failed to connect to port 464 udp on 192.168.100.154
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:16Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host:
pci-mgmt-ipa01.pci.xxxxxx.com
2018-04-26T17:05:17Z DEBUG Starting external process
2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f
/tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:17Z DEBUG Process finished, return code=0
2018-04-26T17:05:17Z DEBUG stdout=
2018-04-26T17:05:17Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k
/tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w
/tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:18Z DEBUG Process finished, return code=0
2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k
/tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w
/tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:19Z DEBUG Starting external process
2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k
/tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w
/tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k
/tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w
/tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n
PCI.XXXXXX.COM
IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p
/tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:20Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time:
3 minutes
2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db
2018-04-26T17:05:20Z DEBUG duration: 0 seconds
2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication
2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache
url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x6a91290>
2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId.
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.aci
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automember
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automount
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseldap
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseuser
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.batch
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ca
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.caacl
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.cert
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certmap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certprofile
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.config
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.delegation
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dns
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dogtag
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.group
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbac
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbactest
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.host
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idrange
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idviews
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.internal
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.join
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ldap2
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.location
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.migration
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.misc
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.netgroup
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otp
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otptoken
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.passwd
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.permission
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ping
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pkinit
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.privilege
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.rabase
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.role
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.schema
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selfservice
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.server
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverrole
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverroles
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.service
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.session
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.stageuser
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudo
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudorule
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.topology
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.trust
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.user
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.vault
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.virtual
2018-04-26T17:05:30Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.whoami
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.dns
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif'
2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache
2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128>
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig']
2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer']
2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])]
2018-04-26T17:05:31Z DEBUG Updated 1
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry:
cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG duration: 11 seconds
2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user
2018-04-26T17:05:32Z DEBUG duration: 0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa-2Dca.pci.xxxxxx.c...
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.p...
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
---------------
4 entries found
---------------
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d
Serial Number: 0x2
Nickname: ocspSigningCert cert-pki-ca
Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true
Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d
Serial Number: 0x1
Nickname: caSigningCert cert-pki-ca
Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: CTu,Cu,Cu
Has Key: true
Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705
Serial Number: 0x4
Nickname: subsystemCert cert-pki-ca
Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true
Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b
Serial Number: 0x5
Nickname: auditSigningCert cert-pki-ca
Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true
---------------
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu
Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.p...
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.