After rooting around in the Dogtag source and documentation to try and
figure out what it's doing, I noticed that a KRA connector was
configured on my server "ipa2" (which is what "ipa" is going to
replicate):
❯ pki -u admin ca-kraconnector-show
Enter Password:
WARNING: UNTRUSTED ISSUER encountered on
'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert
'CN=Certificate Authority,O=EXAMPLE.COM'
Trust this certificate (y/N)? y
Host: ipa2.example.com:443
Enabled: true
Local: false
Timeout: 30
URI: /kra/agent/kra/connector
Transport Cert:
MII.....
So, on a hunch, I deleted that connector from ipa2 after saving off the
information and cert:
❯ pki -u admin ca-kraconnector-del --host ipa2.example.com --port 443
Enter Password:
WARNING: UNTRUSTED ISSUER encountered on
'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert
'CN=Certificate Authority,O=EXAMPLE.COM'
Trust this certificate (y/N)? y
--------------------------------------------
Removed KRA host "ipa2.example.com:443"
--------------------------------------------
I then re-ran ipa-replica-install on "ipa" and it seemed to work fine -
at least I didn't get any errors.
So now ... Because I am nowhere near an expert at Dogtag, did I do the
wrong thing by removing that kra connector? Will there be any
unintended side effects? Or was that kra connector some leftover that
shouldn't have been there? The server ipa2 was not the original IPA
server, it started as a replica.
- Dave
On 11/29/2020 04:01, David Andrzejewski via FreeIPA-users wrote:
> I'm attempting to reinstall a replica that I had previously removed.
> When I run ipa-replica-install and include the --setup-kra option, it
> eventually fails. I've included the output of the ipa-replica-install
> command, and the only "bad" thing I can find is the following in the
> tomcat debug log:
>
>> 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE: addConnector: Connector is already defined
>
> I've gone through and run ipa-healthcheck, all is well there. After
> uninstalling, I couldn't find any old references to the replica in the
> LDAP database.... the ipa-replica-install works fine if I do not include
> --setup-kra.
>
> Any help would be appreciated. I'm happy to provide whatever additional
> logs that may be needed. I've replaced my internal DNS suffix with
> 'example.com'.
>
> Thanks!
>
> - Dave
>
>
>
> Failed to configure KRA instance: CalledProcessError(Command
> ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug']
> returned non-zero exit status 1:
> )\nINFO: Adding attributetypes: ( UnSecurePort-oid NAME
> \'UnSecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> SubsystemName-oid NAME \'SubsystemName\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN \'user defined\'
> )\nINFO: Adding attributetypes: ( cmsUserGroup-oid NAME \'cmsUserGroup\'
> DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( realm-oid
> NAME \'realm\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( CertACLS-oid NAME \'CertACLS\' DESC \'CMS defined
> class\' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN \'user
> defined\' )\nINFO: Adding objectclasses: ( repository-oid NAME
> \'repository\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ou MAY
> ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN
> \'user defined\' )\nINFO: Adding objectclasses: ( request-oid NAME
> \'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY (
> requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $
> requestOwner $ requestAgentGroup $ requestSourceId $ requestType $
> requestFlag $ requestError $ userMessages $ adminMessages $ realm )
> X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
> transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top
> STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus
> $ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
> crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS
> defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
> dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $
> deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $
> deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $
> expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC
> \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $
> dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $
> metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $
> algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $
> issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $
> issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
> userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top
> STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $
> p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses:
> ( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top
> STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $
> keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $
> dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $
> publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm )
> X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
> pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined
> class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\'
> )\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME
> \'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST
> cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: (
> pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP
> top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone )
> MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort
> $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\'
> )\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC
> \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $
> endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( securityDomainSessionEntry-oid NAME
> \'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top
> STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate )
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO:
> Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC
> \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
> \'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME
> \'modified\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME
> \'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\'
> DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME
> \'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC
> \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN
> \'user defined\' )\nINFO: Adding attributetypes: (
> numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME
> \'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\'
> DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid
> NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME
> \'tokenResult\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME
> \'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME
> \'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME
> \'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined
> attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME
> \'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME
> \'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS
> defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME
> \'profileID\' DESC \'CMS defined attribute\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined
> class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $
> modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $
> keyInfo $ tokenPolicy $ extensions $ numberOfResets $
> numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $
> userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS
> defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
> dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $
> tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO:
> Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS
> defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $
> dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $
> tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $
> tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN
> \'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME
> \'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY (
> profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: (
> classId-oid NAME \'classId\' DESC \'Certificate profile class ID\'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO:
> Adding attributetypes: ( certProfileConfig-oid NAME
> \'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate
> profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig )
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\'
> )\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME
> \'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\'
> )\nINFO: Adding attributetypes: ( authorityParentID-oid NAME
> \'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\'
> )\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME
> \'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\'
> )\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\'
> DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE
> X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority
> certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
> SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: (
> authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent
> DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user
> defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME
> \'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding
> objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate
> Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $
> authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY (
> authoritySerial $ authorityParentID $ authorityParentDN $
> authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO:
> Setting up ACME schema\nINFO: Importing
> /usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding
> attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING
> generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding
> attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING
> generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding
> attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE
> )\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding
> attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name
> SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME
> \'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes:
> ( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR
> caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: (
> acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding
> attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name
> SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME
> \'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY
> caseIgnoreMatch )\nINFO: Adding attributetypes: (
> acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO:
> Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME
> \'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
> EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: (
> acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE
> )\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: (
> acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE
> )\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\'
> STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding
> objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST (
> acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact
> )\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\'
> STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $
> acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $
> acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: (
> acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST (
> acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $
> acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding
> objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST
> ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus )
> MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: (
> acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge
> STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: (
> acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge
> STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: (
> acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST (
> acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating
> indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO:
> Creating
> /var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO:
> Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add
> cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config\nWARNING: Unable to add
> cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config: netscape.ldap.LDAPException: error result (68); Already
> exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database,
> cn=plugins, cn=config\nWARNING: Unable to add
> cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config:
> netscape.ldap.LDAPException: error result (68); Already exists\nINFO:
> Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm
> database, cn=plugins, cn=config: netscape.ldap.LDAPException: error
> result (68); Already exists\nINFO: Adding
> cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins,
> cn=config\nINFO: Setting up database manager\nINFO: Importing
> /usr/share/pki/server/conf/manager.ldif\nINFO: Creating
> /var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO:
> Adding ou=csusers,cn=config\nWARNING: Unable to add
> ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68);
> Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci:
> (targetattr = "*")(version 3.0; acl "cert manager access v2"; allow
> (all) userdn =
> "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
> modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20);
> Type or value exists\nINFO: Modifying cn=ldbm
> database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr =
> "*")(version 3.0; acl "Cert Manager access for VLV searches"; allow
> (read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
> Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version
> 3.0; aci "cert manager read access"; allow (read, search, compare)
> userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
> Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr !=
> "aci")(version 3.0; aci "cert manager manage replication users"; allow
> (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO:
> Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
> aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication
> Agreements";allow (add) userdn =
> "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
> modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
> netscape.ldap.LDAPException: error result (32); No such object\nINFO:
> Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
> aci: (targetattr =
> "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
> 3.0; acl "cert manager: Modify Replication Agreements"; allow (read,
> write, search) userdn =
> "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to
> modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
> netscape.ldap.LDAPException: error result (32); No such object\nINFO:
> Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding
> aci: (targetattr =
> "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
> 3.0;acl "cert manager: Remove Replication Agreements";allow (delete)
> userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING:
> Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config:
> netscape.ldap.LDAPException: error result (32); No such object\nINFO:
> Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr =
> "*")(version 3.0; acl "cert manager: Run tasks after replica
> re-initialization"; allow (add) userdn =
> "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV
> indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO:
> Creating
> /var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO:
> Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm
> database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat,
> cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
> cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm
> database, cn=plugins, cn=config\nINFO: Adding
> cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat,
> cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
> cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca,
> cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
> cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca,
> cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
> cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat,
> cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding
> cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm
> database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex,
> cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex,
> cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex,
> cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex,
> cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex,
> cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding
> cn=kraCanceledRecovery-pki-tomcatIndex,
> cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex,
> cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex,
> cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding
> cn=kraRejectedRecovery-pki-tomcatIndex,
> cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex,
> cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins,
> cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex,
> cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Adding
> cn=kraCompleteRecovery-pki-tomcatIndex,
> cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database,
> cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating
> /var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO:
> Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting
> for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO:
> Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task
> cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE:
> PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert
> received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE:
> - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger:
> event CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
> PKIClientSocketListener.alertReceived:
> CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
> PKIClientSocketListener.alertReceived: clientIP=10.1.1.7
> serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE:
> PKIClientSocketListener.alertSent: begins\nFINE:
> PKIClientSocketListener.alertSent: got description:0\nFINE:
> PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE:
> PKIClientSocketListener.alertSent:
> CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
> PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7
> serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: -
> reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server:
> 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event
> CLIENT_ACCESS_SESSION_TERMINATED\nFINE:
> PKIClientSocketListener.alertSent:
> CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE:
> PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7
> serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA
> clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d
> /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U
> https://ipa2.example.com:443 kra-range-request request --session
> 7645071616159216931 --output-format json --debug\nINFO: Connecting to
> https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info
> HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
> ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
> certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
> HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
> 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
> Keep-Alive\nINFO: Content-Type: text/html;
> charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
> Requesting request range\nINFO: HTTP request: POST
> /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type:
> application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO:
> Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
> response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
> application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive:
> timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response:
> <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE:
> Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating
> serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f
> /etc/pki/pki-tomcat/password.conf -U
> https://ipa2.example.com:443
> kra-range-request serialNo --session 7645071616159216931 --output-format
> json --debug\nINFO: Connecting to
> https://ipa2.example.com:443\nINFO:
> HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept:
> application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection:
> Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5
> (Java/1.8.0_272)\nINFO: Server certificate:
> CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not
> Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server:
> Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7
> mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive:
> timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO:
> Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get
> server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP
> request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO:
> Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length:
> 58\nINFO: Host: ipa2.example.com:443\nINFO: Connection:
> Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5
> (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date:
> Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora)
> OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO:
> Content-Type: application/xml\nINFO: Content-Length: 167\nINFO:
> Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE:
> Response: <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE:
> Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating
> replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f
> /etc/pki/pki-tomcat/password.conf -U
> https://ipa2.example.com:443
> kra-range-request replicaId --session 7645071616159216931
> --output-format json --debug\nINFO: Connecting to
> https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info
> HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
> ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
> certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
> HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
> 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
> Keep-Alive\nINFO: Content-Type: text/html;
> charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
> Requesting replicaId range\nINFO: HTTP request: POST
> /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type:
> application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO:
> Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
> response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
> application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive:
> timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response:
> <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE:
> Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem
> config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry
> config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating
> configuration for KRA clone\nINFO: Updating configuration\nDEBUG:
> Command: pki -d /etc/pki/pki-tomcat/alias -f
> /etc/pki/pki-tomcat/password.conf -U
> https://ipa2.example.com:443
> kra-config-export --names
> internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type
> --substores
> internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing
> --session 7645071616159216931 --output-format json --debug\nINFO:
> Connecting to
> https://ipa2.example.com:443\nINFO: HTTP request: GET
> /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host:
> ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server
> certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response:
> HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length:
> 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection:
> Keep-Alive\nINFO: Content-Type: text/html;
> charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO:
> Getting configuration properties\nINFO: HTTP request: POST
> /kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type:
> application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO:
> Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO:
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP
> response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36
> GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
> mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type:
> application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive:
> timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status:
> 0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: -
> internaldb._001\nINFO: - internaldb._002\nINFO: -
> internaldb.basedn\nINFO: - internaldb.database\nINFO: -
> internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: -
> internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO:
> - internaldb.ldapauth.bindPWPrompt\nINFO: -
> internaldb.ldapauth.clientCertNickname\nINFO: -
> internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: -
> internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: -
> kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: -
> kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: -
> kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: -
> kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: -
> kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: -
> kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: -
> kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: -
> kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: -
> internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing
> subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing
> registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO:
> Restarting server\nDEBUG: Command: systemctl restart
> pki-tomcatd@pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO:
> Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO:
> Setting up clone\nINFO: Creating clone setup
> request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362:
> SubjectAltNameWarning: Certificate for
> ipa.example.com has no
> `subjectAltName`, falling back to check for a `commonName` for now. This
> feature is being removed by major browsers and deprecated by RFC 2818.
> (See
> https://github.com/shazow/urllib3/issues/497 for details.)\n
> SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating
> database setup request\nINFO: Getting sslserver cert info from
> CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG:
> Command: certutil -L -d /etc/pki/pki-tomcat/alias -f
> /tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG:
> Command: certutil -L -d /etc/pki/pki-tomcat/alias -f
> /tmp/tmpef27un35/password.txt\nINFO: Setting up transport
> certificate\nINFO: transport certificate is already set up\nINFO:
> Setting up storage certificate\nINFO: storage certificate is already set
> up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate
> is already set up\nINFO: Setting up subsystem certificate\nINFO:
> subsystem certificate is already set up\nINFO: Setting up audit_signing
> certificate\nINFO: audit_signing certificate is already set up\nINFO:
> Backing up keys into
> /etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command:
> pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file
> /etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file
> /tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO:
> Creating security domain setup request\nINFO: Finalizing KRA
> configuration\nINFO: Creating finalize config request\n')
> See the installation logs and the following files/directories for more
> information:
> /var/log/pki/pki-tomcat
> [error] RuntimeError: KRA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> KRA configuration failed.
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
> [root@ipa]~#