7:33 a.m.
Dear all,
For the past few days, I've been struggling trying to set up our
dogtag-based PKI. Unfortunately, I am unable to access the Secure Admin
Port / Configuration Wizard (https://...:9445/...), probably due to
Tomcat failing to open SSL sockets.
- Configuration : clean RHEL5u4 ;
- Installed pki-ca-1.3.0 (tried 1.3.2 too) from EPEL, with all its
dependencies (except jss-4.2.6, which is installed from EPEL-testing) ;
- tomcatjss-1.2.0 is installed as a dependency too.
There is no "tomcat5-native" package installed, and LANG is set to C,
all to no avail.
After manually creating user 'pkiuser' (pki-setup 1.3.1 does not
automatically create this user) , "pkicreate" (with parameters from the
root CA example) yields the following errors in
/var/log/pki-ca/catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:79)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Feb 25, 2010 1:52:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed:
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
...
Strangely enough, connections are set up on e.g. the Agent Secure Port
(9443), but neither on the EE Secure Port (9444) :
# lsof |grep pkiuser |grep TCP
java 28349 pkiuser 71u IPv6
1445890 TCP *:9180 (LISTEN)
java 28349 pkiuser 76u IPv6
1445899 TCP *:9443 (LISTEN)
java 28349 pkiuser 77u IPv6
1445900 TCP localhost.localdomain:9701 (LISTEN)
Both '/etc/pki-ca/tomcat5.conf' and '/etc/pki-ca/server.xml' look valid
(disclaimer: I am a Tomcat novice).
Stracing (-e trace=file) the pki-cad process yields nothing useful,
except for the fact that tomcatjss.jar seems to be nowhere accessed.
When manually adding ":/usr/share/java/tomcatjss.jar" to the CLASSPATH
variable in '/usr/bin/dtomcat5-pki-ca', Tomcat throws these exceptions
in catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.NoClassDefFoundError:
org/apache/tomcat/util/net/SSLImplementation
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:632)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:73)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
... 6 more
Caused by: java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.SSLImplementation
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
... 30 more
As a last resort, I created a tomcat keystore too, but as this is
nowhere mentioned in the docs, I guess this is way off.
I would be grateful for any clue whatsoever.
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
6:06 p.m.
Hi Didier,
I am not familiar with Red Hat. I assumed Red Hat has some similarities
with Fedora 11.
If you do not mind, can you provide me with the last 20 lines of your
/var/log/pki-ca-install.... file? (Assuming you are using default file
location).
One other useful log is your directory server installation log. Do you
successfully configure your directory server?
Could you also make sure that you do not mix up your dogtag CS versions.
Another pointer, when you run your pkicreate, make sure that your fedora
directory serve is running.
(/etc/init.d/dirsrv status)
If the directory server is not running, you want to start it first;
/etc/init.d/dirsrv start.
Erwin
--------------------------------------------------
From: "Didier Moens" <Didier.Moens(a)dmbr.vib-UGent.be>
Sent: Thursday, February 25, 2010 7:33 AM
To: <pki-users(a)redhat.com>
Subject: [Pki-users] Unable to connect to Secure Admin Port
Dear all,
For the past few days, I've been struggling trying to set up our
dogtag-based PKI. Unfortunately, I am unable to access the Secure Admin
Port / Configuration Wizard (https://...:9445/...), probably due to
Tomcat failing to open SSL sockets.
- Configuration : clean RHEL5u4 ;
- Installed pki-ca-1.3.0 (tried 1.3.2 too) from EPEL, with all its
dependencies (except jss-4.2.6, which is installed from EPEL-testing) ;
- tomcatjss-1.2.0 is installed as a dependency too.
There is no "tomcat5-native" package installed, and LANG is set to C,
all to no avail.
After manually creating user 'pkiuser' (pki-setup 1.3.1 does not
automatically create this user) , "pkicreate" (with parameters from the
root CA example) yields the following errors in
/var/log/pki-ca/catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:79)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Feb 25, 2010 1:52:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed:
java.lang.ClassNotFoundException: Error loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jss.JSSImplementation
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
...
Strangely enough, connections are set up on e.g. the Agent Secure Port
(9443), but neither on the EE Secure Port (9444) :
# lsof |grep pkiuser |grep TCP
java 28349 pkiuser 71u IPv6
1445890 TCP *:9180 (LISTEN)
java 28349 pkiuser 76u IPv6
1445899 TCP *:9443 (LISTEN)
java 28349 pkiuser 77u IPv6
1445900 TCP localhost.localdomain:9701 (LISTEN)
Both '/etc/pki-ca/tomcat5.conf' and '/etc/pki-ca/server.xml' look valid
(disclaimer: I am a Tomcat novice).
Stracing (-e trace=file) the pki-cad process yields nothing useful,
except for the fact that tomcatjss.jar seems to be nowhere accessed.
When manually adding ":/usr/share/java/tomcatjss.jar" to the CLASSPATH
variable in '/usr/bin/dtomcat5-pki-ca', Tomcat throws these exceptions
in catalina.out :
...
org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.NoClassDefFoundError:
org/apache/tomcat/util/net/SSLImplementation
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:632)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at
org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:73)
at
org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at
org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
... 6 more
Caused by: java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.SSLImplementation
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
... 30 more
As a last resort, I created a tomcat keystore too, but as this is
nowhere mentioned in the docs, I guess this is way off.
I would be grateful for any clue whatsoever.
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
10:21 a.m.
Dear Erwin,
Your reply is much appreciated ; apologies for not responding sooner, as
I was busy examining some alternative Dogtag paths (without success, see
below).
On 09/03/10 01:06, Erwin Himawan wrote:
Hi Didier,
I am not familiar with Red Hat. I assumed Red Hat has some
similarities with Fedora 11.
If you do not mind, can you provide me with the last 20 lines of your
/var/log/pki-ca-install.... file? (Assuming you are using default file
location).
One other useful log is your directory server installation log. Do
you successfully configure your directory server?
Could you also make sure that you do not mix up your dogtag CS versions.
Another pointer, when you run your pkicreate, make sure that your
fedora directory serve is running.
(/etc/init.d/dirsrv status)
If the directory server is not running, you want to start it first;
/etc/init.d/dirsrv start.
Thank you for the advice.
1. Concerning the directory server : at this stage, the DS is not
needed, as the connection to the DS is defined in the Installation
Wizard (which I am unable to start).
2. I would not mind providing you with logfiles, but I am comparing with
a pristine (and successful) installation of Dogtag on a fresh Fedora12
virtual machine, and there are no discernible differences.
3. My next step was to disable the troublesome HTTPS/SSL completely, by
removing the https references from /etc/pki-ca/server.xml.
While this works for Fedora12 (the Installation Wizard can be reached on
http://:9445 instead of https://:9445), I only had partial success with
RHEL5 : all server.xml-defined ports are now initialized (9180, 9443,
9444, 9445, 9701), but trying to access the Installation Wizard on
http://:9445 now yields an error page (HTTP Status 500 : "The server
encountered an unexpected condition which prevented it from fulfilling
the request.").
Needless to say, the requested file
/var/lib/pki-ca/webapps/ca/admin/console/login.vm (from the
dogtag-pki-common-ui-1.3.1-1.el5 rpm) is present on the system.
(All this was tested with both Sun Java and OpenJDK.)
4. The problem as described in [3.] leads me to believe that DogTag is
completely borked on RHEL5/CentOS5. I filed a bugzilla report for the
SSL problem (https://bugzilla.redhat.com/show_bug.cgi?id=568787) and I
will file another one for problem [3.].
However, there are dependency problems in EPEL5 too
(https://bugzilla.redhat.com/show_bug.cgi?id=566342 , comment #16). The
bugzilla entries have been filed 14 days ago, unfortunately without any
reply from the developers.
This, combined with the very low traffic on pki-users (not to mention
pki-devel) makes me wonder what the ambitions for DogTag are.
Maybe I need to crosspost to centos-devel, but I am not too sure whether
they care for packages originating from EPEL ...
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
5:36 p.m.
On 12/03/10 17:21, Didier Moens wrote:
Dear Erwin,
Your reply is much appreciated ; apologies for not responding sooner, as
I was busy examining some alternative Dogtag paths (without success, see
below).
To whom it may concern : Dogtag PKI has been confirmed non-functional on
RHEL/CentOS for the moment being
(https://bugzilla.redhat.com/show_bug.cgi?id=573038).
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
5391
days inactive
5413
days old
3 comments
2 participants
participants (2)
-
Didier Moens -
Erwin Himawan