Unable to clone pki-kra (Clone is not ready)
by Mike Mercier
Hello,
I posted a message about this last week:
I will post more details here:
2 servers:
service-1: running fedora-ds and will be prime pki system (running
all subsystems)
service-2: running fedora-ds and will be clone for all (cloneable)
subsystems on service-1
[root@service-1 pki-kra]# rpm -qa|grep pki
pki-selinux-1.1.0-1.fc10.noarch
pki-kra-1.1.0-1.fc10.noarch
pki-common-1.1.0-1.fc10.noarch
pki-native-tools-1.1.0-1.fc10.x86_64
dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
pki-util-1.1.0-1.fc10.noarch
pki-ca-1.1.0-1.fc10.noarch
dogtag-pki-common-ui-1.1.0-1.fc10.noarch
pki-java-tools-1.1.0-1.fc10.noarch
dogtag-pki-kra-ui-1.1.0-1.fc10.noarch
pki-setup-1.1.0-1.fc10.noarch
I did the following steps:
1. yum install pki-ca on service-1 and create instance - success
2. yum install pki-ca on service-2 cloning instance from step 1 - success
3. yum install pki-kra on service-1 - installation seems to be
successful using security domain from service-1
Note: on the page for the login, I get Security Domain () login (Is
this correct or should it show the security domain name between the
()?)
4. yum install pki-kra on service-2
a) select security domain from service-1
b) join security domain on service-1:9444
c) select to clone domain from step 3
when clicking next on this screen service-1/var/log/pki-kra/debug shows
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:service()
uri = /kra/ee/kra/getTokenInfo
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:
kraGetTokenInfo start to service.
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:
curDate=Mon May 25 09:19:31 EDT 2009 id=kraGetTokenInfo time=3
service-1/var/log/pki-kra/localhost_access_log shows:
192.168.0.26 - - [25/May/2009:09:19:31 -0400] "POST
/kra/ee/kra/getTokenInfo HTTP/1.0" 200 565
d) at "Import Keys and Certificates" page, I type in the name of the
file that was copied to the system and I get "Clone is not ready"
on service-2 I can run pk12util -l pki-kra-savepkcs -w <file> and it
will output the keys and shows the correct security domain
I don't see anything new in the logs at this step anymore (not sure
where the error came from in my last post)
On service-1:
[root@service-1 ~]# service pki-kra status
pki-kra (pid 8444) is running ...
Unsecure Port = http://service-1.internaldomain:10180/kra/ee/kra
Secure Agent Port = https://service-1.internaldomain:10443/kra/agent/kra
Secure EE Port = https://service-1.internaldomain:10444/kra/ee/kra
Secure Admin Port = https://service-1.internaldomain:10445/kra/services
Secure Admin Port = pkiconsole https://service-1.internaldomain:10445/kra
Tomcat Port = 10701 (for shutdown)
Thanks,
Mike
15 years, 7 months
Error cloning KRA
by Mike Mercier
Hello,
I am having a problem cloning a KRA. I get to the "Import Keys and
Certificates" page, put in the filename and password (after copying
the file to /var/lib/pki-kra/alias) and the page returns:
"Clone is not ready"
I see the following in /var/log/pki-kra/debug
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: process
[21/May/2009:16:32:09][http-10444-Processor20]:
WizardServlet:service() uri = /kra/admin/console/config/wizard
[21/May/2009:16:32:09][http-10444-Processor20]:
WizardServlet::service() param name='__password' value='(sensitive)'
[21/May/2009:16:32:09][http-10444-Processor20]:
WizardServlet::service() param name='path' value='pki-kra-savepkcs12'
[21/May/2009:16:32:09][http-10444-Processor20]:
WizardServlet::service() param name='p' value='4'
[21/May/2009:16:32:09][http-10444-Processor20]:
WizardServlet::service() param name='op' value='next'
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: op=next
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: size=16
[21/May/2009:16:32:09][http-10444-Processor20]: WizardServlet: in next 4
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
verify the PFX.
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.ObjectNotFoundException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteExistingCerts:
Exception=org.mozilla.jss.crypto.NoSuchItemOnTokenException
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
deleteCert: this is pk11store
[21/May/2009:16:32:09][http-10444-Processor20]: Key Algorithm 'RSA'
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel:
this is the clone subsystem
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
isCertdbCloned:
[21/May/2009:16:32:09][http-10444-Processor20]: RestoreKeyCertPanel
update: clone does not have all the certificates.
[21/May/2009:16:32:09][http-10444-Processor20]: panel no=4
[21/May/2009:16:32:09][http-10444-Processor20]: panel name=restorekeys
[21/May/2009:16:32:09][http-10444-Processor20]: total number of panels=16
Any pointers?
Thanks,
Mike
15 years, 7 months
General Cloning Question
by Mike Mercier
Hello,
I am in the process of setting up a dogtag system with cloning.
I have the following up and running:
CA (on server service-1), KRA, OCSP, RA, TKS, and TPS
I have already cloned the CA (on server service-2) and have a question
about what security domain to join when cloning the rest of the sub
systems?
Should the clone of the other sub systems join the primary domain
(service-1) or the cloned domain (service-2)?
Thanks,
Mike
15 years, 7 months
Errors installing PKI Clone / chicken or egg question
by Mike Mercier
Hello,
Note: I have cross posted this because it seems to be related to both
applications.
The steps I have taken:
1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
   a) yum install fedora-ds
   b) setup replication agreement for
      i) o=NetscapeRoot
      ii) userRoot
Everything at this point seems to be fine.
4. on service-1 yum install pki-ca
   a) run through setup screens
      i) Create new security domain
      ii) Configure this Instance as a New CA Subsystem
      iii) Make this a Self-Signed Root CA within this new PKI hierarchy
      iv) use 'localhost' for internal database
      v) use defaults for rest of screen (exporting pkcs12)
   b) pki-ca looks like it is running fine
5. on service-2 yum install pki-ca
   a) run through setup screens
      i) Join an Existing Security Domain (pointing to service-1:9444)
      ii) type username / password
      iii) chose to clone a system (only one option in drop down for service-1)
      iv) import keys
      v) use 'localhost' for internal database
At this point, the installation seems to hang... (see
/var/log/pki-ca/debug for what it is waiting for)
Should I not be using 'localhost' for the internal database?
An additional question:
When running through the setup for dogtag, you have the option of
using ssl for communication. What if you want to use your dogtag CA
(which you are setting up) to sign the ldap certificate?
I have the following in my logs:
Service-1:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
Service-2:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allInValidCertsNotBefore-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allNonRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidOrRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica
has a different generation ID than the local data.
/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!
Thanks,
Mike
15 years, 7 months
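Added example, not part of the original post and not Dogtag or Fedora DS code: a small Python triage script that unwraps mail-wrapped directory-server error-log entries like the ones quoted in the post above, collapses identical messages, and flags the replication-related ones. The sample text is constructed from lines in the post, and the rule labels are this example's own names.

```python
import re
from collections import OrderedDict

# Constructed sample: entries copied from the errors logs quoted in the post,
# including the hard line wraps introduced by the mail client.
SAMPLE = """\
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica
has a different generation ID than the local data.
"""

# An entry starts with "[dd/Mon/yyyy:hh:mm:ss +zzzz] "; anything else is a wrap.
STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")

# Labels are this example's own shorthand, not directory-server terminology.
# LDAP result code 32 is noSuchObject: the bind DN is absent on the peer.
RULES = [
    ("bind-dn-missing", re.compile(r"slapi_ldap_bind .*error 32 \(No such object\)")),
    ("generation-id-mismatch", re.compile(r"different generation ID")),
    ("repl-bind-failed", re.compile(r"Replication bind with \w+ auth failed")),
]

def unwrap(text):
    """Join wrapped continuation lines onto the entry that carries the timestamp."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return [(ts, msg) for ts, msg in entries]

def summarize(text):
    """Collapse identical messages: message -> count, first/last timestamp, label."""
    out = OrderedDict()
    for ts, msg in unwrap(text):
        rec = out.setdefault(msg, {"count": 0, "first": ts, "last": ts, "label": None})
        rec["count"] += 1
        rec["last"] = ts
        if rec["label"] is None:
            rec["label"] = next((name for name, rx in RULES if rx.search(msg)), None)
    return out

def flagged(text):
    """Return (label, count) for messages that matched a rule, in first-seen order."""
    return [(r["label"], r["count"]) for r in summarize(text).values() if r["label"]]

if __name__ == "__main__":
    for msg, r in summarize(SAMPLE).items():
        print(f'{r["count"]:3d}x {r["label"] or "-":24s} {msg[:90]}')
```
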
Error cloning CA
by Mike Mercier
Hello,
I am attempting to do some testing with the Fedora PKI and Dogtag
systems and have run into an issue.
My setup is as follows:
Server-1 - Running fedora-ds and dogtag (dogtag uses the local
fedora-ds LDAP server for storage)
Server-2 - Running the same
Server-2 is acting as a LDAP replica for Server-1 (o=NetscapeRoot and
the primary dc are replicated, this *seems* to work fine.. I can
create an entry on Server-1 and it will show up on Server-2)
On Server-1, I installed Dogtag 1.1.0 (via yum) and setup a CA - again
everything *seems* to work fine. On Server-2 I then attempted to
clone the CA from Server-1.
Things go good until I get to the screen to specify where the backend
is located. For the backend, I use the fedora-ds server located on
Server-2, I enter my credentials and then it seems to hang.
In /var/log/dirsrv/slapd-TEST/error on Server-2 I see some error
messages I can't seem to find reference to:
info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=<dc>';
entry ou=certificaterepository,ou=ca,dc=<dc> may not be added to
database yet (this message shows up numerous times)
info: entrydn not indexed on 'ou=ca,ou=requests,dc=<dc>'; entry
ou=ca,ou=requests,dc=<dc> may not be added to database yet (this
message shows up numerous times)
NSMMReplicationPlugin - agmt="cn=cloneAgreement1-server-2-pki-ca"
(service-2:389): Replica has a different generation ID than the local
data
I managed to get around the replication problem by (and this is
probably not the correct course of action):
1. Deleted the replication agreement on both systems
2. Exported the CA database on Server-1 and imported it into Server-2
3. Recreated the replication agreement
This allowed me to finally get past the screen listed above (where the
LDAP credentials have to be entered) but I still see this error on
Server-2:
Replica has a different generation ID than the local data
And on Server-1:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
referrals for replica dc=<dc>: 1
Is there a reason that the installation is not correctly setting up
the LDAP database and replication agreement?
Are there steps I have missed? I followed the directions in the RedHat
Certificate Server Admin Guide.
Does this have something to do with replicating o=NetscapeRoot?
Thanks,
Mike
15 years, 7 months
end user interface
by Чумазик Соляркин
Hello
fc10
dogtag
fds 1.2
New CA (self-signed, etc)
When I'm trying to access the RA (https://hostname:12888) I get an error about SSL auth, but I do not have any cert yet; I'm a new user. Is that normal?
If I use the RA cert (generated for me at installation time) I can log in and perform some actions (request for user, server cert, etc.)
(I'm a noob, so just a link to the chapter in the documentation is OK for me :))
15 years, 7 months