Unable to connect to Secure Admin Port
by Didier Moens
Dear all,
For the past few days, I've been struggling trying to set up our
dogtag-based PKI. Unfortunately, I am unable to access the Secure Admin
Port / Configuration Wizard (https://...:9445/...), probably due to
Tomcat failing to open SSL sockets.
- Configuration: clean RHEL5u4;
- Installed pki-ca-1.3.0 (tried 1.3.2 too) from EPEL, with all its
dependencies (except jss-4.2.6, which is installed from EPEL-testing);
- tomcatjss-1.2.0 is installed as a dependency too.
There is no "tomcat5-native" package installed, and LANG is set to C,
all to no avail.
After manually creating user 'pkiuser' (pki-setup 1.3.1 does not
automatically create this user), "pkicreate" (with parameters from the
root CA example) yields the following errors in
/var/log/pki-ca/catalina.out:
...
org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing socket factory
java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.apache.tomcat.util.net.jss.JSSImplementation
    at org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:79)
    at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
    at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Feb 25, 2010 1:52:12 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.apache.tomcat.util.net.jss.JSSImplementation
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
...
Strangely enough, connections are set up on e.g. the Agent Secure Port
(9443), but not on the EE Secure Port (9444):
# lsof |grep pkiuser |grep TCP
java 28349 pkiuser 71u IPv6 1445890 TCP *:9180 (LISTEN)
java 28349 pkiuser 76u IPv6 1445899 TCP *:9443 (LISTEN)
java 28349 pkiuser 77u IPv6 1445900 TCP localhost.localdomain:9701 (LISTEN)
Both '/etc/pki-ca/tomcat5.conf' and '/etc/pki-ca/server.xml' look valid
(disclaimer: I am a Tomcat novice).
Stracing (-e trace=file) the pki-cad process yields nothing useful,
except for the fact that tomcatjss.jar seems never to be accessed.
When manually adding ":/usr/share/java/tomcatjss.jar" to the CLASSPATH
variable in '/usr/bin/dtomcat5-pki-ca', Tomcat throws these exceptions
in catalina.out:
...
org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/SSLImplementation
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:632)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
    at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:186)
    at org.apache.tomcat.util.net.SSLImplementation.getInstance(SSLImplementation.java:73)
    at org.apache.coyote.http11.Http11BaseProtocol.checkSocketFactory(Http11BaseProtocol.java:731)
    at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:121)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
    ... 6 more
Caused by: java.lang.ClassNotFoundException: org.apache.tomcat.util.net.SSLImplementation
    at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
    ... 30 more
As a last resort, I created a tomcat keystore too, but as this is
nowhere mentioned in the docs, I guess this is way off.
I would be grateful for any clue whatsoever.
Best regards,
Didier
--
===================================================================
Didier Moens IT services
Department for Molecular Biomedical Research (DMBR)
VIB - Ghent University
Fiers-Schell-Van Montagu Research Building
Technologiepark 927 , B-9052 Zwijnaarde , Belgium
tel ++32(9)3313605 fax ++32(9)3313609
mailto:Didier.Moens@dmbr.vib-UGent.be http://www.dmbr.UGent.be
===================================================================
This message represents the official view of the voices in my head.
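The two traces in the post above are two faces of one class-loading problem, and the following added example (not code from the post or from the Dogtag project) models it. It assumes the Tomcat 5.5 loader chain from the Tomcat class-loader HOWTO (system CLASSPATH, then common/lib, then server/lib, each a child of the previous) and that SSLImplementation ships in server/lib (tomcat-util.jar) as in a stock 5.5 tree; the instance path /var/lib/pki-ca and the jar names are illustrative. With tomcatjss.jar visible to no loader, the connector gets ClassNotFoundException. With it on the system CLASSPATH, the system loader (the sun.misc.Launcher$AppClassLoader frame in the second trace) defines JSSImplementation but cannot see Tomcat's own server/lib jars, so resolving its superclass SSLImplementation fails with NoClassDefFoundError:

```python
"""Added example: model Tomcat 5.5 class-loader delegation to show where
tomcatjss.jar must sit for JSSImplementation to resolve SSLImplementation.

Chain assumed from the Tomcat 5.5 class-loader HOWTO, child -> parent:
    catalina (server/lib) -> common (common/lib) -> system (CLASSPATH)
Java delegates lookups parent-first, and a class resolves the classes it
references through its own defining loader and that loader's ancestors only.
"""
import os
import tempfile
import zipfile

JSS_IMPL = "org/apache/tomcat/util/net/jss/JSSImplementation.class"
SSL_IMPL = "org/apache/tomcat/util/net/SSLImplementation.class"

# Root-first order of the loaders visible from the catalina loader.
CHAIN = ["system", "common", "catalina"]


def jar_has_class(jar_path, class_entry):
    """True if the jar (a zip file) contains the given .class entry."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return class_entry in jar.namelist()
    except (OSError, zipfile.BadZipFile):
        return False  # missing or unreadable jar: it provides nothing


def defining_loader(class_entry, loader_jars, requester):
    """Loader that would define class_entry when `requester` asks for it.

    loader_jars maps a loader name to the jar paths it loads. Parent-first
    delegation: walk the requester's chain root-first and return the first
    loader whose jars hold the class, or None (ClassNotFoundException).
    """
    for loader in CHAIN[: CHAIN.index(requester) + 1]:
        if any(jar_has_class(j, class_entry) for j in loader_jars.get(loader, [])):
            return loader
    return None


def diagnose(loader_jars):
    """Reproduce the two outcomes seen in catalina.out for a given jar layout."""
    # Connector.initialize() runs in the catalina loader, so that is the requester.
    jss = defining_loader(JSS_IMPL, loader_jars, "catalina")
    if jss is None:
        return "ClassNotFoundException"  # no loader on the chain has tomcatjss.jar
    # JSSImplementation extends SSLImplementation; that reference is resolved
    # by JSSImplementation's *own* defining loader, not by the catalina loader.
    if defining_loader(SSL_IMPL, loader_jars, jss) is None:
        return "NoClassDefFoundError"  # jar found, but Tomcat's classes are out of view
    return "ok"


def instance_loader_jars(instance_dir, classpath=""):
    """Build the loader -> jars map for a real instance tree (e.g. /var/lib/pki-ca),
    assuming the stock Tomcat 5.5 common/lib and server/lib layout."""
    def jars_in(sub):
        d = os.path.join(instance_dir, sub)
        return [os.path.join(d, f) for f in sorted(os.listdir(d))] if os.path.isdir(d) else []
    return {
        "system": [p for p in classpath.split(os.pathsep) if p],
        "common": jars_in("common/lib"),
        "catalina": jars_in("server/lib"),
    }


def make_jar(path, entries):
    """Constructed sample jar: an empty .class entry per name is enough for lookup."""
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return path


def demo():
    """Four constructed layouts; returns {layout: diagnosis}."""
    with tempfile.TemporaryDirectory() as tmp:
        # SSLImplementation assumed to live in server/lib/tomcat-util.jar (stock 5.5).
        tomcat_util = make_jar(os.path.join(tmp, "tomcat-util.jar"), [SSL_IMPL])
        tomcatjss = make_jar(os.path.join(tmp, "tomcatjss.jar"), [JSS_IMPL])
        return {
            "jar nowhere": diagnose({"catalina": [tomcat_util]}),
            "jar on CLASSPATH": diagnose({"system": [tomcatjss], "catalina": [tomcat_util]}),
            "jar in common/lib": diagnose({"common": [tomcatjss], "catalina": [tomcat_util]}),
            "jar in server/lib": diagnose({"catalina": [tomcat_util, tomcatjss]}),
        }


if __name__ == "__main__":
    for layout, result in demo().items():
        print(f"{layout:18s} -> {result}")
```

On a real instance, feed instance_loader_jars("/var/lib/pki-ca", os.environ.get("CLASSPATH", "")) to diagnose(). The check that matters is that the jar providing JSSImplementation is loaded by the same loader as tomcat-util.jar or by a child of it, never by a parent; common/lib is therefore not enough when SSLImplementation lives in server/lib.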
SMTP-authentication on email notification in pki server
by Jagan Kanniappan
Hi,
I am using the pki Dogtag package to provide digital certificates in
the local network.
I have followed the redhat-cs documents to configure the email
notifications to send the email-queue notifications.
However, my email server requires "*SMTP authentication*", but I am not
able to configure SMTP authentication in the pki-console page or the cs.cfg file.
Please assist me in configuring "SMTP authentication" in
pki-console or in the cs.cfg file.
Here are my system specifications:
OS = fedora 10
pki = dogtag
localmailserver = sendmail
Waiting for the reply asap.
Thanks,
Jagan.k
--
Configuring pki-ca instance
by Erwin Himawan
Hi pki-users,
I am using Fedora 11 and DCS 1.2.x.x.
I was installing only pki-ca instance; no other DCS PKI subsystem is
installed.
I was also able to start the pki-ca process.
When I was about to configure the pki-ca instance, I could not access the
CA's GUI using the web browser.
I am using firefox web browser in the machine to access the CA's
configuration URL provided at the end of the log file.
Could you help guide me in the right direction to solve this issue?
Thanks,
Erwin
DCS Release Strategy
by Erwin Himawan
Hi All,
I am in the process of evaluating various opensource PKI products and DCS
seems very promising. I started to pay more attention into the various
releases of DCS when I encountered issues during installation and
configuration. Especially, when the installation and configuration issues
seem to be resolved when I used the latest testing release.
I might have missed some information about general DCS release strategy.
Here are some initial questions:
1. What does the number in the version represent? 1.1.0 (major.minor.??)
2. Where and how to obtain patches for a particular release?
Once again, thanks for all the great and responsive support from the
pki-users community.
Regards,
Erwin
java.lang.NullPointerException
by Erwin Himawan
Hi All,
First of all, thanks for the help from pki-users in getting me through.
Here is the last step of my pki-ca configuration.
I am in the "Import Administrator Certificate" step.
When I clicked "next", I got this error: java.lang.NullPointerException
Here is some output from the /var/log/pki-ca1/debug:
[10/Feb/2010:18:17:59][http-9545-Processor24]: increasing minimum
connections by 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: new total available
connections 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: new number of connections 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: getNextPanel input p=16
[10/Feb/2010:18:17:59][http-9545-Processor24]: getNextPanel output p=17
[10/Feb/2010:18:17:59][http-9545-Processor24]: ImportAdminCertPanel: display
[10/Feb/2010:18:17:59][http-9545-Processor24]: panel no=17
[10/Feb/2010:18:17:59][http-9545-Processor24]: panel name=importadmincert
[10/Feb/2010:18:17:59][http-9545-Processor24]: total number of panels=19
[10/Feb/2010:18:17:59][http-9545-Processor24]: according to ccMode,
authorization for servlet: caGetAdminBySerial is LDAP based, not XML {1},
use default authz mgr: {2}.
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet:service() uri =
/ca/admin/ca/getBySerial
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param
name='serialNumber' value='1'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param
name='browser' value='netscape'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet::service() param
name='importCert' value='true'
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet:
caGetAdminBySerial start to service.
[10/Feb/2010:18:17:59][http-9545-Processor24]: IP: 10.7.20.82
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet: no authMgrName
[10/Feb/2010:18:17:59][http-9545-Processor24]: checkACLS(): ACLEntry
expressions= user="anybody"
[10/Feb/2010:18:17:59][http-9545-Processor24]: evaluating expressions:
user="anybody"
[10/Feb/2010:18:17:59][http-9545-Processor24]: evaluated expression:
user="anybody" to be true
[10/Feb/2010:18:17:59][http-9545-Processor24]: DirAclAuthz: authorization
passed
[10/Feb/2010:18:17:59][http-9545-Processor24]: SignedAuditEventFactory:
create()
message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.admin.certificate][Op=import]
authorization success
[10/Feb/2010:18:17:59][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:17:59][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: SignedAuditEventFactory:
create()
message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>]
assume privileged role
[10/Feb/2010:18:17:59][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:17:59][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:17:59][http-9545-Processor24]: CMSServlet: curDate=Wed Feb
10 18:17:59 CST 2010 id=caGetAdminBySerial time=51
[10/Feb/2010:18:17:59][http-9545-Processor24]:
com.netscape.cms.servlet.filter.AgentRequestFilter: Use HTTPS port '9543'
instead of '9545' when performing Agent tasks!
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: process
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet:service() uri =
/ca/admin/console/config/wizard
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='p' value='17'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='caHost' value='FQDN'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='serialNumber' value='1'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='pkcs7' value='PKCS7-VALUExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='op' value='next'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet::service()
param name='caPort' value='9545'
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: op=next
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: size=19
[10/Feb/2010:18:18:01][http-9545-Processor24]: WizardServlet: in next 17
[10/Feb/2010:18:18:01][http-9545-Processor24]: ImportAdminCertPanel update:
Root CA subsystem - (new Security Domain)
[10/Feb/2010:18:18:01][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:18:01][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:18:01][http-9545-Processor24]: getConn: mNumConns now 2
[10/Feb/2010:18:18:01][http-9545-Processor24]: returnConn: mNumConns now 3
[10/Feb/2010:18:18:01][http-9545-Processor24]: ImportAdminCertPanel update:
failed to add certificate. Exception: java.lang.NullPointerException
[10/Feb/2010:18:18:01][http-9545-Processor24]: panel no=17
[10/Feb/2010:18:18:01][http-9545-Processor24]: panel name=importadmincert
[10/Feb/2010:18:18:01][http-9545-Processor24]: total number of panels=19
Any idea how to resolve this issue?
Regards,
Erwin
netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
by Erwin Himawan
Hi All,
I encountered the following error on the Administrator configuration page:
netscape.ldap.LDAPException: error result (21); telephoneNumber: value #0 invalid per syntax
I am not sure how to resolve this.
Could someone help me how to resolve this error?
Here is my system configuration
I am running fedora 11 and DCS 1.2.0
I was able to install the pki-ca successfully.
Here is the grep of my pki-ca installed from the yum list
dogtag-pki-ca-ui.noarch 1.2.0-1.fc11 installed
dogtag-pki-common-ui.noarch 1.2.0-1.fc11 installed
pki-ca.noarch 1.2.0-4.fc11 installed
pki-common.noarch 1.2.0-1.fc11 installed
pki-java-tools.noarch 1.2.0-1.fc11 installed
pki-native-tools.i586 1.2.0-2.fc11 installed
pki-selinux.noarch 1.2.0-2.fc11 installed
pki-setup.noarch 1.2.0-1.fc11 installed
pki-util.noarch 1.2.0-1.fc11 installed
I was also able to access the pki-ca configuration web page.
At the last step, on the administrator configuration page, I encountered
this error: netscape.ldap.LDAPException: error result (21);
telephoneNumber: value #0 invalid per syntax
Thanks,
Erwin
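Result 21 (invalidAttributeSyntax) is the directory server refusing the value at syntax-check time, before the entry is written, and "value #0" is the index of the offending value. The following added example (not from the post, from Dogtag or from 389-DS) validates a value against the Telephone Number syntax as RFC 4517 defines it, a non-empty PrintableString, and reports emptiness or the disallowed characters using the same value index as the server's message. The attribute-to-values dict it scans is a constructed stand-in for the entry the admin panel sends; an empty string, which a blank form field would produce, is one value this syntax rejects:

```python
"""Added example: check values against the LDAP Telephone Number syntax
(RFC 4517 section 3.3.31, OID 1.3.6.1.4.1.1466.115.121.1.50).

RFC 4517 defines TelephoneNumber as a PrintableString: one or more of
ALPHA, DIGIT and the characters ' ( ) + , - . = / : ? and SPACE.
"""
import re

_PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "'()+,-.=/:? "
)
_PRINTABLE_RE = re.compile(r"^[A-Za-z0-9'()+,\-.=/:? ]+$")


def _as_text(value):
    """LDAP attribute values travel as octet strings; accept str or bytes."""
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return value


def is_valid_telephone_number(value):
    """True if `value` is a non-empty RFC 4517 PrintableString."""
    return bool(_PRINTABLE_RE.match(_as_text(value)))


def explain_telephone_number(value):
    """None if valid, otherwise a message a practitioner can act on."""
    text = _as_text(value)
    if text == "":
        return "empty value: PrintableString needs at least one character"
    bad = sorted({c for c in text if c not in _PRINTABLE_CHARS})
    if bad:
        return "disallowed character(s): " + ", ".join(repr(c) for c in bad)
    return None


def check_entry(attrs):
    """Scan an entry ({attribute: [values]}) the way the server does for the
    telephoneNumber attribute. Returns {(attribute, value_index): message},
    matching the "value #N invalid per syntax" wording of result 21."""
    problems = {}
    for i, v in enumerate(attrs.get("telephoneNumber", [])):
        msg = explain_telephone_number(v)
        if msg is not None:
            problems[("telephoneNumber", i)] = msg
    return problems


if __name__ == "__main__":
    # Constructed admin entry: a blank phone field alongside a valid one.
    sample = {"uid": ["caadmin"], "telephoneNumber": ["", "+1 555 0100"]}
    for (attr, idx), msg in check_entry(sample).items():
        print(f"{attr}: value #{idx} invalid per syntax ({msg})")
```

Run check_entry() on the attribute values you are about to send (or on the LDIF you would feed to ldapmodify) before the wizard does; a non-empty result tells you which value index the server will reject and why, which the server's own message does not.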
Issue with pki-ca install
by Erwin Himawan
Hi all,
I am trying to install pki-ca only. I am using fedora 11 and DCS
1.2.0.
I am following the binary installation guide.
I had an install issue when installing pki-ca ("yum install pki-ca"), whereby it
complained that it could not create a soft link.
Following the suggestion of another pki-user, enabling the
fedora-updates-testing.repo, I was able to install pki-ca successfully.
However, during the install, I noticed yum picked up version 1.3.0.
Continuing with pki-ca v1.3.0, I was able to execute pkicreate.
When it finished, this is what I got.
https://:9445/ca/admin/console/config/login?pin=xxxxxxxxxxxxx
This configuration URL is not right, since it does not include the FQDN of
my pki-ca.
When I looked into the catalina.out, I notice the following error:
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Can somebody help me to troubleshoot this install issue?
PS: Yesterday, I was able to access the configuration URL and for some
reasons, my virtual fedora 11 got corrupted. Hence, I reinstalled everything
again.
Regards,
Erwin
Example of Configuration Data for DCS
by Erwin Himawan
Hi PKI-Users,
Maybe this is too much to ask. However, I will throw it out anyway.
Is there any documentation which guides DCS (or PKI) beginners to get
practical hands-on experience with DCS?
Thinking out loud, I am thinking more of a document with a case study
whereby the case study provides readers with the set of configuration
parameter which eventually properly configure the DCS's subsystem (i.e. CA,
RA, Directory) such that using these set of configuration information, the
reader can easily get a DCS up and running.
Thanks,
Erwin
Fwd: Problem with install
by Erwin Himawan
---------- Forwarded message ----------
From: Erwin Himawan <ehimawan(a)gmail.com>
Date: 2010/2/2
Subject: Re: [Pki-users] Problem with install
To: Rafał Kamiński <rafal.kaminski(a)blstream.com>
I am using Fedora 11 and DCS 1.2.0, and I also had the same issue. I got it
to install without error by following the suggestion from another member. Here
is the reference link:
https://www.redhat.com/archives/pki-users/2010-January/msg00017.html
Here is what I did:
1. I cleaned the whole install: yum remove pki-ca
2. I edited /etc/yum.repos.d/fedora-updates-testing.repo
3. Under the [updates-testing] section, I uncommented the baseurl= line and
commented out the mirrorlist= line
4. Also under [updates-testing], I set enabled=1
5. I reinstalled pki-ca: yum install pki-ca
6. I ran /usr/bin/pkicreate to create the pki-ca instance
However, my pki-ca process failed; it complained about "permission denied"
on "pki-ca.pid".
Hope, it helps.
Regards,
Erwin.
2010/2/2 Rafał Kamiński <rafal.kaminski(a)blstream.com>
> Hi all,
>
> I installed dogtag two months ago, and now I am repeating that move, but ...
>
> When I use: yum install pki-ca
>
> I see:
>
> Installing : pki-common-1.3.0-7.fc11.noarch 156/158
> Installing : hal-info-20090414-1.fc11.noarch 157/158
> Adding default PKI group "pkiuser" to /etc/group.
> Adding default PKI user "pkiuser" to /etc/passwd.
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.
> Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
> PKI instance creation Utility ...
>
> [2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.
>
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
> Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
>
> Can somebody tell me why?
>
> BR,
>
> Rafal Kaminski
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
Problem with install
by Rafał Kamiński
Hi all,
I installed dogtag two months ago, and now I am repeating that move, but ...
When I use: yum install pki-ca
I see:
Installing : pki-common-1.3.0-7.fc11.noarch 156/158
Installing : hal-info-20090414-1.fc11.noarch 157/158
Adding default PKI group "pkiuser" to /etc/group.
Adding default PKI user "pkiuser" to /etc/passwd.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
PKI instance creation Utility ...
[2010-02-02 04:39:15] [error] create_symbolic_link(): illegal destination path => /usr/share/java/ca.jar.
Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
Error detected would you like to clean up /var/lib/pki-ca (Y/N)?
Can somebody tell me why?
BR,
Rafal Kaminski
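The install log in the post above pulls pki-common-1.3.0-7.fc11 in next to pki-ca-1.2.0-4.fc11, the kind of mixed package set that appears when only some of a package family is picked up from another repository. The following added example (not code from the post or from Dogtag) parses the two line shapes seen on this page, yum's "Installing :" progress lines and `yum list` output, and groups the pki-* and dogtag-pki-* packages by version so a mixed set is visible before pkicreate is run. The sample input is constructed from the lines quoted above, and the package-name prefixes are an assumption about what counts as one family:

```python
"""Added example: detect a mixed-version pki-* package set from yum output."""
import re
from collections import defaultdict

# Two line shapes seen in the posts: yum's install progress and `yum list`:
#   "Installing : pki-common-1.3.0-7.fc11.noarch 156/158"
#   "pki-ca.noarch 1.2.0-4.fc11 installed"
_INSTALLING = re.compile(r"^\s*Installing\s*:\s*(?P<nvra>\S+)")
_YUMLIST = re.compile(r"^\s*(?P<name>\S+)\.(?P<arch>noarch|i[3-6]86|x86_64)\s+(?P<vr>\S+)(?:\s+\S+)?")
_ARCHES = ("noarch", "i386", "i486", "i586", "i686", "x86_64")


def split_nvra(nvra):
    """'pki-common-1.3.0-7.fc11.noarch' -> ('pki-common', '1.3.0', '7.fc11', 'noarch').

    rpm's rule: release and version are the last two dash-separated fields,
    so names containing dashes (pki-common) are split correctly."""
    for arch in _ARCHES:
        if nvra.endswith("." + arch):
            nvr = nvra[: -len(arch) - 1]
            break
    else:
        raise ValueError("no architecture suffix: " + nvra)
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel, arch


def parse_packages(text):
    """Return {name: (version, release)} from yum progress or `yum list` lines.
    Lines of any other shape are ignored."""
    pkgs = {}
    for line in text.splitlines():
        m = _INSTALLING.match(line)
        if m:
            name, ver, rel, _ = split_nvra(m.group("nvra"))
            pkgs[name] = (ver, rel)
            continue
        m = _YUMLIST.match(line)
        if m:
            ver, rel = m.group("vr").rsplit("-", 1)
            pkgs[m.group("name")] = (ver, rel)
    return pkgs


def mixed_versions(pkgs, prefixes=("pki-", "dogtag-pki-")):
    """Group the family's packages by version: {version: [names]}.
    More than one key means the set is mixed and should not be configured."""
    by_ver = defaultdict(list)
    for name, (ver, _) in sorted(pkgs.items()):
        if name.startswith(prefixes):  # assumed family prefixes
            by_ver[ver].append(name)
    return dict(by_ver)


# Constructed from the progress lines quoted in the post; not a captured log.
SAMPLE_INSTALL_LOG = """\
Installing : pki-common-1.3.0-7.fc11.noarch 156/158
Installing : hal-info-20090414-1.fc11.noarch 157/158
Installing : pki-ca-1.2.0-4.fc11.noarch 158/158
"""


if __name__ == "__main__":
    groups = mixed_versions(parse_packages(SAMPLE_INSTALL_LOG))
    status = "MIXED" if len(groups) > 1 else "consistent"
    print(f"{status}: {groups}")
```

To run it against a live box, feed it the output of `yum list installed 'pki-*' 'dogtag-*'`, or of `rpm -qa --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE} installed\n' 'pki-*' 'dogtag-*'`, which prints the second line shape. A result with more than one version is the thing to fix (usually by installing the whole family from one repository) before running pkicreate.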