I didn't use any file for the installation; I used the basic questions with their answers. This is a replica of how things went.


[root@ocsp01 ~]# pkispawn -s OCSP -vvv

IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]: testinstance
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [ocspadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [Y]? 
  Import certificate from [/root/.dogtag/testinstance/ca_admin.cert]: /root/ca_admin.cert

Directory Server:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=testinstance-OCSP]: 

Security Domain:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01
  Secure HTTP port [8443]: 
  Name: Test Instance Security Domain
  Username [caadmin]: 
  Password: 

Begin installation (Yes/No/Quit)? Yes


As you can see, the LDAP server was up: it asked for user and password and went to the next step. The security domain was detected when I indicated the host of the CA, so that was good also.

If you take a look at /etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg:

[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[OCSP]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = ocspadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
pki_security_domain_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

The CA deployment file is this:

[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[CA]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = False
pki_client_admin_cert = /root/.dogtag/testinstance/ca_admin.cert
pki_ds_hostname = ca01.pki.ccpsd.corp
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-CA
pki_security_domain_name = Test Instance Security Domain
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX



Jonathan Montero
IT Professional | IT Trainer
A: Santo Domingo, DR



On Fri, Mar 1, 2019 at 8:41 PM Marc Sauton <msauton@redhat.com> wrote:
Make sure that the OCSP's pkispawn config file has the security domain configured for the CA, and that the CA and its LDAP server are up.
Or maybe something is missing or incorrect in that OCSP's pkispawn config file.
There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file, like maybe a private key that could not be unlocked (file or HSM).
Thanks,
M.

On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero <jmrxto@gmail.com> wrote:
Hi guys, I have a case that I haven't been able to solve. I'm not too experienced in Dogtag, but believe me, I'm doing my best. I installed a CA in server1 and OCSP in server2. Server1 is working fine as CA. When I run "pkispawn -s OCSP -vvv" in server2, things go fine until the last moment.

pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@testinstance.service'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: 500 Server Error: Internal Server Error
pkispawn    : DEBUG    ........... No connection - server may still be down

firewalld is down and disabled, same with iptables, same with SELinux, on both servers.


I'm using default values (most of them) before going to production.

What am I missing here?

Jonathan Montero
IT Professional | IT Trainer
A: Santo Domingo, DR
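A pre-flight script that puts the checklist from Marc's reply into practice against a deployment file laid out like the OCSP deployment.cfg posted at the top of the thread. This is an added example for the thread, not part of Dogtag/pkispawn and not code from either poster. It reads a key from a [SECTION] with fallback to [DEFAULT], reports missing directory-server and security-domain parameters, warns when those hostnames are short names (the OCSP file above uses `ca01` where the CA file uses `ca01.pki.ccpsd.corp`), checks that pki_admin_cert_file is readable when pki_import_admin_cert is True, and, when pointed at a real file, tests that the LDAP port and the CA's HTTPS port accept connections and that the CA answers the security-domain lookup. Assumptions: the CA serves its security domain at https://HOST:PORT/ca/admin/ca/getDomainXML and the reply contains the string DomainInfo; the debug log lives at /var/log/pki/INSTANCE/ocsp/debug; the embedded sample file is constructed for the example, its passwords are placeholders, and its admin-cert path intentionally does not exist.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a pkispawn deployment file before spawning a non-CA
# subsystem such as OCSP. Added example for this thread, not part of Dogtag.
# Usage: ./preflight.sh /etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg OCSP
# With no arguments it audits the constructed sample file below.

# Read KEY from [SECTION] of an INI-style deployment.cfg, falling back to
# [DEFAULT] the way pkispawn resolves parameters. Splits on the first "="
# only, so a value such as "cn=Directory Manager" survives intact.
cfg_get() {  # cfg_get FILE SECTION KEY -> prints the value (empty if unset)
    awk -v sec="$2" -v key="$3" '
        /^\[/ { cur = $0; gsub(/^\[|\][ \t]*$/, "", cur); next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (cur == sec) { val = v; found = 1 }
            else if (cur == "DEFAULT" && !found) val = v
        }
        END { print val }' "$1"
}

# Static audit: one "FAIL:"/"WARN:" line per finding; exit status = count.
cfg_audit() {  # cfg_audit FILE SECTION
    local f=$1 s=$2 n=0 key v
    for key in pki_ds_hostname pki_ds_ldap_port pki_ds_bind_dn pki_ds_password \
               pki_security_domain_hostname pki_security_domain_https_port \
               pki_security_domain_user pki_security_domain_password; do
        v=$(cfg_get "$f" "$s" "$key")
        [ -n "$v" ] || { echo "FAIL: $key not set in [$s] or [DEFAULT]"; n=$((n + 1)); }
    done
    # Dogtag expects fully qualified hostnames; the CA's own file uses one.
    for key in pki_ds_hostname pki_security_domain_hostname; do
        v=$(cfg_get "$f" "$s" "$key")
        case $v in
            ""|*.*) ;;   # unset (already reported) or looks fully qualified
            *) echo "WARN: $key=$v is not a fully qualified hostname"; n=$((n + 1)) ;;
        esac
    done
    if [ "$(cfg_get "$f" "$s" pki_import_admin_cert)" = True ]; then
        v=$(cfg_get "$f" "$s" pki_admin_cert_file)
        [ -r "$v" ] || { echo "FAIL: pki_admin_cert_file=$v is not readable"; n=$((n + 1)); }
    fi
    return "$n"
}

# Live check: open a TCP connection with bash's /dev/tcp (no nc required).
tcp_open() {  # tcp_open HOST PORT
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {  # preflight FILE SECTION
    local f=$1 s=$2 dsh dsp sdh sdp inst
    cfg_audit "$f" "$s" || echo "== $? static finding(s); fix these first =="
    dsh=$(cfg_get "$f" "$s" pki_ds_hostname); dsp=$(cfg_get "$f" "$s" pki_ds_ldap_port)
    sdh=$(cfg_get "$f" "$s" pki_security_domain_hostname)
    sdp=$(cfg_get "$f" "$s" pki_security_domain_https_port)
    if tcp_open "$dsh" "${dsp:-389}"; then echo "OK:   LDAP $dsh:${dsp:-389} accepts connections"
    else echo "FAIL: LDAP $dsh:${dsp:-389} unreachable (is the CA's directory server up?)"; fi
    if tcp_open "$sdh" "${sdp:-8443}"; then
        echo "OK:   CA $sdh:${sdp:-8443} accepts connections"
        # Assumption: the CA publishes its domain at this URL and the reply names
        # DomainInfo; -k because the CA's TLS certificate is not trusted here yet.
        if curl -sk -m 10 "https://$sdh:${sdp:-8443}/ca/admin/ca/getDomainXML" | grep -q DomainInfo
        then echo "OK:   security domain XML retrieved from the CA"
        else echo "FAIL: CA reachable but the security domain lookup failed"; fi
    else echo "FAIL: CA $sdh:${sdp:-8443} unreachable"; fi
    inst=$(cfg_get "$f" "$s" pki_instance_name)
    echo "If pkispawn still fails, read /var/log/pki/$inst/$(echo "$s" | tr '[:upper:]' '[:lower:]')/debug"
}

# Constructed sample in the layout of the OCSP file posted above; placeholder
# passwords, short hostnames and a missing admin cert give the audit work to do.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = default-secret
pki_ds_password = ds-secret
pki_security_domain_password = sd-secret

[OCSP]
pki_admin_uid = ocspadmin
pki_admin_password = ocsp-secret
pki_import_admin_cert = True
pki_admin_cert_file = /nonexistent/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_user = caadmin
EOF

if [ $# -ge 2 ]; then preflight "$1" "$2"
else
    echo "== static audit of the constructed sample (pass FILE SECTION for live checks) =="
    cfg_audit "$SAMPLE" OCSP || echo "== $? finding(s) =="
fi
```

Run it on the real file after `pkispawn` fails and before reading the debug log: a FAIL on the LDAP or CA port reproduces the "Connection refused" situation without going through a full spawn, and the WARN lines point at the short-name/FQDN mismatch between the two deployment files posted above.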

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users