Hello Arno,
As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora
31 is currently in beta and might carry some bugs. We do not support
PKI on unreleased Fedora versions.
Looking at your logs, I see an "access denied" error. This is mostly
due to a bug in a different package which might be fixed before the
actual GA.
[1]
Hi all,
I managed to upgrade my Fedora-based PKI system to Release 31, which is
not yet ready for production (as I think I found).
Now, after the upgrade, I can enjoy server error 500 messages once the
web server middleware gets busy:
https://...de:8443/pki/ui/
results in
> HTTP Status 500 – Internal Server Error
>
> Type Exception Report
>
> Message org.apache.jasper.JasperException: Unable to compile class
> for JSP
>
> Description The server encountered an unexpected condition that
> prevented it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException:
> org.apache.jasper.JasperException: Unable to compile class for JSP
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
I can, of course, provide full stacktraces and configuration details.
Configuration is mostly unmodified, but the whole system has been going
through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
> 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE:
> Servlet.service() for servlet [jsp] in context with path [/pki]
> threw exception [org.apache.jasper.JasperException: Unable to
> compile class for JSP] with root cause
> java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.security.AccessController.checkPermission(AccessController.java:886)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> ...
is probably the reason for the failure.
Status of the server, at a first glance, looks ok to me:
> [root@ca2 ~]# pki-server --verbose status CA2
> Command: status CA2
> INFO: Loading instance: CA2
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> INFO: Loading password config: /etc/pki/CA2/password.conf
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> INFO: Loading subsystem: ca
> INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> INFO: Loading subsystem: ocsp
> INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> Instance ID: CA2
> Active: True
> Unsecure Port: 8080
> Secure Port: 8443
> Tomcat Port: 8005
>
> CA Subsystem:
> Type: Root CA (Security Domain)
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
> Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
> Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
> Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ca
>
> OCSP Subsystem:
> Type: OCSP
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL: http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> Secure Agent URL: https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> Secure EE URL: https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> Secure Admin URL: https://ca2.<redacted>.de:8443/ocsp/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
There's no other PKI instance in place, and I'm not sufficiently skilled
with dogtag to actually do much with the configuration anyway, so I kept
my fingers off it as far as I could :-)
Is this a known problem, is there a reasonably simple fix, or is it time
to load my latest backup?
Thanks,
Arno
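As an added example (not part of this thread and not Dogtag's own tooling): a small Python triage script for the kind of debug log quoted above. It scans a Tomcat/PKI log for java.security.AccessControlException root causes, pulls out the permission class, target name and action that the Java SecurityManager refused, records which thread and context path hit it and the first stack frame outside the permission-check machinery, and renders the equivalent java.policy grant line so it can be grepped for in the instance's policy. The log excerpt embedded in the script is constructed for the example, modelled on Arno's log line; the second denial (a FilePermission under an assumed work directory) and the org.example caller frame are invented to show the general case. The script only tells you what is being refused; as the reply above says, the cause may be a bug elsewhere, so whether a grant is the right response is a separate decision.

```python
"""Triage Java SecurityManager denials in a Tomcat / Dogtag PKI log.

Added example, not part of the mailing-list thread or of the Dogtag project.
The log excerpt below is constructed for the example, modelled on the line
quoted in the thread; the FilePermission denial and the org.example frame
are invented to show that the parser is not specific to one permission.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = """\
2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
\tat java.security.AccessController.checkPermission(AccessController.java:886)
\tat java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
\tat java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
\tat org.example.JspCompilerStub.compile(JspCompilerStub.java:42)
2019-09-23 20:57:02 [https-jsse-nio-8443-exec-3] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [java.lang.IllegalStateException: constructed] with root cause
java.lang.IllegalStateException: constructed
\tat org.example.Unrelated.run(Unrelated.java:7)
2019-09-23 20:58:10 [https-jsse-nio-8443-exec-5] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/pki/CA2/work/example.class" "write")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
"""

# Header of a Tomcat log record: timestamp, thread name, level, message.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
CONTEXT_RE = re.compile(r"context with path \[(?P<ctx>[^\]]*)\]")
# The denial itself: permission class, target name and an optional action
# (java.lang.RuntimePermission, for instance, has no action component).
DENIED_RE = re.compile(
    r'java\.security\.AccessControlException: access denied '
    r'\("(?P<perm>[^"]+)" "(?P<name>[^"]*)"(?: "(?P<action>[^"]*)")?\)'
)
FRAME_RE = re.compile(r"^\s*at (?P<frame>\S+)\(")
# Frames that belong to the permission check, not to the code that triggered it.
CHECK_FRAME_PREFIXES = ("java.security.", "java.lang.SecurityManager.")


@dataclass
class Denial:
    timestamp: Optional[str]
    thread: Optional[str]
    context: Optional[str]
    permission: str
    name: str
    action: Optional[str]
    caller: Optional[str]  # first stack frame outside the check machinery


def find_denials(log_text: str) -> List[Denial]:
    """Return every access-denied root cause in the log, in file order."""
    denials: List[Denial] = []
    header = None  # (timestamp, thread, context) of the current record
    current: Optional[Denial] = None
    for line in log_text.splitlines():
        rec = RECORD_RE.match(line)
        if rec:
            ctx = CONTEXT_RE.search(rec.group("msg"))
            header = (rec.group("ts"), rec.group("thread"),
                      ctx.group("ctx") if ctx else None)
            current = None
            continue
        den = DENIED_RE.search(line)
        if den:
            ts, thread, ctx = header if header else (None, None, None)
            current = Denial(ts, thread, ctx, den.group("perm"),
                             den.group("name"), den.group("action"), None)
            denials.append(current)
            continue
        frame = FRAME_RE.match(line)
        if frame and current is not None and current.caller is None:
            name = frame.group("frame")
            if not name.startswith(CHECK_FRAME_PREFIXES):
                current.caller = name
    return denials


def policy_grant(d: Denial) -> str:
    """Render the java.policy grant line that describes a denial."""
    if d.action is None:
        return f'permission {d.permission} "{d.name}";'
    return f'permission {d.permission} "{d.name}", "{d.action}";'


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(f"{d.timestamp} [{d.thread}] {d.context}: {policy_grant(d)}"
              f"  caller={d.caller}")
```

The parser expects the real log layout, with the whole `access denied (...)` clause on one line; an excerpt wrapped by a mail client, like the one quoted above, has to be rejoined first. The caller frame is only reported when the log keeps more of the trace than the java.security and SecurityManager frames, which is why the third denial in the sample reports none.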