*I didn't use any file for the installation; I used the basic questions
with their answers. This is a replica of how things went.*
[root@ocsp01 ~]# pkispawn -s OCSP -vvv
IMPORTANT:
Interactive installation currently only exists for very basic
deployments!
For example, deployments intent upon using advanced features such as:
* Cloning,
* Elliptic Curve Cryptography (ECC),
* External CA,
* Hardware Security Module (HSM),
* Subordinate CA,
* etc.,
must provide the necessary override parameters in a separate
configuration file.
Run 'man pkispawn' for details.
Tomcat:
Instance [pki-tomcat]: testinstance
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [ocspadmin]:
Password:
Verify password:
Import certificate (Yes/No) [Y]?
Import certificate from [/root/.dogtag/testinstance/ca_admin.cert]: /root/ca_admin.cert
Directory Server:
Hostname [ocsp01.pki.ccpsd.corp]: ca01
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=testinstance-OCSP]:
Security Domain:
Hostname [ocsp01.pki.ccpsd.corp]: ca01
Secure HTTP port [8443]:
Name: Test Instance Security Domain
Username [caadmin]:
Password:
Begin installation (Yes/No/Quit)? Yes
*As you can see, the LDAP server was up: it asked for user and password and
went to the next step. For the security domain, when I indicated the host of
the CA, it was detected, so that was good also.*
*If you take a look at
/etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg:*
[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX
[OCSP]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = ocspadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
pki_security_domain_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX
*The CA deployment file is this:*
[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX
[CA]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = False
pki_client_admin_cert = /root/.dogtag/testinstance/ca_admin.cert
pki_ds_hostname = ca01.pki.ccpsd.corp
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-CA
pki_security_domain_name = Test Instance Security Domain
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX
Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto(a)gmail.com
A: Santo Domingo, DR
jonathanmontero.com
<https://www.linkedin.com/in/monterojonathan> <https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto> <https://github.com/tuxmontero>
On Fri, Mar 1, 2019 at 8:41 PM Marc Sauton <msauton(a)redhat.com> wrote:
Make sure that in the OCSP's pkispawn config file the security domain is
configured for the CA, and make sure that the CA and its LDAP server are up.
Or maybe something is missing or incorrect in that OCSP's pkispawn config
file.
There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file,
like maybe a private key could not be unlocked (file or HSM).
Thanks,
M.
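An added pre-flight check (not from this thread or the pki project) that turns the advice above into a script: it reads the security-domain and directory-server settings from the OCSP deployment.cfg and probes them before pkispawn is rerun. It assumes nc and curl are installed, that the CA answers /ca/admin/ca/getStatus on its HTTPS port, and that the config path is the one shown in the thread unless OCSP_CFG overrides it.

```shell
#!/bin/sh
# Added example: pre-flight for the OCSP pkispawn run described in the thread.
# Reads the OCSP deployment.cfg (path from the thread unless OCSP_CFG is set),
# then probes the security domain (the CA) and the directory server it names.
CFG="${OCSP_CFG:-/etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg}"

# cfg_get FILE SECTION KEY: print the value of "KEY = value" under [SECTION]
# (the "key = value" layout pkispawn writes, as shown in the thread).
cfg_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# tcp_open HOST PORT: succeed if a TCP connect completes within 5 seconds.
tcp_open() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }

# ca_status HOST PORT: fetch the CA's status page (assumed endpoint);
# -k because the OCSP host may not trust the CA's TLS chain before install.
ca_status() { curl -sk --max-time 5 "https://$1:$2/ca/admin/ca/getStatus"; }

# preflight: the two things asked for above, CA/security domain and LDAP up.
preflight() {
    sd_host=$(cfg_get "$CFG" OCSP pki_security_domain_hostname)
    sd_port=$(cfg_get "$CFG" OCSP pki_security_domain_https_port)
    ds_host=$(cfg_get "$CFG" OCSP pki_ds_hostname)
    ds_port=$(cfg_get "$CFG" OCSP pki_ds_ldap_port)
    rc=0
    if tcp_open "$sd_host" "$sd_port"; then
        echo "security domain $sd_host:$sd_port reachable, CA says: $(ca_status "$sd_host" "$sd_port")"
    else
        echo "security domain $sd_host:$sd_port NOT reachable (CA down, or name does not resolve here)"
        rc=1
    fi
    if tcp_open "$ds_host" "$ds_port"; then
        echo "directory server $ds_host:$ds_port reachable"
    else
        echo "directory server $ds_host:$ds_port NOT reachable"
        rc=1
    fi
    return $rc
}

# Run the probes only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Probe with exactly the names the config carries (here the short name ca01), since those are what pkispawn will resolve from the OCSP host.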
On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero <jmrxto(a)gmail.com> wrote:
> Hi Guys, I have a case that I haven't been able to solve. I'm not too
> experienced in dogtag, but believe me, I'm doing my best. I installed a CA
> in server1 and OCSP in server2. Server1 is working fine as CA. When I
> "pkispawn -s OCSP -vvv" in server 2, things go fine until the last moment.
>
> pkispawn : INFO ....... executing 'systemctl daemon-reload'
> pkispawn : INFO ....... executing 'systemctl start pki-tomcatd(a)testinstance.service'
> pkispawn : DEBUG ........... No connection - server may still be down
> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> pkispawn : DEBUG ........... No connection - server may still be down
> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> pkispawn : DEBUG ........... No connection - server may still be down
> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> pkispawn : DEBUG ........... No connection - server may still be down
> pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> pkispawn : DEBUG ........... No connection - server may still be down
>
>
> *firewalld is down and disabled, same with iptables, same with SELinux in
> both servers*
>
>
> I'm using default values (most of them) before going to production.
>
> What am I missing here?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users