Bug 1010111

Summary: Compatibility issue with java-1.7.0-openjdk
Product: Red Hat Satellite Reporter: Mike McCune <mmccune>
Component: Subscription ManagementAssignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED CURRENTRELEASE QA Contact: sthirugn <sthirugn>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.2CC: bkearney, ckozak, cwelton, inecas, jesusr, kbidarka, nstrug, omaciel, sthirugn
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/6426
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
The user should verify that the version of of java greater than java-1.7.0-openjdk-1.7.0.40.
 Story Points: ---
Clone Of: 1010082 Environment:
Last Closed: 2014-09-11 12:25:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1010082, 1022017, 1028028    
Bug Blocks: 1122832    
Attachments:
Description Flags
clean SAM install no problem with candlepin
none
production log showing error none

Comment 2 Carter Kozak 2013-10-02 18:15:49 UTC 
You appear to be running "java-1.7.0-openjdk-1.7.0.40" which introduced a lower limit on RSA key length, it will not validate any keys under below 1024.  This can be disabled by commenting out 
jdk.certpath.disabledAlgorithms
in
path-to-jre/lib/security/java.security

You could also just remove "RSA keySize < 1024" from that line.
Comment 3 Jesus M. Rodriguez 2013-10-10 20:04:55 UTC 
Created attachment 810731 [details]
clean SAM install no problem with candlepin
Comment 4 Jesus M. Rodriguez 2013-10-10 20:08:44 UTC 
I did a fresh RHEL 6.4 install. Installed java 1.7.0 jdk, then install SAM. 

# yum install java-1.7.0-openjdk
# yum install -y katello-headpin-all
# katello-configure --deployment=sam --user-pass=admin

Then I ran the following:

# katello-service status
tomcat6 (pid 31854) is running...                          [  OK  ]
httpd (pid  32246) is running...
thumbslug (pid  32018) is running...
elasticsearch (pid  31302) is running...
katello (32199) is running.
katello (32217) is running.
delayed_job is not running.
delayed_job_monitor is not running.

# headpin -u admin -p admin ping
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                               Katello Status

Status Service        Result Duration Message                          
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
FAIL   
candlepin      ok     83ms     
candlepin_auth ok     64ms     
elasticsearch  ok     51ms     
katello_jobs   FAIL   katello-jobs service not running 
thumbslug      ok     672ms    

===== END ====

There was no SSL errors. And candlepin responds with no errors as well:

# curl -k https://localhost:8443/candlepin/status/
{"result":true,"version":"0.8.26","rulesVersion":"4.2","release":"1","standalone":true,"timeUTC":"2013-10-10T20:08:13.221+0000","managerCapabilities":["cores","ram","instance_multiplier","derived_product","cert_v3"],"rulesSource":"DEFAULT"}
Comment 5 Jesus M. Rodriguez 2013-10-10 20:09:23 UTC 
# rpm -qa | grep openjdk
java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64
java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64

Both JDKs are installed as well.
Comment 6 Jesus M. Rodriguez 2013-10-10 20:36:54 UTC 
2013-10-10 16:32:44 (12.1 MB/s) - “java-1.7.0-openjdk-1.7.0.40-2.4.2.1.el6.x86_64.rpm” saved [26921136/26921136]

[root@dhcp137-135 ~]# rpm -Uvh java-1.7.0-openjdk-1.7.0.40-2.4.2.1.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:java-1.7.0-openjdk     ########################################### [100%]
[root@dhcp137-135 ~]# katello-service restart
Shutting down Katello services...
Stopping katello-jobs:                                     [FAILED]
Stopping katello: 
Stopping elasticsearch:                                    [  OK  ]
Stopping thumbslug:                                        [  OK  ]
Stopping httpd:                                            [  OK  ]
Stopping tomcat6:                                          [  OK  ]
Done.
Starting Katello services...
Starting tomcat6:                                          [  OK  ]
Starting httpd:                                            [  OK  ]
Starting thumbslug: Oct 10 15:33:50 [main] WARN  org.candlepin.thumbslug.Main - Shutting down...
                                                           [  OK  ]
Starting elasticsearch:                                    [  OK  ]
Starting katello:                                          [  OK  ]
Starting katello-jobs:                                     [FAILED]
Done.
[root@dhcp137-135 ~]# headpin -u admin -p admin ping
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                               Katello Status

Status Service        Result Duration Message                          
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
FAIL   
candlepin      ok     338ms    
candlepin_auth ok     36ms     
elasticsearch  ok     62ms     
katello_jobs   FAIL   katello-jobs service not running 
thumbslug      ok     279ms
Comment 8 Jesus M. Rodriguez 2013-10-14 20:09:09 UTC 
Created attachment 812213 [details]
production log showing error

Both candlepin pings show an SSL error. This log include some debug printing I added.
Comment 9 Adrian Likins 2013-10-15 17:02:53 UTC 
whats out put of:
    ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'

On client?

Anything interesting show up with tomcat setup to start with "-Djavax.net.debug=ssl" ? ie, add it to JAVA_OPTS in /etc/tomcat6/tomcat6.conf

How is ssl setup in /etc/tomcat6/server.xml? (the Connector config)
Comment 10 Ivan Necas 2013-11-05 08:42:26 UTC 
FYI: As a fix for this bug, we're installing java-1.6-0-openjdk as default for katello-all on rhel6 machines
Comment 11 Ivan Necas 2013-11-06 16:26:44 UTC 
And by this bug, I mean https://bugzilla.redhat.com/show_bug.cgi?id=995123 not meaning, that it resolves this issue
Comment 14 Mike McCune 2014-02-05 17:14:13 UTC 
We need to have katello-installer check for java-1.7+ to ensure we don't get bit by 1010111.
Comment 15 Mike McCune 2014-02-05 17:14:15 UTC 
*** Bug 1061721 has been marked as a duplicate of this bug. ***
Comment 16 Mike McCune 2014-02-05 17:15:15 UTC 
WORKAROUND:

rpm -e java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64

and ensure that you have:

java-1.6.0-openjdk-1.6.0.0-1.66.1.13.0.el6.x86_64
Comment 18 Bryan Kearney 2014-06-03 20:14:11 UTC 
Current install on Satellite 6.5 has both jdks installed, and the app is working. I am moving this to ON_QA.
Comment 20 sthirugn@redhat.com 2014-06-09 16:03:43 UTC 
Failed.

Verification steps:
1. Subscribe/register the client to RHN
2. Remove all openjdk
3. yum install java-1.7.0-openjdk
4. Install Satellite6 Snap 8

Actual Results:
Installation failed. 
-> foreman-debug attached
-> hammer-ping failed
# hammer ping
Could not load API description from the server
  - is your server down?
  - was "foreman-rake apipie:cache" run on the server when using apipie cache? (typical production settings))
Warning: An error occured while loading module hammer_cli_katello
^CWarning: An error occured while loading module hammer_cli_foreman
Error: No such sub-command 'ping'

See: 'hammer --help'

-> UI did not launch (screenshot attached)

Version Tested:
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.7-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.7-1.el6_5.noarch
* candlepin-tomcat6-0.9.7-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.14-1.el6sat.noarch
* foreman-compute-1.6.0.14-1.el6sat.noarch
* foreman-gce-1.6.0.14-1.el6sat.noarch
* foreman-libvirt-1.6.0.14-1.el6sat.noarch
* foreman-ovirt-1.6.0.14-1.el6sat.noarch
* foreman-postgresql-1.6.0.14-1.el6sat.noarch
* foreman-proxy-1.6.0.6-1.el6sat.noarch
* foreman-selinux-1.6.0-4.el6sat.noarch
* foreman-vmware-1.6.0.14-1.el6sat.noarch
* katello-1.5.0-25.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.5-1.el6sat.noarch
* katello-installer-0.0.45-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* openldap-devel-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.18.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.18.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.18.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.18.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.18.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.18.beta.el6sat.noarch
* pulp-server-2.4.0-0.18.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
Comment 22 sthirugn@redhat.com 2014-06-09 16:14:01 UTC 
If this bug is not fixed before beta, this may need doc update.
Comment 23 Eric Helms 2014-06-27 19:37:42 UTC 
Created redmine issue http://projects.theforeman.org/issues/6426 from this bug
Comment 24 Bryan Kearney 2014-06-27 20:01:22 UTC 
Upstream bug assigned to None
Comment 25 Bryan Kearney 2014-06-27 22:01:23 UTC 
Upstream bug assigned to None
Comment 26 Bryan Kearney 2014-06-28 00:01:23 UTC 
Upstream bug assigned to None
Comment 27 Bryan Kearney 2014-06-28 02:01:21 UTC 
Upstream bug assigned to None
Comment 28 Bryan Kearney 2014-06-28 04:01:22 UTC 
Upstream bug assigned to None
Comment 29 Bryan Kearney 2014-06-28 06:01:24 UTC 
Upstream bug assigned to None
Comment 30 Bryan Kearney 2014-06-28 08:01:24 UTC 
Upstream bug assigned to None
Comment 31 Bryan Kearney 2014-06-28 10:01:24 UTC 
Upstream bug assigned to None
Comment 32 Bryan Kearney 2014-06-28 12:01:23 UTC 
Upstream bug assigned to None
Comment 33 Bryan Kearney 2014-06-28 14:01:25 UTC 
Upstream bug assigned to None
Comment 34 Bryan Kearney 2014-06-28 16:01:22 UTC 
Upstream bug assigned to None
Comment 35 Bryan Kearney 2014-06-28 18:01:22 UTC 
Upstream bug assigned to None
Comment 36 Bryan Kearney 2014-06-28 20:01:21 UTC 
Upstream bug assigned to None
Comment 37 Bryan Kearney 2014-06-28 22:01:24 UTC 
Upstream bug assigned to None
Comment 38 Bryan Kearney 2014-06-29 00:01:22 UTC 
Upstream bug assigned to None
Comment 39 Bryan Kearney 2014-06-29 02:01:23 UTC 
Upstream bug assigned to None
Comment 40 Bryan Kearney 2014-06-29 04:01:22 UTC 
Upstream bug assigned to None
Comment 41 Bryan Kearney 2014-06-29 06:01:22 UTC 
Upstream bug assigned to None
Comment 42 Bryan Kearney 2014-06-29 08:01:23 UTC 
Upstream bug assigned to None
Comment 43 Bryan Kearney 2014-06-29 10:01:22 UTC 
Upstream bug assigned to None
Comment 44 Bryan Kearney 2014-06-29 12:01:21 UTC 
Upstream bug assigned to None
Comment 45 Bryan Kearney 2014-06-29 14:01:24 UTC 
Upstream bug assigned to None
Comment 46 Bryan Kearney 2014-06-29 16:01:21 UTC 
Upstream bug assigned to None
Comment 47 Bryan Kearney 2014-06-29 18:01:23 UTC 
Upstream bug assigned to None
Comment 48 Bryan Kearney 2014-06-29 20:01:21 UTC 
Upstream bug assigned to None
Comment 49 Bryan Kearney 2014-06-29 22:01:22 UTC 
Upstream bug assigned to None
Comment 50 Bryan Kearney 2014-06-30 00:01:22 UTC 
Upstream bug assigned to None
Comment 51 Bryan Kearney 2014-06-30 02:01:22 UTC 
Upstream bug assigned to None
Comment 52 Bryan Kearney 2014-06-30 04:01:22 UTC 
Upstream bug assigned to None
Comment 53 Bryan Kearney 2014-06-30 06:01:21 UTC 
Upstream bug assigned to None
Comment 54 Bryan Kearney 2014-06-30 08:01:30 UTC 
Upstream bug assigned to None
Comment 55 Bryan Kearney 2014-06-30 12:01:28 UTC 
Upstream bug assigned to None
Comment 56 Bryan Kearney 2014-06-30 14:01:43 UTC 
Upstream bug assigned to None
Comment 57 Bryan Kearney 2014-06-30 16:02:43 UTC 
Upstream bug assigned to None
Comment 58 Bryan Kearney 2014-06-30 18:01:35 UTC 
Upstream bug assigned to None
Comment 59 Bryan Kearney 2014-06-30 20:01:44 UTC 
Upstream bug assigned to None
Comment 60 Bryan Kearney 2014-06-30 22:01:26 UTC 
Upstream bug assigned to None
Comment 61 Bryan Kearney 2014-07-01 00:01:25 UTC 
Upstream bug assigned to None
Comment 62 Bryan Kearney 2014-07-01 02:01:24 UTC 
Upstream bug assigned to None
Comment 63 Bryan Kearney 2014-07-01 04:01:22 UTC 
Upstream bug assigned to None
Comment 64 Bryan Kearney 2014-07-01 06:01:28 UTC 
Upstream bug assigned to None
Comment 65 Bryan Kearney 2014-07-01 08:01:36 UTC 
Upstream bug assigned to None
Comment 66 Bryan Kearney 2014-07-01 10:01:26 UTC 
Upstream bug assigned to None
Comment 67 Bryan Kearney 2014-07-01 12:01:30 UTC 
Upstream bug assigned to None
Comment 68 Bryan Kearney 2014-07-01 14:01:34 UTC 
Upstream bug assigned to None
Comment 69 Bryan Kearney 2014-07-01 16:01:26 UTC 
Upstream bug assigned to None
Comment 70 Jesus M. Rodriguez 2014-07-30 17:21:11 UTC 
The 6/9 attachments do not have any of the logs from the java bits in it. There's no tomcat logs or no candlepin logs.
Comment 71 sthirugn@redhat.com 2014-07-30 17:57:45 UTC 
I dont think this bug is relevant anymore.

Satellite6 now requires java-1.7.0-openjdk by default.  Proposing to close this bug.
Comment 72 sthirugn@redhat.com 2014-07-30 18:10:34 UTC 
Verified.

Satellite6 now requires java-1.7.0-openjdk


Version Tested:
Satellite-6.0.4-RHEL-6-20140723.0

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.29-1.el6sat.noarch
* foreman-compute-1.6.0.29-1.el6sat.noarch
* foreman-gce-1.6.0.29-1.el6sat.noarch
* foreman-libvirt-1.6.0.29-1.el6sat.noarch
* foreman-ovirt-1.6.0.29-1.el6sat.noarch
* foreman-postgresql-1.6.0.29-1.el6sat.noarch
* foreman-proxy-1.6.0.21-1.el6sat.noarch
* foreman-selinux-1.6.0-8.el6sat.noarch
* foreman-vmware-1.6.0.29-1.el6sat.noarch
* katello-1.5.0-27.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.56-1.el6sat.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.23.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.23.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.23.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.23.beta.el6sat.noarch
* pulp-server-2.4.0-0.23.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
Comment 73 Mike McCune 2014-07-31 13:50:22 UTC 
*** Bug 1124441 has been marked as a duplicate of this bug. ***
Comment 75 Bryan Kearney 2014-09-11 12:25:00 UTC 
This was delivered with Satellite 6.0 which was released on 10 September 2014.