Bug 1017032
Summary: | RHCS81 could not run on RHEL5.9 and RHEL5.10 | |
---|---|---|---
Product: | [Retired] Dogtag Certificate System | Reporter: | euroford <an.euroford>
Component: | Certificate Manager | Assignee: | Ade Lee <alee>
Status: | CLOSED EOL | QA Contact: | Ben Levenson <benl>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 9.0 | CC: | alee, an.euroford, dpal, msauton, nkinder
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-03-27 18:35:30 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: |
There are newer RHCS packages in RHN that you should be using:

    pki-ca-8.1.1-1.el5pki
    pki-common-8.1.3-2.el5pki
    tomcat5-5.5.23-0jpp.40.el5_9

Have you had a chance to try the newer RHCS packages from RHN?

Thanks Nathan, I'm in my evaluation of RHCS 81. Just updating pki-ca-8.1.1-1.el5pki and pki-common-8.1.3-2.el5pki in RHEL5.9/RHEL5.10 did not work; I'll try the other updates in the RHCS channel. Thanks for your kind help.

I just updated all the following packages under RHEL5.10 (x86_64 platform):

    pki-ca-8.1.1-1.el5pki.noarch.rpm
    pki-tks-8.1.1-1.el5pki.noarch.rpm
    pki-common-8.1.3-2.el5pki.noarch.rpm
    pki-tps-8.1.3-5.el5pki.x86_64.rpm
    pki-kra-8.1.1-1.el5pki.noarch.rpm
    symkey-1.2.1-1.el5pki.x86_64.rpm
    pki-ocsp-8.1.1-1.el5pki.noarch.rpm

and still got the same failure. BTW, tomcat5-5.5.23-0jpp.40.el5_9 is already included in RHEL5.9. My evaluation system is on a standalone network and cannot access the internet. If you want to check any log files, please let me know and I can paste them here. Regards.

Let's try to determine why the startup is failing. Please add the following to the java command line ExecArgs in /etc/<instance_name>/nuxwdog-secstart.conf

    -Djava.security.debug=access,failure

Your line could look like (for example):

    ExeArgs /usr/lib/jvm/jre/bin/java -Djava.security.debug=access,failure -Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath :/usr/lib/jvm/jre/lib/rt.jar:/usr/share/java/commons-collections.jar:/usr/share/tomcat5/bin/bootstrap.jar:/usr/share/tomcat5/bin/commons-logging-api.jar:/usr/share/java/mx4j/mx4j-impl.jar:/usr/share/java/mx4j/mx4j-jmx.jar:/usr/share/tomcat5/common/lib/nuxwdog.jar -Djava.security.manager -Djava.security.policy=/var/lib/pki-ca/conf/pki-ca.policy -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat5 -Djava.io.tmpdir=/usr/share/tomcat5/temp org.apache.catalina.startup.Bootstrap start
    TmpDir /var/lib/pki-ca/logs/pids

There should be many logs in catalina.out. Thanks!

Created attachment 820887 [details]
-Djava.security.debug=access,failure enabled
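
Added example (not part of the bug report or of RHCS): a Python filter for the `-Djava.security.debug=access,failure` output requested above. It counts each denied permission together with the code source that failed, so the result can be checked against `pki-ca.policy`. The log lines are constructed, and the line shapes are the JDK's usual debug format, assumed here rather than taken from the attachment.

```python
import re
from collections import Counter

# Line shapes assumed from the JDK's java.security.debug output (not copied
# from the attachment): Java 6 prints permissions unquoted, Java 7+ quoted.
DENIED = re.compile(r"access: access denied \((.*)\)\s*$")
DOMAIN = re.compile(r"access: domain that failed ProtectionDomain\s+\((\S+)")

# Constructed sample; paths reuse those quoted in the thread.
SAMPLE = """\
access: access allowed (java.util.PropertyPermission catalina.base read)
access: access denied (java.io.FilePermission /var/lib/pki-ca/logs/pids read)
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain  (file:/usr/share/tomcat5/common/lib/nuxwdog.jar <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "loadLibrary.example")
access: access denied (java.io.FilePermission /var/lib/pki-ca/logs/pids read)
access: domain that failed ProtectionDomain  (file:/usr/share/tomcat5/common/lib/nuxwdog.jar <no signer certificates>)
"""

def parse_permission(text):
    """Split a Permission.toString() body into (class, name, actions)."""
    parts = re.findall(r'"([^"]*)"', text)           # quoted form
    if not parts:                                     # unquoted form
        tok = text.split()
        # Class is the first token, actions the last; the name may hold spaces.
        parts = tok if len(tok) <= 3 else [tok[0], " ".join(tok[1:-1]), tok[-1]]
    return tuple((parts + ["", "", ""])[:3])

def denied_permissions(log_text):
    """Count denials keyed by (class, name, actions, code source)."""
    counts, pending = Counter(), None
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            if pending is not None:                   # no domain line followed
                counts[pending + ("unknown",)] += 1
            pending = parse_permission(m.group(1))
            continue
        m = DOMAIN.search(line)
        if m and pending is not None:                 # attach the failing code source
            counts[pending + (m.group(1),)] += 1
            pending = None
    if pending is not None:
        counts[pending + ("unknown",)] += 1
    return counts

if __name__ == "__main__":
    for (cls, name, actions, src), n in denied_permissions(SAMPLE).most_common():
        print(f"{n:3d}  {cls} {name!r} {actions!r}  <- {src}")
```
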

Very interesting. Please post the security policy as referred to in the previous post in the ExecArgs line. In the case above, it would be the file associated with:

    -Djava.security.policy=/var/lib/pki-ca/conf/pki-ca.policy

Thanks!

Created attachment 825955 [details]
pki-ca.policy
It's auto generated.

This is pretty weird. I took the same policy you provided and compared it to a working rhel 5.10 instance on my machine. It is identical to the one generated on my machine. My system includes the following tomcat5 packages:

    tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9
    tomcatjss-1.1.4-5.el5idm
    tomcat5-5.5.23-0jpp.40.el5_9
    tomcat5-common-lib-5.5.23-0jpp.40.el5_9
    tomcat5-jasper-5.5.23-0jpp.40.el5_9
    tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9
    tomcat5-server-lib-5.5.23-0jpp.40.el5_9

Perhaps you can update to the latest packages -- rhcs and tomcat -- and see if this problem goes away?

Just for reference, here is what is on my machine:

    [root@pki-rhel5 pki-ca02]# rpm -qa | egrep -i pki-\|osutil\|symkey | sort | cat -n
     1 osutil-1.2.0-2.el5pki
     2 pki-ca-8.1.6-1.el5pki
     3 pki-common-8.1.12-1.el5pki
     4 pki-common-javadoc-8.1.12-1.el5pki
     5 pki-console-8.1.0-5.el5pki
     6 pki-java-tools-8.1.0-6.el5pki
     7 pki-java-tools-javadoc-8.1.0-6.el5pki
    10 pki-native-tools-8.1.0-7.el5pki
    13 pki-selinux-8.1.0-2.el5pki
    14 pki-setup-8.1.0-4.el5pki
    15 pki-silent-8.1.0-2.el5pki
    18 pki-util-8.1.1-1.el5pki
    19 pki-util-javadoc-8.1.1-1.el5pki
    20 redhat-pki-ca-ui-8.1.0-8.el5pki
    21 redhat-pki-common-ui-8.1.0-3.el5pki
    22 redhat-pki-console-ui-8.1.0-2.el5pki
    [root@pki-rhel5 pki-ca02]# rpm -qa |grep tomcat
    tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9
    tomcatjss-1.1.4-5.el5idm
    tomcat5-5.5.23-0jpp.40.el5_9
    tomcat5-common-lib-5.5.23-0jpp.40.el5_9
    tomcat5-jasper-5.5.23-0jpp.40.el5_9
    tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9
    tomcat5-server-lib-5.5.23-0jpp.40.el5_9

Hi Ade, your system uses the following updated packages,

     2 pki-ca-8.1.6-1.el5pki
     3 pki-common-8.1.12-1.el5pki
     4 pki-common-javadoc-8.1.12-1.el5pki

which were not in the RHCS 8.1 ISO image. I'll check whether these updates fix this bug. Thanks for your information.

I may interfere here, but is the issue about a CA start failure immediately following the pkicreate, like in step 3 of the description? If so, could we review the file /var/log/pki-ca-install.log? Is it possible the hostname is not a FQDN?

Have you had a chance to check the information that was asked for in comment#12?

Hi Marc, I have a private DNS which works fine; the pki-ca under RHEL5.8 uses this DNS too, and works fine.

I wanted to make sure we do have a fully functional DNS forward and reverse fully qualified hostname. Any possibility to review the /var/log/pki-ca-install.log file?

Created attachment 870743 [details]
pki-ca-install.log
My pki-ca-install.log

Created attachment 809732 [details]
catalina.out

Description of problem:
service pki-ca start failed on RHEL5.9 and RHEL5.10

Version-Release number of selected component (if applicable):
pki-ca-8.1.0-10.el5pki (in RHCS 8.1 iso)
pki-common-8.1.0-23.el5pki (in RHCS 8.1 iso)
tomcat5-5.5.23-0jpp.40.el5_9 (in RHEL5.10 iso)

How reproducible:
service pki-ca start

Steps to Reproduce:
1. yum install pki-ca
2.
    userdel pkiuser
    groupdel pkiuser
    groupadd -g 17 -r pkiuser
    groupadd -r pkiadmin
    groupadd -r pkiaudit
    usermod -a -G pkiadmin chinese
    useradd -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Red Hat Certificate System" -u 17 -r pkiuser
    usermod -a -G pkiadmin pkiuser
    usermod -a -G pkiaudit pkiuser
3.
    pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca \
        -subsystem_type=ca \
        -agent_secure_port=9443 \
        -ee_secure_port=9444 \
        -ee_secure_client_auth_port=9446 \
        -admin_secure_port=9445 \
        -unsecure_port=9180 \
        -tomcat_server_port=9701 \
        -audit_group=pkiaudit \
        -verbose

Actual results:
    Starting pki-ca: Using Java Security Manager
    Constructing 'pki-ca.policy' Security Policy
    Starting pki-ca: [FAILED]

Expected results:
    Starting pki-ca: [ OK ]

Additional info:
service pki-ca start_sans_security_manager works fine.