Bug 1017032

Summary: RHCS81 could not run on RHEL5.9 and RHEL5.10
Product: [Retired] Dogtag Certificate System
Reporter: euroford <an.euroford>
Component: Certificate Manager
Assignee: Ade Lee <alee>
Status: CLOSED EOL
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: alee, an.euroford, dpal, msauton, nkinder
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2020-03-27 18:35:30 UTC

Attachments:
    catalina.out
    -Djava.security.debug=access,failure enabled
    pki-ca.policy
    pki-ca-install.log

Description euroford 2013-10-09 07:57:04 UTC
Created attachment 809732 [details]
catalina.out

Description of problem:
service pki-ca start failed on RHEL5.9 and RHEL5.10

Version-Release number of selected component (if applicable):
pki-ca-8.1.0-10.el5pki (in RHCS 8.1 iso)
pki-common-8.1.0-23.el5pki (in RHCS 8.1 iso)
tomcat5-5.5.23-0jpp.40.el5_9 (in RHEL5.10 iso)

How reproducible:
service pki-ca start

Steps to Reproduce:
1. yum install pki-ca
2.
userdel pkiuser
groupdel pkiuser
groupadd -g 17 -r pkiuser
groupadd -r pkiadmin
groupadd -r pkiaudit
usermod -a -G pkiadmin chinese
useradd -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Red Hat Certificate System" -u 17 -r pkiuser
usermod -a -G pkiadmin pkiuser
usermod -a -G pkiaudit pkiuser
3. pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca \
        -subsystem_type=ca \
        -agent_secure_port=9443 \
        -ee_secure_port=9444 \
        -ee_secure_client_auth_port=9446 \
        -admin_secure_port=9445 \
        -unsecure_port=9180 \
        -tomcat_server_port=9701 \
        -audit_group=pkiaudit \
        -verbose

Actual results:
Starting pki-ca: 
    Using Java Security Manager
    Constructing 'pki-ca.policy' Security Policy
Starting pki-ca:                                           [FAILED]

Expected results:
Starting pki-ca:                                           [  OK  ]

Additional info:
service pki-ca start_sans_security_manager works fine.

Comment 1 Nathan Kinder 2013-10-14 19:29:25 UTC
There are newer RHCS packages in RHN that you should be using:

pki-ca-8.1.1-1.el5pki
pki-common-8.1.3-2.el5pki
tomcat5-5.5.23-0jpp.40.el5_9

Comment 2 Nathan Kinder 2013-10-28 18:06:43 UTC
Have you had a chance to try the newer RHCS packages from RHN?

Comment 3 euroford 2013-11-02 03:14:24 UTC
Thanks Nathan, I'm in my evaluation of RHCS 8.1. I just updated pki-ca-8.1.1-1.el5pki
and pki-common-8.1.3-2.el5pki on RHEL5.9/RHEL5.10 and it still could not work; I'll try the other updates in the RHCS channel.

Thanks for your kind help.

Comment 4 euroford 2013-11-02 04:08:02 UTC
I just updated all the following packages under RHEL5.10(x86_64 platform):
pki-ca-8.1.1-1.el5pki.noarch.rpm
pki-tks-8.1.1-1.el5pki.noarch.rpm
pki-common-8.1.3-2.el5pki.noarch.rpm
pki-tps-8.1.3-5.el5pki.x86_64.rpm
pki-kra-8.1.1-1.el5pki.noarch.rpm
symkey-1.2.1-1.el5pki.x86_64.rpm
pki-ocsp-8.1.1-1.el5pki.noarch.rpm

and still got the same failure.

BTW,
tomcat5-5.5.23-0jpp.40.el5_9 is already included in RHEL5.9.
My evaluation system is on a standalone network and cannot access the internet. If you want to check any log files, please let me know and I can paste them here.


Regards.

Comment 5 Ade Lee 2013-11-04 20:56:22 UTC
Let's try to determine why the startup is failing.

Please add the following to the java command line ExecArgs in /etc/<instance_name>/nuxwdog-secstart.conf

 -Djava.security.debug=access,failure

Your line could look like this (for example):

ExeArgs /usr/lib/jvm/jre/bin/java -Djava.security.debug=access,failure  -Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath :/usr/lib/jvm/jre/lib/rt.jar:/usr/share/java/commons-collections.jar:/usr/share/tomcat5/bin/bootstrap.jar:/usr/share/tomcat5/bin/commons-logging-api.jar:/usr/share/java/mx4j/mx4j-impl.jar:/usr/share/java/mx4j/mx4j-jmx.jar:/usr/share/tomcat5/common/lib/nuxwdog.jar -Djava.security.manager -Djava.security.policy=/var/lib/pki-ca/conf/pki-ca.policy -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat5 -Djava.io.tmpdir=/usr/share/tomcat5/temp org.apache.catalina.startup.Bootstrap  start
TmpDir /var/lib/pki-ca/logs/pids

There should be many logs in catalina.out.  thanks!
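Added example, not code from the bug report or from the RHCS/Dogtag project: a small POSIX shell helper that digests the "access:" lines the debug flag above writes to catalina.out, so a failing start can be traced to the permission the Security Manager refused. The sample log lines are constructed in the Java 6 style output format (unquoted permission, target and actions); the nuxwdog.jar path is assumed from the ExeArgs line above.

```shell
#!/bin/sh
# Added example (not part of the bug report): summarise what the JVM logged
# to catalina.out after -Djava.security.debug=access,failure was added to
# ExeArgs, so a pki-ca start failure can be traced to a grant missing from
# pki-ca.policy. The log lines below are constructed, in the Java 6 style
# "access: ..." format, not copied from the attachment.

SAMPLE_LOG='access: access allowed (java.io.FilePermission /var/lib/pki-ca/conf/CS.cfg read)
access: access denied (java.io.FilePermission /var/lib/pki-ca/logs/pids write)
access: domain that failed ProtectionDomain  ((file:/usr/share/tomcat5/common/lib/nuxwdog.jar <no signer certificates>))
access: access denied (java.util.PropertyPermission java.io.tmpdir write)
access: access denied (java.io.FilePermission /var/lib/pki-ca/logs/pids write)'

# Distinct denied permissions with a count, one per line:
#   "<count> <permission class> <target> <actions>"
denied_permissions() {
    printf '%s\n' "$1" \
      | sed -n 's/^access: access denied (\(.*\))$/\1/p' \
      | sort | uniq -c \
      | sed 's/^ *//'
}

# Code sources (jars) whose protection domain lacked a denied permission.
failed_domains() {
    printf '%s\n' "$1" \
      | sed -n 's/^access: domain that failed ProtectionDomain[ (]*\([^ )]*\).*/\1/p' \
      | sort -u
}

# Turn each distinct denial into a policy-file grant line to review by hand.
# Assumes single-token targets (true for File/Property permissions here).
suggested_grants() {
    denied_permissions "$1" \
      | awk '{ printf "    permission %s \"%s\", \"%s\";\n", $2, $3, $4 }'
}

# Exit status 0 when at least one denial was logged.
has_denials() {
    printf '%s\n' "$1" | grep -q '^access: access denied '
}

echo "Denied permissions:";  denied_permissions "$SAMPLE_LOG"
echo "Failing code sources:"; failed_domains "$SAMPLE_LOG"
echo "Grants to consider:";  suggested_grants "$SAMPLE_LOG"
```

Against a real catalina.out, pass the file contents instead of SAMPLE_LOG (for example with "$(cat /var/lib/pki-ca/logs/catalina.out)") and compare the suggested grants with what pki-ca.policy already contains before adding anything.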

Comment 6 euroford 2013-11-07 05:58:27 UTC
Created attachment 820887 [details]
-Djava.security.debug=access,failure enabled

Comment 7 Ade Lee 2013-11-18 15:51:11 UTC
Very interesting.  Please post the security policy as referred to in the previous post in the ExecArgs line:

In the case above, it would be the file associated with:
 -Djava.security.policy=/var/lib/pki-ca/conf/pki-ca.policy

Thanks!

Comment 8 euroford 2013-11-19 08:43:41 UTC
Created attachment 825955 [details]
pki-ca.policy

It's auto generated.

Comment 9 Ade Lee 2014-02-10 19:06:06 UTC
This is pretty weird.  I took the same policy you provided and compared it to a working rhel 5.10 instance on my machine.  It is identical to the one generated on my machine.

My system includes the following tomcat5 packages:

tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9
tomcatjss-1.1.4-5.el5idm
tomcat5-5.5.23-0jpp.40.el5_9
tomcat5-common-lib-5.5.23-0jpp.40.el5_9
tomcat5-jasper-5.5.23-0jpp.40.el5_9
tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9
tomcat5-server-lib-5.5.23-0jpp.40.el5_9

Perhaps you can update to the latest packages -- rhcs and tomcat and see if this problem goes away?

Comment 10 Ade Lee 2014-02-10 19:35:48 UTC
Just for reference - here is what is on my machine:

[root@pki-rhel5 pki-ca02]#  rpm -qa | egrep -i pki-\|osutil\|symkey | sort | cat -n
     1	osutil-1.2.0-2.el5pki
     2	pki-ca-8.1.6-1.el5pki
     3	pki-common-8.1.12-1.el5pki
     4	pki-common-javadoc-8.1.12-1.el5pki
     5	pki-console-8.1.0-5.el5pki
     6	pki-java-tools-8.1.0-6.el5pki
     7	pki-java-tools-javadoc-8.1.0-6.el5pki
    10	pki-native-tools-8.1.0-7.el5pki
    13	pki-selinux-8.1.0-2.el5pki
    14	pki-setup-8.1.0-4.el5pki
    15	pki-silent-8.1.0-2.el5pki
    18	pki-util-8.1.1-1.el5pki
    19	pki-util-javadoc-8.1.1-1.el5pki
    20	redhat-pki-ca-ui-8.1.0-8.el5pki
    21	redhat-pki-common-ui-8.1.0-3.el5pki
    22	redhat-pki-console-ui-8.1.0-2.el5pki


[root@pki-rhel5 pki-ca02]# rpm -qa |grep tomcat
tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9
tomcatjss-1.1.4-5.el5idm
tomcat5-5.5.23-0jpp.40.el5_9
tomcat5-common-lib-5.5.23-0jpp.40.el5_9
tomcat5-jasper-5.5.23-0jpp.40.el5_9
tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9
tomcat5-server-lib-5.5.23-0jpp.40.el5_9

Comment 11 euroford 2014-02-12 03:53:07 UTC
Hi Ade,

Your system uses the following updated packages,
     2	pki-ca-8.1.6-1.el5pki
     3	pki-common-8.1.12-1.el5pki
     4	pki-common-javadoc-8.1.12-1.el5pki
which were not in the RHCS 8.1 ISO image.
I'll check whether these updates fix this bug; thanks for your information.

Comment 12 Marc Sauton 2014-02-17 18:28:41 UTC
I may be interfering here, but is the issue about a failed CA start immediately following the pkicreate, as in step 3 of the description?
If so, could we review the file /var/log/pki-ca-install.log? Is it possible the hostname is not a FQDN?

Comment 14 Nathan Kinder 2014-02-24 17:07:41 UTC
Have you had a chance to check the information that was asked for in comment #12?

Comment 15 euroford 2014-02-26 03:29:00 UTC
Hi Marc,
I have a private DNS which works fine; the pki-ca under RHEL5.8 uses this DNS too, and works fine.

Comment 16 Marc Sauton 2014-03-03 18:18:57 UTC
I wanted to make sure we have a fully functional DNS forward and reverse fully qualified hostname. Any possibility to review the /var/log/pki-ca-install.log file?

Comment 17 euroford 2014-03-05 03:46:36 UTC
Created attachment 870743 [details]
pki-ca-install.log

My pki-ca-install.log