Bug 1262516

Summary: PKI CA configuration fails with OpenJDK 1.8
Product: Red Hat Enterprise Linux 6
Component: pki-core
Version: 6.7
Reporter: Endi Sukma Dewata <edewata>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Asha Akkiangady <aakkiang>
CC: nkinder, omajid
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-09-29 22:31:37 UTC

Description Endi Sukma Dewata 2015-09-12 03:18:52 UTC
PKI CA configuration fails with OpenJDK 1.8 on RHEL 6.7. It is the same problem as reported in bug #1212557, but it can now be reproduced without IPA. The CA configuration works fine with OpenJDK 1.7.


Prerequisites:

1. Install the following packages:
# yum install pki-ca pki-silent 389-ds-base java-1.8.0-openjdk

Installed packages:
* 389-ds-base-libs-1.2.11.15-60.el6.x86_64
* 389-ds-base-1.2.11.15-60.el6.x86_64
* java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_7.x86_64
* java-1.8.0-openjdk-1.8.0.51-1.b16.el6_7.x86_64
* java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el6_7.x86_64
* pki-silent-9.0.3-43.el6.noarch
* pki-ca-9.0.3-43.el6.noarch
* pki-symkey-9.0.3-43.el6.x86_64
* pki-java-tools-9.0.3-43.el6.noarch
* pki-common-9.0.3-43.el6.noarch
* pki-selinux-9.0.3-43.el6.noarch
* pki-util-9.0.3-43.el6.noarch
* pki-native-tools-9.0.3-43.el6.x86_64
* pki-setup-9.0.3-43.el6.noarch

2. Create DS instance:
# setup-ds.pl --silent -- General.FullMachineName=$HOSTNAME General.SuiteSpotUserID=nobody General.SuiteSpotGroup=nobody slapd.ServerPort=389 slapd.ServerIdentifier=pki-master slapd.Suffix=dc=example,dc=com 'slapd.RootDN=cn=Directory Manager' slapd.RootDNPwd=Secret123


Steps to reproduce:

1. Select OpenJDK 1.8:
# alternatives --config java

2. Create CA instance:
# pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ca -subsystem_type=ca -secure_port=9443 -unsecure_port=9180 -tomcat_server_port=9701 -user=pkiuser -group=pkiuser -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca

3. Create certs folder:
# mkdir -p /var/lib/pki-ca/certs

4. Configure CA instance:
# pkisilent ConfigureCA -cs_hostname $HOSTNAME -cs_port 9443 -preop_pin `grep preop.pin= /var/lib/pki-ca/conf/CS.cfg | awk -F= '{ print $2; }'` -client_certdb_dir /var/lib/pki-ca/certs -client_certdb_pwd Secret123 -token_name internal -domain_name EXAMPLE-COM -subsystem_name 'Certificate Authority' -ldap_host $HOSTNAME -ldap_port 389 -base_dn ou=ca,dc=example,dc=com -db_name example.com-pki-ca -bind_dn 'cn=Directory Manager' -bind_password Secret123 -remove_data true -key_type rsa -key_size 2048 -key_algorithm SHA256withRSA -signing_signingalgorithm SHA256withRSA -save_p12 true -backup_fname /var/lib/pki-ca/certs/ca-server-certs.p12 -backup_pwd Secret123 -ca_sign_cert_subject_name 'CN=Certificate Authority,O=EXAMPLE-COM' -ca_ocsp_cert_subject_name 'CN=OCSP Signing Certificate,O=EXAMPLE-COM' -ca_server_cert_subject_name CN=$HOSTNAME,O=EXAMPLE-COM -ca_subsystem_cert_subject_name 'CN=CA Subsystem Certificate,O=EXAMPLE-COM' -ca_audit_signing_cert_subject_name 'CN=CA Audit Signing Certificate,O=EXAMPLE-COM' -admin_user caadmin -agent_name caadmin -admin_email caadmin -admin_password Secret123 -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=caadmin,UID=caadmin,E=caadmin,O=EXAMPLE-COM


Actual result: CA configuration fails with the following output:

[Fatal Error] :-1:-1: Premature end of file.
org.xml.sax.SAXParseException; Premature end of file.
        at org.apache.xerces.parsers.DOMParser.parse(DOMParser.java:239)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:283)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:258)
        at ConfigureCA.getStatus(ConfigureCA.java:205)
        at ConfigureCA.checkStatus(ConfigureCA.java:221)
        at ConfigureCA.checkStatus(ConfigureCA.java:216)
        at ConfigureCA.CertSubjectPanel(ConfigureCA.java:644)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1242)
        at ConfigureCA.main(ConfigureCA.java:1672)
#######################################################################
... snip ...
#############################################
Attempting to connect to: server.example.com:9443
Connected.
Posting Query = https://server.example.com:9443//ca/admin/console/config/wizard?p=11&op=next&xml=true&subsystem=CN%3DCA+Subsystem+Certificate%2CO%3DEXAMPLE-COM&ocsp_signing=CN%3DOCSP+Signing+Certificate%2CO%3DEXAMPLE-COM&signing=CN%3DCertificate+Authority%2CO%3DEXAMPLE-COM&sslserver=CN%3Dserver.example.com%2CO%3DEXAMPLE-COM&audit_signing=CN%3DCA+Audit+Signing+Certificate%2CO%3DEXAMPLE-COM&urls=0
RESPONSE STATUS:  HTTP/1.1 404 Not Found
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 11 Sep 2015 20:58:08 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML =
ERROR: Tag='updateStatus' has no values
Error in CertSubjectPanel(): updateStatus value is null
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

#######################################################################


Expected result: CA configuration should complete successfully just like with OpenJDK 1.7:
Certificate System - CA Instance Configured.


To rerun the test, remove the CA instance with the following command:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
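
In the output above, the request for wizard panel p=11 gets a 404 with an empty body, and "Premature end of file" is what the XML parser reports for empty input, so the HTTP status is the line to look at first. The following is an added example, not part of the original report or of pki-core: a shell function that lists failed wizard requests in saved pkisilent output. The function names and the sample log (trimmed from the output above, plus one constructed successful request) are assumptions.

```shell
#!/bin/sh
# Added example: triage saved pkisilent output.
# Prints one line per wizard POST whose HTTP status was not 200:
#   panel=<p> status=<code|none> body=<empty|present|unknown>

pkisilent_triage() {
    awk '
        function report() {
            if (seen && status != "200")
                printf "panel=%s status=%s body=%s\n", panel, status, body
            seen = 0
        }
        /^Posting Query = / {
            report()                       # close out the previous request
            seen = 1; status = "none"; body = "unknown"; panel = "?"
            if (match($0, /[?&]p=[0-9]+/)) # wizard panel number from the URL
                panel = substr($0, RSTART + 3, RLENGTH - 3)
        }
        /^RESPONSE STATUS:/ { status = $4 } # RESPONSE STATUS: HTTP/1.1 404 ...
        /^ERROR XML =/ {
            body = ($0 ~ /^ERROR XML =[ \t]*$/) ? "empty" : "present"
        }
        END { report() }
    '
}

# Constructed sample: the p=10 request is invented for contrast; the p=11
# lines are trimmed from the output in the bug description.
sample_log() {
    cat <<'EOF'
Posting Query = https://server.example.com:9443//ca/admin/console/config/wizard?p=10&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
Posting Query = https://server.example.com:9443//ca/admin/console/config/wizard?p=11&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 404 Not Found
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML =
ERROR: Tag='updateStatus' has no values
EOF
}

sample_log | pkisilent_triage
```

To use it on a real run, redirect the pkisilent output to a file and pipe that file into `pkisilent_triage`.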

Comment 2 Nathan Kinder 2015-09-29 22:31:37 UTC
We have no plans to support Java 1.8 for pki-core in RHEL 6.x.  Newer versions of pki-core on RHEL 7.x do work with Java 1.8.  Closing this as WONTFIX.

Comment 3 Endi Sukma Dewata 2016-02-05 20:40:26 UTC
https://fedorahosted.org/pki/ticket/1350