| Summary: | cloning CA: Failed to obtain installation token from security domain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | German Parente <gparente> |
| Component: | pki-core | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED NOTABUG | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | | |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-03 16:39:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description of problem:

When installing a replica, pkispawn is failing at SystemConfigService. Authentication is failing in master CA.

I am sorry about logging this bug. It's probably not a bug but a configuration issue, but I cannot tell from the logs what the issue is.

These are the extracts of the logs on the master and on the replica at the moment of failure:

in master:
=======================================
[26/Feb/2016:11:32:48][TP-Processor1]: according to ccMode, authorization for servlet: caGetCookie is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie init
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet:service() uri = /ca/admin/ca/getCookie
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='url' value='https://ipa7.istat.it:443/ca/admin/console/config/wizard?p=5&subsystem=CA'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='uid' value='admin'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='pwd' value='(sensitive)'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: caGetCookie start to service.
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie start
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie before auth, url =https://ipa7.istat.it:443/ca/admin/console/config/wizard?p=5&subsystem=CA
[26/Feb/2016:11:32:48][TP-Processor1]: IP: 10.18.103.43
[26/Feb/2016:11:32:48][TP-Processor1]: AuthMgrName: passwdUserDBAuthMgr
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: no client certificate found
[26/Feb/2016:11:32:48][TP-Processor1]: Authentication: UID=admin
[26/Feb/2016:11:32:48][TP-Processor1]: In LdapBoundConnFactory::getConn()
[26/Feb/2016:11:32:48][TP-Processor1]: masterConn is connected: true
[26/Feb/2016:11:32:48][TP-Processor1]: getConn: conn is connected true
[26/Feb/2016:11:32:48][TP-Processor1]: getConn: mNumConns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: LdapAnonConnFactory::getConn
[26/Feb/2016:11:32:48][TP-Processor1]: LdapAnonConnFactory.getConn(): num avail conns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: returnConn: mNumConns now 3
[26/Feb/2016:11:32:48][TP-Processor1]: returnConn: mNumConns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie authentication failed
[26/Feb/2016:11:32:48][TP-Processor1]: mErrorFormPath=/admin/ca/securitydomainlogin.template
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: curDate=Fri Feb 26 11:32:48 CET 2016 id=caGetCookie time=26
=================================================

in replica
=================================================
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: SystemConfigService: configure()
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://ipa1.istat.it:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://ipa1.istat.it:443, subsystemName=CA ipa7.istat.it 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa7.istat.it, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=false, masterReplicationPort=7389, cloneReplicationPort=389, replicationSecurity=TLS, systemCerts=[com.netscape.certsrv.system.SystemCertData@2681e1f], issuingCA=https://ipa1.istat.it:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=True, subordinateSecurityDomainNamenull]
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: === Token Panel ===
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: === Security Domain Panel ===
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Joining existing security domain
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Resolving security domain URLhttps://ipa1.istat.it:443
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Feb/2016:11:32:47][http-bio-8443-exec-3]: Getting install token
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Getting install token
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Getting old cookie
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Token: null
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Install token is null
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Failed to obtain installation token from security domain
===============================================

Seems rather clear to me that authentication with uid=admin is failing. But I cannot find from the source code how the admin password is obtained, and whether it's simple authentication or cert based.

Version-Release number of selected component (if applicable):

pki-server-10.2.5-6.el7
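
In the master extract above, the `getCookie` request carries `uid` and `pwd` parameters, `AuthMgrName` is `passwdUserDBAuthMgr`, and no client certificate was found. As an added example (not part of the original report and not Dogtag PKI code), the sketch below pulls those fields out of each `AUTH_FAIL` audit event and pairs it by timestamp with the replica's `Install token is null` line; the function names and the 5-second window are assumptions, and both hosts' clocks are assumed to be in sync.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the master and replica extracts in this report.
MASTER_LOG = """\
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet:service() uri = /ca/admin/ca/getCookie
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='uid' value='admin'
[26/Feb/2016:11:32:48][TP-Processor1]: IP: 10.18.103.43
[26/Feb/2016:11:32:48][TP-Processor1]: AuthMgrName: passwdUserDBAuthMgr
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: no client certificate found
[26/Feb/2016:11:32:48][TP-Processor1]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
"""
REPLICA_LOG = """\
[26/Feb/2016:11:32:47][http-bio-8443-exec-3]: Getting install token
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Install token is null
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Failed to obtain installation token from security domain
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
AUDIT = re.compile(r"\[(\w+)=([^\]]*)\]")  # [Key=Value] pairs of a signed audit event

def parse(text):
    """Yield (timestamp, thread, message) for each debug-log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), m["thread"], m["msg"]

def auth_failures(text):
    """Summarise each AUTH_FAIL audit event with context seen on the same thread."""
    ctx, out = {}, []
    for ts, thread, msg in parse(text):
        c = ctx.setdefault(thread, {"client_cert": None})  # None: nothing logged yet
        if msg.startswith("IP: "):
            c["ip"] = msg[4:]
        elif "param name='uid'" in msg:
            c["uid"] = msg.split("value='")[1].rstrip("'")
        elif "no client certificate found" in msg:
            c["client_cert"] = False
        elif "AuditEvent=AUTH_FAIL" in msg:
            out.append({"time": ts, **c, **dict(AUDIT.findall(msg))})
            ctx.pop(thread)  # the next request on this thread starts clean
    return out

def correlate(master, replica, window=timedelta(seconds=5)):
    """Pair replica-side null-token lines with master AUTH_FAIL events close in time."""
    nulls = [ts for ts, _, msg in parse(replica) if msg == "Install token is null"]
    return [(n, f) for n in nulls for f in auth_failures(master)
            if abs(n - f["time"]) <= window]
```
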