Bug 1320347

Summary:	KRA installation: NullPointerException in ProxyRealm.findSecurityConstraints
Product:	Red Hat Enterprise Linux 7	Reporter:	Matthew Harmsen <mharmsen>
Component:	pki-core	Assignee:	Endi Sukma Dewata <edewata>
Status:	CLOSED WONTFIX	QA Contact:	Asha Akkiangady <aakkiang>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.3
Target Milestone:	rc
Target Release:	7.4
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-11-29 01:23:00 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Matthew Harmsen 2016-03-22 23:48:53 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2226

KRA setup over LDAPS fails with a NullPointerException in ProxyRealm.findSecurityConstraints.

https://fedorahosted.org/freeipa/ticket/5570
https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html

== curl ==

{{{
# curl http://master1.ipa.test:8080/ca/admin/ca/getStatus
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.26 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - </h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>java.lang.NullPointerException
        com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:114)
        org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
        org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:673)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1526)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1482)
        java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.lang.Thread.run(Thread.java:745)
</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.26 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.26</h3></body></html>
}}}

== journalctl ==

{{{
# journalctl -f -u pki-tomcatd
...
Mar 01 12:10:31 master1.ipa.test server[8061]: Mar 01, 2016 12:10:31 PM org.apache.catalina.core.ContainerBase backgroundProcess
Mar 01 12:10:31 master1.ipa.test server[8061]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@65ac2207 background process
Mar 01 12:10:31 master1.ipa.test server[8061]: java.lang.NullPointerException
Mar 01 12:10:31 master1.ipa.test server[8061]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5554)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Mar 01 12:10:31 master1.ipa.test server[8061]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
Mar 01 12:10:31 master1.ipa.test server[8061]: at java.lang.Thread.run(Thread.java:745)
}}}


{{{
# rpm -qa tomcat pki-ca freeipa-server
pki-ca-10.2.6-15.fc23.noarch
freeipa-server-4.3.90-0.fc23.x86_64
tomcat-8.0.26-2.fc23.noarch

}}}

Comment 1 Matthew Harmsen 2016-06-10 16:02:47 UTC

nkinder moved the accompanying ticket:

10.3.2 ==> 10.4

Comment 2 Matthew Harmsen 2016-06-10 16:03:50 UTC

tduehr reported in the ticket:

I'm seeing this exception in a FreeIPA server as well. KRA installation worked fine but this seems to be preventing the CMS from starting properly resulting in all CA operations to fail. Using the CA/KRA master for CA operations works without a problem.