Bug 1412681
| Summary: | update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Amy Farley <afarley> | |
| Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.3 | CC: | afarley, edewata, ftweedal, gkapoor, gparente, ifloodmu, ipa-maint, karlo.luiten+bugzilla, mharmsen, msauton, pvoborni, rcritten | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: |
PKI Server no longer fails to start when an "entryUSN" attribute contains a value larger than 32-bit
Previously, the "LDAP Profile Monitor" and the "Lightweight CA Monitor" parsed values in "entryUSN" attributes as a 32-bit integer. As a consequence, when the attribute contained a value larger than that, a `NumberFormatException` error was logged and the server failed to start. The problem has been fixed, and the server no longer fails to start in the mentioned scenario.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1417066 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 22:48:25 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1417066 | |||
|
Comment 18
Petr Vobornik
2017-01-17 11:41:53 UTC
Hi, How to reproduce/test this Bugzilla. Thanks, Geetika

comment 26 has the main hint about the issue https://bugzilla.redhat.com/show_bug.cgi?id=1412681#c26 but here are some detailed steps:

- failed environment:

  ```
  RHEL-7.3
  ipa-server-4.4.0-12.el7.x86_64
  pki-ca-10.3.3-10.el7.noarch

  journalctl -f _SYSTEMD_UNIT=pki-tomcatd
  ...
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: Exception in thread "authorityMonitor" java.lang.NumberFormatException: For input string: "3147483647"
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.parseInt(Integer.java:583)
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.<init>(Integer.java:867)
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.readAuthority(CertificateAuthority.java:3290)
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.run(CertificateAuthority.java:3197)
  Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Thread.run(Thread.java:745)
  ```

- fix was tested with:

  ```
  pki-base-10.3.3-16.2.el7_3.noarch
  pki-server-10.3.3-16.2.el7_3.noarch
  pki-tools-10.3.3-16.2.el7_3.x86_64
  pki-base-java-10.3.3-16.2.el7_3.noarch
  pki-kra-10.3.3-16.2.el7_3.noarch
  pki-ca-10.3.3-16.2.el7_3.noarch
  ```

- have 1 IPA master already setup: test was with example.com and EXAMPLE-COM

  it is best to test with a subordinate CA, to exercise more code paths

- optional sanity check on default usn, low value expected:

  ```
  /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "" -s base "(objectclass=*)" lastusn
  ```

  expected output example:

  ```
  dn:
  lastusn: 232747
  ```

- set the next entryusn start value from an import to a high value, something over 2^31-1 or 2147483647

  ```
  ldapmodify -x -D "cn=directory manager" -w password << EOF
  dn: cn=config
  changetype: modify
  replace: nsslapd-entryusn-import-initval
  nsslapd-entryusn-import-initval: 3147483647
  EOF
  ```

- export the LDAP ipaca backend

  ```
  /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -r -D "cn=directory manager" -w password -n ipaca -a /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif
  ```

- import the LDAP ipaca backend saved in the previous step:

  ```
  /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db.pl -D "cn=directory manager" -w password -n ipaca -i /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.20170117195529.ldif
  ```

- optional sanity check for high entryusn values:

  ```
  /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn
  ```

  expected output example:

  ```
  dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
  entryusn: 3147483647
  ```

- restart CA

  ```
  systemctl stop pki-tomcatd
  systemctl start pki-tomcatd
  ```

- final error check, nothing should be returned from this command:

  ```
  grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
  [root@ipaserver1 ~]#
  ```

clearing the needinfo flag

Test environment: pki-ca-10.4.1-8.el7.noarch

Test steps performed based on Comment #35:
==========================================

step 1 :

```
[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "" -s base "(objectclass=*)" lastusn
dn:
lastusn: 1970
```

Step 2 :

```
[root@ipaqavmd ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-entryusn-import-initval
> nsslapd-entryusn-import-initval: 3147483647
> EOF
modifying entry "cn=config"
```

Step 3:

```
[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/db2ldif.pl -r -D "cn=directory manager" -w Secret123 -n ipaca -a /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif
Exporting to ldif file: /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=export_2017_6_7_8_3_19, cn=export, cn=tasks, cn=config"
```

Step 4:

```
[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/ldif2db.pl -D "cn=directory manager" -w Secret123 -n ipaca -i /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=import_2017_6_7_8_4_30, cn=import, cn=tasks, cn=config"
```

Step 5:

```
[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647
```

step 6:

```
[root@ipaqavmd ~]# systemctl stop pki-tomcatd
[root@ipaqavmd ~]# systemctl start pki-tomcatd
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/*
```

numberFormatException is not experienced.

tested nsslapd-entryusn-import-initval with biginteger and next. In both the cases pki process starts without any hang and without number format exception.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110
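A check for the condition this report describes, as an added example that is not part of the bug report or of pki-core: it reads LDIF and lists entries whose `entryusn` exceeds 2147483647, the largest value a 32-bit integer parse accepts. The function names `usn_overflow_entries` and `sample_ldif` are hypothetical, and every sample entry except the `caUserCert` one is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Flags LDIF entries whose entryusn
# does not fit a signed 32-bit integer (max 2147483647 = 2^31-1).

# Read LDIF on stdin; print "<entryusn> <dn>" for each entry above the limit.
usn_overflow_entries() {
    awk '
    BEGIN { max = "2147483647" }
    function handle(line,    v) {
        if (line == "") { dn = ""; return }            # blank line ends entry
        if (tolower(line) ~ /^dn:/) {
            dn = line; sub(/^[^:]*::?[ ]*/, "", dn); return
        }
        if (tolower(line) !~ /^entryusn:/) return
        v = line; sub(/^[^:]*:[ ]*/, "", v); sub(/^0+/, "", v)
        if (v !~ /^[0-9]+$/) return
        # Compare as digit strings: longer means larger, and equal-length
        # digit strings order the same lexically as numerically. This stays
        # correct for values beyond awk floating-point precision.
        if (length(v) > length(max) ||
            (length(v) == length(max) && (v "") > max))
            print v, dn
    }
    # Unfold LDIF continuation lines (leading single space) before handling.
    substr($0, 1, 1) == " " { buf = buf substr($0, 2); next }
    { if (have) handle(buf); buf = $0; have = 1 }
    END { if (have) handle(buf) }
    '
}

# Constructed sample; only the caUserCert entry mirrors output on this page.
sample_ldif() {
cat <<'EOF'
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

dn: cn=constructed-max,ou=certificateProfiles,ou=ca,o=ipaca
entryUSN: 2147483647

dn: cn=constructed-min-overflow,ou=certificateProfiles,ou=ca,o=ipaca
entryUSN: 2147483648

dn: cn=constructed-folded,ou=certificateProfiles,
 ou=ca,o=ipaca
entryusn: 92233720368547758070
EOF
}

sample_ldif | usn_overflow_entries
```

Feed it the output of an `ldapsearch -LLL ... entryusn` query such as the sanity check in the steps above; any line it prints names an entry that the unpatched monitors could not parse.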