Bug 245661

Summary: Clone DRM, with HSM, does NOT function correctly after install
Product: Red Hat Certificate System
Reporter: Issue Tracker <tao>
Component: Cloning
Assignee: Bob Lord <blord>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 7.2
CC: benl, tao
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:25:36 UTC
Bug Blocks: 443788

Description Issue Tracker 2007-06-25 22:36:42 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2007-06-25 22:36:46 UTC
Description of problem:
After finishing the clone DRM Setup Wizard, a couple of configurations were missing:

01) cs.state was set to 0
02) missing kraTransportCert cert-drm-da cert
03) missing kraStorageCert cert-drm-da cert
04) missing subsystemCert cert-rhpki-drm-da cert
05) accessing the DRM agent page, I got "Error Message:
java.lang.NullPointerException:"

How reproducible:

01) Manually set cs.state to 1
02) import kraTransportCert cert-drm-da cert from master DRM
03) import kraStorageCert cert-drm-da from master DRM
04) import subsystemCert cert-rhpki-drm-da from master DRM
05) go to the DRM Agent page, click "Search for Keys"
07) check "Key Identifiers" and click "show key"
08) Got this message:
The Certificate System has encountered an unrecoverable error.

Error Message:
java.lang.NullPointerException:

Please contact your local administrator for assistance. 

This event sent from IssueTracker by mrhodes  [Support Engineering Group]
 issue 123812

Comment 2 Issue Tracker 2007-06-25 22:36:50 UTC
File uploaded: drm-db-CS.cfg

it_file 93667

Comment 3 Issue Tracker 2007-06-25 22:36:52 UTC
File uploaded: drm-db-debug

it_file 93668

Comment 4 Issue Tracker 2007-06-25 22:36:55 UTC
hi,

I am able to overcome the java.lang.NullPointerException: issue. The
problem was
01) authz.instance.DirAclAuthz.ldap.database=CertificateServer
02) internaldb.database=CertificateServer

I changed those 2 parameters to userRoot1:
01) authz.instance.DirAclAuthz.ldap.database=userRoot1
02) internaldb.database=userRoot1

After fixing the previous issue, I am able to browse the existing keys from the clone
DRM agent page. However, when I try to recover an existing key, I got another
error message.

    Failed to recover key for recovery id 1.
    Exception: All serial numbers are used. The max serial number is 0x20000001

Attached are the drm-db.cfg and drm-db-debug files.



Comment 5 Issue Tracker 2007-06-25 22:36:59 UTC
hi Kent,

I copied the following parameters from the Master DRM to the Clone DRM's CS.cfg. Then
I did Key Recovery. That was successful. Somehow the Clone DRM's request
# and serial # are NOT working correctly.

dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.endRequestNumber=10000000
dbs.endSerialNumber=10000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.requestNumber.increment=10000000
dbs.requestNumber.previncrement=1
dbs.serialNumber.increment=10000000
dbs.serialNumber.previncrement=1

The following are the original clone DRM's parameters.
dbs.beginRequestNumber=10000001
dbs.beginSerialNumber=10000001
dbs.endRequestNumber=20000001
dbs.endSerialNumber=20000001
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.requestNumber.increment=10000000
dbs.requestNumber.previncrement=10000000
dbs.serialNumber.increment=10000000
dbs.serialNumber.previncrement=10000000

Let me know, if you need more information.

Thanks,
Fu



Comment 6 Issue Tracker 2007-06-25 22:37:02 UTC
Kent,

I got good news on the clone DRM. After I changed some parameters (see previous
update), I am able to do token operations with the clone DRM. The enrollment
was successful against Master-CA, Master-TKS, and Clone DRM. Here is a small
section of the Clone DRM's log. The hostname of the clone DRM is
drm-db.hmca.ops.aol.com

[2007-06-19 09:25:55] b2b7298 RA::ServerSideKeyGen - finding DRM servlet info, configname=conn.drm1.servlet.GenerateKeyPair
[2007-06-19 09:25:55] b2b7298 HttpConnection::getResponse - Send request to host drm-db.hmca.ops.aol.com:8100 servlet /kra/agent/kra/GenerateKeyPair
[2007-06-19 09:25:59] b2b7298 RA::ServerSideKeyGen - response from DRM (drm-db.hmca.ops.aol.com:8100) is not NULL.
[2007-06-19 09:25:59] b2b7298  RA:: ServerSideKeyGen - in ServerSideKeyGen - got response
[2007-06-19 09:25:59] b2b7298 RA::ServerSideKeyGen - response from DRM status ok

Comment 8 Marco Rhodes 2007-07-20 21:14:50 UTC
Per Thomas (from Issue Tracker #123812):

I just checked the code and the server should use the following parameters to
control the serial numbers of the DRM clone.

I think AOL needs to do the following:

1) Find our current ranges for all 4 DRM (1 Master, 3 Clones)

2) Check the database to see if the issued requests and keys fell into the ranges

3) Then, adjust the following range for requests:
dbs.beginRequestNumber=1000
dbs.endRequestNumber=10000000

4) Adjust the following range for the key records:
dbs.beginSerialNumber=1000
dbs.endSerialNumber=10000000


I did the following test.

a) Install CA, DRM

b) Perform a key archival, and a request #1 is created, and a key #1 is created

c) Then, I changed the following parameters

dbs.beginRequestNumber=1000
dbs.endRequestNumber=10000000
dbs.beginSerialNumber=1000
dbs.endSerialNumber=10000000

d) Do another archival; now I have a request #1000, and a key record #1000.

This demonstrates that the server is using beginRequestNumber and
beginSerialNumber to determine the next serial number to use for request and key.
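A small configuration check, written as an added example for this report (it is not code from the report or from Certificate System): it parses CS.cfg-style dbs.* lines of the kind quoted in comments 5 and 8 into per-instance request and serial ranges, flags ranges that overlap between a master and its clones, and supports step 2 of the list above by reporting which instance's range an already-issued request or key number belongs to. The two CS.cfg fragments are constructed from the values quoted in comment 5; the function names are the example's own.

```python
"""Range checker for DRM master/clone dbs.* parameters.

Added example; not part of the bug report and not Certificate System code.
It parses CS.cfg-style key=value text, reads the dbs.begin*/dbs.end*
request and serial ranges, and checks that the master and its clones hold
disjoint ranges and that an issued number falls inside one instance's range.
"""

# Constructed CS.cfg fragments, modelled on the values quoted in comment 5.
MASTER_CFG = """\
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.endRequestNumber=10000000
dbs.endSerialNumber=10000000
dbs.ldap=internaldb
"""

# The clone's original (as-installed) ranges.
CLONE_CFG = """\
dbs.beginRequestNumber=10000001
dbs.beginSerialNumber=10000001
dbs.endRequestNumber=20000001
dbs.endSerialNumber=20000001
dbs.ldap=internaldb
"""

KINDS = ("Request", "Serial")


def parse_cs_cfg(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def number_range(cfg, kind):
    """Return the inclusive (begin, end) range for kind in KINDS.

    Raises ValueError if a parameter is absent or the range is inverted,
    the kind of half-written clone configuration the report describes.
    """
    try:
        begin = int(cfg[f"dbs.begin{kind}Number"])
        end = int(cfg[f"dbs.end{kind}Number"])
    except KeyError as missing:
        raise ValueError(f"{kind}: missing parameter {missing}") from None
    if begin > end:
        raise ValueError(f"{kind}: begin {begin} is greater than end {end}")
    return begin, end


def overlapping_pairs(cfgs, kind):
    """Return the (name_a, name_b) instance pairs whose ranges for kind intersect.

    Two instances sharing a range can hand out the same request or key number,
    so a non-empty result is a misconfiguration worth fixing before go-live.
    """
    ranges = {name: number_range(cfg, kind) for name, cfg in cfgs.items()}
    names = list(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a0, a1), (b0, b1) = ranges[a], ranges[b]
            if a0 <= b1 and b0 <= a1:
                pairs.append((a, b))
    return pairs


def owner_of(cfgs, kind, number):
    """Name of the instance whose range contains number, or None if no range does.

    This is the per-record check behind step 2 of comment 8: every request and
    key already in the database should map back to one instance's range.
    """
    for name, cfg in cfgs.items():
        begin, end = number_range(cfg, kind)
        if begin <= number <= end:
            return name
    return None


def with_master_ranges(master_cfg, clone_cfg):
    """Reproduce the workaround from comment 5: copy the master's dbs.* ranges into the clone."""
    patched = dict(clone_cfg)
    for kind in KINDS:
        for edge in ("begin", "end"):
            key = f"dbs.{edge}{kind}Number"
            patched[key] = master_cfg[key]
    return patched


if __name__ == "__main__":
    master = parse_cs_cfg(MASTER_CFG)
    clone = parse_cs_cfg(CLONE_CFG)
    installed = {"master": master, "clone": clone}
    patched = {"master": master, "clone": with_master_ranges(master, clone)}
    for kind in KINDS:
        print(kind, "overlap as installed:", overlapping_pairs(installed, kind))
        print(kind, "overlap after workaround:", overlapping_pairs(patched, kind))
    print("owner of key 10000001:", owner_of(installed, "Serial", 10000001))
```

Run against the fragments above, the as-installed master and clone ranges are disjoint, while the workaround from comment 5 (copying the master's ranges into the clone) makes the two instances overlap on both the request and the serial range; that is the caveat to weigh before adopting it, since two DRMs drawing from the same range can assign the same number. Feed each instance's real CS.cfg into `parse_cs_cfg` and each request and key number from the database into `owner_of` to carry out steps 1 and 2 of the list above.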

Comment 10 Red Hat Bugzilla 2007-10-27 15:32:31 UTC
User nkwan's account has been closed

Comment 11 Chandrasekar Kannan 2008-08-27 00:06:12 UTC
Bug already MODIFIED. setting target CS8.0 and marking screened+