Bug 1017032 - RHCS81 could not run on RHEL5.9 and RHEL5.10
RHCS81 could not run on RHEL5.9 and RHEL5.10
Status: NEW
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager (Show other bugs)
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Ade Lee
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2013-10-09 03:57 EDT by euroford
Modified: 2015-01-04 19:30 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
catalina.out (5.87 KB, text/plain)
2013-10-09 03:57 EDT, euroford
no flags Details
-Djava.security.debug=access,failure enabled (13.54 KB, text/plain)
2013-11-07 00:58 EST, euroford
no flags Details
pki-ca.policy (10.41 KB, text/plain)
2013-11-19 03:43 EST, euroford
no flags Details
pki-ca-install.log (43.49 KB, text/plain)
2014-03-04 22:46 EST, euroford
no flags Details

  None (edit)
Description euroford 2013-10-09 03:57:04 EDT
Created attachment 809732 [details]

Description of problem:
service pki-ca start failed on RHEL5.9 and RHEL5.10

Version-Release number of selected component (if applicable):
pki-ca-8.1.0-10.el5pki (in RHCS 8.1 iso)
pki-common-8.1.0-23.el5pki(in RHCS 8.1 iso)
tomcat5-5.5.23-0jpp.40.el5_9(in RHEL5.10 iso)

How reproducible:
service pki-ca start

Steps to Reproduce:
1.yum install pki-ca
userdel pkiuser
groupdel pkiuser
groupadd -g 17 -r pkiuser
groupadd -r pkiadmin
groupadd -r pkiaudit
usermod -a -G pkiadmin chinese
useradd -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Red Hat Certificate System" -u 17 -r pkiuser
usermod -a -G pkiadmin pkiuser
usermod -a -G pkiaudit pkiuser
3. pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca \
        -subsystem_type=ca \
        -agent_secure_port=9443 \
        -ee_secure_port=9444 \
        -ee_secure_client_auth_port=9446 \
        -admin_secure_port=9445 \
        -unsecure_port=9180 \
        -tomcat_server_port=9701 \
        -audit_group=pkiaudit \
Actual results:
Starting pki-ca: 
    Using Java Security Manager
    Constructing 'pki-ca.policy' Security Policy
Starting pki-ca:                                           [FAILED]

Expected results:
Starting pki-ca:                                           [  OK  ]

Additional info:
service pki-ca start_sans_security_manager works fine.
Comment 1 Nathan Kinder 2013-10-14 15:29:25 EDT
There are newer RHCS packages in RHN that you should be using:

Comment 2 Nathan Kinder 2013-10-28 14:06:43 EDT
Have you had a chance to try the newer RHCS packages from RHN?
Comment 3 euroford 2013-11-01 23:14:24 EDT
Thanks Nathan, I'm in my evaluation of RHCS 81, just update pki-ca-8.1.1-1.el5pki
and pki-common-8.1.3-2.el5pki in RHEL5.9/RHEL5.10 could not work, I'll try the other updates in RHCS channel. 

Thanks for your kindly help.
Comment 4 euroford 2013-11-02 00:08:02 EDT
I just updated all the following packages under RHEL5.10(x86_64 platform):

and still got the same failure.

tomcat5-5.5.23-0jpp.40.el5_9 is already included in RHEL5.9.
My evaluation system is in a standalone network, and it could not access internet, if you want to check any log files, please let me know, I can past here.

Comment 5 Ade Lee 2013-11-04 15:56:22 EST
Lets try to determine why the startup is failing.

Please add the following to the java command line ExecArgs in  /etc/<instance_name>/nuxwdog-secstart.conf


Your line could look like (for example)-- 

ExeArgs /usr/lib/jvm/jre/bin/java -Djava.security.debug=access,failure  -Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath :/usr/lib/jvm/jre/lib/rt.jar:/usr/share/java/commons-collections.jar:/usr/share/tomcat5/bin/bootstrap.jar:/usr/share/tomcat5/bin/commons-logging-api.jar:/usr/share/java/mx4j/mx4j-impl.jar:/usr/share/java/mx4j/mx4j-jmx.jar:/usr/share/tomcat5/common/lib/nuxwdog.jar -Djava.security.manager -Djava.security.policy=/var/lib/pki-ca/conf/pki-ca.policy -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat5 -Djava.io.tmpdir=/usr/share/tomcat5/temp org.apache.catalina.startup.Bootstrap  start
TmpDir /var/lib/pki-ca/logs/pids 

There should be many logs in catalina.out.  thanks!
Comment 6 euroford 2013-11-07 00:58:27 EST
Created attachment 820887 [details]
-Djava.security.debug=access,failure enabled
Comment 7 Ade Lee 2013-11-18 10:51:11 EST
Very interesting.  Please post the security policy as referred to in the previous post in the ExecArgs line:

In the case above, it would be the file associated with:

Comment 8 euroford 2013-11-19 03:43:41 EST
Created attachment 825955 [details]

It's auto generated.
Comment 9 Ade Lee 2014-02-10 14:06:06 EST
This is pretty weird.  I took the same policy you provided and compared it to a working rhel 5.10 instance on my machine.  It is identical to the one generated on my machine.

My system includes the following tomcat5 packages:


Perhaps you can update to the latest packages -- rhcs and tomcat and see if this problem goes away?
Comment 10 Ade Lee 2014-02-10 14:35:48 EST
Just for reference - here is what is on my machine:

[root@pki-rhel5 pki-ca02]#  rpm -qa | egrep -i pki-\|osutil\|symkey | sort | cat -n
     1	osutil-1.2.0-2.el5pki
     2	pki-ca-8.1.6-1.el5pki
     3	pki-common-8.1.12-1.el5pki
     4	pki-common-javadoc-8.1.12-1.el5pki
     5	pki-console-8.1.0-5.el5pki
     6	pki-java-tools-8.1.0-6.el5pki
     7	pki-java-tools-javadoc-8.1.0-6.el5pki
    10	pki-native-tools-8.1.0-7.el5pki
    13	pki-selinux-8.1.0-2.el5pki
    14	pki-setup-8.1.0-4.el5pki
    15	pki-silent-8.1.0-2.el5pki
    18	pki-util-8.1.1-1.el5pki
    19	pki-util-javadoc-8.1.1-1.el5pki
    20	redhat-pki-ca-ui-8.1.0-8.el5pki
    21	redhat-pki-common-ui-8.1.0-3.el5pki
    22	redhat-pki-console-ui-8.1.0-2.el5pki

[root@pki-rhel5 pki-ca02]# rpm -qa |grep tomcat
Comment 11 euroford 2014-02-11 22:53:07 EST
Hi Ade,

Your system use the follow updated packages,
     2  pki-ca-8.1.6-1.el5pki
     3	pki-common-8.1.12-1.el5pki
     4	pki-common-javadoc-8.1.12-1.el5pki
which were not in RHCS 8.1 ISO image.
And I'll check whether these updates fix this bug, thanks for your infomation.
Comment 12 Marc Sauton 2014-02-17 13:28:41 EST
I may interfere here, but is the issue about a failure CA start, immediately following the pkicreate like in step 3 of the description?
if so, could we review the file /var/log/pki-ca-install.log ? is it possible the hostname is not a fqdn?
Comment 14 Nathan Kinder 2014-02-24 12:07:41 EST
Have you had a chance to check the information that was asked for in comment#12?
Comment 15 euroford 2014-02-25 22:29:00 EST
Hi Marc,
I have a private DNS which works fine, the pki-ca under RHEL5.8 use this DNS too, and works fine.
Comment 16 Marc Sauton 2014-03-03 13:18:57 EST
I wanted to make sure we do have a fully functional DNS forward and reverse fully qualified hostname, any possibility to review the /var/log/pki-ca-install.log file?
Comment 17 euroford 2014-03-04 22:46:36 EST
Created attachment 870743 [details]

My pki-ca-install.log

Note You need to log in before you can comment on or make changes to this bug.