Bug 1195811 - PKI fails to install, missing support for Tomcat 8.0
Summary: PKI fails to install, missing support for Tomcat 8.0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException https://fedor...
Depends On:
Blocks: F22AlphaFreezeException
 
Reported: 2015-02-24 16:03 UTC by Martin Kosek
Modified: 2015-09-28 18:45 UTC (History)

Fixed In Version: tomcat-7.0.59-3.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-28 18:05:40 UTC



Description Martin Kosek 2015-02-24 16:03:01 UTC
Description of problem:
This is a clone of upstream ticket
https://fedorahosted.org/pki/ticket/1264

Starting from Fedora 22 Tomcat 7.0 has been replaced with Tomcat 8.0 (see http://koji.fedoraproject.org/koji/packageinfo?packageID=12023). The current Dogtag is written for Tomcat 7.0, so it doesn't work on Fedora 22.

One problem is the server.xml included in Dogtag references a class that no longer exists on 8.0:

<Server port="8005" shutdown="SHUTDOWN">
  ...
  <Listener className="org.apache.catalina.core.JasperListener" />
  ...
</Server>
So starting Dogtag on F22 will fail:

24-Feb-2015 02:13:17.815 SEVERE [main] org.apache.tomcat.util.digester.Digester.startElement Begin event threw exception
 java.lang.ClassNotFoundException: org.apache.catalina.core.JasperListener
...
There may be other problems too. This will require further investigation.

One solution is to support both Tomcat versions simultaneously (e.g. providing the server.xml for each Tomcat version). This way the same Dogtag version (e.g. 10.2.x) can run on both F21 and F22.

Another solution is to use different Dogtag versions for different Tomcat versions. Ideally this kind of change should be done in a new minor version, so F21 will have 10.2.x and F22 will have 10.3.x.

Either way, an upgrade script will be needed to convert the 7.0 server.xml in existing instances to 8.0 if necessary.

Migration steps: http://tomcat.apache.org/migration-8.html

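The upgrade script the description asks for has to do at least one concrete thing: drop the Listener entries that Tomcat 8 can no longer load, since Tomcat fails at startup with the ClassNotFoundException shown above. The script below is an added example and is not Dogtag's own upgrade tooling; it assumes Python 3.8+ (for comment-preserving parsing), the SAMPLE_SERVER_XML is a constructed fragment modelled on the snippet in the report, and only org.apache.catalina.core.JasperListener is treated as removed because that is the one class the report names. It also walks the whole tree rather than just the top-level Server element, so Listener entries nested under Engine or Host are handled too.

```python
import xml.etree.ElementTree as ET

# Listener classes that no longer exist in Tomcat 8. Only JasperListener is
# confirmed by this bug; extend the set if a migration guide names others.
REMOVED_LISTENERS = {"org.apache.catalina.core.JasperListener"}

# Constructed sample modelled on the server.xml fragment in the bug report.
# The other two listeners exist in both Tomcat 7 and 8 and must survive.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. -->
  <Listener className="org.apache.catalina.security.SecurityListener" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
"""


def find_stale_listeners(xml_text, removed=REMOVED_LISTENERS):
    """Read-only check: list className values in the file that Tomcat 8 cannot load.

    Useful as a pre-upgrade diagnostic, e.g. to explain a startup failure
    before touching the instance configuration.
    """
    root = ET.fromstring(xml_text)
    return [el.get("className") for el in root.iter("Listener")
            if el.get("className") in removed]


def migrate_server_xml(xml_text, removed=REMOVED_LISTENERS):
    """Return (migrated_xml, dropped_class_names) for a Tomcat 7 server.xml.

    Comments inside the document are kept (insert_comments=True, Python 3.8+)
    so the operator's annotations survive the rewrite. A comment placed before
    the root element is not supported by TreeBuilder and would be lost.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    dropped = []
    # Snapshot the element list first: removing children while root.iter()
    # is still walking the tree could skip a sibling.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "Listener" and child.get("className") in removed:
                parent.remove(child)
                dropped.append(child.get("className"))
    return ET.tostring(root, encoding="unicode"), dropped


if __name__ == "__main__":
    print("stale:", find_stale_listeners(SAMPLE_SERVER_XML))
    migrated, dropped = migrate_server_xml(SAMPLE_SERVER_XML)
    print("dropped:", dropped)
    print(migrated)
```

Running the migration a second time on its own output drops nothing, so the script is safe to re-run on an instance that was already converted. To apply it to a real instance you would read the instance's server.xml, write the returned string back with an XML declaration, and restart the service; back up the original first, since the rewrite does not preserve the whitespace that trailed each removed element.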
Comment 1 Fedora Blocker Bugs Application 2015-02-24 16:10:50 UTC
Proposed as a Blocker for 22-alpha by Fedora user sgallagh using the blocker tracking app because:

 This prevents proper installation and deployment of FreeIPA, which powers the Domain Controller Role of Fedora Server.

This is in violation of the Core Requirements of https://fedoraproject.org/wiki/Domain_controller_role_requirements

Comment 2 Miloslav Trmač 2015-02-24 16:41:40 UTC
Possibly relevant: http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=1542822

Comment 3 Alexander Kurtakov 2015-02-25 16:17:04 UTC
So according to comment 2 updating server.xml to remove the listener in question should fix the problem. 
Are there any other problems?

Comment 4 Endi Sukma Dewata 2015-02-26 02:13:53 UTC
There are other problems. Please see this page:
http://pki.fedoraproject.org/wiki/Tomcat_8

Note that this is still an ongoing investigation, so there may be more problems.

Comment 5 Dan Mossor [danofsatx] 2015-03-02 14:33:35 UTC
+1 AlphaBlocker based on criteria sgallagh cited.

Comment 6 Stephen Gallagher 2015-03-02 14:44:46 UTC
So I've been informed that the ongoing efforts of Dogtag to use Tomcat 8 are proving unsuccessful. Too many things have changed under the hood, and after a full week of trying, they still cannot manage to get it built such that it will run at all.

I've tried to reach out to the Tomcat maintainers, but other than Alexander Kurtakov, I have had no success. With Alpha Freeze already upon us, I think we really need to move forward with the request to downgrade back to Tomcat 7 in Fedora 22 so that efforts to support Tomcat 8 can be moved to Rawhide/F23.

Comment 7 Stephen Gallagher 2015-03-02 14:56:21 UTC
I've opened a FESCo ticket to decide whether to require Tomcat 7 on Fedora 22.
https://fedorahosted.org/fesco/ticket/1418

Comment 8 Petr Schindler 2015-03-02 19:06:45 UTC
Discussed at today's blocker review meeting [1].

This bug was accepted as Alpha Blocker - This bug is a clear violation of the criterion: "The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this." The QA recommendation for the fix is to downgrade the version of Tomcat included in F22, as the development and testing required for the current version to work for F22 is high.

http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/

Comment 9 Fedora Update System 2015-03-04 01:33:39 UTC
tomcat-7.0.59-2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/tomcat-7.0.59-2.fc22

Comment 10 Fedora Update System 2015-03-04 21:07:16 UTC
Package tomcat-7.0.59-3.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing tomcat-7.0.59-3.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3074/tomcat-7.0.59-3.fc22
then log in and leave karma (feedback).

Comment 11 Endi Sukma Dewata 2015-03-05 06:31:31 UTC
On a fresh F22 machine installing Tomcat with yum brings in a mix of Tomcat 7 and 8 packages:
* tomcat-lib-7.0.59-3.fc22.noarch
* tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
* tomcat-el-3.0-api-8.0.18-2.fc22.noarch
* tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
* tomcat-7.0.59-3.fc22.noarch

With this combination the tomcat-lib will contain links to non-existent files:
* /usr/share/java/tomcat/tomcat-jsp-2.2-api.jar
* /usr/share/java/tomcat/tomcat-servlet-3.0-api.jar

Dogtag/IPA installation will fail because of this.

Removing the Tomcat 8 packages manually and reinstalling the corresponding Tomcat 7 packages with yum doesn't work since the packages are considered obsolete:

$ yum install tomcat-servlet-3.0-api tomcat-el-2.2-api tomcat-jsp-2.2-api

Package tomcat-servlet-3.0-api is obsoleted by tomcat-servlet-3.1-api, trying to install tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch instead
Package tomcat-el-2.2-api is obsoleted by tomcat-el-3.0-api, trying to install tomcat-el-3.0-api-8.0.18-2.fc22.noarch instead
Package tomcat-jsp-2.2-api is obsoleted by tomcat-jsp-2.3-api, trying to install tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch instead
Resolving Dependencies
--> Running transaction check
---> Package tomcat-el-3.0-api.noarch 0:8.0.18-2.fc22 will be installed
---> Package tomcat-jsp-2.3-api.noarch 0:8.0.18-2.fc22 will be installed
---> Package tomcat-servlet-3.1-api.noarch 0:8.0.18-2.fc22 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package                         Arch            Version                  Repository       Size
================================================================================================
Installing:
 tomcat-el-3.0-api               noarch          8.0.18-2.fc22            fedora          105 k
 tomcat-jsp-2.3-api              noarch          8.0.18-2.fc22            fedora           70 k
 tomcat-servlet-3.1-api          noarch          8.0.18-2.fc22            fedora          255 k

Transaction Summary
================================================================================================
Install  3 Packages

The workaround is to download and install the Tomcat 7 RPM packages manually.

I will leave a negative karma for this build.

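Several later comments (15, 22, 26) repeat by hand the check that comment 11 describes: look at `rpm -qa | grep -i tomcat` and decide whether the box has the Tomcat 7/8 mix that breaks the tomcat-lib symlinks. The following is an added example, not a tool from the thread or from the Fedora or Dogtag projects; it parses the package list into name/version/release, reports how many distinct Tomcat builds are installed, and flags API packages that belong to a different Tomcat major than the installed core. The MIXED and CLEAN inputs are constructed from the listings in comments 11 and 26, and the expected API package names per major come from those same listings.

```python
from collections import defaultdict

# Constructed from the package list in comment 11 (the broken mix).
MIXED = """\
tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
tomcat-el-3.0-api-8.0.18-2.fc22.noarch
tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcatjss-7.1.1-1.fc22.noarch
"""

# Constructed from the package list in comment 26 (the working state).
CLEAN = """\
tomcatjss-7.1.1-1.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-2.2-api-7.0.59-3.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.0-api-7.0.59-3.fc22.noarch
tomcat-jsp-2.2-api-7.0.59-3.fc22.noarch
"""

# API subpackages each Tomcat major ships, as seen in the thread's listings.
EXPECTED_API = {
    "7": {"tomcat-servlet-3.0-api", "tomcat-el-2.2-api", "tomcat-jsp-2.2-api"},
    "8": {"tomcat-servlet-3.1-api", "tomcat-el-3.0-api", "tomcat-jsp-2.3-api"},
}


def parse_nevra(line):
    """Split one `rpm -qa` line, 'name-version-release.arch', into its parts.

    Package names may themselves contain dashes (tomcat-servlet-3.1-api), so
    split from the right: the last two dashes separate version and release.
    """
    body, arch = line.strip().rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch


def _tomcat_packages(rpm_qa_output):
    """Yield parsed entries for Tomcat's own packages only.

    tomcatjss is a separate project (the JSS connector) with its own version
    line, so it is excluded rather than counted as a third Tomcat build.
    """
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release, arch = parse_nevra(line)
        if name == "tomcat" or name.startswith("tomcat-"):
            yield name, version, release, arch


def tomcat_versions(rpm_qa_output):
    """Map each installed Tomcat version-release to the package names from it."""
    by_version = defaultdict(list)
    for name, version, release, _ in _tomcat_packages(rpm_qa_output):
        # rpm -qa does not print the epoch, so version-release is the key.
        by_version[f"{version}-{release}"].append(name)
    return dict(by_version)


def is_mixed(rpm_qa_output):
    """True when packages from more than one Tomcat build are installed."""
    return len(tomcat_versions(rpm_qa_output)) > 1


def api_mismatches(rpm_qa_output):
    """Return installed tomcat-*-api packages that do not match the core's major.

    This is the precise condition behind the dangling symlinks in comment 11:
    a Tomcat 7 tomcat-lib pointing at jars that only the Tomcat 7 API
    packages provide, while the Tomcat 8 API packages are installed instead.
    """
    core_major = None
    api_names = []
    for name, version, _, _ in _tomcat_packages(rpm_qa_output):
        if name == "tomcat":
            core_major = version.split(".")[0]
        elif name.endswith("-api"):
            api_names.append(name)
    if core_major not in EXPECTED_API:
        raise ValueError("tomcat core package missing or of an unknown major")
    return sorted(n for n in api_names if n not in EXPECTED_API[core_major])


if __name__ == "__main__":
    for label, listing in (("MIXED", MIXED), ("CLEAN", CLEAN)):
        print(label, "mixed:", is_mixed(listing), "builds:", sorted(tomcat_versions(listing)))
        print(label, "api mismatches:", api_mismatches(listing))
```

On a live system feed it the real output (`subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout`); a non-empty mismatch list means the tomcat-lib symlinks will point at jars that are not there, and the fix the thread settled on is to remove the stray packages and install the full set from a single build.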
Comment 12 Stephen Gallagher 2015-03-05 15:21:56 UTC
I'm looking into it, but we may still be able to ship with this, because if this package goes stable, it will replace the 8.0.x ones in the repository (since this isn't going to [updates], but [fedora]).

It would still be an issue for anyone who upgraded their tomcat packages while 8.0 was there, though.

Comment 13 Stephen Gallagher 2015-03-05 15:29:43 UTC
So, I discussed this with Alexander. What we really need to do is get this pushed to the stable [fedora] repo. It will fix itself, because it will remove the 8.0 packages that are obsoleting. This wouldn't work in a stable update, but it *WILL* work during pre-release. If someone upgraded to get to this point, they'll have to do a manual downgrade, but there's nothing we can do to fix it that wouldn't cause bigger problems due to the intricacies of tomcat virtual Provides.

So Endi, please revert your karma, as it's only going to make this problem worse :)

Comment 14 Endi Sukma Dewata 2015-03-05 15:38:26 UTC
OK, karma reversed.

Comment 15 Scott Poore 2015-03-05 17:13:56 UTC
FYI when I tested successfully, I had to make sure all the tomcat 8 packages were removed and install only the tomcat 7 ones here.  Then ipa-server-install worked as expected.

Comment 16 Fedora Update System 2015-03-05 18:22:35 UTC
tomcat-7.0.59-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Endi Sukma Dewata 2015-03-05 23:46:45 UTC
The problem still persists as described in comment #11.

Comment 18 Adam Williamson 2015-03-06 09:40:08 UTC
endi: the stable push has not yet actually completed.

Comment 19 Stephen Gallagher 2015-03-06 09:43:27 UTC
Reopening. During Alpha validation testing, we discovered that the stable push hadn't happened in time for the compose and as a result, the composed ISOs contained both the old and new packages (and the network install "Everything" mirrors still had only the Tomcat 8.0 stuff).

We're currently waiting for the mash to complete of the stable push, which should hopefully resolve the situation for the network install (and rolekit deploy) of Dogtag/FreeIPA.

If that works, what will remain to be decided is whether a Common Bug about not actually selecting FreeIPA/Dogtag/Tomcat packages during anaconda/kickstart is acceptable (and relying on network install to work) or if we consider this a blocking issue and slip one week in the schedule to fix it.

I'll update this BZ once we know if the mash fixes the problem.

Comment 20 Adam Williamson 2015-03-06 11:22:33 UTC
I'm off to bed and probably won't make the go/no-go, so posting my thoughts here.

Assuming FreeIPA server role deployment works from the repos once the stable push is done, I'm not sure we have a violation of the criteria here, on a strict reading. Deploying the Domain Controller role will work. The criteria don't explicitly require it to work with the packages from the DVD, and there's no Alpha criterion relating to optional package sets.

I don't honestly think people really use the frozen Alpha/Beta repos much for this kind of purpose, I strongly suspect anyone testing FreeIPA with Alpha will be using the 'live' repos.

It is sub-optimal that you can't deploy FreeIPA server from the DVD alone, but I'm not sure it violates the criteria, and I don't feel strongly that it necessarily *should*.

So, count me a fairly weak -1 blocker on the current state of this, *assuming* domain controller role deployment works reasonably well once the stable push is complete.

For the record, to my mind the relevant criteria here are the two at https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Role_definition_requirements :

Role definition requirements

Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried.

Role functional requirements

The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this.

Comment 21 Adam Williamson 2015-03-06 11:23:29 UTC
(for the record I'd definitely consider this issue a *Final* blocker - we should always make sure the role criteria are met for deployment from the *Final* DVD.)

Comment 22 Scott Poore 2015-03-06 17:31:39 UTC
I just tried installing freeipa-server from default repos from an RC3 kickstart.

I'm still seeing the tomcat 7/8 mix that Endi described earlier when I run dnf install.

[root@fedora0 ~]# rpm -qa|grep -i tomcat
tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-3.0-api-8.0.18-2.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcatjss-7.1.1-1.fc22.noarch

When I check the RC3 repo, it looks to me like it's still got a mix:

http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_RC3/Server/x86_64/os/Packages/t/

Should this have been updated yet?

Comment 23 Adam Williamson 2015-03-06 17:43:18 UTC
The RC3 repo will never be updated, but it's not the 'default' repo. The default repo is the one for your arch from the development/22 tree:

https://dl.fedoraproject.org/pub/fedora/linux/development/22/

If you look in https://dl.fedoraproject.org/pub/fedora/linux/development/22/x86_64/os/Packages/t/ , you should see only 7.x packages. If you actually installed from the 22 'fedora' repo and got the 8.x mix, you might've gotten a stale mirror, they don't all sync immediately.

Comment 24 Adam Williamson 2015-03-06 17:44:42 UTC
To be clear, there will be a frozen Alpha tree here, once Alpha is released:

https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22-Alpha

but installs of 22 Alpha will not use that as their base repository by default. As I said in #c23 they use the 'fedora' repo, the same one that is the base repo post-install, which is the regularly updated 22 'stable' repo in https://dl.fedoraproject.org/pub/fedora/linux/development/22/ .

Comment 25 Scott Poore 2015-03-06 17:55:55 UTC
I was wondering if I just got unlucky and hit something not in sync.  And I wasn't sure if there was some backend voodoo that would update RC3 repo.  Now I know it's static after it's built.

And yes, I do now see all tomcat 7 with another run:

[root@fedora0 ~]# dnf list tomcat*
Using metadata from Fri Mar  6 17:43:37 2015
Available Packages
tomcat.noarch                                          1:7.0.59-3.fc22                           fedora
tomcat-admin-webapps.noarch                            1:7.0.59-3.fc22                           fedora
tomcat-docs-webapp.noarch                              1:7.0.59-3.fc22                           fedora
tomcat-el-2.2-api.noarch                               1:7.0.59-3.fc22                           fedora
tomcat-javadoc.noarch                                  1:7.0.59-3.fc22                           fedora
tomcat-jsp-2.2-api.noarch                              1:7.0.59-3.fc22                           fedora
tomcat-jsvc.noarch                                     1:7.0.59-3.fc22                           fedora
tomcat-lib.noarch                                      1:7.0.59-3.fc22                           fedora
tomcat-log4j.noarch                                    1:7.0.59-3.fc22                           fedora
tomcat-native.x86_64                                   1.1.32-1.fc22                             fedora
tomcat-servlet-3.0-api.noarch                          1:7.0.59-3.fc22                           fedora
tomcat-webapps.noarch                                  1:7.0.59-3.fc22                           fedora
tomcatjss.noarch                                       7.1.1-1.fc22                              fedora


I'll run a quick check and update here shortly.

Comment 26 Scott Poore 2015-03-06 18:02:26 UTC
so far, so good:

[root@fedora0 ~]# rpm -qa|grep -i tomcat
tomcatjss-7.1.1-1.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-2.2-api-7.0.59-3.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.0-api-7.0.59-3.fc22.noarch
tomcat-jsp-2.2-api-7.0.59-3.fc22.noarch

Comment 27 Scott Poore 2015-03-06 18:09:36 UTC
Looks good:

[root@fedora0 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host fedora0.example.test
The domain name has been determined based on the host name.

Adding [192.168.122.30 fedora0.example.test] to your /etc/hosts file
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       fedora0.example.test
IP address(es): 192.168.122.30
Domain name:    example.test
Realm name:     EXAMPLE.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: set certificate subject base
  [14/27]: enabling Subject Key Identifier
  [15/27]: enabling Subject Alternative Name
  [16/27]: enabling CRL and OCSP extensions for certificates
  [17/27]: setting audit signing renewal to 2 years
  [18/27]: configuring certificate server to start on boot
  [19/27]: restarting certificate server
  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/16]: setting mod_nss port to 443
  [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/16]: setting mod_nss password file
  [4/16]: enabling mod_nss renegotiate
  [5/16]: adding URL rewriting rules
  [6/16]: configuring httpd
  [7/16]: configure certmonger for renewals
  [8/16]: setting up ssl
  [9/16]: importing CA certificates from LDAP
  [10/16]: setting up browser autoconfig
  [11/16]: publish CA cert
  [12/16]: creating a keytab for httpd
  [13/16]: clean up any existing httpd ccache
  [14/16]: configuring SELinux for httpd
  [15/16]: restarting httpd
  [16/16]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@fedora0 ~]#

Comment 28 Petr Schindler 2015-03-06 20:08:55 UTC
Discussed at today's mini blocker review during Go/No-Go meeting [1].

This bug was rejected as Alpha blocker but will be considered as Freeze Exception - This bug can be resolved with an update. Setting it as a Common Bug should be enough, so there's no need to block on it. If the problem reappears, we can propose it to block Beta later.

http://meetbot.fedoraproject.org/fedora-meeting-2/2015-03-06/

Comment 29 Stephen Gallagher 2015-06-22 20:20:12 UTC
What's the current status on this effort? This is quite likely to bite us again in Fedora 23 if not addressed.

Comment 30 Endi Sukma Dewata 2015-06-22 21:25:52 UTC
The latest PKI runs with Tomcat 8 on F23, but it has not been extensively tested and the tool to migrate from Tomcat 7 is not complete.

Comment 31 Stephen Gallagher 2015-09-28 15:32:11 UTC
Can we mark this as closed? FreeIPA 4.2.1 is testing out just fine on my F23 systems.

Comment 32 Matthew Harmsen 2015-09-28 18:05:40 UTC
After conferring with edewata on IRC on 9/28/2015 - closing bug as currentrelease

Comment 33 Scott Poore 2015-09-28 18:45:09 UTC
FYI, I also ran a quick install check for this on a fresh Fedora 23 Beta TC5 build:

[root@fedora-0 yum.repos.d]# dnf -y install freeipa-server-dns
Last metadata expiration check performed 0:16:39 ago on Mon Sep 28 11:31:07 2015.
Dependencies resolved.
...
 tomcat                         noarch   1:8.0.26-1.fc23                       fedora             91 k
 tomcat-el-3.0-api              noarch   1:8.0.26-1.fc23                       fedora            106 k
 tomcat-jsp-2.3-api             noarch   1:8.0.26-1.fc23                       fedora             71 k
 tomcat-lib                     noarch   1:8.0.26-1.fc23                       fedora            4.1 M
 tomcat-servlet-3.1-api         noarch   1:8.0.26-1.fc23                       fedora            256 k
 tomcatjss                      noarch   7.1.3-1.fc23                          fedora             39 k
...

Complete!

[root@fedora-0 yum.repos.d]# rpm -qa|grep -i tomcat
tomcat-jsp-2.3-api-8.0.26-1.fc23.noarch
tomcat-lib-8.0.26-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.26-1.fc23.noarch
tomcat-8.0.26-1.fc23.noarch
tomcat-el-3.0-api-8.0.26-1.fc23.noarch
tomcatjss-7.1.3-1.fc23.noarch

[root@fedora-0 yum.repos.d]# rpm -q freeipa-server
freeipa-server-4.2.1-1.fc23.x86_64

[root@fedora-0 yum.repos.d]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.COM -aSecret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host fedora-0.example.com
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       fedora-0.example.com
IP address(es): 192.168.122.100
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.100 fedora-0.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: adding default schema
  [4/43]: enabling memberof plugin
  [5/43]: enabling winsync plugin
  [6/43]: configuring replication version plugin
  [7/43]: enabling IPA enrollment plugin
  [8/43]: enabling ldapi
  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin
  [11/43]: configuring modrdn plugin
  [12/43]: configuring DNS plugin
  [13/43]: enabling entryUSN plugin
  [14/43]: configuring lockout plugin
  [15/43]: creating indices
  [16/43]: enabling referential integrity plugin
  [17/43]: configuring certmap.conf
  [18/43]: configure autobind for root
  [19/43]: configure new location for managed entries
  [20/43]: configure dirsrv ccache
  [21/43]: enable SASL mapping fallback
  [22/43]: restarting directory server
  [23/43]: adding default layout
  [24/43]: adding delegation layout
  [25/43]: creating container for managed entries
  [26/43]: configuring user private groups
  [27/43]: configuring netgroups from hostgroups
  [28/43]: creating default Sudo bind user
  [29/43]: creating default Auto Member layout
  [30/43]: adding range check plugin
  [31/43]: creating default HBAC rule allow_all
  [32/43]: creating default CA ACL rule
  [33/43]: adding entries for topology management
  [34/43]: initializing group membership
  [35/43]: adding master entry
  [36/43]: initializing domain level
  [37/43]: configuring Posix uid/gid generation
  [38/43]: adding replication acis
  [39/43]: enabling compatibility plugin
  [40/43]: activating sidgen plugin
  [41/43]: activating extdom plugin
  [42/43]: tuning directory server
  [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
  [3/25]: stopping certificate server instance to update CS.cfg
  [4/25]: backing up CS.cfg
  [5/25]: disabling nonces
  [6/25]: set up CRL publishing
  [7/25]: enable PKIX certificate path discovery and validation
  [8/25]: starting certificate server instance
  [9/25]: creating RA agent certificate database
  [10/25]: importing CA chain to RA certificate database
  [11/25]: fixing RA database permissions
  [12/25]: setting up signing cert profile
  [13/25]: setting audit signing renewal to 2 years
  [14/25]: restarting certificate server
  [15/25]: requesting RA certificate from CA
  [16/25]: issuing RA agent certificate
  [17/25]: adding RA agent as a trusted user
  [18/25]: authorizing RA to modify profiles
  [19/25]: configure certmonger for renewals
  [20/25]: configure certificate renewals
  [21/25]: configure RA certificate renewal
  [22/25]: configure Server-Cert certificate renewal
  [23/25]: Configure HTTP to proxy connections
  [24/25]: restarting certificate server
  [25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: configure certmonger for renewals
  [8/18]: setting up ssl
  [9/18]: importing CA certificates from LDAP
  [10/18]: setting up browser autoconfig
  [11/18]: publish CA cert
  [12/18]: creating a keytab for httpd
  [13/18]: clean up any existing httpd ccache
  [14/18]: configuring SELinux for httpd
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

