Bug 1214859 - password interface needs to be updated to support nuxwdog
Summary: password interface needs to be updated to support nuxwdog
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcatjss
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.2
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1214858
Blocks: 1216090
Reported: 2015-04-23 16:59 UTC by Matthew Harmsen
Modified: 2015-11-19 04:49 UTC

Fixed In Version: tomcatjss-7.1.2-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The tomcatjss package has been upgraded to upstream version 7.1.2, which provides a number of bug fixes and enhancements over the previous version. Notably, the getPassword method for the tomcatjss utility has been enhanced to optionally include a counter to track the number of retries, which enables tomcatjss to interact with the nuxwdog daemon and allow multiple retries for a password retrieval.
Clone Of: 1214858
Clones: 1216090
Environment:
Last Closed: 2015-11-19 04:49:05 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:2188 | 0 | normal | SHIPPED_LIVE | tomcatjss bug fix and enhancement update | 2015-11-19 08:07:07 UTC

Description Matthew Harmsen 2015-04-23 16:59:48 UTC
+++ This bug was initially created as a clone of Bug #1214858 +++

Password interface needs the method getPassword(tag, iteration) added to interact with nuxwdog to allow multiple retries for a password retrieval.

Also, clean up init code.
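
Added example (not part of the original report and not tomcatjss code): a sketch of how a caller can use a getPassword(tag, iteration) style method to retry a rejected password, with the counter telling the password source that the previous value failed. The PasswordSource interface, MAX_ATTEMPTS, the verifier and the sample passwords are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.function.Predicate;

// Hypothetical stand-in for a password interface with a retry counter.
interface PasswordSource {
    // iteration is 0 on the first request for a tag and grows by one per retry.
    char[] getPassword(String tag, int iteration);
}

public class PasswordRetryDemo {
    static final int MAX_ATTEMPTS = 3; // assumed limit, not taken from tomcatjss

    // Requests the password for tag until verifier accepts it or the limit is hit.
    // Returns the number of attempts used, or -1 if none was accepted.
    static int unlock(PasswordSource source, String tag, Predicate<char[]> verifier) {
        for (int iteration = 0; iteration < MAX_ATTEMPTS; iteration++) {
            char[] candidate = source.getPassword(tag, iteration);
            if (candidate == null) {
                return -1; // the source has nothing more to offer
            }
            try {
                if (verifier.test(candidate)) {
                    return iteration + 1;
                }
            } finally {
                Arrays.fill(candidate, '\0'); // wipe the copy once it has been checked
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed input: an operator who mistypes once, then gets it right.
        String[] typed = { "wrong-example", "right-example" };
        PasswordSource prompt = (tag, iteration) -> {
            System.out.printf("[%s] prompt #%d%s%n", tag, iteration + 1,
                    iteration > 0 ? " (previous attempt rejected)" : "");
            return iteration < typed.length ? typed[iteration].toCharArray() : null;
        };
        // Stand-in for the real check (e.g. logging in to the token or database).
        char[] expected = "right-example".toCharArray();
        int attempts = unlock(prompt, "internaldb", p -> Arrays.equals(p, expected));
        System.out.println(attempts > 0 ? "unlocked after " + attempts + " attempt(s)"
                                        : "no password accepted");
    }
}
```

Bounding the loop matters when the password source is an interactive prompt: without a limit, a service that can never be unlocked would keep prompting instead of failing its start.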

Comment 5 Roshni 2015-08-27 16:20:23 UTC
[root@cloud-qe-7 ~]# rpm -qi tomcatjss
Name        : tomcatjss
Version     : 7.1.2
Release     : 1.el7
Architecture: noarch
Install Date: Wed 26 Aug 2015 03:46:46 PM EDT
Group       : System Environment/Libraries
Size        : 49694
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 05 Aug 2015 06:20:33 AM EDT, Key ID 938a80caf21541eb
Source RPM  : tomcatjss-7.1.2-1.el7.src.rpm
Build Date  : Thu 23 Apr 2015 05:16:52 PM EDT
Build Host  : ppc-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : JSSE implementation using JSS for Tomcat


[root@cloud-qe-7 ~]# rpm -qi nuxwdog
Name        : nuxwdog
Version     : 1.0.3
Release     : 2.el7
Architecture: x86_64
Install Date: Wed 26 Aug 2015 03:45:21 PM EDT
Group       : System Environment/Libraries
Size        : 119114
License     : LGPLv2 and (GPL+ or Artistic)
Signature   : RSA/SHA256, Wed 05 Aug 2015 04:36:27 AM EDT, Key ID 938a80caf21541eb
Source RPM  : nuxwdog-1.0.3-2.el7.src.rpm
Build Date  : Wed 17 Jun 2015 05:02:06 PM EDT
Build Host  : x86-018.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.redhat.com/certificate_system
Summary     : Watchdog server to start and stop processes, and prompt for passwords


[root@cloud-qe-7 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.2.5
Release     : 5.el7
Architecture: noarch
Install Date: Wed 26 Aug 2015 03:46:58 PM EDT
Group       : System Environment/Daemons
Size        : 2429116
License     : GPLv2
Signature   : RSA/SHA256, Mon 17 Aug 2015 10:24:33 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pki-core-10.2.5-5.el7.src.rpm
Build Date  : Wed 12 Aug 2015 09:51:40 PM EDT
Build Host  : ppc-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps:

[root@cloud-qe-7 ~]# pkispawn 

IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 
Directory Server:
  Hostname [cloud-qe-7.idmqe.lab.eng.bos.redhat.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: dc=pki-ca

Security Domain:
  Name [idmqe.lab.eng.bos.redhat.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes

Log file: /var/log/pki/pki-ca-spawn.20150827105815.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://cloud-qe-7.idmqe.lab.eng.bos.redhat.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@cloud-qe-7 ~]# systemctl stop pki-tomcatd
[root@cloud-qe-7 ~]# pki-server instance-nuxwdog-enable pki-tomcat
----------------------------------------
Nuxwdog enabled for instance pki-tomcat.
----------------------------------------
[root@cloud-qe-7 ~]# cat /var/lib/pki/pki-tomcat/conf/password.conf 
internal=930824051813
internaldb=Secret123
replicationdb=-315257593
[root@cloud-qe-7 ~]# systemctl restart pki-tomcatd-nuxwdog
[pki-tomcat] Please provide the password for internal: ************
[pki-tomcat] Please provide the password for internaldb: *********
[pki-tomcat] Please provide the password for replicationdb: **********
[root@cloud-qe-7 ~]# systemctl status pki-tomcatd-nuxwdog
● pki-tomcatd-nuxwdog - PKI Tomcat Server pki-tomcat Started by Nuxwdog
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2015-08-27 11:38:37 EDT; 12s ago
  Process: 22667 ExecStart=/bin/nuxwdog -f /etc/pki/%i/nuxwdog.conf (code=exited, status=0/SUCCESS)
  Process: 22485 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 22670 (nuxwdog)
   CGroup: /system.slice/system-pki\x2dtomcatd\x2dnuxwdog.slice/pki-tomcatd-nuxwdog
           ├─22670 /bin/nuxwdog -f /etc/pki/pki-tomcat/nuxwdog.conf
           └─22671 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.l...

Aug 27 11:38:17 cloud-qe-7.idmqe.lab.eng.bos.redhat.com systemd[1]: Starting ...
Aug 27 11:38:17 cloud-qe-7.idmqe.lab.eng.bos.redhat.com pkidaemon[22485]: SUC...
Aug 27 11:38:17 cloud-qe-7.idmqe.lab.eng.bos.redhat.com pkidaemon[22485]: SUC...
Aug 27 11:38:37 cloud-qe-7.idmqe.lab.eng.bos.redhat.com systemd[1]: Started P...
Hint: Some lines were ellipsized, use -l to show in full.
[root@cloud-qe-7 ~]# systemctl stop pki-tomcatd-nuxwdog
[root@cloud-qe-7 ~]# pki-server instance-nuxwdog-disable pki-tomcat
-----------------------------------------
Nuxwdog disabled for instance pki-tomcat.
-----------------------------------------
[root@cloud-qe-7 ~]# systemctl start pki-tomcatd
[root@cloud-qe-7 ~]# systemctl status pki-tomcatd
● pki-tomcatd - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2015-08-27 11:39:45 EDT; 9s ago
  Process: 23298 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 23477 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd
           └─23477 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpa...

Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: ...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: ...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: ...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: PKILis...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: PKILis...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27...
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: ...
Hint: Some lines were ellipsized, use -l to show in full.
[root@cloud-qe-7 ~]# systemctl status pki-tomcatd -l
● pki-tomcatd - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2015-08-27 11:39:45 EDT; 21s ago
  Process: 23298 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 23477 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd
           └─23477 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27, 2015 11:39:53 AM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 3,422 ms
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27, 2015 11:39:53 AM org.apache.coyote.AbstractProtocol start
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: Starting ProtocolHandler ["http-bio-8080"]
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27, 2015 11:39:53 AM org.apache.coyote.AbstractProtocol start
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: Starting ProtocolHandler ["http-bio-8443"]
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: PKIListener: Subsystem CA is running.
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: Aug 27, 2015 11:39:53 AM org.apache.catalina.startup.Catalina start
Aug 27 11:39:53 cloud-qe-7.idmqe.lab.eng.bos.redhat.com server[23477]: INFO: Server startup in 7061 ms

Comment 6 errata-xmlrpc 2015-11-19 04:49:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2188.html

