Description of problem:
Trying to install IPA server on RHEL6.8 I see this failure:

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipaqa64vme.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-_XNDfj -client_certdb_pwd XXXXXXXX -preop_pin WkdqRADy2B2gDAyr6Tvb -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host ipaqa64vme.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=ipaqa64vme.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-47.el6.x86_64
pki-ca-9.0.3-43.el6.noarch

How reproducible:
Unknown

Steps to Reproduce:
1. ipa-server-install --setup-dns --forwarder=<FORWARDER_IP> --hostname=<hostname> -r <REALM> -n <domain> -p <password> -a <password> -U

Actual results:
fails with error shown above.

Expected results:
IPA installs.

Additional info:
Will attach logs
Note, this is the entry from ipaserver-install that prompted the description:

Attempting to connect to: ipaqa64vme.testrelm.test:9445
Connected.
Posting Query = https://ipaqa64vme.testrelm.test:9445//ca/admin/console/config/wizard?p=11&op=next&xml=true&subsystem=CN%3DCA+Subsystem%2CO%3DTESTRELM.TEST&ocsp_signing=CN%3DOCSP+Subsystem%2CO%3DTESTRELM.TEST&signing=CN%3DCertificate+Authority%2CO%3DTESTRELM.TEST&sslserver=CN%3Dipaqa64vme.testrelm.test%2CO%3DTESTRELM.TEST&audit_signing=CN%3DCA+Audit%2CO%3DTESTRELM.TEST&urls=0
RESPONSE STATUS:  HTTP/1.1 404 Not Found
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 10 Dec 2015 16:08:32 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = 
ERROR: Tag='updateStatus' has no values
Error in CertSubjectPanel(): updateStatus value is null
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA
Created attachment 1104469 [details] ipaserver-install.log
Does it work with older PKI? IPA server was not updated in 6.8 yet so the cause might be in some recent build of PKI.
From what I can tell this is the same version of PKI that shipped out with RHEL6.7. So what else should we check? I'm running a test with RHEL6.7 with these versions now to confirm that's good.
Could a change to 389 or httpd have been related to this error? I am seeing it consistently when I try running ipa-server-install. Thanks
If I were to venture a guess as to what might be the difference here, it would be the nss packages. Try reverting those. Also, it would be good to redo the test with debug logging enabled, so we could see details in the debug log.
I'm not sure it's the version of nss. I tried with a couple older versions. I had a failure with nss-3.19.1-5.el6_7.x86_64 on a test host but, when I tried a manual setup on a local VM, it worked. From the rpm list diff there, I don't see a difference in any package versions. I do see a lot more installed on my test host where it's failing though. I'm going to get the debug log now and will post that shortly.
Ok, it was discovered that this failure is due to the system having java 1.8.0 installed. Dogtag 9 does not work with 1.8.0, so to work around this scenario you have to set alternatives to use the installed 1.7.0 version like so:

alternatives --set java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
Created attachment 1111617 [details] Check for incompatible Java at startup This patch provides a check on the Java version at startup, displays an error with correction instructions to the admin, and exits.
Created attachment 1111618 [details] Spec file for incompatible Java version patch
Comment on attachment 1111617 [details]
Check for incompatible Java at startup

As mentioned on #irc,
1. java 6 probably works so no need to check for java_version ==7
2. on the version check, should check for rv!=0 and return rv.

Other than that, ack.
Verified.

I used IPA to verify this as ipa-server-install does a restart where we should see the error message. It should be noted that ipa-server-install will still fail. The details we are looking for are in the install log.

Version ::

[root@ipaqa64vmg yum.repos.d]# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 46 Jan 12 20:18 /etc/alternatives/java -> /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java

[root@ipaqa64vmg yum.repos.d]# ipa-server-install --setup-dns --forwarder=$DNSFORWARDER --hostname=master.testrelm.test --ip-address=$MYIP -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host master.testrelm.test
Warning: hostname master.testrelm.test does not match system hostname <MY_REAL_HOSTNAME>.
System hostname will be updated during the installation process
to prevent service failures.
Adding [<MY_IP_ADDRESS> master.testrelm.test] to your /etc/hosts file
Using reverse zone <REVZONE>.

The IPA Master Server will be configured with:
Hostname:      master.testrelm.test
IP address:    <MY_IP_ADDRESS>
Domain name:   testrelm.test
Realm name:    TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    <DNSFORWARDER>
Reverse zone:  <REVZONE>.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-I3OWL5 -client_certdb_pwd XXXXXXXX -preop_pin Lvs4LzfGTkL8GBTeT7nq -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed

From /var/log/ipaserver-install.log:

2016-01-13T01:29:58Z DEBUG   [2/21]: creating pki-ca instance
2016-01-13T01:29:58Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-01-13T01:30:10Z DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy
2016-01-13T01:30:10Z DEBUG stdout=PKI instance creation Utility ...

Capturing installation information in /var/log/pki-ca-install.log

PKI instance creation completed ...

Installation information recorded in /var/log/pki-ca-install.log.

Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

https://master.testrelm.test:9445/ca/admin/console/config/login?pin=Lvs4LzfGTkL8GBTeT7nq

After configuration, the server can be operated by the command:

    /sbin/service pki-cad restart pki-ca

2016-01-13T01:30:10Z DEBUG stderr=[error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=7
output="Stopping pki-ca:                                            [  OK  ]
Incompatible Java version '1.8.0_65'!
As root, download and install 'jre-1.7.0-openjdk' and run 'alternatives --set java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java'.
"
2016-01-13T01:30:10Z DEBUG duration: 11 seconds
Hi,

I have to disagree with this fix, it breaks our tests. I think it is a bad attitude. pki-ca requires a specific version of java:

# rpm -q --requires pki-ca
/bin/bash
/bin/sh
/bin/sh
/bin/sh
chkconfig
chkconfig
initscripts
initscripts
java-1.7.0-openjdk
pki-ca-theme >= 9.0.0
pki-common = 9.0.3-47.el6
pki-selinux = 9.0.3-47.el6
policycoreutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

, so it should use that specific version of java, but it uses the system java and fails with a warning if the system java is different from 1.7. Your patch makes java 1.7 the default, but it can affect other applications, because java 1.8 is the default for rhel-6.8 and 1.7 will be in maintenance mode soon.

The better way is to fix your application to use java 1.7 directly instead of changing the default java for everyone.
Let me describe the situation a bit (and correct me if I am wrong or misleading).

The version of java used for building packages by default on rhel-6 is and will stay java-1.6.0.

The system-wide java version used at runtime depends on the decision of the administrator and is selected by alternatives. Each java has its own priority in alternatives and the highest one is used when the alternatives mode is 'auto', which is the default. Priority is based on the java version and release combination in a way that java6 < java7 < java8. So if java-1.8.0-* is installed on the system it is used by alternatives as the right target.

The best solution is to be able to run on any supported java version on rhel-6. If that is not possible and a particular version is required, the launcher script should detect the proper java path automatically. It should not, unless absolutely necessary, force the administrator to select a system-wide version. A simple rpm requires on a particular java package is not enough, because in case another package installed on the system depends on a higher java version, that one will be selected in alternatives.
(In reply to Jaroslav Aster from comment #20)
...
> The better way is to fix your application to use java 1.7 directly instead
> of changing default java for everyone.

That makes a lot of sense to me, it would let us avoid PKI breakages because of the Java version. I assume there is some hurdle, as otherwise I assume we would have done it a long time ago.

Ade, can we do what Jaroslav suggested?
Hello!

Lukas summarised it pretty nicely as usual, but let me also clarify something.

You MUST use the system-set java unless it is absolutely impossible to do so. So WHY does pki need exactly java7?? That's troubling me, as such a case should not happen. If you really are not able to run on jdk6, then you should put all your efforts into being compatible with 7 and upper.
 - Here I'm offering help to optimise the application to run on all jdks (at least I would like to know the *why*)
 - To make your app compatible with 7+, you must require >=7 and your launcher must be solid enough to use 8 if it is the system jdk, and only if the system jdk is 6 fall back to 7 or 8 (depending on what is installed)

Similar practices (like depending on an exact jdk) caused a lot of troubles in the past, and should be avoided at all costs. I really do not want to see an exception granted to this package.
Also resetting the bug status until clarification is provided. (feel free to ping/visit please!)
(In reply to Jaroslav Aster from comment #20)
> Hi,
> 
> I have to disagree with this fix, it breaks our tests. I think it is a bad
> attitude. pki-ca requires specific version of java
> 
> # rpm -q --requires pki-ca
> /bin/bash
> /bin/sh
> /bin/sh
> /bin/sh
> chkconfig
> chkconfig
> initscripts
> initscripts
> java-1.7.0-openjdk
> pki-ca-theme >= 9.0.0
> pki-common = 9.0.3-47.el6
> pki-selinux = 9.0.3-47.el6
> policycoreutils
> rpmlib(CompressedFileNames) <= 3.0.4-1
> rpmlib(FileDigests) <= 4.6.0-1
> rpmlib(PayloadFilesHavePrefix) <= 4.0-1
> rpmlib(PayloadIsXz) <= 5.2-1
> 
> , so it should use specific version of java, but it uses system java and
> fails with warning if the system java is different from 1.7. Your patch is
> make java 1.7 default, but it can affect other application, because java 1.8
> is default for rhel-6.8 and 1.7 will be in maintenance mode soon.
> 
> The better way is to fix your application to use java 1.7 directly instead
> of changing default java for everyone.

Please see comment #21 above, specifically:

    Version of java used for building packages by default on rhel-6 is and
    will stay to be java-1.6.0.

    System wide java version used in runtime depends on the decision of
    administrator and selected by alternatives. Each java has its own
    priority in alternatives and highest one is used when mode of
    alternatives is 'auto', which is by default.

Understand that the problem with the version of PKI (DOGTAG 9) on RHEL 6 is not that it only runs with JDK 7, it runs with JDK 6 just fine.

Rather, the problem is that it does NOT run with JDK 8 on RHEL 6, and the decision was made that we would not attempt to fix this since there was a relatively simple work-around.

Consequently, we wrote the check to be inclusive of Java 8 and later, and only print a message in the event that alternatives has specified Java 8 or later; if Java 6 is the current running java as specified by alternatives, no message will be displayed.

In the event that Java 8 or later is being run, note that we do not alter what is being run on the system, but suggest that they download and install 'jre-1.7.0-openjdk'. We simply used Java 7 in our message since it is the most recent version of Java that works.

If the decision is that Dogtag 9 has to work with Java 8 on RHEL 6.8, then the previous decision that the work-around was acceptable will need to be re-visited.
(In reply to Matthew Harmsen from comment #25)
> (In reply to Jaroslav Aster from comment #20)
> > Hi,
> > 
> > I have to disagree with this fix, it breaks our tests. I think it is a bad
> > attitude. pki-ca requires specific version of java
> > 
> > # rpm -q --requires pki-ca
> > /bin/bash
> > /bin/sh
> > /bin/sh
> > /bin/sh
> > chkconfig
> > chkconfig
> > initscripts
> > initscripts
> > java-1.7.0-openjdk
> > pki-ca-theme >= 9.0.0
> > pki-common = 9.0.3-47.el6
> > pki-selinux = 9.0.3-47.el6
> > policycoreutils
> > rpmlib(CompressedFileNames) <= 3.0.4-1
> > rpmlib(FileDigests) <= 4.6.0-1
> > rpmlib(PayloadFilesHavePrefix) <= 4.0-1
> > rpmlib(PayloadIsXz) <= 5.2-1
> > 
> > , so it should use specific version of java, but it uses system java and
> > fails with warning if the system java is different from 1.7. Your patch is
> > make java 1.7 default, but it can affect other application, because java 1.8
> > is default for rhel-6.8 and 1.7 will be in maintenance mode soon.
> > 
> > The better way is to fix your application to use java 1.7 directly instead
> > of changing default java for everyone.
> 
> Please see comment #21 above, specifically:
> 
>     Version of java used for building packages by default on rhel-6 is and
>     will stay to be java-1.6.0.
> 
>     System wide java version used in runtime depends on the decision of
>     administrator and selected by alternatives. Each java has its own
>     priority in alternatives and highest one is used when mode of
>     alternatives is 'auto', which is by default.
> 
> Understand that the problem with the version of PKI (DOGTAG 9) on RHEL 6 is
> not that it only runs with JDK 7, it runs with JDK 6 just fine.
> 
> Rather, the problem is that it does NOT run with JDK 8 on RHEL 6, and the
> decision was made that we would not attempt to fix this since there was a
> relatively simple work-around.
> 

For reference purposes, these are the bugs for the original problem:

* https://bugzilla.redhat.com/show_bug.cgi?id=1212557 - ipa-server-install fails with OpenJDK 1.8
* https://bugzilla.redhat.com/show_bug.cgi?id=1262516 - PKI CA configuration fails with OpenJDK 1.8

> Consequently, we wrote the check to be inclusive of Java 8 and later, and
> only print a message in the event that alternatives has specified Java 8 or
> later; if Java 6 is the current running java as specified by alternatives,
> no message will be displayed.
> 
> In the event that Java 8 or later is being run, note that we do not alter
> what is being run on the system, but suggest that they download and install
> 'jre-1.7.0-openjdk'. We simply used Java 7 in our message since it is the
> most recent version of Java that works.
> 
> If the decision is that Dogtag 9 has to work with Java 8 on RHEL 6.8, then
> the previous decision that the work-around was acceptable will need to be
> re-visited.

I suspect that this would mean backing out the fix in this bug and closing it as INVALID, and perhaps re-opening https://bugzilla.redhat.com/show_bug.cgi?id=1262516 - PKI CA configuration fails with OpenJDK 1.8, and obtaining ACKS for all of the flags.
Hello again!

Thanks for a lot of clarifications. May you point me to the changes in code regarding the:

> "Consequently, we wrote the check to be inclusive of Java 8 and later, and only
> print a message in the event that alternatives has specified Java 8 or later;
> if Java 6 is the current running java as specified by alternatives, no message
> will be displayed."

please?

Two more things to consider:
 - unless it can not be avoided, the package must be compiled by jdk6
 - since December 2016, JDK6 will be considered EOLed and so insecure. We will not force people to migrate, but they will be strongly advised to do so.

Thank you for fixing the launcher!
Fix checked into rhel 6.8 branch ..

Counting objects: 62, done.
Compressing objects: 100% (31/31), done.
Writing objects: 100% (32/32), 5.18 KiB, done.
Total 32 (delta 18), reused 0 (delta 0)
To ssh://git.app.eng.bos.redhat.com/srv/git/pki.git
   3637b1f..dd5039f  DOGTAG_9_0_RHEL_BRANCH -> DOGTAG_9_0_RHEL_BRANCH

Matt will be creating builds.

This fix:
1. causes the ca to use the java 7 jre directly rather than using whatever is in alternatives.
2. Will migrate existing systems to do this.
3. Removes the now obsolete error message referenced in comment 34 above.
*** Bug 1313301 has been marked as a duplicate of this bug. ***
This bug has been changed, and the doc text should be changed accordingly: Previously, installing an IdM server might fail under certain circumstances if java-1.8 is installed. The Public Key Infrastructure (PKI) server, included in Identity Management (IdM), supports Java version 1.7 on Red Hat Enterprise Linux 6. Consequently, the *ipa-server-install* installation script fails on systems where the *java-1.8* package has been installed and selected as the current system *java* using the *alternatives* utility. To fix this issue, a change was made to the pki code to circumvent the *alternatives* facility on Red Hat Enterprise Linux 6.8 by forcing pki servers to always run under OpenJDK 1.7 regardless of the *alternatives* selected version of *java*.
With java 1.8 installed and set as default alternatives, I'm seeing ipa-server-install fail with this version of pki.

  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-SQNPxv -client_certdb_pwd XXXXXXXX -preop_pin TZeyJ9UeEuSUyJoalEgH -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed

From the end of the ipaserver-install.log:

Crypto manager already initialized
Debug : initialize crypto Manager
INITIALIZATION ERROR: org.mozilla.jss.crypto.AlreadyInitializedException
cdir = /tmp/tmp-SQNPxv
Debug : before getInstance
Debug : before get token
Debug : before login password
Debug : after login password
#######################################################################

2016-03-13T16:50:32Z DEBUG stderr=Exception in thread "main" java.lang.NoClassDefFoundError: sun/io/CharToByteConverter
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:760)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
	at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at netscape.security.util.ASN1CharStrConvMap.<clinit>(ASN1CharStrConvMap.java:180)
	at netscape.security.x509.DirStrConverter.getValue(DirStrConverter.java:115)
	at netscape.security.x509.LdapV3DNStrConverter.parseAVAValue(LdapV3DNStrConverter.java:518)
	at netscape.security.x509.LdapV3DNStrConverter.parseAVA(LdapV3DNStrConverter.java:411)
	at netscape.security.x509.LdapV3DNStrConverter.parseRDN(LdapV3DNStrConverter.java:242)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:198)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:107)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:92)
	at netscape.security.x509.X500Name.<init>(X500Name.java:74)
	at ComCrypto.generateCRMFrequest(ComCrypto.java:562)
	at ConfigureCA.AdminCertReqPanel(ConfigureCA.java:999)
	at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1300)
	at ConfigureCA.main(ConfigureCA.java:1663)
Caused by: java.lang.ClassNotFoundException: sun.io.CharToByteConverter
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 25 more

2016-03-13T16:50:32Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-SQNPxv -client_certdb_pwd XXXXXXXX -preop_pin TZeyJ9UeEuSUyJoalEgH -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
2016-03-13T16:50:32Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 952, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 890, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2016-03-13T16:50:32Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Also, version info:

[root@master ~]# rpm -qa|egrep -i "java|pki-ca|ipa-server"|sort
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-50.el6.x86_64
ipa-server-selinux-3.0.0-50.el6.x86_64
ipa-tests-ipa-server-rhel68-shared-20160222131607-0.noarch
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java-1.7.0-openjdk-1.7.0.95-2.6.4.4.el6.x86_64
java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64
java-1.8.0-openjdk-headless-1.8.0.71-5.b15.el6.x86_64
java_cup-0.10k-5.el6.x86_64
libvirt-java-0.4.9-1.el6.noarch
libvirt-java-devel-0.4.9-1.el6.noarch
pki-ca-9.0.3-48.el6.noarch
pki-java-tools-9.0.3-48.el6.noarch
tzdata-java-2016a-2.el6.noarch
Issue is that pkisilent also needs to be set to use Java 1.7.

Checkin below fixes this:

alee@pki-rhel6 pki]$ git push origin DOGTAG_9_0_RHEL_BRANCH
Counting objects: 11, done.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 635 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.app.eng.bos.redhat.com/srv/git/pki.git
   dd5039f..e19ab48  DOGTAG_9_0_RHEL_BRANCH -> DOGTAG_9_0_RHEL_BRANCH
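An added example, not code from the pki packages or from either patch attached to this bug: a POSIX shell version check and JRE selection of the kind the thread asks the launcher to perform. It parses the first line of `java -version` output (both the `java version "1.7.0_95"` and the `openjdk version "1.8.0_71"` forms, and the JDK 9+ form without the leading `1.`), accepts only Java 6 and 7 as the comments above describe, and tries the explicit jre-1.7.0-openjdk path before the alternatives-selected `/usr/bin/java`, so the system-wide alternatives setting is never touched. The JRE path, the `jre-1.7.0-openjdk` message and the exit status 7 are taken from the logs quoted in this bug; the function names and the default candidate list are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a launcher-side Java check for Dogtag 9 on RHEL 6.
# Not from the pki-ca package; paths and function names are assumptions.

# Print the major Java release (6, 7, 8, 11, ...) parsed from the first
# line of 'java -version' output. Handles:
#   java version "1.7.0_95"        (OpenJDK 7 prints "java version")
#   openjdk version "1.8.0_71"     (OpenJDK 8 prints "openjdk version")
#   openjdk version "11.0.2" ...   (JDK 9+ dropped the leading "1.")
# Returns 1 if the line is not a recognisable version banner.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) major=$(printf '%s' "$ver" | cut -d. -f2) ;;   # 1.7.0_95 -> 7
        *)   major=$(printf '%s' "$ver" | cut -d. -f1) ;;   # 11.0.2   -> 11
    esac
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$major"
}

# Return 0 if the Java described by this version line can run Dogtag 9:
# Java 6 and 7 work, Java 8 and later do not (sun/io/CharToByteConverter
# is missing there), and anything older than 6 was never supported.
java_version_supported() {
    major=$(java_major_version "$1") || return 1
    [ "$major" -ge 6 ] && [ "$major" -le 7 ]
}

# Print the path of the first candidate java binary whose reported version
# is supported. Candidates may be given as arguments; by default the
# package's own JRE is tried first so alternatives is bypassed, and the
# alternatives-selected /usr/bin/java is only a fallback. On failure print
# the same advice the init script gave and return 7 (its exit status).
select_java() {
    [ $# -gt 0 ] || set -- /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java /usr/bin/java
    for candidate in "$@"; do
        [ -x "$candidate" ] || continue
        line=$("$candidate" -version 2>&1 | head -n 1)   # banner goes to stderr
        java_version_supported "$line" || continue
        printf '%s\n' "$candidate"
        return 0
    done
    echo "Incompatible Java version; install 'jre-1.7.0-openjdk'." >&2
    return 7
}

# Usage from a launcher script (assumed):
#   JAVA=$(select_java) || exit $?
#   exec "$JAVA" -cp "$CLASSPATH" ConfigureCA "$@"
```

Because the check runs on what the binary actually reports rather than on the rpm dependency, it still does the right thing when another package drags in a newer JDK that alternatives then prefers, which is the scenario Lukas describes above.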
Verified. Version :: pki-ca-9.0.3-49.el6.noarch Results :: [root@vm-idm-006 ~]# alternatives --display java java - status is auto. link currently points to /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java - priority 1800071 slave jjs: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/jjs slave keytool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/keytool slave orbd: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/orbd slave pack200: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/pack200 slave policytool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/policytool slave rmid: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/rmid slave rmiregistry: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/rmiregistry slave servertool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/servertool slave tnameserv: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/tnameserv slave unpack200: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/unpack200 slave jre_exports: /usr/lib/jvm-exports/jre-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64 slave jre: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre slave java.1.gz: /usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave jjs.1.gz: /usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave keytool.1.gz: /usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave pack200.1.gz: /usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave policytool.1.gz: /usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave 
rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz slave unpack200.1.gz: /usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz /usr/lib/jvm/jre-1.5.0-gcj/bin/java - priority 1500 slave jjs: (null) slave keytool: /usr/lib/jvm/jre-1.5.0-gcj/bin/keytool slave orbd: (null) slave pack200: (null) slave policytool: (null) slave rmid: (null) slave rmiregistry: /usr/lib/jvm/jre-1.5.0-gcj/bin/rmiregistry slave servertool: (null) slave tnameserv: (null) slave unpack200: (null) slave jre_exports: /usr/lib/jvm-exports/jre-1.5.0-gcj slave jre: /usr/lib/jvm/jre-1.5.0-gcj slave java.1.gz: (null) slave jjs.1.gz: (null) slave keytool.1.gz: (null) slave orbd.1.gz: (null) slave pack200.1.gz: (null) slave policytool.1.gz: (null) slave rmid.1.gz: (null) slave rmiregistry.1.gz: (null) slave servertool.1.gz: (null) slave tnameserv.1.gz: (null) slave unpack200.1.gz: (null) /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java - priority 170095 slave jjs: (null) slave keytool: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool slave orbd: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/orbd slave pack200: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/pack200 slave policytool: (null) slave rmid: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/rmid slave rmiregistry: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/rmiregistry slave servertool: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/servertool slave tnameserv: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/tnameserv slave unpack200: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/unpack200 slave jre_exports: /usr/lib/jvm-exports/jre-1.7.0-openjdk.x86_64 slave jre: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64 slave java.1.gz: /usr/share/man/man1/java-java-1.7.0-openjdk.1.gz slave jjs.1.gz: (null) slave 
keytool.1.gz: /usr/share/man/man1/keytool-java-1.7.0-openjdk.1.gz slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.7.0-openjdk.1.gz slave pack200.1.gz: /usr/share/man/man1/pack200-java-1.7.0-openjdk.1.gz slave policytool.1.gz: (null) slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.7.0-openjdk.1.gz slave rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.7.0-openjdk.1.gz slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.7.0-openjdk.1.gz slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.7.0-openjdk.1.gz slave unpack200.1.gz: /usr/share/man/man1/unpack200-java-1.7.0-openjdk.1.gz Current `best' version is /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java. [root@vm-idm-006 ~]# ipa-server-install --setup-dns --forwarder=$FORWARDER --hostname=master.testrelm.test --ip-address=$IPADDRESS -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Warning: skipping DNS resolution of host master.testrelm.test Warning: hostname master.testrelm.test does not match system hostname vm-idm-006.olddomain.name System hostname will be updated during the installation process to prevent service failures. Adding [$IPADDRESS master.testrelm.test] to your /etc/hosts file Using reverse zone $REVZONE.in-addr.arpa. 
The IPA Master Server will be configured with:
Hostname:      master.testrelm.test
IP address:    $IPADDRESS
Domain name:   testrelm.test
Realm name:    TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    $FORWARDER
Reverse zone:  $REVZONE.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
    TCP Ports:
      * 80, 443: HTTP/HTTPS
      * 389, 636: LDAP/LDAPS
      * 88, 464: kerberos
      * 53: bind
    UDP Ports:
      * 88, 464: kerberos
      * 53: bind
      * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0909.html