Note, this is the entry from ipaserver-install that prompted the description:

Attempting to connect to: ipaqa64vme.testrelm.test:9445
Connected.
Posting Query = https://ipaqa64vme.testrelm.test:9445//ca/admin/console/config/wizard?p=11&op=next&xml=true&subsystem=CN%3DCA+Subsystem%2CO%3DTESTRELM.TEST&ocsp_signing=CN%3DOCSP+Subsystem%2CO%3DTESTRELM.TEST&si
gning=CN%3DCertificate+Authority%2CO%3DTESTRELM.TEST&sslserver=CN%3Dipaqa64vme.testrelm.test%2CO%3DTESTRELM.TEST&audit_signing=CN%3DCA+Audit%2CO%3DTESTRELM.TEST&urls=0
RESPONSE STATUS:  HTTP/1.1 404 Not Found
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 10 Dec 2015 16:08:32 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = 
ERROR: Tag='updateStatus' has no values
Error in CertSubjectPanel(): updateStatus value is null
ERROR: ConfigureCA: CertSubjectPanel() failure
ERROR: unable to create CA

Created attachment 1104469 [details]
ipaserver-install.log

Does it work with older PKI? IPA server was not updated in 6.8 yet so the cause might be in some recent build of PKI.

From what I can tell this is the same version of PKI that shipped out with RHEL6.7.  So what else should we check?  

I'm running a test with RHEL6.7 with these versions now to confirm that's good.

Could a change to 389 or httpd have be related to this error?

I am seeing it consistently when I try running ipa-server-install.

Thanks

If I were to venture a guess as to what might be the difference here, it would be the nss packages.  Try reverting those.

Also, it would be good to redo the test with debug logging enabled, so we could see details in the debug log.

I'm not sure it's the version of nss.  I tried with a couple older versions.  I had a failure with nss-3.19.1-5.el6_7.x86_64 on a test host but, when I tried a manual setup on a local VM, it worked.  From the rpm list diff there, I don't see a difference in any package versions.  I do see a lot more installed on my test host where it's failing though.

I'm going to get the debug log now and will post that shortly.

Ok, it was discovered that this failure is due to the system having java 1.8.0 installed.  Dogtag 9 does not work with 1.8.0 so to workaround this scenario, you have to set alternatives to use the 1.7.0 version installed like so:

alternatives --set java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java

Created attachment 1111617 [details]
Check for incompatible Java at startup

This patch provides a check on the Java version at startup, displays an error with correction instructions to the admin, and exits.

Created attachment 1111618 [details]
Spec file for incompatible Java version patch

Comment on attachment 1111617 [details]
Check for incompatible Java at startup

As mentioned on #irc, 

1. java 6 probably works so no need to check for java_version ==7
2. on the version check, should check for rv!=0 and return rv.

Other than that, ack.

Verified.

I used IPA to verify this as ipa-server-install does a restart where we should see the error message.  It should be noted that ipa-server-install will still fail.  The details we are looking for are in the install log.

Version ::


[root@ipaqa64vmg yum.repos.d]# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 46 Jan 12 20:18 /etc/alternatives/java -> /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java

[root@ipaqa64vmg yum.repos.d]# ipa-server-install --setup-dns --forwarder=$DNSFORWARDER --hostname=master.testrelm.test --ip-address=$MYIP -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U
[root@ipaqa64vmg yum.repos.d]# ipa-server-install --setup-dns --forwarder=$DNSFORWARDER --hostname=master.testrelm.test --ip-address=$MYIP -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host master.testrelm.test

Warning: hostname master.testrelm.test does not match system hostname <MY_REAL_HOSTNAME>.
System hostname will be updated during the installation process
to prevent service failures.

Adding [<MY_IP_ADDRESS> master.testrelm.test] to your /etc/hosts file
Using reverse zone <REVZONE>.

The IPA Master Server will be configured with:
Hostname:      master.testrelm.test
IP address:    <MY_IP_ADDRESS>
Domain name:   testrelm.test
Realm name:    TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    <DNSFORWARDER>
Reverse zone:  <REVZONE>.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-I3OWL5 -client_certdb_pwd XXXXXXXX -preop_pin Lvs4LzfGTkL8GBTeT7nq -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed


From /var/log/ipaserver-install.log:

2016-01-13T01:29:58Z DEBUG   [2/21]: creating pki-ca instance
2016-01-13T01:29:58Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-01-13T01:30:10Z DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy
2016-01-13T01:30:10Z DEBUG stdout=PKI instance creation Utility ...

Capturing installation information in /var/log/pki-ca-install.log

PKI instance creation completed ...

Installation information recorded in /var/log/pki-ca-install.log.
Before proceeding with the configuration, make sure 
the firewall settings of this machine permit proper 
access to this subsystem. 

Please start the configuration by accessing:

https://master.testrelm.test:9445/ca/admin/console/config/login?pin=Lvs4LzfGTkL8GBTeT7nq

After configuration, the server can be operated by the command:

    /sbin/service pki-cad restart pki-ca


2016-01-13T01:30:10Z DEBUG stderr=[error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=7 output="Stopping pki-ca: [  OK  ]
Incompatible Java version '1.8.0_65'!

    As root, download and install 'jre-1.7.0-openjdk' and run
    'alternatives --set java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java'.
"

2016-01-13T01:30:10Z DEBUG   duration: 11 seconds

Hi,

I have to disagree with this fix, it breaks our tests. I think it is a bad attitude. pki-ca requires specific version of java

# rpm -q --requires pki-ca
/bin/bash  
/bin/sh  
/bin/sh  
/bin/sh  
chkconfig  
chkconfig  
initscripts  
initscripts  
java-1.7.0-openjdk  
pki-ca-theme >= 9.0.0
pki-common = 9.0.3-47.el6
pki-selinux = 9.0.3-47.el6
policycoreutils  
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

, so it should use specific version of java, but it uses system java and fails with warning if the system java is different from 1.7. Your patch is make java 1.7 default, but it can affect other application, because java 1.8 is default for rhel-6.8 and 1.7 will be in maintenance mode soon.

The better way is to fix your application to use java 1.7 directly instead of changing default java for everyone.

Let me describe the situation a bit (and correct me if I am wrong or misleading).

Version of java used for building packages by default on rhel-6 is and will stay to be java-1.6.0.

System wide java version used in runtime depends on the decision of administrator and selected by alternatives. Each java has its own priority in alternatives and highest one is used when mode of alternatives is 'auto', which is by default.

Priority is based on java version and release combination in a way that java6 < java7 < java8. So if java-1.8.0-* is installed on the system it is used by alternatives as the right target.

Best solution is to be able to run on any supported java version on rhel-6.

If that is not possible and particular version is required, the launcher script should detect proper java path automatically.
It should not, unless absolutely necessary, force the administrator to select system-wide version. Simple rpm requires on particular java package is not enough, because in case that other package installed on system will depend on higher java version, it will be selected in alternatives.

(In reply to Jaroslav Aster from comment #20)
...
> The better way is to fix your application to use java 1.7 directly instead
> of changing default java for everyone.

That makes a lot of sense to me, it would us avoid PKI breakages because of Java version. I assume there is some hurdle as I assume we would do it long time ago.

Ade, can we do what Jaroslav suggested?

Hello!

Lukas summarised it pretty nicely as usually, but let also myself clarify something.

You MUST use system set java unless it is absolutely impossible to do so.
so WHY pki needs exactly java7?? Thats troubling me as such case should not happen.

If you really are not able to run on jdk6, then you should put all yours efforts to be compatible with 7 and upper. 

- Here I'm offering help to optimise application to run on all jdks (at least I would like to knwo the *why* -

To make your app compatible with 7+, you must require >=7 and  yours launcher must be solid enough, to use 8 if it is system jdk. ANd only if system jdk 6 fallback to 7 or 8 (depending what is installed)

Similar practices (like depending on exact jdk) caused a lot of troubles in past, and should be avoided in all costs.

I really wont to see en exception granted to this package.

Also reseting the bugstatus untill clarification is provided. (feel free to ping/visit please!)

(In reply to Jaroslav Aster from comment #20)
> Hi,
> 
> I have to disagree with this fix, it breaks our tests. I think it is a bad
> attitude. pki-ca requires specific version of java
> 
> # rpm -q --requires pki-ca
> /bin/bash  
> /bin/sh  
> /bin/sh  
> /bin/sh  
> chkconfig  
> chkconfig  
> initscripts  
> initscripts  
> java-1.7.0-openjdk  
> pki-ca-theme >= 9.0.0
> pki-common = 9.0.3-47.el6
> pki-selinux = 9.0.3-47.el6
> policycoreutils  
> rpmlib(CompressedFileNames) <= 3.0.4-1
> rpmlib(FileDigests) <= 4.6.0-1
> rpmlib(PayloadFilesHavePrefix) <= 4.0-1
> rpmlib(PayloadIsXz) <= 5.2-1
> 
> , so it should use specific version of java, but it uses system java and
> fails with warning if the system java is different from 1.7. Your patch is
> make java 1.7 default, but it can affect other application, because java 1.8
> is default for rhel-6.8 and 1.7 will be in maintenance mode soon.
> 
> The better way is to fix your application to use java 1.7 directly instead
> of changing default java for everyone.

Please see comment #21 above, specifically:

    Version of java used for building packages by default on rhel-6 is and
    will stay to be java-1.6.0.

    System wide java version used in runtime depends on the decision of 
    administrator and selected by alternatives. Each java has its own priority
    in alternatives and highest one is used when mode of alternatives is
    'auto', which is by default.

Understand that the problem with the version of PKI (DOGTAG 9) on RHEL 6 is not that it only runs with JDK 7, it runs with JDK 6 just fine.

Rather, the problem is that it does NOT run with JDK 8 on RHEL 6, and the decision was made that we would not attempt to fix this since there was a
relatively simple work-around.

Consequently, we wrote the check to be inclusive of Java 8 and later, and only print a message in the event that alternatives has specified Java 8 or later;
if Java 6 is the current running java as specified by alternatives, no message will be displayed.

In the event that Java 8 or later is being run, note that we do not alter what is being run on the system, but suggest that they download and install 'jre-1.7.0-openjdk'.  We simply used Java 7 in our message since it is the most recent version of Java that works.

If the decision is that Dogtag 9 has to work with Java 8 on RHEL 6.8, then the previous decision that the work-around was acceptable will need to be re-visited.

(In reply to Matthew Harmsen from comment #25)
> (In reply to Jaroslav Aster from comment #20)
> > Hi,
> > 
> > I have to disagree with this fix, it breaks our tests. I think it is a bad
> > attitude. pki-ca requires specific version of java
> > 
> > # rpm -q --requires pki-ca
> > /bin/bash  
> > /bin/sh  
> > /bin/sh  
> > /bin/sh  
> > chkconfig  
> > chkconfig  
> > initscripts  
> > initscripts  
> > java-1.7.0-openjdk  
> > pki-ca-theme >= 9.0.0
> > pki-common = 9.0.3-47.el6
> > pki-selinux = 9.0.3-47.el6
> > policycoreutils  
> > rpmlib(CompressedFileNames) <= 3.0.4-1
> > rpmlib(FileDigests) <= 4.6.0-1
> > rpmlib(PayloadFilesHavePrefix) <= 4.0-1
> > rpmlib(PayloadIsXz) <= 5.2-1
> > 
> > , so it should use specific version of java, but it uses system java and
> > fails with warning if the system java is different from 1.7. Your patch is
> > make java 1.7 default, but it can affect other application, because java 1.8
> > is default for rhel-6.8 and 1.7 will be in maintenance mode soon.
> > 
> > The better way is to fix your application to use java 1.7 directly instead
> > of changing default java for everyone.
> 
> Please see comment #21 above, specifically:
> 
>     Version of java used for building packages by default on rhel-6 is and
>     will stay to be java-1.6.0.
> 
>     System wide java version used in runtime depends on the decision of 
>     administrator and selected by alternatives. Each java has its own
> priority
>     in alternatives and highest one is used when mode of alternatives is
>     'auto', which is by default.
> 
> Understand that the problem with the version of PKI (DOGTAG 9) on RHEL 6 is
> not that it only runs with JDK 7, it runs with JDK 6 just fine.
> 
> Rather, the problem is that it does NOT run with JDK 8 on RHEL 6, and the
> decision was made that we would not attempt to fix this since there was a
> relatively simple work-around.
> 

For reference purposes, these are the bugs for the original problem:
* https://bugzilla.redhat.com/show_bug.cgi?id=1212557 - ipa-server-install 
  fails with OpenJDK 1.8
* https://bugzilla.redhat.com/show_bug.cgi?id=1262516 - PKI CA configuration
  fails with OpenJDK 1.8

> Consequently, we wrote the check to be inclusive of Java 8 and later, and
> only print a message in the event that alternatives has specified Java 8 or
> later;
> if Java 6 is the current running java as specified by alternatives, no
> message will be displayed.
> 
> In the event that Java 8 or later is being run, note that we do not alter
> what is being run on the system, but suggest that they download and install
> 'jre-1.7.0-openjdk'.  We simply used Java 7 in our message since it is the
> most recent version of Java that works.
> 
> If the decision is that Dogtag 9 has to work with Java 8 on RHEL 6.8, then
> the previous decision that the work-around was acceptable will need to be
> re-visited.

I suspect that this would mean backing out the fix in this bug and closing it as INVALID, and perhaps re-opening https://bugzilla.redhat.com/show_bug.cgi?id=1262516 -  PKI CA configuration fails with OpenJDK 1.8, and obtaining ACKS for all of the flags.

Hello again!

Thanx for a lot of clarifications. May you point me to changes in code regarding the:

>"Consequently, we wrote the check to be inclusive of Java 8 and later, and only
>print a message in the event that alternatives has specified Java 8 or later
>;if Java 6 is the current running java as specified by alternatives, no message
>will be displayed." 

please?


Two more things to consider:
 - unless it can not be avoided, package must be compiled by jdk6
 - since December 2016, JDK6 will bee considered as EOLed ans so unsecure

We will not force people to migrate, but they will be strongly advised to do so.



Thank you for fixing the launcher!

Fix checked into rhel 6.8 branch ..

Counting objects: 62, done.
Compressing objects: 100% (31/31), done.
Writing objects: 100% (32/32), 5.18 KiB, done.
Total 32 (delta 18), reused 0 (delta 0)
To ssh://git.app.eng.bos.redhat.com/srv/git/pki.git
   3637b1f..dd5039f  DOGTAG_9_0_RHEL_BRANCH -> DOGTAG_9_0_RHEL_BRANCH

Matt will be creating builds.

This fix:
1.  causes the ca to use the java 7 jre directly rather than using whatever is in
    alternatives.
2.  Will migrate existing systems to do this.
3,  Removes the now obsolete error message referenced in comment 34 above.

*** Bug 1313301 has been marked as a duplicate of this bug. ***

This bug has been changed, and the doc text should be changed accordingly:

Previously, installing an IdM server might fail under certain circumstances if java-1.8 is installed.

The Public Key Infrastructure (PKI) server, included in Identity Management (IdM), supports Java version 1.7 on Red Hat Enterprise Linux 6. Consequently, the *ipa-server-install* installation script fails on systems where the *java-1.8* package has been installed and selected as the current system *java* using the *alternatives* utility.

To fix this issue, a change was made to the pki code to circumvent the *alternatives* facility on Red Hat Enterprise Linux 6.8 by forcing pki servers to always run under OpenJDK 1.7 regardless of the *alternatives* selected version of *java*.

With java 1.8 installed and set as default alternatives, I'm seeing ipa-server-install fail with this version of pki.

  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-SQNPxv -client_certdb_pwd XXXXXXXX -preop_pin TZeyJ9UeEuSUyJoalEgH -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed


From the end of the ipaserver-install.log

Crypto manager already initialized
Debug : initialize crypto Manager
INITIALIZATION ERROR: org.mozilla.jss.crypto.AlreadyInitializedException
cdir = /tmp/tmp-SQNPxv
Debug : before getInstance
Debug : before get token
Debug : before login password
Debug : after login password

#######################################################################

2016-03-13T16:50:32Z DEBUG stderr=Exception in thread "main" java.lang.NoClassDefFoundError: sun/io/CharToByteConverter
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:760)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
	at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at netscape.security.util.ASN1CharStrConvMap.<clinit>(ASN1CharStrConvMap.java:180)
	at netscape.security.x509.DirStrConverter.getValue(DirStrConverter.java:115)
	at netscape.security.x509.LdapV3DNStrConverter.parseAVAValue(LdapV3DNStrConverter.java:518)
	at netscape.security.x509.LdapV3DNStrConverter.parseAVA(LdapV3DNStrConverter.java:411)
	at netscape.security.x509.LdapV3DNStrConverter.parseRDN(LdapV3DNStrConverter.java:242)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:198)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:107)
	at netscape.security.x509.LdapV3DNStrConverter.parseDN(LdapV3DNStrConverter.java:92)
	at netscape.security.x509.X500Name.<init>(X500Name.java:74)
	at ComCrypto.generateCRMFrequest(ComCrypto.java:562)
	at ConfigureCA.AdminCertReqPanel(ConfigureCA.java:999)
	at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1300)
	at ConfigureCA.main(ConfigureCA.java:1663)
Caused by: java.lang.ClassNotFoundException: sun.io.CharToByteConverter
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 25 more

2016-03-13T16:50:32Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-SQNPxv -client_certdb_pwd XXXXXXXX -preop_pin TZeyJ9UeEuSUyJoalEgH -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
2016-03-13T16:50:32Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 952, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 890, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2016-03-13T16:50:32Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

Also, version info:

[root@master ~]# rpm -qa|egrep -i "java|pki-ca|ipa-server"|sort
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-50.el6.x86_64
ipa-server-selinux-3.0.0-50.el6.x86_64
ipa-tests-ipa-server-rhel68-shared-20160222131607-0.noarch
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java-1.7.0-openjdk-1.7.0.95-2.6.4.4.el6.x86_64
java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64
java-1.8.0-openjdk-headless-1.8.0.71-5.b15.el6.x86_64
java_cup-0.10k-5.el6.x86_64
libvirt-java-0.4.9-1.el6.noarch
libvirt-java-devel-0.4.9-1.el6.noarch
pki-ca-9.0.3-48.el6.noarch
pki-java-tools-9.0.3-48.el6.noarch
tzdata-java-2016a-2.el6.noarch

Issue is that pkisilent also needs to be set to use Java 1.7.
Checkin below fixes this: 

alee@pki-rhel6 pki]$ git push origin DOGTAG_9_0_RHEL_BRANCH
Counting objects: 11, done.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 635 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.app.eng.bos.redhat.com/srv/git/pki.git
   dd5039f..e19ab48  DOGTAG_9_0_RHEL_BRANCH -> DOGTAG_9_0_RHEL_BRANCH

Verified.

Version ::

pki-ca-9.0.3-49.el6.noarch

Results ::

[root@vm-idm-006 ~]# alternatives --display java
java - status is auto.
 link currently points to /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java
/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java - priority 1800071
 slave jjs: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/jjs
 slave keytool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/keytool
 slave orbd: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/orbd
 slave pack200: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/pack200
 slave policytool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/policytool
 slave rmid: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/rmid
 slave rmiregistry: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/rmiregistry
 slave servertool: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/servertool
 slave tnameserv: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/tnameserv
 slave unpack200: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre/bin/unpack200
 slave jre_exports: /usr/lib/jvm-exports/jre-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64
 slave jre: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64/jre
 slave java.1.gz: /usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave jjs.1.gz: /usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave keytool.1.gz: /usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave pack200.1.gz: /usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave policytool.1.gz: /usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
 slave unpack200.1.gz: /usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.71-5.b15.el6.x86_64.1.gz
/usr/lib/jvm/jre-1.5.0-gcj/bin/java - priority 1500
 slave jjs: (null)
 slave keytool: /usr/lib/jvm/jre-1.5.0-gcj/bin/keytool
 slave orbd: (null)
 slave pack200: (null)
 slave policytool: (null)
 slave rmid: (null)
 slave rmiregistry: /usr/lib/jvm/jre-1.5.0-gcj/bin/rmiregistry
 slave servertool: (null)
 slave tnameserv: (null)
 slave unpack200: (null)
 slave jre_exports: /usr/lib/jvm-exports/jre-1.5.0-gcj
 slave jre: /usr/lib/jvm/jre-1.5.0-gcj
 slave java.1.gz: (null)
 slave jjs.1.gz: (null)
 slave keytool.1.gz: (null)
 slave orbd.1.gz: (null)
 slave pack200.1.gz: (null)
 slave policytool.1.gz: (null)
 slave rmid.1.gz: (null)
 slave rmiregistry.1.gz: (null)
 slave servertool.1.gz: (null)
 slave tnameserv.1.gz: (null)
 slave unpack200.1.gz: (null)
/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java - priority 170095
 slave jjs: (null)
 slave keytool: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool
 slave orbd: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/orbd
 slave pack200: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/pack200
 slave policytool: (null)
 slave rmid: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/rmid
 slave rmiregistry: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/rmiregistry
 slave servertool: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/servertool
 slave tnameserv: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/tnameserv
 slave unpack200: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/unpack200
 slave jre_exports: /usr/lib/jvm-exports/jre-1.7.0-openjdk.x86_64
 slave jre: /usr/lib/jvm/jre-1.7.0-openjdk.x86_64
 slave java.1.gz: /usr/share/man/man1/java-java-1.7.0-openjdk.1.gz
 slave jjs.1.gz: (null)
 slave keytool.1.gz: /usr/share/man/man1/keytool-java-1.7.0-openjdk.1.gz
 slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.7.0-openjdk.1.gz
 slave pack200.1.gz: /usr/share/man/man1/pack200-java-1.7.0-openjdk.1.gz
 slave policytool.1.gz: (null)
 slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.7.0-openjdk.1.gz
 slave rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.7.0-openjdk.1.gz
 slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.7.0-openjdk.1.gz
 slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.7.0-openjdk.1.gz
 slave unpack200.1.gz: /usr/share/man/man1/unpack200-java-1.7.0-openjdk.1.gz
Current `best' version is /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java.


[root@vm-idm-006 ~]# ipa-server-install --setup-dns --forwarder=$FORWARDER --hostname=master.testrelm.test --ip-address=$IPADDRESS -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host master.testrelm.test

Warning: hostname master.testrelm.test does not match system hostname vm-idm-006.olddomain.name
System hostname will be updated during the installation process
to prevent service failures.

Adding [$IPADDRESS master.testrelm.test] to your /etc/hosts file
Using reverse zone $REVZONE.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      master.testrelm.test
IP address:    $IPADDRESS
Domain name:   testrelm.test
Realm name:    TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    $FORWARDER
Reverse zone:  $REVZONE.in-addr.arpa.


Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
^@  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0909.html

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days