Bug 1313458 - cloning CA: Failed to obtain installation token from security domain
cloning CA: Failed to obtain installation token from security domain
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Matthew Harmsen
Asha Akkiangady
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-01 11:01 EST by German Parente
Modified: 2016-05-06 21:13 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-03 11:39:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description German Parente 2016-03-01 11:01:12 EST
Description of problem:

When installing a replica, pkispawn is failing at SystemConfigService.
Authentication is failing in master CA.

I am sorry about logging this bug. It's probably not a bug but a configuration issue but I cannot realise from log what's the issue.

These are the extract of logs in master and in replica in the moment of failure:


in master:

=======================================
[26/Feb/2016:11:32:48][TP-Processor1]: according to ccMode, authorization for servlet: caGetCookie is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie init
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet:service() uri = /ca/admin/ca/getCookie
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='url' value='https://ipa7.istat.it:443/ca/admin/console/config/wizard?p=5&subsystem=CA'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='uid' value='admin'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet::service() param name='pwd' value='(sensitive)'
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: caGetCookie start to service.
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie start
[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie before auth, url =https://ipa7.istat.it:443/ca/admin/console/config/wizard?p=5&subsystem=CA
[26/Feb/2016:11:32:48][TP-Processor1]: IP: 10.18.103.43
[26/Feb/2016:11:32:48][TP-Processor1]: AuthMgrName: passwdUserDBAuthMgr
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: no client certificate found
[26/Feb/2016:11:32:48][TP-Processor1]: Authentication: UID=admin
[26/Feb/2016:11:32:48][TP-Processor1]: In LdapBoundConnFactory::getConn()
[26/Feb/2016:11:32:48][TP-Processor1]: masterConn is connected: true
[26/Feb/2016:11:32:48][TP-Processor1]: getConn: conn is connected true
[26/Feb/2016:11:32:48][TP-Processor1]: getConn: mNumConns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: LdapAnonConnFactory::getConn
[26/Feb/2016:11:32:48][TP-Processor1]: LdapAnonConnFactory.getConn(): num avail conns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: returnConn: mNumConns now 3
[26/Feb/2016:11:32:48][TP-Processor1]: returnConn: mNumConns now 2
[26/Feb/2016:11:32:48][TP-Processor1]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure

[26/Feb/2016:11:32:48][TP-Processor1]: GetCookie authentication failed
[26/Feb/2016:11:32:48][TP-Processor1]: mErrorFormPath=/admin/ca/securitydomainlogin.template
[26/Feb/2016:11:32:48][TP-Processor1]: CMSServlet: curDate=Fri Feb 26 11:32:48 CET 2016 id=caGetCookie time=26
=================================================

in replica
=================================================
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: SystemConfigService: configure()
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://ipa1.istat.it:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://ipa1.istat.it:443, subsystemName=CA ipa7.istat.it 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa7.istat.it, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=false, masterReplicationPort=7389, cloneReplicationPort=389, replicationSecurity=TLS, systemCerts=[com.netscape.certsrv.system.SystemCertData@2681e1f], issuingCA=https://ipa1.istat.it:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=True, subordinateSecurityDomainNamenull]
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: === Token Panel ===
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: === Security Domain Panel ===
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Joining existing security domain
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Resolving security domain URLhttps://ipa1.istat.it:443
[26/Feb/2016:11:32:46][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Feb/2016:11:32:47][http-bio-8443-exec-3]: Getting install token
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Getting install token
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Getting old cookie
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Token: null
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Install token is null
[26/Feb/2016:11:32:48][http-bio-8443-exec-3]: Failed to obtain installation token from security domain
===============================================

Seems rather clear to me that authentication with uid=admin is failing. But I cannot find from the source code how the admin password is obtained. And if it's simple authentication or cert based.


Version-Release number of selected component (if applicable):

pki-server-10.2.5-6.el7

Note You need to log in before you can comment on or make changes to this bug.