Bug 1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs
Summary: update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1417066
 
Reported: 2017-01-12 14:40 UTC by Amy Farley
Modified: 2020-10-04 21:21 UTC

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
PKI Server no longer fails to start when an "entryUSN" attribute contains a value larger than 32-bit
Previously, the "LDAP Profile Monitor" and the "Lightweight CA Monitor" parsed values in "entryUSN" attributes as a 32-bit integer. As a consequence, when the attribute contained a value larger than that, a `NumberFormatException` error was logged and the server failed to start. The problem has been fixed, and the server no longer fails to start in the mentioned scenario.
Clone Of:
: 1417066 (view as bug list)
Environment:
Last Closed: 2017-08-01 22:48:25 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2699 0 None None None 2020-10-04 21:21:53 UTC
Red Hat Product Errata RHBA-2017:2110 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Comment 18 Petr Vobornik 2017-01-17 11:41:53 UTC
Moving to pki-core based on comment 16 (issue in PKI)

Comment 34 Geetika Kapoor 2017-05-10 19:14:46 UTC
Hi,

How to reproduce/test this Bugzilla?

Thanks,
Geetika

Comment 35 Marc Sauton 2017-05-10 20:36:00 UTC
comment 26 has the main hint about the issue
https://bugzilla.redhat.com/show_bug.cgi?id=1412681#c26

but here are some detailed steps:

- failed environment:

RHEL-7.3
ipa-server-4.4.0-12.el7.x86_64
pki-ca-10.3.3-10.el7.noarch

journalctl -f _SYSTEMD_UNIT=pki-tomcatd@pki-tomcat.service
...
Jan 27 02:31:19 ipaserver1.example.com server[1794]: Exception in thread "authorityMonitor" java.lang.NumberFormatException: For input string: "3147483647"
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.parseInt(Integer.java:583)
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.<init>(Integer.java:867)
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.readAuthority(CertificateAuthority.java:3290)
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.run(CertificateAuthority.java:3197)
Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Thread.run(Thread.java:745)


- fix was tested with:
pki-base-10.3.3-16.2.el7_3.noarch
pki-server-10.3.3-16.2.el7_3.noarch
pki-tools-10.3.3-16.2.el7_3.x86_64
pki-base-java-10.3.3-16.2.el7_3.noarch
pki-kra-10.3.3-16.2.el7_3.noarch
pki-ca-10.3.3-16.2.el7_3.noarch

- have 1 IPA master already setup:
  test was with example.com and EXAMPLE-COM
  it is best to test with a subordinate CA, to exercise more code paths

- optional sanity check on default usn, low value expected:
/usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "" -s base "(objectclass=*)" lastusn

expected output example:
dn:
lastusn: 232747

- set the next entryusn start value from an import to a high value, something over 2^31-1 or 2147483647
ldapmodify -x -D "cn=directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-entryusn-import-initval
nsslapd-entryusn-import-initval: 3147483647
EOF

- export the LDAP ipaca backend
/var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -r -D "cn=directory manager" -w password -n ipaca -a /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif

- import the LDAP ipaca backend saved in the previous step:
/var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db.pl -D "cn=directory manager" -w password -n ipaca -i /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.20170117195529.ldif

- optional sanity check for high entryusn values:
/usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn

expected output example:
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

- restart CA
systemctl stop pki-tomcatd@pki-tomcat.service
systemctl start pki-tomcatd@pki-tomcat.service

- final error check, nothing should be returned from this command:
grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
[root@ipaserver1 ~]#
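
A check for the condition that comment 35 reproduces, given here as an added example that is not part of the bug report or of pki-core: it lists entries whose entryusn exceeds 2147483647, the largest value a signed 32-bit parse accepts. The function names and the two "constructed" entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): list entries whose entryUSN does not
# fit a signed 32-bit integer. Input: LDIF from `ldapsearch -LLL -o ldif-wrap=no`.
INT32_MAX=2147483647

# exceeds_int32 VALUE: status 0 if VALUE > 2^31-1, 1 if not, 2 if not decimal.
# Length is compared first, so values beyond 64-bit shell arithmetic still work.
exceeds_int32() {
    _v=$1
    case $_v in ''|*[!0-9]*) return 2 ;; esac
    while [ "${#_v}" -gt 1 ]; do              # strip leading zeros
        case $_v in 0*) _v=${_v#0} ;; *) break ;; esac
    done
    [ "${#_v}" -gt "${#INT32_MAX}" ] && return 0
    [ "${#_v}" -lt "${#INT32_MAX}" ] && return 1
    [ "$_v" -gt "$INT32_MAX" ]                # same length: safe numeric compare
}

# scan_entryusn: read LDIF on stdin, print "DN<TAB>entryUSN" for oversized values.
scan_entryusn() {
    _dn=
    while IFS= read -r _line; do
        case $_line in
            dn:*) _dn=${_line#dn:}; _dn=${_dn# } ;;
            [Ee][Nn][Tt][Rr][Yy][Uu][Ss][Nn]:*)      # attribute names are case-insensitive
                _usn=${_line#*:}; _usn=${_usn# }
                if exceeds_int32 "$_usn"; then printf '%s\t%s\n' "$_dn" "$_usn"; fi ;;
            '') _dn= ;;                              # blank line ends an entry
        esac
    done
    return 0
}

# Constructed sample; only the first entry's values appear in the bug report.
sample_ldif() {
    cat <<'EOF'
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

dn: cn=constructedLow,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 1970

dn: cn=constructedHuge,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 36893488147419103232
EOF
}

sample_ldif | scan_entryusn
```

On a live server, pipe the output of the ldapsearch sanity check from comment 35, with -o ldif-wrap=no added, into scan_entryusn in place of sample_ldif.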

Comment 36 Marc Sauton 2017-05-10 20:37:11 UTC
clearing the needinfo flag

Comment 37 Geetika Kapoor 2017-06-07 12:10:46 UTC
Test environment:
pki-ca-10.4.1-8.el7.noarch

Test steps performed based on Comment #35:
==========================================

step 1 :

[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "" -s base "(objectclass=*)" lastusn
dn:
lastusn: 1970

Step 2 :

[root@ipaqavmd ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-entryusn-import-initval
> nsslapd-entryusn-import-initval: 3147483647
> EOF
modifying entry "cn=config"

Step 3:

[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/db2ldif.pl -r -D "cn=directory manager" -w Secret123 -n ipaca -a /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif
Exporting to ldif file: /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=export_2017_6_7_8_3_19, cn=export, cn=tasks, cn=config"

Step 4:

[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/ldif2db.pl -D "cn=directory manager" -w Secret123 -n ipaca -i /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=import_2017_6_7_8_4_30, cn=import, cn=tasks, cn=config"

Step 5:
[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

step 6:

[root@ipaqavmd ~]# systemctl stop pki-tomcatd@pki-tomcat.service
[root@ipaqavmd ~]# systemctl start pki-tomcatd@pki-tomcat.service
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/*

NumberFormatException is not experienced.

Comment 38 Geetika Kapoor 2017-06-07 12:27:08 UTC
Tested nsslapd-entryusn-import-initval with biginteger and next.
In both cases the pki process starts without any hang and without a number format exception.

Comment 41 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110