Red Hat Bugzilla – Bug 1412681
update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs
Last modified: 2017-08-01 18:48:25 EDT
Moving to pki-core based on comment 16 (issue in PKI)
Hi, How to reproduce/test this Bugzilla? Thanks, Geetika
Comment 26 has the main hint about the issue https://bugzilla.redhat.com/show_bug.cgi?id=1412681#c26 but here are some detailed steps:

- failed environment:
    RHEL-7.3
    ipa-server-4.4.0-12.el7.x86_64
    pki-ca-10.3.3-10.el7.noarch

    journalctl -f _SYSTEMD_UNIT=pki-tomcatd@pki-tomcat.service
    ...
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: Exception in thread "authorityMonitor" java.lang.NumberFormatException: For input string: "3147483647"
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.parseInt(Integer.java:583)
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Integer.<init>(Integer.java:867)
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.readAuthority(CertificateAuthority.java:3290)
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at com.netscape.ca.CertificateAuthority.run(CertificateAuthority.java:3197)
    Jan 27 02:31:19 ipaserver1.example.com server[1794]: at java.lang.Thread.run(Thread.java:745)

- fix was tested with:
    pki-base-10.3.3-16.2.el7_3.noarch
    pki-server-10.3.3-16.2.el7_3.noarch
    pki-tools-10.3.3-16.2.el7_3.x86_64
    pki-base-java-10.3.3-16.2.el7_3.noarch
    pki-kra-10.3.3-16.2.el7_3.noarch
    pki-ca-10.3.3-16.2.el7_3.noarch

- have 1 IPA master already set up:
    test was with example.com and EXAMPLE-COM
    it is best to test with a subordinate CA, to exercise more code paths

- optional sanity check on default usn, low value expected:
    /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "" -s base "(objectclass=*)" lastusn

  expected output example:
    dn:
    lastusn: 232747

- set the next entryusn start value from an import to a high value, something over 2^31-1 or 2147483647:
    ldapmodify -x -D "cn=directory manager" -w password << EOF
    dn: cn=config
    changetype: modify
    replace: nsslapd-entryusn-import-initval
    nsslapd-entryusn-import-initval: 3147483647
    EOF

- export the LDAP ipaca backend:
    /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -r -D "cn=directory manager" -w password -n ipaca -a /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif

- import the LDAP ipaca backend saved in the previous step:
    /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db.pl -D "cn=directory manager" -w password -n ipaca -i /var/lib/dirsrv/slapd-EXAMPLE-COM/bak/ipaca.20170117195529.ldif

- optional sanity check for high entryusn values:
    /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w password -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn

  expected output example:
    dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
    entryusn: 3147483647

- restart CA:
    systemctl stop pki-tomcatd@pki-tomcat.service
    systemctl start pki-tomcatd@pki-tomcat.service

- final error check, nothing should be returned from this command:
    grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
    [root@ipaserver1 ~]#
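A read-only check related to the reproduction steps above, as an added example that is not part of the original bug report: it reads `ldapsearch -LLL` output and lists every entry whose entryusn exceeds 2^31-1, the value range in which the Integer parsing shown in the stack trace fails. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list LDAP entries whose entryusn
# exceeds 2^31-1, the largest value java.lang.Integer can parse.
INT32_MAX=2147483647

# Reads LDIF on stdin (for example the output of the page's
#   ldapsearch -LLLx ... -b "ou=certificateProfiles,ou=ca,o=ipaca" ... entryusn
# command) and prints "<entryusn> <dn>" for each entry above INT32_MAX.
usn_over_int32() {
    awk -v max="$INT32_MAX" '
        # LDIF folds long lines; a leading space continues the previous line.
        /^ /    { if (in_dn) dn = dn substr($0, 2); next }
        /^dn:/  { dn = $0; sub(/^dn::? */, "", dn); in_dn = 1; next }
        /^$/    { dn = ""; in_dn = 0; next }
                { in_dn = 0 }
        tolower($1) == "entryusn:" && $2 ~ /^[0-9]+$/ {
            if ($2 + 0 > max + 0) printf "%s %s\n", $2, dn
        }
    '
}

# Constructed sample input: one low value, two values above 2^31-1,
# the last one with a folded DN line.
sample_ldif() {
    cat <<'EOF'
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

dn: cn=constructed-low-usn,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 232747

dn: cn=a-long-constructed-name,ou=certificateProfiles,
 ou=ca,o=ipaca
entryusn: 2147483648
EOF
}

sample_ldif | usn_over_int32
```

An empty result means no entry in the searched subtree has an entryusn outside the signed 32-bit range.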
clearing the needinfo flag
Test environment: pki-ca-10.4.1-8.el7.noarch

Test steps performed based on Comment #35:
==========================================

Step 1:
[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "" -s base "(objectclass=*)" lastusn
dn:
lastusn: 1970

Step 2:
[root@ipaqavmd ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-entryusn-import-initval
> nsslapd-entryusn-import-initval: 3147483647
> EOF
modifying entry "cn=config"

Step 3:
[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/db2ldif.pl -r -D "cn=directory manager" -w Secret123 -n ipaca -a /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif
Exporting to ldif file: /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=export_2017_6_7_8_3_19, cn=export, cn=tasks, cn=config"

Step 4:
[root@ipaqavmd ~]# /var/lib/dirsrv/scripts-TESTRELM-TEST/ldif2db.pl -D "cn=directory manager" -w Secret123 -n ipaca -i /var/lib/dirsrv/slapd-TESTRELM-TEST/bak/ipaca.20170607080319.ldif
Successfully added task entry "cn=import_2017_6_7_8_4_30, cn=import, cn=tasks, cn=config"

Step 5:
[root@ipaqavmd ~]# /usr/bin/ldapsearch -LLLx -D "cn=directory manager" -w Secret123 -b "ou=certificateProfiles,ou=ca,o=ipaca" cn=caUserCert entryusn
dn: cn=caUserCert,ou=certificateProfiles,ou=ca,o=ipaca
entryusn: 3147483647

Step 6:
[root@ipaqavmd ~]# systemctl stop pki-tomcatd@pki-tomcat.service
[root@ipaqavmd ~]# systemctl start pki-tomcatd@pki-tomcat.service
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/
[root@ipaqavmd ~]# grep -r "java.lang.NumberFormatException: For input string:" /var/log/pki/pki-tomcat/*

NumberFormatException is not experienced.
Tested nsslapd-entryusn-import-initval with biginteger and next. In both cases the pki process starts without any hang and without a number format exception.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110