This bug has been copied from bug #1412681 and has been proposed to be backported to 7.3 z-stream (EUS).
Cherry-picked to DOGTAG_10_3_RHEL_BRANCH from DOGTAG_10_3_BRANCH:
* d37d1cb1a2d33d17f15cbf9565a4bba99050e59a

Cherry-picked to DOGTAG_10_3_RHEL_UNRELEASED_BRANCH from DOGTAG_10_3_BRANCH:
* 643c56d4a1d5632a5aeb81664882a1a55567171c
Steps to verify:
1. Ensure DS entryUSN counter exceeds 2,147,483,647 (consult a DS SME to see if there is a way to set this directly).
2. Make a change to a lightweight authority entry. This can be done via CLI or directly to an entry under ou=authorities,ou=ca,{basedn}. For example, you could just change the description. This step is to make sure that the entryUSN exceeds 2,147,483,647.
3. Restart server. Check that the server starts properly and that a NumberFormatException does not get logged in /var/log/pki/pki-tomcat/ca/debug or in `journalctl -u pki-tomcatd@pki-tomcat`.
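An offline check for steps 1 and 3 above, added here as an example (it is not part of the original bug report or of the Dogtag code): it reads saved LDIF output to confirm the highest entryUSN is above 2,147,483,647 and counts NumberFormatException lines in a copy of the debug log. The function names, the `o=example` suffix and the sample LDIF and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline verification helper. All sample data is constructed.
INT32_MAX=2147483647   # largest signed 32-bit value, the threshold in step 1

# Read LDIF on stdin (e.g. saved ldapsearch output) and print the highest entryUSN.
max_entryusn() {
    _max=0
    while IFS=': ' read -r _key _val; do
        case "$_key" in entryUSN|entryusn) ;; *) continue ;; esac
        case "$_val" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric values
        if [ "$_val" -gt "$_max" ]; then _max=$_val; fi
    done
    echo "$_max"
}

# Print how many lines of log file $1 mention NumberFormatException (step 3).
count_nfe() { grep -c 'NumberFormatException' "$1" || true; }

# $1 = LDIF file, $2 = CA debug log. Prints a verdict; returns 0 only on PASS.
verify() {
    _usn=$(max_entryusn < "$1")
    _nfe=$(count_nfe "$2")
    if [ "$_usn" -le "$INT32_MAX" ]; then
        echo "INCONCLUSIVE usn=$_usn"; return 2   # counter never crossed the limit
    fi
    if [ "$_nfe" -ne 0 ]; then
        echo "FAIL usn=$_usn nfe=$_nfe"; return 1
    fi
    echo "PASS usn=$_usn"
}

# Constructed sample inputs (hypothetical DN suffix and log lines).
make_samples() {
    printf '%s\n' 'dn: cn=sample1,ou=authorities,ou=ca,o=example' \
        'description: changed' 'entryUSN: 2147485000' '' \
        'dn: cn=sample2,ou=authorities,ou=ca,o=example' \
        'entryUSN: 2147483000' > "$1/authorities.ldif"
    printf '%s\n' 'dn: cn=sample1,ou=authorities,ou=ca,o=example' \
        'entryUSN: 1200' > "$1/low.ldif"
    echo 'CA subsystem started' > "$1/debug.good"
    echo 'java.lang.NumberFormatException: For input string: "2147485000"' \
        > "$1/debug.bad"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
verify "$SAMPLES/authorities.ldif" "$SAMPLES/debug.good"
```

The INCONCLUSIVE verdict matters: a clean log proves nothing if no entryUSN under ou=authorities actually crossed the 32-bit limit before the restart.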
Related to the first step to verify: you should be able to set the starting entryUSN using nsslapd-entryusn-import-initval (see http://directory.fedoraproject.org/docs/389ds/design/entry-usn.html#import-and-replica-initialization). Before doing an import, set this value to something like 2,147,483,000. Then import an LDIF file and check that the 'entryUSN' values of the imported entries take that new starting point into account. You may then be able to rapidly reach MAX_INT.
IPA server:
ipa-server-4.4.0-14.el7_3.6.x86_64

PKI packages:
pki-server-10.3.3-17.el7_3.noarch
pki-ca-10.3.3-17.el7_3.noarch

Tested the bug on the basis of the following observations:
1. Verified that when entryUSN has a higher denomination (e.g. in the range of 2147485000) within the directory server, the ipa server service can be restarted successfully and does not hang.
2. No error messages are observed for "NumberFormatException" within /var/log/pki/pki-tomcat/ca/debug or in `journalctl -u pki-tomcatd@pki-tomcat`.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
Added doc text.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0389.html