Bug 1447144 - CA brought down during separate KRA instance creation
Summary: CA brought down during separate KRA instance creation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-01 23:35 UTC by Christina Fu
Modified: 2017-08-01 22:50 UTC (History)
8 users (show)

Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Enhancement
Doc Text:
Section headers in PKI deployment configuration file are no longer case sensitive The section headers (such as `[Tomcat]`) in the PKI deployment configuration file were previously case-sensitive. This behavior increased the chance of an error while providing no benefit. Starting with this release, section headers in the configuration file are case-insensitive, reducing the chance of an error occurring.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:50:57 UTC


Attachments (Terms of Use)
ca pkispawn config file (604 bytes, text/plain)
2017-05-01 23:37 UTC, Christina Fu
no flags Details
kra pkispawn config file (857 bytes, text/plain)
2017-05-01 23:37 UTC, Christina Fu
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2110 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Christina Fu 2017-05-01 23:35:40 UTC
I was attempting to install CA and KRA as separate instances and encountered the following issue.
* CA installation appeared to be successful
* KRA installation failed; ps -ef shows that CA instance shutdown during the KRA instance creation.

It was very consistent.

It is possible that my kra.cfg for pkispawn isn't correct (I have not done this for a while);  However, no matter what, the CA should not be brought down.

pkispawn config files attachment to follow.

Comment 2 Christina Fu 2017-05-01 23:37:02 UTC
Created attachment 1275498 [details]
ca pkispawn config file

Comment 3 Christina Fu 2017-05-01 23:37:47 UTC
Created attachment 1275499 [details]
kra pkispawn config file

Comment 5 Christina Fu 2017-05-02 16:06:54 UTC
snippet of the log that shows how CA was seems to be doing fine, but right after   an audit event eventType=ACCESS_SESSION_TERMINATED is written, CA suddenly shutdown.

[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Roles:
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Certificate Manager Agents
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Security Domain Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise CA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise KRA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise OCSP Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise TKS Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise RA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm:   Enterprise TPS Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SessionContextInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SessionContextInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: mapping: account
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: mapping: account.login
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: loading /usr/share/pki/ca/conf/acl.properties
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: checking /var/lib/pki/pki-ca-0502/ca/conf/acl.properties
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login
[02/May/2017:08:56:24][http-bio-18443-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-2]: evaluating expressions: user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-2]: evaluated expression: user="anybody" to be true
[02/May/2017:08:56:24][http-bio-18443-exec-2]: DirAclAuthz: authorization passed
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS

[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: content-type: null
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: accept: [application/json]
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: response format: application/json
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS

[02/May/2017:08:56:24][http-bio-18443-exec-3]: SessionContextInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SessionContextInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: mapping: account
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: mapping: account.logout
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout
[02/May/2017:08:56:24][http-bio-18443-exec-3]: checkACLS(): ACLEntry expressions= user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-3]: evaluating expressions: user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-3]: evaluated expression: user="anybody" to be true
[02/May/2017:08:56:24][http-bio-18443-exec-3]: DirAclAuthz: authorization passed
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS

[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: content-type: null
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: response format: application/json
[02/May/2017:08:56:45][http-bio-18443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED

[02/May/2017:08:56:46][localhost-startStop-2]: CMSEngine.shutdown()

Comment 6 Roshni 2017-05-04 17:54:55 UTC
These are the config files I used and I did not see this issue


[root@pki1 ~]# cat /tmp/test_dir/ca.cfg 
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = Secret123
pki_backup_keys = True
pki_backup_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA


[root@pki1 ~]# cat /tmp/test_dir/kra.cfg 
[DEFAULT]
pki_instance_name = topology-02-KRA
pki_https_port = 21443
pki_http_port = 21080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_hostname = pki1.example.com
pki_security_domain_hostname = pki1.example.com
pki_security_domain_https_port = 20443
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-KRA
pki_client_pkcs12_password = Secret123
pki_backup_keys = True
pki_backup_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 3389
pki_client_database_password = Secret123
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 21009
pki_tomcat_server_port = 21005

[KRA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI KRA Administrator for Example.Org
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA

[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Wed 03 May 2017 01:28:24 PM EDT
Group       : System Environment/Daemons
Size        : 2299369
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tue 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Comment 16 Endi Sukma Dewata 2017-05-15 20:49:24 UTC
It looks like the section header in the deployment configuration is case sensitive so [TOMCAT] should have been written as [Tomcat] as shown in /etc/pki/default.cfg.

Christina, could you try again with the correct [Tomcat] header for both CA and KRA? Thanks.

Comment 17 Matthew Harmsen 2017-05-16 16:22:12 UTC
(In reply to Endi Sukma Dewata from comment #16)
> It looks like the section header in the deployment configuration is case
> sensitive so [TOMCAT] should have been written as [Tomcat] as shown in
> /etc/pki/default.cfg.
> 
> Christina, could you try again with the correct [Tomcat] header for both CA
> and KRA? Thanks.

edewata: I could check that as the replication is on my laptop; I will try to replicate it with that change.

Comment 19 Matthew Harmsen 2017-05-17 23:21:54 UTC
commit ea036b22d7d15cefb8f7a56e9c9781b545dec8ee
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Wed May 17 17:17:42 2017 -0600

    Correct section headings in user deployment configuration file
    
    Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation
    dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance
                                   creation

Comment 21 Sumedh Sidhaye 2017-05-29 09:50:32 UTC
Build used for verification

[root@pki1 ~]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 6.el7
Architecture: noarch
Install Date: Thursday 25 May 2017 02:19:29 AM EDT
Group       : System Environment/Base
Size        : 2086704
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-6.el7.src.rpm
Build Date  : Tuesday 23 May 2017 04:37:48 PM EDT
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

ca.cfg

[DEFAULT]
pki_instance_name=pki-ca
pki_admin_email=admin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin

pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123

pki_ds_base_dn=dc=example,dc=com
pki_ds_database=pki-ca
pki_ds_ldap_port = 389
pki_ds_password=Secret123
pki_ds_remove_data=True

pki_http_port=18080
pki_https_port=18443
pki_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_name=ExampleCom

[TOMCAT]
pki_ajp_port=18009
pki_tomcat_server_port=18005


kra.cfg

[DEFAULT]
pki_instance_name=pki-kra
pki_admin_cert_file=/root/.dogtag/pki-kra/ca_admin.cert
pki_admin_email=admin@example.com
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret123
pki_admin_uid=kraadmin

pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123

pki_ds_base_dn=dc=example,dc=com
pki_ds_database=pki-kra
pki_ds_password=Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_ds_remove_data=True

pki_token_password=Secret123

pki_http_port=28080
pki_https_port=28443
pki_hostname=pki.example.com

pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

[TOMCAT]
pki_ajp_port=28009
pki_tomcat_server_port=28005

[KRA]
pki_import_admin_cert=False

[root@pki1 ~]# setup-ds.pl --silent --file=ldap.cfg 
Your new DS instance 'test-ldap' was successfully created.
Exiting . . .
Log file is '/tmp/setup_fb1Ke.log'

[root@pki1 ~]# pkispawn -s CA -f ca.cfg
Log file: /var/log/pki/pki-ca-spawn.20170529030743.log
Loading deployment configuration from ca.cfg.
Installing CA into /var/lib/pki/pki-ca.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-ca/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-ca/ca_admin_cert.p12

      Administrator's certificate nickname:
            PKI Administrator for example.com
      Administrator's certificate database:
            /root/.dogtag/pki-ca/ca/alias

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-ca.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-ca.service

      The URL for the subsystem is:
            https://pki.example.com:18443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@pki1 ~]# vim kra.cfg
[root@pki1 ~]# pkispawn -s KRA -f kra.cfg
Log file: /var/log/pki/pki-kra-spawn.20170529031955.log
Loading deployment configuration from kra.cfg.
Installing KRA into /var/lib/pki/pki-kra.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-kra/kra/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-kra/kra_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-kra.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-kra.service

      The URL for the subsystem is:
            https://pki.example.com:28443/kra

      PKI instances will be enabled upon system boot

    ==========================================================================

Comment 22 Endi Sukma Dewata 2017-06-01 22:27:40 UTC
As discussed on IRC, the previous patch generates unnecessary backups of the deployment configuration file. It's been fixed in the following patch:

commit 772e05e746570c13afeb60516c07a3fb95ca3e78
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jun 1 23:38:04 2017 +0200

    Removed superfluous deployment configuration backup.

    The pkispawn has been modified to generate a temporary backup
    file (instead of permanent and timestamped backup files) of the
    deployment configuration file before normalizing its content.
    The temporary backup will be removed automatically when the
    normalization is complete.

    https://pagure.io/dogtagpki/issue/2674

Comment 24 Sumedh Sidhaye 2017-06-12 06:46:14 UTC
Build used for verification:
[root@vm-idm-027 config_templates]# pki --version
PKI Command-Line Interface 10.4.1-8.el7
[root@vm-idm-027 config_templates]# rpm -qi pki-server
Name        : pki-server
Version     : 10.4.1
Release     : 8.el7
Architecture: noarch
Install Date: Monday 12 June 2017 08:51:06 AM IST
Group       : System Environment/Base
Size        : 4630365
License     : GPLv2
Signature   : RSA/SHA256, Wednesday 07 June 2017 06:34:39 AM IST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-8.el7.src.rpm
Build Date  : Tuesday 06 June 2017 10:16:27 AM IST
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Server Framework


[root@vm-idm-027 config_templates]# ls
ca.cfg  kra.cfg  ldap.cfg  ocsp.cfg  setup_cs.sh  tks.cfg  tps.cfg
[root@vm-idm-027 config_templates]# ./setup_cs.sh 
Your new DS instance 'testingmaster' was successfully created.
Exiting . . .
Log file is '/tmp/setupUcWHC5.log'

Log file: /var/log/pki/pki-ca-spawn.20170612120605.log
Loading deployment configuration from ca.cfg.
Installing CA into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /opt/FoobarCAmaster/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@FoobarCAmaster.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@FoobarCAmaster.service

      The URL for the subsystem is:
            https://pki11.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-kra-spawn.20170612120706.log
Loading deployment configuration from kra.cfg.
Installing KRA into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/kra/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@FoobarCAmaster.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@FoobarCAmaster.service

      The URL for the subsystem is:
            https://pki11.example.com:8443/kra

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-ocsp-spawn.20170612120818.log
Loading deployment configuration from ocsp.cfg.
Installing OCSP into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/ocsp/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             ocspadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@FoobarCAmaster.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@FoobarCAmaster.service

      The URL for the subsystem is:
            https://pki11.example.com:8443/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-tks-spawn.20170612120935.log
Loading deployment configuration from tks.cfg.
Installing TKS into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/tks/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tksadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@FoobarCAmaster.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@FoobarCAmaster.service

      The URL for the subsystem is:
            https://pki11.example.com:8443/tks

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-tps-spawn.20170612121056.log
Loading deployment configuration from tps.cfg.
Installing TPS into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/tps/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tpsadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@FoobarCAmaster.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@FoobarCAmaster.service

      The URL for the subsystem is:
            https://pki11.example.com:8443/tps

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@vm-idm-027 config_templates]# ls
ca.cfg  kra.cfg  ldap.cfg  ocsp.cfg  setup_cs.sh  tks.cfg  tps.cfg
[root@vm-idm-027 config_templates]# 


Backups for deployment configuration files are not generated anymore.

Comment 25 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110


Note You need to log in before you can comment on or make changes to this bug.