Description of problem:
Because of the way the cloning code is implemented, when an attribute is accessed after configuration the DS can crash with the following DS bug: https://bugzilla.redhat.com/show_bug.cgi?id=679978

Restarting the DS after configuration will resolve this problem.

The problem is because of the sequence of steps we perform when populating the DB for the clone.

For the non-clone case, we do:
1. import schema in 99user.ldif
2. create indexes
3. populate data

For the clone, we do:
1. create indexes
2. do replication -- this includes schema replication

The problem is that we do not know the schema when the indexes are created. This results in a default schema being used. The default used to be directory string; it has been changed to octet string, and the resultant confusion causes the DS to crash. Once restarted, it reads its schema files and updates its representation of the indexes accordingly.

We used to import the schema first for the clone, but ran into https://bugzilla.redhat.com/show_bug.cgi?id=498123, basically because the schema replication was blowing away other schema.

So the possible fixes are:
1. doc -- restart DS after creating clone
2. go to schema files
3. put all schema in one file
4. replicate, create index, reindex
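An added offline check for the ordering problem described above; it is illustration code, not part of this bug, of RHCS or of 389 DS. Given the schema LDIF (the 99user.ldif attributeTypes lines) and the backend's nsIndex entries, it reports which indexed attributes have a known syntax and which would fall back to the server default (octet string, as the bug states) because their schema was not loaded when the index was created. The attribute names and OIDs in the two samples are constructed.

```python
import re
# Syntax OIDs named in the bug: Directory String (old default) and Octet String (new default)
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"

# Constructed sample schema (shape of attributeTypes lines in 99user.ldif; OIDs are made up)
SCHEMA_LDIF = """\
attributeTypes: ( 2.16.840.1.113730.3.1.9901 NAME 'exampleRequestId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.16.840.1.113730.3.1.9902 NAME 'exampleKeyBlob' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""
# Constructed sample index entries (shape of nsIndex entries under cn=index of a backend)
INDEX_LDIF = """\
dn: cn=exampleRequestId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: exampleRequestId
nsIndexType: eq

dn: cn=exampleNotInSchema,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: exampleNotInSchema
nsIndexType: eq
"""
ATTR_RE = re.compile(r"NAME\s+'([^']+)'.*?SYNTAX\s+([\d.]+)", re.I)

def parse_schema_syntaxes(ldif):
    """Map lower-cased attribute name -> syntax OID, one per attributeTypes line."""
    out = {}
    for line in ldif.splitlines():
        m = ATTR_RE.search(line) if line.lower().startswith("attributetypes:") else None
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def parse_indexed_attrs(ldif):
    """Return the cn (indexed attribute name) of every nsIndex entry in the LDIF."""
    attrs, entry = [], {}
    for line in ldif.splitlines() + [""]:          # trailing "" flushes the last entry
        if not line:
            if any(v.lower() == "nsindex" for v in entry.get("objectclass", [])):
                attrs.append(entry["cn"][0])
            entry = {}
            continue
        key, _, val = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(val.strip())
    return attrs

def check_index_schema(schema_ldif, index_ldif, default_syntax=OCTET_STRING):
    """For each indexed attribute give the schema syntax, or the labelled server
    default that an index created before the schema is loaded would fall back to."""
    syntaxes = parse_schema_syntaxes(schema_ldif)
    return {a: syntaxes.get(a.lower(), f"DEFAULT({default_syntax})")
            for a in parse_indexed_attrs(index_ldif)}
```

Any attribute reported as DEFAULT(...) is one whose index was built with a syntax that may differ from what the schema later declares, which is the state the bug says a DS restart repairs.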
This is in the 8.1 docs as step #11: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/cloning-other-subsystems.html
Verified.

RHEL Version:
[root@nocp5 kaleem]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

RHCS Version:
[root@cs81box kal]# rpm -qa *pki*|sort
pki-ca-8.1.0-9.el5pki
pki-common-8.1.0-18.el5pki
pki-common-javadoc-8.1.0-18.el5pki
pki-console-8.1.0-4.el5pki
pki-java-tools-8.1.0-6.el5pki
pki-java-tools-javadoc-8.1.0-6.el5pki
pki-kra-8.1.0-10.el5pki
pki-migrate-8.1.0-9.el5pki
pki-native-tools-8.1.0-6.el5pki
pkinit-nss-0.7.6-1.el5
pki-ocsp-8.1.0-7.el5pki
pki-ra-8.1.0-7.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-4.el5pki
pki-silent-8.1.0-2.el5pki
pki-tks-8.1.0-8.el5pki
pki-tps-8.1.0-16.el5pki
pki-util-8.1.0-6.el5pki
pki-util-javadoc-8.1.0-6.el5pki
redhat-pki-ca-ui-8.1.0-7.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-6.el5pki
redhat-pki-ocsp-ui-8.1.0-5.el5pki
redhat-pki-ra-ui-8.1.0-4.el5pki
redhat-pki-tks-ui-8.1.0-4.el5pki
redhat-pki-tps-ui-8.1.0-7.el5pki
[root@cs81box kal]#

Steps Used to verify:

(1) Create and Configure Master DRM

(2) Create Clone DRM (followed instructions given in http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/cloning-other-subsystems.html)

Starting pki-clonekra:
Using Java Security Manager
Constructing 'pki-clonekra.policy' Security Policy
Starting pki-clonekra: [ OK ]
pki-clonekra (pid 22590) is running ...
    'pki-clonekra' must still be CONFIGURED!
    (see /var/log/pki-clonekra-install.log)

    Before proceeding with the configuration, make sure
    the firewall settings of this machine permit proper
    access to this subsystem.

    Please start the configuration by accessing:

    https://cs81box.pnq.redhat.com:21445/kra/admin/console/config/login?pin=SP8XoP4RIH96ZRdw2Nbv

    After configuration, the server can be operated by the command:

    /sbin/service pki-clonekra start | stop | restart

(3) Copy Master instance's keys into clone DRM's alias directory and change ownership and SELinux context

[root@cs81box alias]# chown pkiuser: master.p12
[root@cs81box alias]# chcon "system_u:object_r:pki_kra_var_lib_t:s0" master.p12
[root@cs81box alias]# ls -lZ
-rw------- pkiuser pkiuser system_u:object_r:pki_kra_var_lib_t cert8.db
-rw------- pkiuser pkiuser system_u:object_r:pki_kra_var_lib_t key3.db
-rw-r--r-- pkiuser pkiuser system_u:object_r:pki_kra_var_lib_t master.p12
-rw------- pkiuser pkiuser system_u:object_r:pki_kra_var_lib_t secmod.db

(4) Now configure the instance as given in http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/cloning-other-subsystems.html.

(5) Now restart the clone KRA subsystem.

[root@cs81box alias]# service pki-clonekra restart
Stopping pki-clonekra: ............................... [ OK ]
Starting pki-clonekra:
Using Java Security Manager
Constructing 'pki-clonekra.policy' Security Policy
Starting pki-clonekra: [ OK ]
pki-clonekra (pid 23748) is running ...

    Unsecure Port     = http://cs81box.pnq.redhat.com:21180/kra/ee/kra
    Secure Agent Port = https://cs81box.pnq.redhat.com:21443/kra/agent/kra
    Secure EE Port    = https://cs81box.pnq.redhat.com:21444/kra/ee/kra
    Secure Admin Port = https://cs81box.pnq.redhat.com:21445/kra/services
    PKI Console Port  = pkiconsole https://cs81box.pnq.redhat.com:21445/kra
    Tomcat Port       = 21701 (for shutdown)

    PKI Instance Name:  pki-clonekra

    PKI Subsystem Type: DRM Clone

    Registered PKI Security Domain Information:
    ==========================================================================
    Name: PnqRedhat Domain
    URL:  https://cs81box.pnq.redhat.com:9445
    ==========================================================================
[root@cs81box alias]#

Result:
Restart of cloned DRM is successful, without restart of DS instance. Agents interface is accessible successfully. Also restart of cloned DRM is successful, after restart of DS instance.