On 09/27/2012 10:26 AM, Petr Viktorin wrote:
On 09/20/2012 05:58 AM, Ade Lee wrote:
Changes to use a single database for dogtag and IPA

     New servers that are installed with dogtag 10 instances will use
     a single database instance for dogtag and IPA, albeit with different
     suffixes.  Dogtag will communicate with the instance through a
     database user with permissions to modify the dogtag suffix only.
     This user will authenticate using client auth using the subsystem
     cert for the instance.

     This patch includes changes to allow the creation of masters and
     clones with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take a while to get resolved, it's
better to get this out for review as fast as possible.

Happy reviewing.

Ade



Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the "open/close sandwich"
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.


I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.


Are the following limitations expected?

IPA and Dogtag have to be updated simultaneously; it's not possible to have current IPA master with Dogtag 10, or IPA with this patch with D9.

It is not possible to create a replica from a machine with a single DS to an older version without the patch -- the older version will try the wrong ports.



I've tried to run ipa-ca-install on a D10 replica cloned from an upgraded (unpatched→patched IPA, D9→D10) master, and I got "Failed to obtain installation token from security domain" (see attached log).

AFAICS pkispawn returns with exit code 0 on error, so our installation script fails later, on missing /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12. It would be nice if pkispawn told us it failed.


--
Petr³
2012-10-01T13:31:07Z DEBUG /sbin/ipa-ca-install was invoked with argument "/home/pviktori/replica-info-vm-076.idm.lab.bos.redhat.com.gpg" and options: {'debug': False, 'unattended': False, 'skip_conncheck': False, 'no_host_dns': False}
2012-10-01T13:31:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-10-01T13:31:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-10-01T13:31:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2012-10-01T13:31:07Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
2012-10-01T13:31:07Z DEBUG args=klist -V
2012-10-01T13:31:07Z DEBUG stdout=Kerberos 5 version 1.10.2

2012-10-01T13:31:07Z DEBUG stderr=
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2012-10-01T13:31:07Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
2012-10-01T13:31:08Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpJr2Rq2ipa/ipa-vigfsJ/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpJr2Rq2ipa/files.tar -d /home/pviktori/replica-info-vm-076.idm.lab.bos.redhat.com.gpg
2012-10-01T13:31:08Z DEBUG stdout=
2012-10-01T13:31:08Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpJr2Rq2ipa/ipa-vigfsJ/.gnupg'
gpg: keyring `/tmp/tmpJr2Rq2ipa/ipa-vigfsJ/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpJr2Rq2ipa/ipa-vigfsJ/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2012-10-01T13:31:08Z DEBUG args=tar xf /tmp/tmpJr2Rq2ipa/files.tar -C /tmp/tmpJr2Rq2ipa
2012-10-01T13:31:08Z DEBUG stdout=
2012-10-01T13:31:08Z DEBUG stderr=
2012-10-01T13:31:08Z DEBUG Check if vm-076.idm.lab.bos.redhat.com is a primary hostname for localhost
2012-10-01T13:31:08Z DEBUG Primary hostname for localhost: vm-076.idm.lab.bos.redhat.com
2012-10-01T13:31:08Z DEBUG Search DNS for vm-076.idm.lab.bos.redhat.com
2012-10-01T13:31:08Z DEBUG Check if vm-076.idm.lab.bos.redhat.com is not a CNAME
2012-10-01T13:31:08Z DEBUG Check reverse address of 10.16.78.76
2012-10-01T13:31:08Z DEBUG Found reverse name: vm-076.idm.lab.bos.redhat.com
2012-10-01T13:31:21Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master vm-074.idm.lab.bos.redhat.com --auto-master-check --realm IDM.LAB.BOS.REDHAT.COM --principal admin --hostname vm-076.idm.lab.bos.redhat.com --password XXXXXXXX --check-ca --dogtag-master-ds-port 389

2012-10-01T13:31:21Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-10-01T13:31:21Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-10-01T13:31:21Z DEBUG Configuring certificate server: Estimated time 3 minutes 30 seconds
2012-10-01T13:31:21Z DEBUG   [1/14]: creating certificate server user
2012-10-01T13:31:21Z DEBUG adding ca user pkiuser
2012-10-01T13:31:21Z DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser
2012-10-01T13:31:21Z DEBUG stdout=
2012-10-01T13:31:21Z DEBUG stderr=
2012-10-01T13:31:21Z DEBUG done adding user
2012-10-01T13:31:21Z DEBUG   duration: 0 seconds
2012-10-01T13:31:21Z DEBUG   [2/14]: configuring certificate server instance
2012-10-01T13:31:21Z DEBUG Contents of pkispawn configuration file (/tmp/tmpadmNFw):
###############################################################################
##  'Sensitive' Data:                                                        ##
##                                                                           ##
##  Values in this section pertain to various PKI subsystems, and contain    ##
##  required 'sensitive' information which MUST ALWAYS be provided by users. ##
##                                                                           ##
##  IMPORTANT:  Sensitive data values must NEVER be displayed to the         ##
##              console NOR stored in log files!!!                           ##
###############################################################################
[Sensitive]
pki_admin_password=XXXXXXXX
pki_backup_password=XXXXXXXX
pki_client_database_password=XXXXXXXX
pki_client_pkcs12_password=XXXXXXXX
pki_clone_pkcs12_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_security_domain_password=XXXXXXXX
pki_token_password=
###############################################################################
##  'Common' Data:                                                           ##
##                                                                           ##
##  Values in this section are common to more than one PKI subsystem, and    ##
##  contain required information which MAY be overridden by users as         ##
##  necessary.                                                               ##
##                                                                           ##
##  NOTE:  Default values will be generated for any and all required         ##
##         'common' data values which are left undefined.                    ##
###############################################################################
[Common]
pki_admin_cert_request_type=crmf
pki_admin_domain_name=
pki_admin_dualkey=False
pki_admin_email=root@localhost
pki_admin_keysize=2048
pki_admin_name=admin
pki_admin_nickname=ipa-ca-agent
pki_admin_subject_dn=CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM
pki_admin_uid=admin
pki_audit_group=pkiaudit
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM
pki_audit_signing_token=
pki_backup_keys=True
pki_client_database_dir=/tmp/tmp-3DyOVK
pki_client_database_purge=False
pki_client_dir=
pki_ds_base_dn=o=ipaca
pki_ds_bind_dn=cn=Directory Manager
pki_ds_database=ipaca
pki_ds_hostname=
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
pki_issuing_ca=
pki_restart_configured_instance=False
pki_security_domain_hostname=vm-074.idm.lab.bos.redhat.com
pki_security_domain_https_port=443
pki_security_domain_name=IPA
pki_security_domain_user=admin
pki_ssl_server_key_algorithm=SHA256withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_ssl_server_nickname=Server-Cert cert-pki-ca
pki_ssl_server_subject_dn=CN=vm-076.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
pki_ssl_server_token=
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_subsystem_token=
pki_token_name=internal
pki_user=pkiuser
###############################################################################
##  'Apache' Data:                                                           ##
##                                                                           ##
##  Values in this section are common to PKI subsystems that run             ##
##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[Apache]
pki_instance_name=pki-apache
pki_http_port=80
pki_https_port=443
###############################################################################
##  'Tomcat' Data:                                                           ##
##                                                                           ##
##  Values in this section are common to PKI subsystems that run             ##
##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
##  required information which MAY be overridden by users as necessary.      ##
##                                                                           ##
##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
##               or a 'TKS Clone', change the value of 'pki_clone'           ##
##               from 'False' to 'True'.                                     ##
##                                                                           ##
##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
##               are MUTUALLY EXCLUSIVE entities!!!                          ##
###############################################################################
[Tomcat]
pki_ajp_port=8009
pki_clone=True
pki_clone_pkcs12_path=/tmp/ca.p12
pki_clone_replication_master_port=389

pki_clone_replication_clone_port=389
pki_clone_replication_security=TLS
pki_clone_uri=https://vm-074.idm.lab.bos.redhat.com:443
pki_enable_java_debugger=False
pki_enable_proxy=True
pki_http_port=8080
pki_https_port=8443
pki_instance_name=pki-tomcat
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=false
pki_tomcat_server_port=8005
###############################################################################
##  'CA' Data:                                                               ##
##                                                                           ##
##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
##  required information which MAY be overridden by users as necessary.      ##
##                                                                           ##
##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
##                    of 'pki_external' from 'False' to 'True'.              ##
##                                                                           ##
##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
##                    of 'pki_subordinate' from 'False' to 'True'.           ##
##                                                                           ##
##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
###############################################################################
[CA]
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
pki_ca_signing_token=
pki_external=False
pki_external_ca_cert_chain_path=
pki_external_ca_cert_path=
pki_external_csr_path=
pki_external_step_two=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_subject_dn=CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ocsp_signing_token=
pki_subordinate=False
pki_subsystem=CA
pki_subsystem_name=
###############################################################################
##  'KRA' Data:                                                              ##
##                                                                           ##
##  Values in this section are common to KRA subsystems                      ##
##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[KRA]
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
pki_storage_nickname=
pki_storage_signing_algorithm=SHA256withRSA
pki_storage_subject_dn=
pki_storage_token=
pki_subsystem=KRA
pki_subsystem_name=
pki_transport_key_algorithm=SHA256withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
pki_transport_nickname=
pki_transport_signing_algorithm=SHA256withRSA
pki_transport_subject_dn=
pki_transport_token=
###############################################################################
##  'OCSP' Data:                                                             ##
##                                                                           ##
##  Values in this section are common to OCSP subsystems                     ##
##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[OCSP]
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_subject_dn=CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM
pki_ocsp_signing_token=
pki_subsystem=OCSP
pki_subsystem_name=
###############################################################################
##  'RA' Data:                                                               ##
##                                                                           ##
##  Values in this section are common to PKI RA subsystems, and contain      ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[RA]
pki_subsystem=RA
pki_subsystem_name=
###############################################################################
##  'TKS' Data:                                                              ##
##                                                                           ##
##  Values in this section are common to TKS subsystems                      ##
##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[TKS]
pki_subsystem=TKS
pki_subsystem_name=
###############################################################################
##  'TPS' Data:                                                              ##
##                                                                           ##
##  Values in this section are common to PKI TPS subsystems, and contain     ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[TPS]
pki_subsystem=TPS
pki_subsystem_name=

2012-10-01T13:31:53Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpadmNFw
2012-10-01T13:31:53Z DEBUG stdout=
2012-10-01T13:31:53Z DEBUG stderr=*sys-package-mgr*: processing new jar, '/usr/share/java/jython.jar'
*sys-package-mgr*: processing new jar, '/usr/share/java/jakarta-oro.jar'
*sys-package-mgr*: processing new jar, '/usr/share/java/tomcat-servlet-3.0-api.jar'
*sys-package-mgr*: processing new jar, '/usr/share/java/mysql-connector-java-5.1.21.jar'
*sys-package-mgr*: processing new jar, '/usr/lib64/libreadline-java/libreadline-java.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/resources.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/rt.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/jsse.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/jce.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/charsets.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/rhino.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/zipfs.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/sunjce_provider.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/dnsns.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/gnome-java-bridge.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/localedata.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/sunpkcs11.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/sunec.jar'
*sys-package-mgr*: processing new jar, '/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/lib/ext/pulse-java.jar'
Traceback (innermost last):
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.jy", line 135, in ?
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.jy", line 132, in main
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkijython.py", line 494, in configure_pki_data
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
	at com.netscape.certsrv.client.PKIErrorInterceptor.handle(PKIErrorInterceptor.java:52)
	at org.jboss.resteasy.client.core.extractors.ClientErrorHandler.clientErrorHandling(ClientErrorHandler.java:49)
	at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:44)
	at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:120)
	at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
	at $Proxy21.configure(Unknown Source)
	at com.netscape.certsrv.system.SystemConfigClient.configure(SystemConfigClient.java:41)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)

com.netscape.certsrv.base.PKIException: com.netscape.certsrv.base.PKIException: Failed to obtain installation token from security domain

2012-10-01T13:31:53Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
    return_value = main_function()

  File "/sbin/ipa-ca-install", line 159, in main
    config, dogtag_master_ds_port, postinstall=True)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1523, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 575, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 321, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 688, in __spawn_instance
    "/root/cacert.p12")

  File "/usr/lib64/python2.7/shutil.py", line 299, in move
    copy2(src, real_dst)

  File "/usr/lib64/python2.7/shutil.py", line 128, in copy2
    copyfile(src, dst)

  File "/usr/lib64/python2.7/shutil.py", line 82, in copyfile
    with open(src, 'rb') as fsrc:

2012-10-01T13:31:53Z INFO The ipa-ca-install command failed, exception: IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12'
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
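
Added example (not part of the original message, and not FreeIPA or Dogtag code): one way a calling script can guard against the situation reported above, where a spawned tool exits 0 after an error, by also checking stderr for failure markers and checking that the expected output file exists. `run_and_verify`, `SpawnFailed`, `FAILURE_MARKERS` and `fake_tool` are hypothetical names, and the stand-in tool's stderr is constructed from two lines of the log above.

```python
import os
import subprocess
import sys
import tempfile

# Markers copied from the stderr in the log above; the list is an assumption
# and would need tuning for a real tool.
FAILURE_MARKERS = ("Traceback (innermost last):", "PKIException")


class SpawnFailed(Exception):
    """The spawned tool did not verifiably succeed."""


def run_and_verify(args, expected_artifact, markers=FAILURE_MARKERS):
    """Run args; accept only if exit code, stderr and artifact all agree."""
    proc = subprocess.run(args, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    if proc.returncode != 0:
        raise SpawnFailed("exit code %d" % proc.returncode)
    if any(marker in proc.stderr for marker in markers):
        # The last non-empty stderr line carries the actual error message.
        last = [l for l in proc.stderr.splitlines() if l.strip()][-1]
        raise SpawnFailed("exit code 0 but stderr reports: %s" % last)
    if not os.path.isfile(expected_artifact):
        raise SpawnFailed("exit code 0 but %s is missing" % expected_artifact)
    return proc


def fake_tool(stderr_text="", create=None, exit_code=0):
    """Constructed stand-in for the installer (hypothetical, not pkispawn)."""
    code = "import sys\nsys.stderr.write(%r)\n" % stderr_text
    if create:
        code += "open(%r, 'wb').close()\n" % create
    code += "sys.exit(%d)\n" % exit_code
    return [sys.executable, "-c", code]


def outcome(args, artifact):
    """Return 'ok' or the reason run_and_verify rejected the run."""
    try:
        run_and_verify(args, artifact)
        return "ok"
    except SpawnFailed as exc:
        return str(exc)


def demo():
    """Run four constructed cases and return their outcomes by name."""
    # Constructed stderr, shortened from the traceback in the log above.
    logged_stderr = (
        "Traceback (innermost last):\n"
        "com.netscape.certsrv.base.PKIException: Failed to obtain "
        "installation token from security domain\n")
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "ca_backup_keys.p12")
        return {
            "silent_failure": outcome(fake_tool(logged_stderr), artifact),
            "no_artifact": outcome(fake_tool(), artifact),
            "nonzero_exit": outcome(fake_tool(exit_code=3), artifact),
            "success": outcome(fake_tool(create=artifact), artifact),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

With a check like this the failure surfaces at the spawn step with the tool's own error text, rather than later as an `IOError` on the missing `.p12` file.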
