*I didn't use any file for the installation, I used the basic questions with their answers. This is a replica of how things went.*
[root@ocsp01 ~]# pkispawn -s OCSP -vvv
IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]: testinstance
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [ocspadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [Y]?
  Import certificate from [/root/.dogtag/testinstance/ca_admin.cert]: /root/ca_admin.cert

Directory Server:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01
  Use a secure LDAPS connection (Yes/No/Quit) [N]?
  LDAP Port [389]:
  Bind DN [cn=Directory Manager]:
  Password:
  Base DN [o=testinstance-OCSP]:

Security Domain:
  Hostname [ocsp01.pki.ccpsd.corp]: ca01
  Secure HTTP port [8443]:
  Name: Test Instance Security Domain
  Username [caadmin]:
  Password:

Begin installation (Yes/No/Quit)? Yes

*As you can see, the LDAP server was up, it asked for user and password and went to the next step. As for the security domain, when I indicated the host of the CA, it was detected, so that was good also.*

*If you take a look at /etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg:*

[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[OCSP]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = ocspadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
pki_security_domain_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

*The CA deployment file is this:*

[DEFAULT]
pki_instance_name = testinstance
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pin = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_ds_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

[CA]
pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = False
pki_client_admin_cert = /root/.dogtag/testinstance/ca_admin.cert
pki_ds_hostname = ca01.pki.ccpsd.corp
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=testinstance-CA
pki_security_domain_name = Test Instance Security Domain
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX

Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmr...@gmail.com
A: Santo Domingo, DR
jonathanmontero.com
<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero>
<https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>

On Fri, Mar 1, 2019 at 8:41 PM Marc Sauton <msau...@redhat.com> wrote:
> Make sure in the OCSP's pkispawn config file, the security domain
> configured for the CA, and make sure that CA and its LDAP server are up.
> Or maybe something is missing in that OCSP's pkispawn config file, or
> incorrect.
> There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file,
> like maybe a private key could not be unlocked (file or hsm).
> Thanks,
> M.
>
> On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero <jmr...@gmail.com> wrote:
>
>> Hi guys, I have a case that I haven't been able to solve. I'm not too
>> experienced in Dogtag, but believe me, I'm doing my best. I installed a CA
>> in server1 and OCSP in server2. Server1 is working fine as CA. When I
>> "pkispawn -s OCSP -vvv" in server 2, things go fine until the last moment.
>>
>> pkispawn : INFO ....... executing 'systemctl daemon-reload'
>> pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@testinstance.service'
>> pkispawn : DEBUG ........... No connection - server may still be down
>> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn : DEBUG ........... No connection - server may still be down
>> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn : DEBUG ........... No connection - server may still be down
>> pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> pkispawn : DEBUG ........... No connection - server may still be down
>> pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>> pkispawn : DEBUG ........... No connection - server may still be down
>>
>> *firewalld is down and disabled, same with iptables, same with selinux in
>> both servers*
>>
>> I'm using default values (most of them) before going to production.
>>
>> What am I missing here?
>>
>> Jonathan Montero
>> IT Professional | IT Trainer
>> M: 809-609-3003
>> S: tuxmontero
>> E: jmr...@gmail.com
>> A: Santo Domingo, DR
>> jonathanmontero.com
>> <https://www.linkedin.com/in/monterojonathan>
>> <https://twitter.com/tuxmontero>
>> <https://www.facebook.com/jmrxto>
>> <https://github.com/tuxmontero>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
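The thread compares a CA deployment.cfg with an OCSP deployment.cfg by eye and Marc's reply asks for exactly that comparison (is the security domain the CA's, is its LDAP server the right one). As an added example, not code from the pki-users discussion or from Dogtag/pkispawn itself, the script below parses both files, masks every password and PIN so the result can be pasted into a mail, and reports where the OCSP's security-domain and directory-server settings disagree with the CA's. The key names are the real pkispawn parameters shown in the posted files; the two sample configs are constructed from the posted values, trimmed to the keys the checks read; the check names and the short-hostname heuristic are this script's own assumptions, not a diagnosis of the failure in the thread.

```python
"""Cross-check a Dogtag CA deployment.cfg against an OCSP deployment.cfg.
Added example for this thread, not code from the pki-users discussion or from
Dogtag/pkispawn. Keys are the real pkispawn parameters from the posted files;
the sample configs are constructed; the check names are this script's own."""
import configparser
import re

SECRET_RE = re.compile(r"(password|pin)$")

# Constructed sample: the CA's deployment.cfg, reduced to the keys used below.
CA_CFG = """\
[DEFAULT]
pki_instance_name = testinstance
pki_ds_password = XXXXXXXX

[CA]
pki_https_port = 8443
pki_admin_uid = caadmin
pki_ds_hostname = ca01.pki.ccpsd.corp
pki_ds_bind_dn = cn=Directory Manager
pki_ds_base_dn = o=testinstance-CA
pki_security_domain_name = Test Instance Security Domain
"""

# Constructed sample: the OCSP's deployment.cfg as the interactive pkispawn
# session in the thread wrote it (short hostnames included).
OCSP_CFG = """\
[DEFAULT]
pki_instance_name = testinstance
pki_ds_password = XXXXXXXX

[OCSP]
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_bind_dn = cn=Directory Manager
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
"""


def load_cfg(text, subsystem):
    """Parse deployment.cfg text; return [DEFAULT] merged with [subsystem].
    Only '=' is a delimiter so 'cn=Directory Manager' survives as a value."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return dict(cp[subsystem])


def redact(cfg):
    """Copy of cfg with every *_password / *_pin value masked, safe to share."""
    return {k: ("<redacted>" if SECRET_RE.search(k) else v) for k, v in cfg.items()}


def check_pair(ca, ocsp):
    """Return a list of {'check', 'message'} findings for an OCSP joining a CA."""
    findings = []

    def add(check, message):
        findings.append({"check": check, "message": message})

    # The OCSP joins the security domain the CA created: the names must match.
    if ocsp.get("pki_security_domain_name") != ca.get("pki_security_domain_name"):
        add("domain_name", "pki_security_domain_name: OCSP %r vs CA %r"
            % (ocsp.get("pki_security_domain_name"), ca.get("pki_security_domain_name")))
    # The OCSP contacts the CA on the CA's own HTTPS port.
    if ocsp.get("pki_security_domain_https_port") != ca.get("pki_https_port"):
        add("domain_port", "pki_security_domain_https_port %r != CA pki_https_port %r"
            % (ocsp.get("pki_security_domain_https_port"), ca.get("pki_https_port")))
    # The security-domain login used by pkispawn is the CA admin account.
    if ocsp.get("pki_security_domain_user") != ca.get("pki_admin_uid"):
        add("domain_user", "pki_security_domain_user %r != CA pki_admin_uid %r"
            % (ocsp.get("pki_security_domain_user"), ca.get("pki_admin_uid")))
    # Two subsystems on one directory server must use distinct base DNs.
    same_ds = ocsp.get("pki_ds_hostname", "").split(".")[0] == ca.get("pki_ds_hostname", "").split(".")[0]
    if same_ds and ocsp.get("pki_ds_base_dn") == ca.get("pki_ds_base_dn"):
        add("shared_base_dn", "OCSP and CA share base DN %r on one DS" % ocsp.get("pki_ds_base_dn"))
    # pki_import_admin_cert = True is meaningless without a file to import.
    if ocsp.get("pki_import_admin_cert", "").lower() == "true" and not ocsp.get("pki_admin_cert_file"):
        add("admin_cert_file", "pki_import_admin_cert is True but pki_admin_cert_file is unset")
    # Heuristic (this script's assumption): a short hostname depends on the
    # resolver's search domain, so flag it for the operator to verify.
    for key in ("pki_ds_hostname", "pki_security_domain_hostname"):
        host = ocsp.get(key, "")
        if host and "." not in host:
            add("short_hostname", "%s=%r is not fully qualified; verify it resolves to "
                "the host the CA config names (%r)" % (key, host, ca.get("pki_ds_hostname")))
    return findings


if __name__ == "__main__":
    ca_cfg, ocsp_cfg = load_cfg(CA_CFG, "CA"), load_cfg(OCSP_CFG, "OCSP")
    print("OCSP (redacted):", redact(ocsp_cfg))
    for f in check_pair(ca_cfg, ocsp_cfg):
        print("%-16s %s" % (f["check"], f["message"]))
```

Against real files, pass `open(path).read()` to load_cfg with the subsystem section name ("CA" or "OCSP"). On the constructed pair the only findings are the two short hostnames, reported as something to verify rather than as an error: whether `ca01` reaches the CA host depends on the resolver on the OCSP machine, which the config alone cannot tell.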