[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-08 Thread David Harvey via FreeIPA-users
Gentle bump (whilst I remember to nudge this).

TL;DR
Does anyone know the likely implications of error messages such as:

"Setting property 'enableOCSP' to 'false' did not find a matching property."
(then repeated for several other properties)

On 4 January 2018 at 14:52, David Harvey wrote:

> Point No. 2 is now sorted. It was the old missing Subject Alternative Name
> extension in certificate problem (which I had only seen with https until
> now!).
> I would still love to know if I need to live in fear of the other errors
> though :)
>
> On 4 January 2018 at 12:25, David Harvey wrote:
>
>> Dear list,
>>
>> In trying to escape from the various issues facing the Ubuntu FreeIPA, I
>> attempted to make the switch to Fedora 26 (same FreeIPA version 4.4.4).
>>
>> This seemed to go well (adding new replica first, and then replacing the
>> Ubuntu-based installs), but I notice on my Fedora boxes several warnings in
>> /v/l/messages (pasted below).  Firstly, are these harmful, and what might I
>> need to rectify!? I have a half-baked theory that this might relate to some
>> of the aspects that were broken in Ubuntu and carrying their breakage
>> across to the new platform!
>>
>> Secondly - could they relate to an issue I am seeing where one specific
>> LDAPS client application is failing to verify the ldap server cert (even
>> though other clients are quite happy talking to it) since the ipa server
>> reinstall?
>>
>> Advice appreciated, thank you in advance!
>>
>> David
>>
>>
>>
>>
>> Jan  4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
>> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
>> [false]
>> Jan  4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'enableOCSP' to 'false' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspResponderURL' to 'http://ipa3.thomac.net:9080/c
>> a/ocsp' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspResponderCertNickname' to 'ocspSigningCert
>> cert-pki-ca' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspCacheSize' to '1000' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspMinCacheEntryDuration' to '60' did not find a
>> matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a
>> matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspTimeout' to '10' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'strictCiphers' to 'true' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did
>> not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
>> RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_
>> RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-
>> SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_
>> SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_
>> 128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_
>> 3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_
>> EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZ
>> A_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_
>> WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_
>> EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_
>> CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching
>> property.
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_
>> CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_
>> WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>> +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_
>> AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+
>> 

[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Point No. 2 is now sorted. It was the old missing Subject Alternative Name
extension in certificate problem (which I had only seen with https until
now!).
I would still love to know if I need to live in fear of the other errors
though :)

On 4 January 2018 at 12:25, David Harvey wrote:

> Dear list,
>
> In trying to escape from the various issues facing the Ubuntu FreeIPA, I
> attempted to make the switch to Fedora 26 (same FreeIPA version 4.4.4).
>
> This seemed to go well (adding new replica first, and then replacing the
> Ubuntu-based installs), but I notice on my Fedora boxes several warnings in
> /v/l/messages (pasted below).  Firstly, are these harmful, and what might I
> need to rectify!? I have a half-baked theory that this might relate to some
> of the aspects that were broken in Ubuntu and carrying their breakage
> across to the new platform!
>
> Secondly - could they relate to an issue I am seeing where one specific
> LDAPS client application is failing to verify the ldap server cert (even
> though other clients are quite happy talking to it) since the ipa server
> reinstall?
>
> Advice appreciated, thank you in advance!
>
> David
>
>
>
>
> Jan  4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
> [false]
> Jan  4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'enableOCSP' to 'false' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderURL' to 'http://ipa3.thomac.net:9080/
> ca/ocsp' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderCertNickname' to 'ocspSigningCert
> cert-pki-ca' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMinCacheEntryDuration' to '60' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspTimeout' to '10' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'strictCiphers' to 'true' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not
> find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
> RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-
> SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_
> WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching
> property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_
> SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_
> RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_
> WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_
> RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_
> FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_
> RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_
> AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a
> matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_
> CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_
> RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_
> SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_
> WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_
> SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_
> CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_
> 3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_
> AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_
> DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_
> SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_
>
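
An added example, not part of the original thread or of the FreeIPA/Dogtag code: a small parser that rebuilds the mail-wrapped, quoted syslog records shown above and lists which Connector attributes Tomcat reported as unmatched, so the OCSP and TLS settings among them can be checked against what the service actually enforces. The sample lines are constructed in the thread's format; the function names and the area grouping are this example's own assumptions.

```python
import re

# Constructed sample in the thread's format: syslog records, mail-wrapped and '>'-quoted.
SAMPLE = """\
>> Jan  4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 192.0.2.10
>> Jan  4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'enableOCSP' to 'false' did not find a matching property.
> Jan  4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not
> find a matching property.
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")
QUOTE = re.compile(r"^(?:>\s?)+")
WARN = re.compile(
    r"\[SetAllPropertiesRule\]\{[^}]+\}\s+Setting property "
    r"'(?P<name>[^']+)' to '(?P<value>[^']*)' did not find a matching property\."
)

def records(lines):
    """Rebuild one string per syslog record; a timestamp starts a new record."""
    current = []
    for raw in lines:
        line = QUOTE.sub("", raw).strip()  # drop reply markers and padding
        if not line:
            continue
        if STAMP.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)

def area(name):
    low = name.lower()  # grouping is this example's own, not Tomcat's
    if "ocsp" in low:
        return "revocation"
    return "tls" if "cipher" in low or low.startswith("ssl") else "other"

def unmatched_properties(lines):
    """Map attribute name -> (area, configured value) for each warning."""
    found = {}
    for rec in records(lines):
        m = WARN.search(rec)
        if m:
            found[m["name"]] = (area(m["name"]), m["value"])
    return found
```

Continuation lines are joined with a single space, so a value that the mail client wrapped in the middle of a token (as happens to the long cipher lists above) comes back with a stray space in it.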