Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, 2012-03-28 at 17:30 -0400, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > enable a kerberized site with the fqdn is very easy with freeipa but we
> > would like to use virtual hosting and kerberized sites.
> >
> > I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
> > created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> > configured the apache webserver and it works.
> >
> > Then I created a cname record (vhost) pointing to
> > webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> > webserver, configured the vhosts without kerberizing anything. Virtual
> > hosts work as expected.
> >
> > But when I enable a kerberized directory in the vhost, then I see this
> > in the log file:
> >
> > [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> > provide more information (, Permission denied)
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> > 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
> >
> > When not using vhosts, it works although I see similar debugging info
> > (but instead of h...@vhost.ipa.domain.tld,
> > h...@webserver01.ipa.domain.tld). So I was wondering if it is possible
> > to do this vhost thing. With the ipa tools I can only add service
> > principals to joined hosts, not to cnames.
> >
> > It would be nice to have. Otherwise we need to have one server per
> > kerberized site, a bit of an overkill really.
>
> You should be able to add a host entry for the vhost, perhaps with the
> --force flag to let it add w/o a DNS A record. Then you should be able
> to create the service.

This shouldn't be necessary unless the vhost uses an A name, but then you need a key for each vhost, which is burdensome. I would keep this as a last resort after any other avenue failed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, 2012-03-28 at 22:49 +0200, Natxo Asenjo wrote:
> hi,
>
> enable a kerberized site with the fqdn is very easy with freeipa but
> we would like to use virtual hosting and kerberized sites.
>
> I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
> created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
>
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
>
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
>
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
>
> When not using vhosts, it works although I see similar debugging info
> (but instead of h...@vhost.ipa.domain.tld,
> h...@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
>
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, a bit of an overkill really.

CNAMEs should work just fine with the host's HTTP/A-name@REALM key. In fact I just tested a virtual host on my ipa server using a cname and it worked.

Can you post your (sanitized) mod_auth_kerb configuration? Also what browser are you testing with?

If you kdestroy and then kinit clean, and then try to access the server *only* using the CNAME you should see the browser has acquired a ticket for HTTP/A-name. You can use klist to verify. If this works you know it is a server side issue only. If you do not have the ticket, there may be a DNS/browser issue.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
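
The klist check described in the message above, as an added example that is not part of the original thread: a small shell helper that reads klist output taken after browsing to the CNAME only and reports which of the two conclusions applies. The klist samples are constructed, and the realm name IPA.DOMAIN.TLD and the user principal are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): interpret klist output captured after
# kdestroy, kinit, and one browser request made *only* to the CNAME.
# Real use: klist | check_cname_test webserver01.ipa.domain.tld

# Constructed sample: the browser obtained a ticket for the A-name principal.
# Realm and user principal are assumptions.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 22:00:01  03/29/12 22:00:01  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/28/12 22:01:10  03/29/12 22:00:01  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# Constructed sample: only the TGT is cached, no HTTP service ticket.
SAMPLE_MISSING='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 22:00:01  03/29/12 22:00:01  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD'

# Print every HTTP/ service principal found in klist output on stdin.
# The service principal is the last field of each ticket line.
http_principals() {
    awk 'tolower($NF) ~ /^http\// { print $NF }'
}

# check_cname_test A_NAME   (klist output on stdin)
# Prints "server-side" and returns 0 when a ticket for HTTP/A_NAME@... is
# cached; prints "dns-or-browser" and returns 1 when it is not.
check_cname_test() {
    # Compare case-insensitively and match the literal "HTTP/<host>@" prefix.
    want=$(printf 'HTTP/%s@' "$1" | tr '[:upper:]' '[:lower:]')
    if http_principals | tr '[:upper:]' '[:lower:]' | grep -qF -- "$want"; then
        echo "server-side"      # client side worked; look at the web server
    else
        echo "dns-or-browser"   # the browser never acquired the ticket
        return 1
    fi
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_cname_test webserver01.ipa.domain.tld || true
printf '%s\n' "$SAMPLE_MISSING" | check_cname_test webserver01.ipa.domain.tld || true
```
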
Re: [Freeipa-users] http service keytab for cname virtual host
Natxo Asenjo wrote:
> hi,
>
> enable a kerberized site with the fqdn is very easy with freeipa but we would like to use virtual hosting and kerberized sites.
>
> I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab, configured the apache webserver and it works.
>
> Then I created a cname record (vhost) pointing to webserver01.ipa.domain.tld. I enabled virtual hosting in the apache webserver, configured the vhosts without kerberizing anything. Virtual hosts work as expected.
>
> But when I enable a kerberized directory in the vhost, then I see this in the log file:
>
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client 192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client 192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
>
> When not using vhosts, it works although I see similar debugging info (but instead of h...@vhost.ipa.domain.tld, h...@webserver01.ipa.domain.tld). So I was wondering if it is possible to do this vhost thing. With the ipa tools I can only add service principals to joined hosts, not to cnames.
>
> It would be nice to have. Otherwise we need to have one server per kerberized site, a bit of an overkill really.

You should be able to add a host entry for the vhost, perhaps with the --force flag to let it add w/o a DNS A record. Then you should be able to create the service.

rob
Re: [Freeipa-users] passwd sync
On Wed, 2012-03-28 at 20:12 +, Steven Jones wrote:
> Hi,
>
> That is cool, but I have not read that anywhere, can we get that bit written
> into the passsync section? or have I missed it?

This may shed some light: http://freeipa.org/page/PasswordSynchronization

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] http service keytab for cname virtual host
hi,

enable a kerberized site with the fqdn is very easy with freeipa but we would like to use virtual hosting and kerberized sites.

I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab, configured the apache webserver and it works.

Then I created a cname record (vhost) pointing to webserver01.ipa.domain.tld. I enabled virtual hosting in the apache webserver, configured the vhosts without kerberizing anything. Virtual hosts work as expected.

But when I enable a kerberized directory in the vhost, then I see this in the log file:

[Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client 192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client 192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.

When not using vhosts, it works although I see similar debugging info (but instead of h...@vhost.ipa.domain.tld, h...@webserver01.ipa.domain.tld). So I was wondering if it is possible to do this vhost thing. With the ipa tools I can only add service principals to joined hosts, not to cnames.

It would be nice to have. Otherwise we need to have one server per kerberized site, a bit of an overkill really.

--
Groeten,
natxo
Re: [Freeipa-users] passwd sync
Hi,

That is cool, but I have not read that anywhere, can we get that bit written into the passsync section? or have I missed it?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 29 March 2012 8:53 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/28/2012 03:50 PM, Steven Jones wrote:
> 8><--
>
> It cannot be a wildcard:
> if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>     pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>     break;
> }
> but it is multivalued.
>
> 8><--
>
> This is over my head
>
> 8><--
>
> What exactly are you trying to do? Defeat password sync for
> > uid=*,cn=staff,cn=accounts,dc=etc ? Because I don't think
> passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
> 8><
>
> Ok, so at present when I setup a new user with a temp password in IPA and
> give it to the user they have to set a new one on first login to a client.
>
> Once password(s) flow through from AD I don't want the reset password feature
> in IPA to be functional when a user "first" logs in.
>
> regards

I do not think the password reset is required when you sync the users from an external source. Only when you added a new user via CLI or UI or migrated him.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] passwd sync
On 03/28/2012 03:50 PM, Steven Jones wrote:
> 8><--
>
> It cannot be a wildcard:
> if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>     pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>     break;
> }
> but it is multivalued.
>
> 8><--
>
> This is over my head
>
> 8><--
>
> What exactly are you trying to do? Defeat password sync for
> > uid=*,cn=staff,cn=accounts,dc=etc ? Because I don't think
> passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
> 8><
>
> Ok, so at present when I setup a new user with a temp password in IPA and
> give it to the user they have to set a new one on first login to a client.
>
> Once password(s) flow through from AD I don't want the reset password feature
> in IPA to be functional when a user "first" logs in.
>
> regards

I do not think the password reset is required when you sync the users from an external source. Only when you added a new user via CLI or UI or migrated him.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] passwd sync
8><--

It cannot be a wildcard:

    if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
        pwdata.changetype = IPA_CHANGETYPE_DSMGR;
        break;
    }

but it is multivalued.

8><--

This is over my head

8><--

What exactly are you trying to do? Defeat password sync for uid=*,cn=staff,cn=accounts,dc=etc ? Because I don't think passSyncManagersDNs is what you want for that, unless I'm mistaken.

8><

Ok, so at present when I setup a new user with a temp password in IPA and give it to the user they have to set a new one on first login to a client.

Once password(s) flow through from AD I don't want the reset password feature in IPA to be functional when a user "first" logs in.

regards
[Freeipa-users] passwd sync
Hi,

I have a support call into RH as the passync msi is in the RDS channel so I have no access to it as I have no RDS subscription..so if its "free" as it comes with IPA it needs to be moved.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Another CA replica install issue
Dan Scott wrote: Can anyone help with this? Thanks, Dan On Mon, Mar 26, 2012 at 16:17, Dan Scott wrote: On Mon, Mar 26, 2012 at 15:53, Rob Crittenden wrote: Dan Scott wrote: Hi, I'm having another replica CA install issue. Fedora 16 with latest updates applied this morning: ipa-ca-install replica-info-fileserver4.example.com.gpg [snip] Configuring certificate server: Estimated time 3 minutes 30 seconds [1/11]: creating certificate server user [2/11]: creating pki-ca instance [3/11]: configuring certificate server instance root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-w8FRe5' '-client_certdb_pwd' '-preop_pin' 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' 'CN=fileserver4.example.com,O=EXAMPLE.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' '-sd_hostname' 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' '-clone_start_tls' 'true' '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero exit status 255 creation of replica failed: 
Configuration of CA failed /var/log/ipareplica-ca-install.log contains: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId. 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed File "/usr/sbin/ipa-ca-install", line 157, in main() File "/usr/sbin/ipa-ca-install", line 142, in main (CA, cs) = cainstance.install_replica_ca(config, postinstall=True) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1136, in install_replica_ca subject_base=config.subject_base) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance self.start_creation("Configuring certificate server", 210) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 680, in __configure_instance raise RuntimeError('Configuration of CA failed') /var/log/pki-ca/debug contains: [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating SSL Admin HTTPS . . . [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId. [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS no successful response for SSL Admin HTTPS [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase getCertChainUsingSecureAdminPort start [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase::getCertChainUsingSecureAdminPort() - Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId. 
[26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: getCertChainUsingSecureAdminPort: java.io.IOException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId. [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to service. [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML parsed [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0 [26/Mar/2012:14:22:36][http-9445-2]: panel no=3 [26/Mar/2012:14:22:36][http-9445-2]: panel name=securitydomain [26/Mar/2012:14:22:36][http-9445-2]: total number of panels=19 [26/Mar/2012:14:22:36][http-9445-2]: WizardServlet: found xml [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type org.apache.catalina.connector.ResponseFacade [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type org.apache.catalina.connector.RequestFacade [26/Mar/2012
Re: [Freeipa-users] Another CA replica install issue
Can anyone help with this? Thanks, Dan On Mon, Mar 26, 2012 at 16:17, Dan Scott wrote: > On Mon, Mar 26, 2012 at 15:53, Rob Crittenden wrote: >> Dan Scott wrote: >>> >>> Hi, >>> >>> I'm having another replica CA install issue. Fedora 16 with latest >>> updates applied this morning: >>> >>> ipa-ca-install replica-info-fileserver4.example.com.gpg >>> >>> [snip] >>> >>> Configuring certificate server: Estimated time 3 minutes 30 seconds >>> [1/11]: creating certificate server user >>> [2/11]: creating pki-ca instance >>> [3/11]: configuring certificate server instance >>> root : CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' >>> 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir' >>> '/tmp/tmp-w8FRe5' '-client_certdb_pwd' '-preop_pin' >>> 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin' >>> '-admin_email' 'root@localhost' '-admin_password' >>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' >>> '-agent_key_type' 'rsa' '-agent_cert_subject' >>> 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com' >>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >>> '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >>> '-backup_pwd' '-subsystem_name' 'pki-cad' '-token_name' >>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >>> Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP >>> Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name' >>> 'CN=fileserver4.example.com,O=EXAMPLE.COM' >>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM' >>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM' >>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >>> '-clone_p12_password' '-sd_hostname' >>> 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name' >>> 'admin' '-sd_admin_password' 
'-clone_start_tls' 'true' >>> '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero >>> exit status 255 >>> creation of replica failed: Configuration of CA failed >>> >>> /var/log/ipareplica-ca-install.log contains: >>> >>> org.xml.sax.SAXParseException; lineNumber: 1; >>> columnNumber: 50; White spaces are required between publicId and >>> systemId. >>> >>> 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed >>> File "/usr/sbin/ipa-ca-install", line 157, in >>> main() >>> >>> File "/usr/sbin/ipa-ca-install", line 142, in main >>> (CA, cs) = cainstance.install_replica_ca(config, postinstall=True) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 1136, in install_replica_ca >>> subject_base=config.subject_base) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 537, in configure_instance >>> self.start_creation("Configuring certificate server", 210) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 248, in start_creation >>> method() >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 680, in __configure_instance >>> raise RuntimeError('Configuration of CA failed') >>> >>> /var/log/pki-ca/debug contains: >>> >>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating >>> SSL Admin HTTPS . . . >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser >>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; >>> White spaces are required between publicId and systemId. 
>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS >>> no successful response for SSL Admin HTTPS >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase >>> getCertChainUsingSecureAdminPort start >>> [26/Mar/2012:14:22:36][http-9445-2]: >>> WizardPanelBase::getCertChainUsingSecureAdminPort() - >>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: >>> 50; White spaces are required between publicId and systemId. >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: >>> getCertChainUsingSecureAdminPort: java.io.IOException: >>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White >>> spaces are required between publicId and systemId. >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started >>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri = >>> /ca/admin/ca/getStatus >>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to >>> service. >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML >>> parsed >>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0 >>> [26/Mar/2012:14:22:36][http-9445-2]: panel no=3 >>> [26/Mar/2012:14:22:36][http-9445-2]: panel name=se