Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Simo Sorce
On Wed, 2012-03-28 at 17:30 -0400, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > Enabling a kerberized site with the FQDN is very easy with freeipa, but we
> > would like to use virtual hosting and kerberized sites.
> >
> > I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
> > created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
> > configured the apache webserver and it works.
> >
> > Then I created a cname record (vhost) pointing to
> > webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> > webserver, configured the vhosts without kerberizing anything. Virtual
> > hosts work as expected.
> >
> > But when I enable a kerberized directory in the vhost, then I see this
> > in the log file:
> >
> > [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> > gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> > provide more information (, Permission denied)
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> > 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
> >
> > When not using vhosts, it works although I see similar debugging info
> > (but instead of h...@vhost.ipa.domain.tld,
> > h...@webserver01.ipa.domain.tld). So I was wondering if it is possible
> > to do this vhost thing. With the ipa tools I can only add service
> > principals to joined hosts, not to cnames.
> >
> > It would be nice to have. Otherwise we need to have one server per
> > kerberized site, which is a bit of overkill really.
> 
> You should be able to add a host entry for the vhost, perhaps with the 
> --force flag to let it add w/o a DNS A record. Then you should be able 
> to create the service.

This shouldn't be necessary unless the vhost uses an A name, but then
you need a key for each vhost, which is burdensome.

I would keep this as a last resort after any other avenue failed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Simo Sorce
On Wed, 2012-03-28 at 22:49 +0200, Natxo Asenjo wrote:
> hi,
> 
> Enabling a kerberized site with the FQDN is very easy with freeipa, but
> we would like to use virtual hosting and kerberized sites.
> 
> I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
> created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
> 
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
> 
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
> 
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
> 
> When not using vhosts, it works although I see similar debugging info
> (but instead of h...@vhost.ipa.domain.tld,
> h...@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
> 
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, which is a bit of overkill really.

CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
In fact I just tested a virtual host on my ipa server using a cname and
it worked.
Can you post your (sanitized) mod_auth_kerb configuration?
Also, what browser are you testing with?

If you kdestroy and then kinit clean, and then try to access the server
*only* using the CNAME, you should see that the browser has acquired a
ticket for HTTP/A-name. You can use klist to verify. If this works you know
it is a server side issue only. If you do not have the ticket, there may be
a DNS/browser issue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

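The kdestroy/kinit/klist check Simo describes, worked through as an added example (it is not code from the thread or from FreeIPA): it follows the CNAME to the A-name the way a Kerberos client canonicalises the host before requesting a ticket, derives the HTTP/A-name@REALM principal, and looks for it in klist output. The realm IPA.DOMAIN.TLD, the DNS records and the klist text are constructed, and the verdict names are this example's own.

```python
# Assumed realm for the thread's ipa.domain.tld hosts (not stated in the thread).
REALM = "IPA.DOMAIN.TLD"

# Constructed DNS view: the CNAME from the thread pointing at the joined host.
DNS = {
    "vhost.ipa.domain.tld": ("CNAME", "webserver01.ipa.domain.tld"),
    "webserver01.ipa.domain.tld": ("A", "192.168.0.10"),
}

# Constructed klist output after kdestroy, kinit and one request to the vhost.
KLIST_OK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: natxo@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 22:00:01  03/29/12 22:00:01  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/28/12 22:02:14  03/29/12 22:00:01  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD
"""


def canonical_host(name, dns, max_hops=8):
    """Follow CNAMEs to the A-name, as a GSSAPI client does before it asks the
    KDC for a service ticket. Loops and dangling aliases raise instead of
    silently producing a principal the KDC could never issue."""
    seen = set()
    cur = name.rstrip(".").lower()
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop at %s" % cur)
        seen.add(cur)
        record = dns.get(cur)
        if record is None:
            raise LookupError("no DNS record for %s" % cur)
        rtype, target = record
        if rtype == "A":
            return cur
        cur = target.rstrip(".").lower()
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def expected_spn(vhost, dns, realm=REALM):
    """The key Simo says the vhost should be served with: HTTP/A-name@REALM."""
    return "HTTP/%s@%s" % (canonical_host(vhost, dns), realm)


def service_tickets(klist_text):
    """Service principals from klist output (one per 'start expiry principal' row)."""
    found = []
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0][0].isdigit() and "@" in parts[4]:
            found.append(parts[4])
    return found


def diagnose(vhost, dns, klist_text, realm=REALM):
    """Classify the klist result the way the thread does.
    'server-side': the client holds HTTP/A-name, so look at the keytab and
    mod_auth_kerb config; 'alias-ticket': the client asked for HTTP/vhost,
    which only works if the server has a key for that vhost principal;
    'no-ticket': no HTTP ticket at all, so a DNS/browser issue."""
    spn = expected_spn(vhost, dns, realm)
    tickets = set(service_tickets(klist_text))
    if spn in tickets:
        return "server-side", spn
    if "HTTP/%s@%s" % (vhost.lower(), realm) in tickets:
        return "alias-ticket", spn
    return "no-ticket", spn


if __name__ == "__main__":
    print(diagnose("vhost.ipa.domain.tld", DNS, KLIST_OK))
```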


Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Rob Crittenden

Natxo Asenjo wrote:

> hi,
>
> Enabling a kerberized site with the FQDN is very easy with freeipa, but we
> would like to use virtual hosting and kerberized sites.
>
> I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
> created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
>
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
>
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
>
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.
>
> When not using vhosts, it works although I see similar debugging info
> (but instead of h...@vhost.ipa.domain.tld,
> h...@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
>
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, which is a bit of overkill really.

You should be able to add a host entry for the vhost, perhaps with the
--force flag to let it add w/o a DNS A record. Then you should be able
to create the service.


rob



Re: [Freeipa-users] passwd sync

2012-03-28 Thread Simo Sorce
On Wed, 2012-03-28 at 20:12 +, Steven Jones wrote:
> Hi,
> 
> That is cool, but I have not read that anywhere, can we get that bit written
> into the passsync section? Or have I missed it?

This may shed some light:
http://freeipa.org/page/PasswordSynchronization

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Natxo Asenjo
hi,

Enabling a kerberized site with the FQDN is very easy with freeipa, but we
would like to use virtual hosting and kerberized sites.

I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
configured the apache webserver and it works.

Then I created a cname record (vhost) pointing to
webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
webserver, configured the vhosts without kerberizing anything. Virtual
hosts work as expected.

But when I enable a kerberized directory in the vhost, then I see this in
the log file:

[Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21] gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more information
(, Permission denied)
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
192.168.0.21] Acquiring creds for h...@vhost.ipa.domain.tld.

When not using vhosts, it works although I see similar debugging info (but
instead of h...@vhost.ipa.domain.tld, h...@webserver01.ipa.domain.tld). So
I was wondering if it is possible to do this vhost thing. With the ipa
tools I can only add service principals to joined hosts, not to cnames.

It would be nice to have. Otherwise we need to have one server per
kerberized site, which is a bit of overkill really.

--
Groeten,
natxo

Re: [Freeipa-users] passwd sync

2012-03-28 Thread Steven Jones
Hi,

That is cool, but I have not read that anywhere, can we get that bit written
into the passsync section? Or have I missed it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 29 March 2012 8:53 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/28/2012 03:50 PM, Steven Jones wrote:
> 8><--
>
> It cannot be a wildcard:
>  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>      break;
>  }
> but it is multivalued.
>
> 8><--
>
> This is over my head
>
> 8><--
>
> What exactly are you trying to do?  Defeat password sync for
>
> uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think 
> passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
> 8><
>
> Ok, so at present when I set up a new user with a temp password in IPA and
> give it to the user they have to set a new one on first login to a client.
>
> Once password(s) flow through from AD I don't want the reset password feature 
> in IPA to be functional when a user "first" logs in.
>
> regards
>
>

I do not think the password reset is required when you sync the users
from an external source. Only when you added a new user via CLI or UI or
migrated him.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] passwd sync

2012-03-28 Thread Dmitri Pal
On 03/28/2012 03:50 PM, Steven Jones wrote:
> 8><--
>
> It cannot be a wildcard:
>  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>      break;
>  }
> but it is multivalued.
>
> 8><--
>
> This is over my head
>
> 8><--
>
> What exactly are you trying to do?  Defeat password sync for
>
> uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think 
> passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
> 8><
>
> Ok, so at present when I set up a new user with a temp password in IPA and
> give it to the user they have to set a new one on first login to a client.
>
> Once password(s) flow through from AD I don't want the reset password feature 
> in IPA to be functional when a user "first" logs in.
>
> regards
>
>

I do not think the password reset is required when you sync the users
from an external source. Only when you added a new user via CLI or UI or
migrated him.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] passwd sync

2012-03-28 Thread Steven Jones
8><--

It cannot be a wildcard:
 if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
     pwdata.changetype = IPA_CHANGETYPE_DSMGR;
     break;
 }
but it is multivalued.

8><--

This is over my head

8><--

What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.

8><

Ok, so at present when I set up a new user with a temp password in IPA and give
it to the user they have to set a new one on first login to a client.

Once password(s) flow through from AD I don't want the reset password feature 
in IPA to be functional when a user "first" logs in.

regards




[Freeipa-users] passwd sync

2012-03-28 Thread Steven Jones
Hi,


I have a support call into RH as the passync msi is in the RDS channel so I
have no access to it as I have no RDS subscription. So if it's "free" as it
comes with IPA it needs to be moved.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] Another CA replica install issue

2012-03-28 Thread Rob Crittenden

Dan Scott wrote:
> Can anyone help with this?
>
> Thanks,
>
> Dan
>
> On Mon, Mar 26, 2012 at 16:17, Dan Scott  wrote:
>> On Mon, Mar 26, 2012 at 15:53, Rob Crittenden  wrote:
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm having another replica CA install issue. Fedora 16 with latest
>>>> updates applied this morning:
>>>>
>>>> ipa-ca-install replica-info-fileserver4.example.com.gpg
>>>>
>>>> [snip]
>>>>
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>   [1/11]: creating certificate server user
>>>>   [2/11]: creating pki-ca instance
>>>>   [3/11]: configuring certificate server instance
>>>> root: CRITICAL failed to configure ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>>> 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>>> '/tmp/tmp-w8FRe5' '-client_certdb_pwd'  '-preop_pin'
>>>> 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin'
>>>> '-admin_email' 'root@localhost' '-admin_password' 
>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>>>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>>>> 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com'
>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>>>>  '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>>>> '-backup_pwd'  '-subsystem_name' 'pki-cad' '-token_name'
>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>>>> Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>>>> Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name'
>>>> 'CN=fileserver4.example.com,O=EXAMPLE.COM'
>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>>> '-clone_p12_password'  '-sd_hostname'
>>>> 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name'
>>>> 'admin' '-sd_admin_password'  '-clone_start_tls' 'true'
>>>> '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero
>>>> exit status 255
>>>> creation of replica failed: Configuration of CA failed
>>>>
>>>> /var/log/ipareplica-ca-install.log contains:
>>>>
>>>> org.xml.sax.SAXParseException; lineNumber: 1;
>>>> columnNumber: 50; White spaces are required between publicId and
>>>> systemId.
>>>>
>>>> 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed
>>>>   File "/usr/sbin/ipa-ca-install", line 157, in
>>>>     main()
>>>>
>>>>   File "/usr/sbin/ipa-ca-install", line 142, in main
>>>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1136, in install_replica_ca
>>>>     subject_base=config.subject_base)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 537, in configure_instance
>>>>     self.start_creation("Configuring certificate server", 210)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 248, in start_creation
>>>>     method()
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 680, in __configure_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>>
>>>> /var/log/pki-ca/debug contains:
>>>>
>>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating
>>>> SSL Admin HTTPS . . .
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser
>>>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>>>> White spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS
>>>> no successful response for SSL Admin HTTPS
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase
>>>> getCertChainUsingSecureAdminPort start
>>>> [26/Mar/2012:14:22:36][http-9445-2]:
>>>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>>>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>>>> 50; White spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase:
>>>> getCertChainUsingSecureAdminPort: java.io.IOException:
>>>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>>> spaces are required between publicId and systemId.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri =
>>>> /ca/admin/ca/getStatus
>>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to
>>>> service.
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML
>>>> parsed
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0
>>>> [26/Mar/2012:14:22:36][http-9445-2]: panel no=3
>>>> [26/Mar/2012:14:22:36][http-9445-2]: panel name=securitydomain
>>>> [26/Mar/2012:14:22:36][http-9445-2]: total number of panels=19
>>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardServlet: found xml
>>>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>>>> org.apache.catalina.connector.ResponseFacade
>>>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>>>> org.apache.catalina.connector.RequestFacade
>>>> [26/Mar/2012

Re: [Freeipa-users] Another CA replica install issue

2012-03-28 Thread Dan Scott
Can anyone help with this?

Thanks,

Dan

On Mon, Mar 26, 2012 at 16:17, Dan Scott  wrote:
> On Mon, Mar 26, 2012 at 15:53, Rob Crittenden  wrote:
>> Dan Scott wrote:
>>>
>>> Hi,
>>>
>>> I'm having another replica CA install issue. Fedora 16 with latest
>>> updates applied this morning:
>>>
>>> ipa-ca-install replica-info-fileserver4.example.com.gpg
>>>
>>> [snip]
>>>
>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>   [1/11]: creating certificate server user
>>>   [2/11]: creating pki-ca instance
>>>   [3/11]: configuring certificate server instance
>>> root        : CRITICAL failed to configure ca instance Command
>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>>> 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir'
>>> '/tmp/tmp-w8FRe5' '-client_certdb_pwd'  '-preop_pin'
>>> 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin'
>>> '-admin_email' 'root@localhost' '-admin_password' 
>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>>> 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com'
>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>>>  '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>>> '-backup_pwd'  '-subsystem_name' 'pki-cad' '-token_name'
>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>>> Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>>> Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name'
>>> 'CN=fileserver4.example.com,O=EXAMPLE.COM'
>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>>> '-clone_p12_password'  '-sd_hostname'
>>> 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name'
>>> 'admin' '-sd_admin_password'  '-clone_start_tls' 'true'
>>> '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero
>>> exit status 255
>>> creation of replica failed: Configuration of CA failed
>>>
>>> /var/log/ipareplica-ca-install.log contains:
>>>
>>> org.xml.sax.SAXParseException; lineNumber: 1;
>>> columnNumber: 50; White spaces are required between publicId and
>>> systemId.
>>>
>>> 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed
>>>   File "/usr/sbin/ipa-ca-install", line 157, in
>>>     main()
>>>
>>>   File "/usr/sbin/ipa-ca-install", line 142, in main
>>>     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 1136, in install_replica_ca
>>>     subject_base=config.subject_base)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 537, in configure_instance
>>>     self.start_creation("Configuring certificate server", 210)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 248, in start_creation
>>>     method()
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 680, in __configure_instance
>>>     raise RuntimeError('Configuration of CA failed')
>>>
>>> /var/log/pki-ca/debug contains:
>>>
>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating
>>> SSL Admin HTTPS . . .
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser
>>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>>> White spaces are required between publicId and systemId.
>>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS
>>> no successful response for SSL Admin HTTPS
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase
>>> getCertChainUsingSecureAdminPort start
>>> [26/Mar/2012:14:22:36][http-9445-2]:
>>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>>> 50; White spaces are required between publicId and systemId.
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase:
>>> getCertChainUsingSecureAdminPort: java.io.IOException:
>>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>> spaces are required between publicId and systemId.
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri =
>>> /ca/admin/ca/getStatus
>>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to
>>> service.
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML
>>> parsed
>>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0
>>> [26/Mar/2012:14:22:36][http-9445-2]: panel no=3
>>> [26/Mar/2012:14:22:36][http-9445-2]: panel name=se