I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Version of both CA master and replica is 4.5.0, API version 2.228; domain level is 1.
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
2018-04-26T17:04:39Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'subject_base': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_subject': None, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': False},None
2018-04-26T17:04:39Z DEBUG IPA version 4.5.0-22.el7.centos
2018-04-26T17:04:39Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.virtual
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.whoami
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632
2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518>
2018-04-26T17:04:40Z DEBUG Initializing principal host/ipa-nyc-pci01.pci.xxxxxx.com@PCI.XXXXXX.COM using keytab /etc/krb5.keytab
2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache
2018-04-26T17:04:40Z DEBUG Attempt 1/1: success
2018-04-26T17:05:01Z DEBUG Starting external process
2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm PCI.XXXXXX.COM --hostname ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt
2018-04-26T17:05:16Z DEBUG Process finished, return code=0
2018-04-26T17:05:16Z DEBUG stdout=
2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master 'pci-mgmt-ipa01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol
and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/json'
trying https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://pci-mgmt-ipa01.pci.xxxxxx.com/ipa/session/json'
Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
Failed to connect to port 88 udp on 192.168.100.154
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
Failed to connect to port 464 udp on 192.168.100.154
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:16Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host: pci-mgmt-ipa01.pci.xxxxxx.com
2018-04-26T17:05:17Z DEBUG Starting external process
2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f /tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:17Z DEBUG Process finished, return code=0
2018-04-26T17:05:17Z DEBUG stdout=
2018-04-26T17:05:17Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:18Z DEBUG Process finished, return code=0
2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:19Z DEBUG Starting external process
2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n PCI.XXXXXX.COM IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p /tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:20Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db
2018-04-26T17:05:20Z DEBUG duration: 0 seconds
2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication
2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a91290>
2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId.
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.dns
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif'
2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache
2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128>
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig']
2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer']
2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])]
2018-04-26T17:05:31Z DEBUG Updated 1
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG duration: 11 seconds
2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user
2018-04-26T17:05:32Z DEBUG duration: 0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.pci.xxxxxx.com/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://pci-mgmt-ipa01.pci.xxxxxx.com:443
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
4 entries found

  Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-pki-ca
  Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705
  Serial Number: 0x4
  Nickname: subsystemCert cert-pki-ca
  Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-pki-ca
  Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM
  Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
  Trust Flags: u,u,u
  Has Key: true

Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca         u,u,u
subsystemCert cert-pki-ca           u,u,u
caSigningCert cert-pki-ca           CTu,Cu,Cu
auditSigningCert cert-pki-ca        u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
Replica debug log file:
Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: entering LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: RegistrySubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CertificateAuthority.startup(): Do not start CA in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: LDAPProfileSubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup done [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: curDate=Thu Apr 26 22:01:31 UTC 2018 id=caGetStatus time=15 [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: loading /usr/share/pki/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: checking /var/lib/pki/pki-tomcat/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: request format: application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: response format: application/json
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: configure()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, securityDomainName=null, securityDomainUser=admin-ipa-nyc-pci01.pci.xxxxxx.com, securityDomainPassword=XXXX, securityDomainPostLoginSleepSeconds=null, isClone=true, cloneUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, subsystemName=CA ipa-nyc-pci01.pci.xxxxxx.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa-nyc-pci01.pci.xxxxxx.com, dsPort=636, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=true, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@5faae3f1], issuingCA=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null, reindexData=True, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1]
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Token Authentication ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Security Domain Configuration ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Joining existing security domain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Resolving security domain URL https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Server certificate:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - subject: CN=pci-mgmt-ipa01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: certificate chain:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: - CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Getting domain XML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: len is 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Logged into security domain; sleeping for 5s
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: === Subsystem Configuration ===
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
Master debug file:
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: TCP Keep-Alive: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and maximum 15 
connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Roles: [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: 
evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: according to ccMode, authorization for servlet: caGetCertChainAdmin is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet:service() uri = /ca/admin/ca/getCertChain [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: caGetCertChainAdmin start to service. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: certificate chain: [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: - CN=Certificate Authority,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: curDate=Thu Apr 26 22:01:33 UTC 2018 id=caGetCertChainAdmin time=8 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SSL handshake happened [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Roles: [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.securitydomain.domainxml,read [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: 
user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainService.getInstallToken(pci-mgmt-ipa01.pci.xxxxxx.com, CA) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainProcessor: group: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search base: cn=Enterprise CA Administrators,ou=groups,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search filter: (uniquemember=uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization result: true 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainSessionTable: added session entry 7327023802561410048 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DOMAIN_UPDATE
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: caGetDomainXML is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: done initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: caGetDomainXML start to service. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: processing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. 
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory: init [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init begins [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init ends [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: makeConnection: errorIfDown false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: TCP Keep-Alive: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSL handshake happened [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: initializing with mininum 3 and maximum 15 connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: increasing minimum connections by 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new total available connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new number of connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: conn is 
connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Releasing ldap connection [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: curDate=Thu Apr 26 22:01:35 UTC 2018 id=caGetDomainXML time=51 [26/Apr/2018:22:03:10][Timer-0]: SessionTimer: run() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() 
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: Fri Apr 27 01:00:00 UTC 2018 delay: 10310677 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: masterConn is connected: true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 4
Thanks, Ross
_______________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Thursday, April 26, 2018 1:56 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Version of both ca master and replica is 4.5.0 api version 2.228 domain level is 1
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif' 2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache 2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128> 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsContainer 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer 2018-04-26T17:05:31Z DEBUG ipaConfigObject 2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig 2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix: 2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig'] 2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer'] 2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca'] 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z 
DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsContainer 2018-04-26T17:05:31Z DEBUG ipaConfigObject 2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer 2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix: 2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])] 2018-04-26T17:05:31Z DEBUG Updated 1 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG iparepltopoconf 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ca 2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG iparepltopoconf 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ca 2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 
2018-04-26T17:05:31Z DEBUG [] 2018-04-26T17:05:31Z DEBUG Updated 0 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG nsState: 2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG replica 2018-04-26T17:05:31Z DEBUG nsDS5Flags: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsds5replica 2018-04-26T17:05:31Z DEBUG extensibleobject 2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType: 2018-04-26T17:05:31Z DEBUG 3 2018-04-26T17:05:31Z DEBUG nsds5replicareapactive: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN: 2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName: 2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c 2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer: 2018-04-26T17:05:31Z DEBUG off 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId: 2018-04-26T17:05:31Z DEBUG 27 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval: 2018-04-26T17:05:31Z DEBUG 60 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup: 2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG 
onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG nsState: 2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG replica 2018-04-26T17:05:31Z DEBUG nsDS5Flags: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsds5replica 2018-04-26T17:05:31Z DEBUG extensibleobject 2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType: 2018-04-26T17:05:31Z DEBUG 3 2018-04-26T17:05:31Z DEBUG nsds5replicareapactive: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN: 2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName: 2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c 2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer: 2018-04-26T17:05:31Z DEBUG off 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId: 2018-04-26T17:05:31Z DEBUG 27 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval: 2018-04-26T17:05:31Z DEBUG 60 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup: 2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG [] 2018-04-26T17:05:31Z DEBUG Updated 0 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG duration: 11 seconds 2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user 2018-04-26T17:05:32Z DEBUG duration: 
0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa-2Dca.pci.xxxxxx.com_...
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
4 entries found
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d Serial Number: 0x2 Nickname: ocspSigningCert cert-pki-ca Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d Serial Number: 0x1 Nickname: caSigningCert cert-pki-ca Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: CTu,Cu,Cu Has Key: true
Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705 Serial Number: 0x4 Nickname: subsystemCert cert-pki-ca Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b Serial Number: 0x5 Nickname: auditSigningCert cert-pki-ca Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca             u,u,u
subsystemCert cert-pki-ca               u,u,u
caSigningCert cert-pki-ca               CTu,Cu,Cu
auditSigningCert cert-pki-ca            u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
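The log above ends with pkispawn rejecting the clone URI as not matching any available subsystem. As an added example (not part of the thread and not Dogtag's own code), this Python script checks a security-domain DomainInfo document, such as the one returned by getDomainXML, for a CA entry matching a clone URI. The Host and SecurePort element names, the host-and-port comparison, and the populated sample are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# DomainInfo as reported in this thread for the master: nothing is registered.
THREAD_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<DomainInfo><Name>IPA</Name>'
    '<CAList><SubsystemCount>0</SubsystemCount></CAList>'
    '<KRAList><SubsystemCount>0</SubsystemCount></KRAList>'
    '<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>'
    '<TKSList><SubsystemCount>0</SubsystemCount></TKSList>'
    '<RAList><SubsystemCount>0</SubsystemCount></RAList>'
    '<TPSList><SubsystemCount>0</SubsystemCount></TPSList>'
    '</DomainInfo>'
)

# Constructed sample of a populated domain. The host name is made up and the
# child element names (Host, SecurePort) are assumptions for illustration.
POPULATED_DOMAIN_XML = (
    '<DomainInfo><Name>IPA</Name><CAList>'
    '<CA><Host>ca1.example.test</Host><SecurePort>443</SecurePort></CA>'
    '<SubsystemCount>1</SubsystemCount></CAList></DomainInfo>'
)


def parse_clone_uri(uri):
    """Split https://host[:port] into (host, port); port defaults to 443."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("clone URI must look like https://host[:port]")
    return parts.hostname, parts.port or 443


def list_subsystems(domain_xml, kind="CA"):
    """Return (declared SubsystemCount, [(host, secure_port), ...])."""
    root = ET.fromstring(domain_xml.encode("utf-8"))
    container = root.find(kind + "List")
    if container is None:
        return 0, []
    declared = int(container.findtext("SubsystemCount", default="0"))
    entries = []
    for node in container.findall(kind):
        host = (node.findtext("Host") or "").strip()
        port = (node.findtext("SecurePort") or "").strip()
        entries.append((host, port))
    return declared, entries


def check_clone_uri(domain_xml, clone_uri, kind="CA"):
    """Return (ok, reason) for whether clone_uri is a registered subsystem."""
    host, port = parse_clone_uri(clone_uri)
    declared, entries = list_subsystems(domain_xml, kind)
    if not entries:
        return False, ("security domain lists no %s subsystems "
                       "(SubsystemCount=%d)" % (kind, declared))
    for entry_host, entry_port in entries:
        if entry_host.lower() == host and entry_port == str(port):
            return True, "matched %s:%s" % (entry_host, entry_port)
    # Distinguish a wrong port from a host that is not registered at all.
    ports = [p for h, p in entries if h.lower() == host]
    if ports:
        return False, ("host is registered on port(s) %s, not %d"
                       % (", ".join(ports), port))
    return False, ("host %s is not among: %s"
                   % (host, ", ".join(h for h, _ in entries)))


if __name__ == "__main__":
    uri = "https://pci-mgmt-ipa01.pci.xxxxxx.com:443"
    print(check_clone_uri(THREAD_DOMAIN_XML, uri))
    print(check_clone_uri(POPULATED_DOMAIN_XML, "https://ca1.example.test:443"))
```

An empty list and a wrong host or port produce different reasons, which separates a security domain with no registered CA from a mistyped clone URI.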
I assume the issue here is with the command... https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
Which returns... domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
I notice that all the SubsystemCount values are 0. I'm guessing that is what is causing the ipa-ca-install command to throw the Clone URI does not match available subsystems error.
However, the ipa server-show command shows that the pci-mgmt-ipa01 server is actually enabled for CA server.
[root@ipa-nyc-pci01 ~]# ipa server-show pci-mgmt-ipa01.pci.xxxxxx.com
  Server name: pci-mgmt-ipa01.pci.xxxxxx.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
So why does the DomainXML query return 0 subsystems?
What is the ipa-ca-install command expecting here?
Thanks, Ross
________________________________________
From: Ross Infinger
Sent: Friday, April 27, 2018 1:47 PM
To: Fraser Tweedale
Cc: FreeIPA users list
Subject: RE: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Replica debug log file:
Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: entering LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: RegistrySubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CertificateAuthority.startup(): Do not start CA in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: LDAPProfileSubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup done [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: curDate=Thu Apr 26 22:01:31 UTC 2018 id=caGetStatus time=15 [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: loading /usr/share/pki/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: checking /var/lib/pki/pki-tomcat/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: request format: application/json [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: configure() [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, securityDomainName=null, securityDomainUser=admin-ipa-nyc-pci01.pci.xxxxxx.com, securityDomainPassword=XXXX, securityDomainPostLoginSleepSeconds=null, isClone=true, cloneUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, subsystemName=CA ipa-nyc-pci01.pci.xxxxxx.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa-nyc-pci01.pci.xxxxxx.com, dsPort=636, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=true, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@5faae3f1], issuingCA=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, 
authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null, reindexData=True, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1]
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Token Authentication ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Security Domain Configuration ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Joining existing security domain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Resolving security domain URL https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Server certificate:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - subject: CN=pci-mgmt-ipa01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: certificate chain:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: - CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Getting domain XML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: len is 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Logged into security domain; sleeping for 5s
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: === Subsystem Configuration ===
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
Master debug file:
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: TCP Keep-Alive: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and maximum 15 
connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Roles: [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: 
evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: according to ccMode, authorization for servlet: caGetCertChainAdmin is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet:service() uri = /ca/admin/ca/getCertChain [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: caGetCertChainAdmin start to service. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: certificate chain: [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: - CN=Certificate Authority,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: curDate=Thu Apr 26 22:01:33 UTC 2018 id=caGetCertChainAdmin time=8 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SSL handshake happened [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Roles: [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.securitydomain.domainxml,read [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: 
user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainService.getInstallToken(pci-mgmt-ipa01.pci.xxxxxx.com, CA) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainProcessor: group: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search base: cn=Enterprise CA Administrators,ou=groups,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search filter: (uniquemember=uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization result: true 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainSessionTable: added session entry 7327023802561410048 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DOMAIN_UPDATE
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: caGetDomainXML is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: done initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: caGetDomainXML start to service. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: processing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. 
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory: init [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init begins [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init ends [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: makeConnection: errorIfDown false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: TCP Keep-Alive: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSL handshake happened [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: initializing with mininum 3 and maximum 15 connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: increasing minimum connections by 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new total available connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new number of connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: conn is 
connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Releasing ldap connection [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: curDate=Thu Apr 26 22:01:35 UTC 2018 id=caGetDomainXML time=51 [26/Apr/2018:22:03:10][Timer-0]: SessionTimer: run() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() 
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: Fri Apr 27 01:00:00 UTC 2018 delay: 10310677 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: masterConn is connected: true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 4
Thanks, Ross
_______________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Thursday, April 26, 2018 1:56 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Version of both ca master and replica is 4.5.0 api version 2.228 domain level is 1
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.virtual 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.whoami 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632 2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518> 2018-04-26T17:04:40Z DEBUG Initializing principal host/ipa-nyc-pci01.pci.xxxxxx.com@PCI.XXXXXX.COM using keytab /etc/krb5.keytab 2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache 2018-04-26T17:04:40Z DEBUG Attempt 1/1: success 2018-04-26T17:05:01Z DEBUG Starting external process 2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm PCI.XXXXXX.COM --hostname ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt 2018-04-26T17:05:16Z DEBUG Process finished, return code=0 2018-04-26T17:05:16Z DEBUG stdout= 2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master 'pci-mgmt-ipa01.pci.xxxxxx.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK. Start listening on required ports for remote master check 389 tcp: Failed to bind 636 tcp: Failed to bind 88 tcp: Failed to bind 88 udp: Failed to bind 464 tcp: Failed to bind 464 udp: Failed to bind 80 tcp: Failed to bind 443 tcp: Failed to bind Get credentials to log in to remote master Check RPC connection to remote master trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci.... [try 1]: Forwarding 'schema' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....' trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci.... [try 1]: Forwarding 'ping/1' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....' Execute check on remote master [try 1]: Forwarding 'server_conncheck' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....' Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Failed to connect to port 88 udp on 192.168.100.154 Kerberos KDC: UDP (88): WARNING Kerberos Kpasswd: TCP (464): OK Failed to connect to port 464 udp on 192.168.100.154 Kerberos Kpasswd: UDP (464): WARNING HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 88, 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-04-26T17:05:16Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host: pci-mgmt-ipa01.pci.xxxxxx.com 2018-04-26T17:05:17Z DEBUG Starting external process 2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f /tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt 2018-04-26T17:05:17Z DEBUG Process finished, return code=0 2018-04-26T17:05:17Z DEBUG stdout= 2018-04-26T17:05:17Z DEBUG stderr= 2018-04-26T17:05:18Z DEBUG Starting external process 2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile 2018-04-26T17:05:18Z DEBUG Process finished, return code=0 2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr= 2018-04-26T17:05:18Z DEBUG Starting external process 2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile 2018-04-26T17:05:19Z DEBUG Process finished, return code=0 2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr= 2018-04-26T17:05:19Z DEBUG Starting external process 2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile 2018-04-26T17:05:19Z DEBUG Process finished, return code=0 2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr= 2018-04-26T17:05:20Z DEBUG Starting external process 2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile 2018-04-26T17:05:20Z DEBUG Process finished, return code=0 2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr= 2018-04-26T17:05:20Z DEBUG Starting external process 2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n PCI.XXXXXX.COM IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt 2018-04-26T17:05:20Z DEBUG Process finished, return code=0 2018-04-26T17:05:20Z DEBUG stdout= 2018-04-26T17:05:20Z DEBUG stderr= 2018-04-26T17:05:20Z DEBUG Starting external process 2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p /tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12 2018-04-26T17:05:20Z DEBUG Process finished, return code=0 2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr= 2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2018-04-26T17:05:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-04-26T17:05:20Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db 2018-04-26T17:05:20Z DEBUG duration: 0 seconds 2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication 2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5] 2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a91290> 2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId. 2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins... 
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.aci 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automember 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automount 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseldap 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseuser 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.batch 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ca 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.caacl 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.cert 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certmap 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certprofile 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.config 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.delegation 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dns 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dogtag 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.group 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbac 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbactest 2018-04-26T17:05:30Z DEBUG importing plugin module 
ipaserver.plugins.host 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idrange 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idviews 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.internal 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.join 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ldap2 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.location 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.migration 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.misc 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.netgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otp 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otptoken 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.passwd 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.permission 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ping 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pkinit 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.privilege 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.rabase 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2018-04-26T17:05:30Z DEBUG importing 
plugin module ipaserver.plugins.role 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.schema 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selfservice 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.server 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverrole 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverroles 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.service 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.session 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.stageuser 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudo 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudorule 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.topology 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.trust 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.user 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.vault 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.virtual 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.whoami 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins... 
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.dns 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG Created connection 
context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif' 2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache 2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128> 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsContainer 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer 2018-04-26T17:05:31Z DEBUG ipaConfigObject 2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig 2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix: 2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig'] 2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer'] 2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca'] 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z 
DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsContainer 2018-04-26T17:05:31Z DEBUG ipaConfigObject 2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer 2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com 2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix: 2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])] 2018-04-26T17:05:31Z DEBUG Updated 1 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG iparepltopoconf 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ca 2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG iparepltopoconf 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG ca 2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 
2018-04-26T17:05:31Z DEBUG [] 2018-04-26T17:05:31Z DEBUG Updated 0 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Initial value 2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG nsState: 2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG replica 2018-04-26T17:05:31Z DEBUG nsDS5Flags: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsds5replica 2018-04-26T17:05:31Z DEBUG extensibleobject 2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType: 2018-04-26T17:05:31Z DEBUG 3 2018-04-26T17:05:31Z DEBUG nsds5replicareapactive: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN: 2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName: 2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c 2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer: 2018-04-26T17:05:31Z DEBUG off 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId: 2018-04-26T17:05:31Z DEBUG 27 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval: 2018-04-26T17:05:31Z DEBUG 60 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup: 2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG 
onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com'] 2018-04-26T17:05:31Z DEBUG --------------------------------------------- 2018-04-26T17:05:31Z DEBUG Final value after applying updates 2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2018-04-26T17:05:31Z DEBUG nsState: 2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2018-04-26T17:05:31Z DEBUG cn: 2018-04-26T17:05:31Z DEBUG replica 2018-04-26T17:05:31Z DEBUG nsDS5Flags: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot: 2018-04-26T17:05:31Z DEBUG o=ipaca 2018-04-26T17:05:31Z DEBUG objectClass: 2018-04-26T17:05:31Z DEBUG top 2018-04-26T17:05:31Z DEBUG nsds5replica 2018-04-26T17:05:31Z DEBUG extensibleobject 2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount: 2018-04-26T17:05:31Z DEBUG 1 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType: 2018-04-26T17:05:31Z DEBUG 3 2018-04-26T17:05:31Z DEBUG nsds5replicareapactive: 2018-04-26T17:05:31Z DEBUG 0 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN: 2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName: 2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c 2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer: 2018-04-26T17:05:31Z DEBUG off 2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId: 2018-04-26T17:05:31Z DEBUG 27 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval: 2018-04-26T17:05:31Z DEBUG 60 2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup: 2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com 2018-04-26T17:05:31Z DEBUG [] 2018-04-26T17:05:31Z DEBUG Updated 0 2018-04-26T17:05:31Z DEBUG Done 2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456 2018-04-26T17:05:31Z DEBUG duration: 11 seconds 2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user 2018-04-26T17:05:32Z DEBUG duration: 
0 seconds 2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance 2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0): [CA] pki_security_domain_name = IPA pki_enable_proxy = True pki_restart_configured_instance = False pki_backup_keys = True pki_backup_password = XXXXXXXX pki_profiles_in_ldap = True pki_default_ocsp_uri = https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa-2Dca.pci.xxxxxx.com_... pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2 pki_client_database_password = XXXXXXXX pki_client_database_purge = False pki_client_pkcs12_password = XXXXXXXX pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com pki_admin_email = root@localhost pki_admin_password = XXXXXXXX pki_admin_nickname = ipa-ca-agent pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM pki_client_admin_cert_p12 = /root/ca-agent.p12 pki_ds_ldap_port = 389 pki_ds_password = XXXXXXXX pki_ds_base_dn = o=ipaca pki_ds_database = ipaca pki_ds_ldaps_port = 636 pki_ds_secure_connection = True pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM pki_subsystem_nickname = subsystemCert cert-pki-ca pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca pki_ssl_server_nickname = Server-Cert cert-pki-ca pki_audit_signing_nickname = auditSigningCert cert-pki-ca pki_ca_signing_nickname = caSigningCert cert-pki-ca pki_ca_signing_key_algorithm = SHA256withRSA pki_pin = XXXXXXXX pki_ds_create_new_db = 
False pki_clone_setup_replication = False pki_clone_reindex_data = True pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com pki_security_domain_https_port = 443 pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com pki_security_domain_password = XXXXXXXX pki_clone = True pki_clone_pkcs12_path = /tmp/ca.p12 pki_clone_pkcs12_password = XXXXXXXX pki_clone_replication_security = TLS pki_clone_replication_master_port = 389 pki_clone_replication_clone_port = 389 pki_clone_replicate_schema = False pki_clone_uri = https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
2018-04-26T17:05:32Z DEBUG Starting external process 2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0 2018-04-26T17:05:51Z DEBUG Process finished, return code=1 2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log Loading deployment configuration from /tmp/tmp4j_eo0. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Importing certificates from /tmp/ca.p12:
4 entries found
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d Serial Number: 0x2 Nickname: ocspSigningCert cert-pki-ca Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d Serial Number: 0x1 Nickname: caSigningCert cert-pki-ca Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: CTu,Cu,Cu Has Key: true
Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705 Serial Number: 0x4 Nickname: subsystemCert cert-pki-ca Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b Serial Number: 0x5 Nickname: auditSigningCert cert-pki-ca Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM Trust Flags: u,u,u Has Key: true
Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
On Thu, May 03, 2018 at 02:25:34PM +0000, Ross Infinger wrote:
I assume the issue here is with the command... https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
Which returns... domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
I notice that all the SubsystemCount values are 0. I'm guessing that is what is causing the ipa-ca-install command to throw the Clone URI does not match available subsystems error.
However, the ipa server-show command shows that the pci-mgmt-ipa01 server is actually enabled for CA server.
[root@ipa-nyc-pci01 ~]# ipa server-show pci-mgmt-ipa01.pci.xxxxxx.com
  Server name: pci-mgmt-ipa01.pci.xxxxxx.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
So why does the DomainXML query return 0 subsystems?
What is the ipa-ca-install command expecting here?
Thanks, Ross
Hi Ross,
Could you please check the contents of the Security Domain CA List in LDAP? There should be an entry for the master. For example:
% ldapsearch -LLL -D "cn=directory manager" -w DM_PASSWORD -b "cn=CAList,ou=Security Domain,o=ipaca"
dn: cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: CAList

dn: cn=f28-0.ipa.local:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
host: f28-0.ipa.local
SecurePort: 443
SecureAgentPort: 443
SecureAdminPort: 443
SecureEEClientAuthPort: 443
UnSecurePort: 80
Clone: FALSE
SubsystemName: CA f28-0.ipa.local 8443
cn: f28-0.ipa.local:443
DomainManager: TRUE
`f28-0.ipa.local' is my master hostname. I don't have a CA replica in this topology (there would be another entry for it).
Do you have an entry for the master? Are all the attribute values as expected? If not, you could try creating the entry based on the example above, restart Dogtag on the master, then attempt replica installation again.
Cheers, Fraser
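The check that failed in this thread, as an added example that is not part of the original messages and is not Dogtag's or FreeIPA's own code: it parses a getDomainXML response and reports whether a clone URI has a matching CA entry, naming the LDAP entry to look for when it does not. The healthy XML sample, its element names, the matching rule (Host plus SecurePort) and all function names are assumptions; the DN pattern follows the example entry above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# getDomainXML response quoted in the thread: every SubsystemCount is 0.
EMPTY_DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<DomainInfo><Name>IPA</Name>"
    "<CAList><SubsystemCount>0</SubsystemCount></CAList>"
    "<KRAList><SubsystemCount>0</SubsystemCount></KRAList>"
    "<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>"
    "<TKSList><SubsystemCount>0</SubsystemCount></TKSList>"
    "<RAList><SubsystemCount>0</SubsystemCount></RAList>"
    "<TPSList><SubsystemCount>0</SubsystemCount></TPSList>"
    "</DomainInfo>"
)

# Constructed sample of a healthy response. Element names are assumed to
# mirror the LDAP attributes of the CAList entry shown in the thread.
HEALTHY_DOMAIN_XML = (
    "<DomainInfo><Name>IPA</Name><CAList>"
    "<CA><Host>f28-0.ipa.local</Host><SecurePort>443</SecurePort>"
    "<SubsystemName>CA f28-0.ipa.local 8443</SubsystemName>"
    "<Clone>FALSE</Clone><DomainManager>TRUE</DomainManager></CA>"
    "<SubsystemCount>1</SubsystemCount></CAList></DomainInfo>"
)


def list_subsystems(domain_xml, subsystem="CA"):
    """Return (declared_count, [(host, port), ...]) for one subsystem list."""
    root = ET.fromstring(domain_xml.encode("utf-8"))
    sub_list = root.find(subsystem + "List")
    if sub_list is None:
        return 0, []
    declared = int((sub_list.findtext("SubsystemCount") or "0").strip())
    entries = []
    for node in sub_list.findall(subsystem):
        host = (node.findtext("Host") or "").strip().lower()
        port = (node.findtext("SecurePort") or "").strip()
        if host and port.isdigit():
            entries.append((host, int(port)))
    return declared, entries


def expected_ldap_dn(host, port, subsystem="CA"):
    """DN where the entry should live, following the example entry in the thread."""
    return "cn={}:{},cn={}List,ou=Security Domain,o=ipaca".format(
        host, port, subsystem
    )


def check_clone_uri(domain_xml, clone_uri, subsystem="CA"):
    """Return (ok, message) for a clone URI checked against the domain XML."""
    parts = urlsplit(clone_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False, "clone URI must be an https:// URL with a host"
    # urlsplit lower-cases the hostname; default to 443 when no port is given.
    host, port = parts.hostname.lower(), parts.port or 443
    declared, entries = list_subsystems(domain_xml, subsystem)
    if (host, port) in entries:
        return True, "{}:{} is registered in {}List".format(host, port, subsystem)
    if not entries:
        why = "{}List is empty (SubsystemCount={})".format(subsystem, declared)
    else:
        known = ", ".join("{}:{}".format(h, p) for h, p in entries)
        why = "{}List only contains {}".format(subsystem, known)
    return False, "{}; expected LDAP entry {}".format(
        why, expected_ldap_dn(host, port, subsystem)
    )


if __name__ == "__main__":
    for xml_doc, uri in [
        (EMPTY_DOMAIN_XML, "https://pci-mgmt-ipa01.pci.xxxxxx.com:443"),
        (HEALTHY_DOMAIN_XML, "https://f28-0.ipa.local:443"),
        (HEALTHY_DOMAIN_XML, "https://f28-1.ipa.local:443"),
    ]:
        print(uri, "->", check_clone_uri(xml_doc, uri))
```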
There was no record in the CA list. I added one for the CA master with the ldapadd command. The ipa-ca-install command completed successfully this time! Thanks a million for your help!
Thanks, Ross
________________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Tuesday, May 08, 2018 11:49 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Could someone help me with this please? I've got a domain with only one CA and although I can create replicas, I can't create another CA. I need to get another CA in here somehow.
Any help would be much appreciated.
Thanks, Ross
________________________________________
From: Ross Infinger
Sent: Friday, April 27, 2018 1:47 PM
To: Fraser Tweedale
Cc: FreeIPA users list
Subject: RE: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Replica debug log file:
Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: entering LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup()
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: RegistrySubsystem: startup
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CertificateAuthority.startup(): Do not start CA in pre-op mode
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: LDAPProfileSubsystem: startup
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup done
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service.
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: curDate=Thu Apr 26 22:01:31 UTC 2018 id=caGetStatus time=15
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: Not authenticated.
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: loading /usr/share/pki/ca/conf/auth-method.properties
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: checking /var/lib/pki/pki-tomcat/ca/conf/auth-method.properties
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth methods: [*]
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access allowed
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization required
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not required.
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure()
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: request format: application/json
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: response format: application/json
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: configure()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, securityDomainName=null, securityDomainUser=admin-ipa-nyc-pci01.pci.xxxxxx.com, securityDomainPassword=XXXX, securityDomainPostLoginSleepSeconds=null, isClone=true, cloneUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, subsystemName=CA ipa-nyc-pci01.pci.xxxxxx.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa-nyc-pci01.pci.xxxxxx.com, dsPort=636, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=true, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@5faae3f1], issuingCA=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null, reindexData=True, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1]
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Token Authentication ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Security Domain Configuration ===
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Joining existing security domain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Resolving security domain URL https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting security domain cert chain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Server certificate:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - subject: CN=pci-mgmt-ipa01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: certificate chain:
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: - CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Getting domain XML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: len is 0
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Logged into security domain; sleeping for 5s
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: === Subsystem Configuration ===
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
[26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
Master debug file:
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: Not authenticated.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: default
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [*]
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor.filter: no authorization required
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping; authz not required.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection errorIfDown is false
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: TCP Keep-Alive: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and maximum 15 connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: CA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: OCSP
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: KRA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: RA
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TKS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TPS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password.
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num avail conns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Roles:
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Security Domain Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise CA Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise KRA Administrators
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.login
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.login()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.logout
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,logout
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody"
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: according to ccMode, authorization for servlet: caGetCertChainAdmin is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet:service() uri = /ca/admin/ca/getCertChain
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: caGetCertChainAdmin start to service.
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: certificate chain:
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: - CN=Certificate Authority,O=PCI.XXXXXX.COM
[26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: curDate=Thu Apr 26 22:01:33 UTC 2018 id=caGetCertChainAdmin time=8
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password.
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory::getConn
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory.getConn(): num avail conns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SSL handshake happened
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Roles: [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: securityDomain.installToken [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.securitydomain.domainxml,read [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: 
user="anybody" [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: SecurityDomainResource.getInstallToken() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainService.getInstallToken(pci-mgmt-ipa01.pci.xxxxxx.com, CA) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainProcessor: group: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search base: cn=Enterprise CA Administrators,ou=groups,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search filter: (uniquemember=uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca) [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization result: true 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainSessionTable: added session entry 7327023802561410048 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DOMAIN_UPDATE
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml] [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: caGetDomainXML is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: done initializing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: caGetDomainXML start to service. [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: processing... [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. 
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory: init [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init begins [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init ends [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: makeConnection: errorIfDown false [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: TCP Keep-Alive: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSL handshake happened [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: initializing with mininum 3 and maximum 15 connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: increasing minimum connections by 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new total available connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new number of connections 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: masterConn is connected: true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: conn is 
connected true [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: mNumConns now 2 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Releasing ldap connection [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: curDate=Thu Apr 26 22:01:35 UTC 2018 id=caGetDomainXML time=51 [26/Apr/2018:22:03:10][Timer-0]: SessionTimer: run() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() 
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true [26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true [26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2 [26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: Fri Apr 27 01:00:00 UTC 2018 delay: 10310677 [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: masterConn is connected: true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true [26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 4
Thanks, Ross
_______________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Thursday, April 26, 2018 1:56 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Version of both ca master and replica is 4.5.0 api version 2.228 domain level is 1
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
2018-04-26T17:04:39Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'subject_base': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_subject': None, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': False},None 2018-04-26T17:04:39Z DEBUG IPA version 4.5.0-22.el7.centos 2018-04-26T17:04:39Z DEBUG importing all plugin modules in ipaserver.plugins... 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.aci 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automember 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automount 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseldap 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseuser 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.batch 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ca 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.caacl 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.cert 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certmap 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certprofile 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.config 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.delegation 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dns 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dogtag 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.group 2018-04-26T17:04:39Z DEBUG importing plugin module 
ipaserver.plugins.hbac 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbactest 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.host 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idrange 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idviews 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.internal 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.join 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ldap2 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.location 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.migration 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.misc 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.netgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otp 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otptoken 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.passwd 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.permission 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ping 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pkinit 2018-04-26T17:04:39Z DEBUG importing plugin 
module ipaserver.plugins.privilege 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.rabase 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.role 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.schema 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selfservice 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.server 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverrole 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverroles 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.service 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.session 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.stageuser 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudo 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudorule 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.topology 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.trust 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.user 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.vault 
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.virtual
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.whoami
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632
2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518>
2018-04-26T17:04:40Z DEBUG Initializing principal host/ipa-nyc-pci01.pci.xxxxxx.com@PCI.XXXXXX.COM using keytab /etc/krb5.keytab
2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache
2018-04-26T17:04:40Z DEBUG Attempt 1/1: success
2018-04-26T17:05:01Z DEBUG Starting external process
2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm PCI.XXXXXX.COM --hostname ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt
2018-04-26T17:05:16Z DEBUG Process finished, return code=0
2018-04-26T17:05:16Z DEBUG stdout=
2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master 'pci-mgmt-ipa01.pci.xxxxxx.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
[try 1]: Forwarding 'schema' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
[try 1]: Forwarding 'ping/1' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Failed to connect to port 88 udp on 192.168.100.154
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): OK
Failed to connect to port 464 udp on 192.168.100.154
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:16Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host: pci-mgmt-ipa01.pci.xxxxxx.com
2018-04-26T17:05:17Z DEBUG Starting external process
2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f /tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:17Z DEBUG Process finished, return code=0
2018-04-26T17:05:17Z DEBUG stdout=
2018-04-26T17:05:17Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:18Z DEBUG Process finished, return code=0
2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:19Z DEBUG Starting external process
2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n PCI.XXXXXX.COM IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p /tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:20Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db
2018-04-26T17:05:20Z DEBUG duration: 0 seconds
2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication
2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a91290>
2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId.
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.dns
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif'
2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache
2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128>
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig']
2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer']
2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])]
2018-04-26T17:05:31Z DEBUG Updated 1
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG duration: 11 seconds
2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user
2018-04-26T17:05:32Z DEBUG duration: 0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa-2Dca.pci.xxxxxx.com_...
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
4 entries found
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d
Serial Number: 0x2
Nickname: ocspSigningCert cert-pki-ca
Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true

Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d
Serial Number: 0x1
Nickname: caSigningCert cert-pki-ca
Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: CTu,Cu,Cu
Has Key: true

Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705
Serial Number: 0x4
Nickname: subsystemCert cert-pki-ca
Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true

Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b
Serial Number: 0x5
Nickname: auditSigningCert cert-pki-ca
Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true
Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.