I assume the issue here is with the command...
https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML
Which returns...
domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
I notice that all the SubsystemCount values are 0. I'm guessing that is what is causing the ipa-ca-install command to throw the Clone URI does not match available subsystems error.
However, the ipa server-show command shows that the pci-mgmt-ipa01 server is actually enabled for CA server.
[root@ipa-nyc-pci01 ~]# ipa server-show pci-mgmt-ipa01.pci.xxxxxx.com
  Server name: pci-mgmt-ipa01.pci.xxxxxx.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
So why does the DomainXML query return 0 subsystems?
What is the ipa-ca-install command expecting here?
Thanks,
Ross
________________________________________
From: Ross Infinger
Sent: Friday, April 27, 2018 1:47 PM
To: Fraser Tweedale
Cc: FreeIPA users list
Subject: RE: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Replica debug log file:
Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0 [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: debug startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: entering LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: LogFile: entering LogFile.startup() [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: log startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jss startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: dbs startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: usrgrp startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: RegistrySubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: registry startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: oidmap startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: X500Name startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: request startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CertificateAuthority.startup(): Do not start CA in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: ca startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: LDAPProfileSubsystem: startup [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: profile startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: selftests startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: CrossCertPair startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: stats startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup start 
[26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: auths startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: authz startup done [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup start [26/Apr/2018:22:01:31][localhost-startStop-1]: CMSEngine: jobsScheduler startup done [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:31][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service. [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: CMSServlet: curDate=Thu Apr 26 22:01:31 UTC 2018 id=caGetStatus time=15 [26/Apr/2018:22:01:31][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: loading /usr/share/pki/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: checking /var/lib/pki/pki-tomcat/ca/conf/auth-method.properties [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure() [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: request format: application/json [26/Apr/2018:22:01:32][http-bio-8443-exec-3]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: configure() [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, securityDomainName=null, securityDomainUser=admin-ipa-nyc-pci01.pci.xxxxxx.com, securityDomainPassword=XXXX, securityDomainPostLoginSleepSeconds=null, isClone=true, cloneUri=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, subsystemName=CA ipa-nyc-pci01.pci.xxxxxx.com 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=ipa-nyc-pci01.pci.xxxxxx.com, dsPort=636, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=true, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@5faae3f1], issuingCA=https://pci-mgmt-ipa01.pci.xxxxxx.com:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, 
authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null, reindexData=True, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1] [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Token Authentication === [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: === Security Domain Configuration === [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Joining existing security domain [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Resolving security domain URL https://pci-mgmt-ipa01.pci.xxxxxx.com:443 [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting security domain cert chain [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain() [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getCertChain [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Server certificate: [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - subject: CN=pci-mgmt-ipa01.pci.xxxxxx.com,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: - issuer: CN=Certificate Authority,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: certificate chain: [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: ConfigurationUtils: - CN=Certificate Authority,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token [26/Apr/2018:22:01:33][http-bio-8443-exec-3]: Getting install token [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Getting domain XML [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: GET https://pci-mgmt-ipa01.pci.xxxxxx.com:443/ca/admin/ca/getDomainXML [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: status: 0 
[26/Apr/2018:22:01:35][http-bio-8443-exec-3]: ConfigurationUtils: domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><SubsystemCount>0</SubsystemCount></CAList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><RAList><SubsystemCount>0</SubsystemCount></RAList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo> [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: len is 0 [26/Apr/2018:22:01:35][http-bio-8443-exec-3]: Logged into security domain; sleeping for 5s [26/Apr/2018:22:01:40][http-bio-8443-exec-3]: === Subsystem Configuration === [26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://pci-mgmt-ipa01.pci.xxxxxx.com:443 [26/Apr/2018:22:01:40][http-bio-8443-exec-3]: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443 [26/Apr/2018:22:01:40][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
Master debug file:
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: Not authenticated. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: default [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [*] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor.filter: no authorization required [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping; authz not required. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection errorIfDown is false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: TCP Keep-Alive: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and maximum 15 
connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: CA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: OCSP [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: KRA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: RA [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TKS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TPS [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:24][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Roles: [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.login() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,logout [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody" [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: 
evaluated expression: user="anybody" to be true [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.logout() [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json] [26/Apr/2018:22:01:25][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: according to ccMode, authorization for servlet: caGetCertChainAdmin is LDAP based, not XML {1}, use default authz mgr: {2}. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet:service() uri = /ca/admin/ca/getCertChain [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: caGetCertChainAdmin start to service. [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: certificate chain: [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: GetCertChain: - CN=Certificate Authority,O=PCI.XXXXXX.COM [26/Apr/2018:22:01:33][ajp-bio-127.0.0.1-8009-exec-9]: CMSServlet: curDate=Thu Apr 26 22:01:33 UTC 2018 id=caGetCertChainAdmin time=8 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Authenticating user admin-ipa-nyc-pci01.pci.xxxxxx.com with password. 
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: UID: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PasswdUserDBAuthentication: DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory::getConn [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: LdapAnonConnFactory.getConn(): num avail conns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SSL handshake happened [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: User DN: uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3 [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Roles: [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Security Domain Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise CA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: PKIRealm: Enterprise KRA Administrators [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.login() [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr] [26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: 
authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.login
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,login
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.login()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: securityDomain.installToken
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: securityDomain.installToken
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.securitydomain.domainxml,read
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody"
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: SecurityDomainResource.getInstallToken()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml]
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainService.getInstallToken(pci-mgmt-ipa01.pci.xxxxxx.com, CA)
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainProcessor: group: Enterprise CA Administrators
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search base: cn=Enterprise CA Administrators,ou=groups,o=ipaca
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization search filter: (uniquemember=uid=admin-ipa-nyc-pci01.pci.xxxxxx.com,ou=people,o=ipaca)
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: authorization result: true
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:34][ajp-bio-127.0.0.1-8009-exec-3]: masterConn is connected: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: conn is connected true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: getConn: mNumConns now 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SecurityDomainSessionTable: added session entry 7327023802561410048
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DOMAIN_UPDATE
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SessionContextInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: mapping: account
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: AuthMethodInterceptor: access granted
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: principal: admin-ipa-nyc-pci01.pci.xxxxxx.com
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: mapping: account.logout
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: checkACLS(): ACLEntry expressions= user="anybody"
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluating expressions: user="anybody"
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: evaluated expression: user="anybody" to be true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: DirAclAuthz: authorization passed
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: ACLInterceptor: access granted
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: AccountResource.logout()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: content-type: null
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: accept: [application/xml]
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-3]: MessageFormatInterceptor: response format: application/xml
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: initializing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: caGetDomainXML is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: done initializing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet:service() uri = /ca/admin/ca/getDomainXML
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: caGetDomainXML start to service.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: GetDomainXML: processing...
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory: init
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapBoundConnFactory:doCloning true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init begins
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapAuthInfo: init ends
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: init: before makeConnection errorIfDown is false
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: makeConnection: errorIfDown false
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: TCP Keep-Alive: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SSL handshake happened
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Established LDAP connection with SSL client auth to pci-mgmt-ipa01.pci.xxxxxx.com:636
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: initializing with mininum 3 and maximum 15 connections to host pci-mgmt-ipa01.pci.xxxxxx.com port 636, secure connection, true, authentication type 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: increasing minimum connections by 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new total available connections 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: new number of connections 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: masterConn is connected: true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: conn is connected true
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: getConn: mNumConns now 2
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: name: IPA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: CA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: OCSP
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: KRA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: RA
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TKS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: SecurityDomainProcessor: subtype: TPS
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: Releasing ldap connection
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: returnConn: mNumConns now 3
[26/Apr/2018:22:01:35][ajp-bio-127.0.0.1-8009-exec-4]: CMSServlet: curDate=Thu Apr 26 22:01:35 UTC 2018 id=caGetDomainXML time=51
[26/Apr/2018:22:03:10][Timer-0]: SessionTimer: run()
[26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds()
[26/Apr/2018:22:03:10][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:03:10][Timer-0]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:03:10][Timer-0]: masterConn is connected: true
[26/Apr/2018:22:03:10][Timer-0]: getConn: conn is connected true
[26/Apr/2018:22:03:10][Timer-0]: getConn: mNumConns now 2
[26/Apr/2018:22:03:10][Timer-0]: returnConn: mNumConns now 3
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: findNextUpdate: Fri Apr 27 01:00:00 UTC 2018 delay: 10310677
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn()
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: masterConn is connected: true
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: conn is connected true
[26/Apr/2018:22:08:09][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 4
Thanks,
Ross

_______________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Thursday, April 26, 2018 1:56 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
Hi Ross,
Could you please also provide the /var/log/pki/pki-tomcat/ca/debug log files from both master and replica?
Thanks, Fraser
On Thu, Apr 26, 2018 at 05:33:32PM +0000, Ross Infinger via FreeIPA-users wrote:
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Version of both CA master and replica is 4.5.0, API version 2.228, domain level is 1.
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks, Ross
2018-04-26T17:04:39Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'subject_base': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_subject': None, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': False},None 2018-04-26T17:04:39Z DEBUG IPA version 4.5.0-22.el7.centos 2018-04-26T17:04:39Z DEBUG importing all plugin modules in ipaserver.plugins... 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.aci 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automember 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.automount 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseldap 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.baseuser 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.batch 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ca 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.caacl 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.cert 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certmap 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.certprofile 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.config 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.delegation 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dns 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.dogtag 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.group 2018-04-26T17:04:39Z DEBUG importing plugin module 
ipaserver.plugins.hbac 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hbactest 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.host 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idrange 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.idviews 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.internal 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.join 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ldap2 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.location 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.migration 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.misc 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.netgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otp 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.otptoken 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.passwd 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.permission 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.ping 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pkinit 2018-04-26T17:04:39Z DEBUG importing plugin 
module ipaserver.plugins.privilege 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.rabase 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.role 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.schema 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selfservice 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.server 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverrole 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.serverroles 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.service 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.session 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.stageuser 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudo 2018-04-26T17:04:39Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.sudorule 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.topology 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.trust 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.user 2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.vault 
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.virtual
2018-04-26T17:04:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.whoami
2018-04-26T17:04:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-26T17:04:40Z DEBUG Created connection context.ldap2_75479632
2018-04-26T17:04:40Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x65e1518>
2018-04-26T17:04:40Z DEBUG Initializing principal host/ipa-nyc-pci01.pci.xxxxxx.com@PCI.XXXXXX.COM using keytab /etc/krb5.keytab
2018-04-26T17:04:40Z DEBUG using ccache /tmp/krbccsV9vse/ccache
2018-04-26T17:04:40Z DEBUG Attempt 1/1: success
2018-04-26T17:05:01Z DEBUG Starting external process
2018-04-26T17:05:01Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master pci-mgmt-ipa01.pci.xxxxxx.com --auto-master-check --realm PCI.XXXXXX.COM --hostname ipa-nyc-pci01.pci.xxxxxx.com --ca-cert-file /etc/ipa/ca.crt
2018-04-26T17:05:16Z DEBUG Process finished, return code=0
2018-04-26T17:05:16Z DEBUG stdout=
2018-04-26T17:05:16Z DEBUG stderr=Check connection from replica to remote master 'pci-mgmt-ipa01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocoland would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
[try 1]: Forwarding 'schema' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
trying https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
[try 1]: Forwarding 'ping/1' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....'
Check connection from master to remote replica 'ipa-nyc-pci01.pci.xxxxxx.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Failed to connect to port 88 udp on 192.168.100.154
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Failed to connect to port 464 udp on 192.168.100.154
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.
2018-04-26T17:05:16Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:16Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:16Z INFO Waiting up to 300 seconds to see our keys appear on host: pci-mgmt-ipa01.pci.xxxxxx.com
2018-04-26T17:05:17Z DEBUG Starting external process
2018-04-26T17:05:17Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -N -f /tmp/tmpuXiBUA/pwdfile.txt -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:17Z DEBUG Process finished, return code=0
2018-04-26T17:05:17Z DEBUG stdout=
2018-04-26T17:05:17Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:18Z DEBUG Process finished, return code=0
2018-04-26T17:05:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:18Z DEBUG stderr=
2018-04-26T17:05:18Z DEBUG Starting external process
2018-04-26T17:05:18Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n ocspSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:19Z DEBUG Starting external process
2018-04-26T17:05:19Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n auditSigningCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:19Z DEBUG Process finished, return code=0
2018-04-26T17:05:19Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:19Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/pk12util -d /tmp/tmpuXiBUA -k /tmp/tmpuXiBUA/pwdfile.txt -n subsystemCert cert-pki-ca -i /tmp/tmpuXiBUA/pk12file -w /tmp/tmpuXiBUA/pk12pwfile
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/certutil -d /tmp/tmpuXiBUA -A -n PCI.XXXXXX.COM IPA CA -t CT,C,C -f /tmp/tmpuXiBUA/pwdfile.txt
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Starting external process
2018-04-26T17:05:20Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpuXiBUA -p /tmp/tmpuXiBUA/pwdfile.txt -w /tmp/tmpuXiBUA/crtpwfile -o /tmp/tmpp2RSQHipa/cacert.p12
2018-04-26T17:05:20Z DEBUG Process finished, return code=0
2018-04-26T17:05:20Z DEBUG stdout=Export complete.
2018-04-26T17:05:20Z DEBUG stderr=
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-04-26T17:05:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:20Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-04-26T17:05:20Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
2018-04-26T17:05:20Z DEBUG [1/25]: creating certificate server db
2018-04-26T17:05:20Z DEBUG duration: 0 seconds
2018-04-26T17:05:20Z DEBUG [2/25]: setting up initial replication
2018-04-26T17:05:20Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-04-26T17:05:20Z DEBUG retrieving schema for SchemaCache url=ldap://pci-mgmt-ipa01.pci.xxxxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a91290>
2018-04-26T17:05:21Z DEBUG Successfully updated nsDS5ReplicaId.
2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.aci 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automember 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.automount 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseldap 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.baseuser 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.batch 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ca 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.caacl 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.cert 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certmap 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.certprofile 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.config 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.delegation 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dns 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.dogtag 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.group 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbac 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hbactest 2018-04-26T17:05:30Z DEBUG importing plugin module 
ipaserver.plugins.host 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idrange 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.idviews 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.internal 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.join 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ldap2 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.location 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.migration 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.misc 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.netgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otp 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.otptoken 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.passwd 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.permission 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.ping 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pkinit 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.privilege 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.rabase 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2018-04-26T17:05:30Z DEBUG importing 
plugin module ipaserver.plugins.role 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.schema 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selfservice 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.server 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverrole 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.serverroles 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.service 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.session 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.stageuser 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudo 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.sudorule 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.topology 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.trust 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.user 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.vault 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.virtual 2018-04-26T17:05:30Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.whoami 2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2018-04-26T17:05:30Z DEBUG importing all plugin modules in ipaserver.install.plugins... 
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.dns
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2018-04-26T17:05:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Created connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif'
2018-04-26T17:05:31Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket from SchemaCache
2018-04-26T17:05:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-PCI-XXXXXX-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6a93128>
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value [u'top', u'nsContainer', u'ipaReplTopoManagedServer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig']
2018-04-26T17:05:31Z DEBUG add: updated value [u'top', u'nsContainer', u'ipaConfigObject', u'ipaSupportedDomainLevelConfig', u'ipaReplTopoManagedServer']
2018-04-26T17:05:31Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value [u'dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG add: updated value [u'dc=pci,dc=xxxxxx,dc=com', u'o=ipaca']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ipa-nyc-pci01.pci.xxxxxx.com,cn=masters,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsContainer
2018-04-26T17:05:31Z DEBUG ipaConfigObject
2018-04-26T17:05:31Z DEBUG ipaSupportedDomainLevelConfig
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedServer
2018-04-26T17:05:31Z DEBUG ipaMaxDomainLevel:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG ipaMinDomainLevel:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ipa-nyc-pci01.pci.xxxxxx.com
2018-04-26T17:05:31Z DEBUG ipaReplTopoManagedSuffix:
2018-04-26T17:05:31Z DEBUG dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG [(0, u'ipaReplTopoManagedSuffix', [u'o=ipaca'])]
2018-04-26T17:05:31Z DEBUG Updated 1
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG iparepltopoconf
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG ca
2018-04-26T17:05:31Z DEBUG ipaReplTopoConfRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Initial value
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com' to nsds5replicabinddngroup, current value [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG onlyifexist: set nsds5replicabinddngroup to [u'cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com']
2018-04-26T17:05:31Z DEBUG ---------------------------------------------
2018-04-26T17:05:31Z DEBUG Final value after applying updates
2018-04-26T17:05:31Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config
2018-04-26T17:05:31Z DEBUG nsState:
2018-04-26T17:05:31Z DEBUG GwAAAAAAAADRBuJaAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
2018-04-26T17:05:31Z DEBUG cn:
2018-04-26T17:05:31Z DEBUG replica
2018-04-26T17:05:31Z DEBUG nsDS5Flags:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaRoot:
2018-04-26T17:05:31Z DEBUG o=ipaca
2018-04-26T17:05:31Z DEBUG objectClass:
2018-04-26T17:05:31Z DEBUG top
2018-04-26T17:05:31Z DEBUG nsds5replica
2018-04-26T17:05:31Z DEBUG extensibleobject
2018-04-26T17:05:31Z DEBUG nsds5ReplicaChangeCount:
2018-04-26T17:05:31Z DEBUG 1
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaType:
2018-04-26T17:05:31Z DEBUG 3
2018-04-26T17:05:31Z DEBUG nsds5replicareapactive:
2018-04-26T17:05:31Z DEBUG 0
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaBindDN:
2018-04-26T17:05:31Z DEBUG cn=replication manager,cn=config
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaName:
2018-04-26T17:05:31Z DEBUG f4af5caa-497311e8-b8fbb6d8-f4ce109c
2018-04-26T17:05:31Z DEBUG nsds5ReplicaLegacyConsumer:
2018-04-26T17:05:31Z DEBUG off
2018-04-26T17:05:31Z DEBUG nsDS5ReplicaId:
2018-04-26T17:05:31Z DEBUG 27
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroupcheckinterval:
2018-04-26T17:05:31Z DEBUG 60
2018-04-26T17:05:31Z DEBUG nsds5replicabinddngroup:
2018-04-26T17:05:31Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=pci,dc=xxxxxx,dc=com
2018-04-26T17:05:31Z DEBUG []
2018-04-26T17:05:31Z DEBUG Updated 0
2018-04-26T17:05:31Z DEBUG Done
2018-04-26T17:05:31Z DEBUG Destroyed connection context.ldap2_131045456
2018-04-26T17:05:31Z DEBUG duration: 11 seconds
2018-04-26T17:05:31Z DEBUG [3/25]: creating installation admin user
2018-04-26T17:05:32Z DEBUG duration: 0 seconds
2018-04-26T17:05:32Z DEBUG [4/25]: configuring certificate server instance
2018-04-26T17:05:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-04-26T17:05:32Z DEBUG Contents of pkispawn configuration file (/tmp/tmp4j_eo0):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa-2Dca.pci.xxxxxx.com_...
pki_client_database_dir = /var/lib/ipa/tmp-6WUlS2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_uid = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=PCI.XXXXXX.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_ds_ldaps_port = 636
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_subsystem_subject_dn = cn=CA Subsystem,O=PCI.XXXXXX.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=PCI.XXXXXX.COM
pki_ssl_server_subject_dn = cn=ipa-nyc-pci01.pci.xxxxxx.com,O=PCI.XXXXXX.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=PCI.XXXXXX.COM
pki_ca_signing_subject_dn = CN=Certificate Authority,O=PCI.XXXXXX.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_pin = XXXXXXXX
pki_ds_create_new_db = False
pki_clone_setup_replication = False
pki_clone_reindex_data = True
pki_security_domain_hostname = pci-mgmt-ipa01.pci.xxxxxx.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin-ipa-nyc-pci01.pci.xxxxxx.com
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
2018-04-26T17:05:32Z DEBUG Starting external process
2018-04-26T17:05:32Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0
2018-04-26T17:05:51Z DEBUG Process finished, return code=1
2018-04-26T17:05:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180426170532.log
Loading deployment configuration from /tmp/tmp4j_eo0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
4 entries found
Certificate ID: d0117023b7661532960024635e00e4c2b3a0825d
Serial Number: 0x2
Nickname: ocspSigningCert cert-pki-ca
Subject DN: CN=OCSP Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true

Certificate ID: d58a46d01e65d178def787ec3cea985bed61e21d
Serial Number: 0x1
Nickname: caSigningCert cert-pki-ca
Subject DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: CTu,Cu,Cu
Has Key: true

Certificate ID: f9a212fc6707e63a027126aa1bfa43cae3d4c705
Serial Number: 0x4
Nickname: subsystemCert cert-pki-ca
Subject DN: CN=CA Subsystem,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true

Certificate ID: ca121feb0cbf83c7c18b34e4d7e127157e64580b
Serial Number: 0x5
Nickname: auditSigningCert cert-pki-ca
Subject DN: CN=CA Audit,O=PCI.XXXXXX.COM
Issuer DN: CN=Certificate Authority,O=PCI.XXXXXX.COM
Trust Flags: u,u,u
Has Key: true
Import complete
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca     u,u,u
subsystemCert cert-pki-ca       u,u,u
caSigningCert cert-pki-ca       CTu,Cu,Cu
auditSigningCert cert-pki-ca    u,u,Pu
Installation failed: com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-04-26T17:05:51Z DEBUG stderr=
2018-04-26T17:05:51Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp4j_eo0' returned non-zero exit status 1
2018-04-26T17:05:51Z CRITICAL See the installation logs and the following files/directories for more information:
2018-04-26T17:05:51Z CRITICAL /var/log/pki/pki-tomcat
2018-04-26T17:05:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG [error] RuntimeError: CA configuration failed.
2018-04-26T17:05:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 907, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 300, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 268, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 202, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2018-04-26T17:05:51Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.