HBAC: Negate?
by Christian Reiss
Hey folks,
We are running a lot of servers; we have nearly exhausted and allocated our
/29 IPv6 allocation*.
Let's say we have 10 really, really important servers that only a
handful of people should be able to access. Everyone else not.
So I have a fixed group of known "critical servers" and a dynamic, ever
changing group of "the rest". As I have not yet found a "negate" option
what is the smartest way to allow a fixed group to a fixed set of
servers, while everyone else has access to everything else but this?
Thanks and have a great weekend folks!
-Chris.
* Alternate facts disclaimer: The given number has been optimized to
impress, bedazzle and to intimidate. The real number of hosts might be
substantially smaller.
--
Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon
support(a)alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 9 months
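Added example, not from the original post and not FreeIPA's own code: a small model of how allow-only HBAC evaluates, showing the usual answer to the missing "negate". FreeIPA has no deny rule; a login is allowed when at least one enabled rule matches the user and the host. So "everyone except the critical hosts" is written as two allow rules, one for the privileged group on the critical hosts and one whose host set is the complement of the critical hosts, recomputed from the inventory. The inventory, users and host names below are constructed.

```python
"""Allow-only HBAC modelled in Python: "everyone except these hosts" without a deny rule.

Added example; not from the post or from FreeIPA. Rule evaluation mirrors FreeIPA HBAC
(any enabled matching rule allows, nothing can deny). Data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: frozenset
    hosts: frozenset
    enabled: bool = True


def hbac_allows(rules, user, host):
    """FreeIPA-style evaluation: allow-only, any matching enabled rule grants access."""
    return any(r.enabled and user in r.users and host in r.hosts for r in rules)


def build_rules(inventory, critical_hosts, privileged_users, all_users):
    """Two allow rules that together behave like 'privileged -> critical, everyone -> the rest'.

    The complement is computed here; in FreeIPA it would be a hostgroup that has to be kept
    in step with the inventory (e.g. with automember), since no rule can say "not critical".
    """
    critical = frozenset(critical_hosts)
    rest = frozenset(inventory) - critical
    return [
        HbacRule("critical-access", frozenset(privileged_users), critical),
        HbacRule("general-access", frozenset(all_users), rest),
    ]


def policy_violations(rules, inventory, critical_hosts, privileged_users, all_users):
    """Check the two invariants the question asks for; returns (user, host, problem) tuples."""
    critical = set(critical_hosts)
    violations = []
    for user in sorted(all_users):
        for host in sorted(inventory):
            allowed = hbac_allows(rules, user, host)
            if host in critical and allowed and user not in privileged_users:
                violations.append((user, host, "unprivileged user reaches critical host"))
            if host not in critical and not allowed:
                violations.append((user, host, "user locked out of a non-critical host"))
    return violations


# Constructed inventory (not from the post).
INVENTORY = {"vault1", "vault2", "web1", "web2", "build1"}
CRITICAL = {"vault1", "vault2"}
PRIVILEGED = {"alice"}
EVERYONE = {"alice", "bob", "carol"}
RULES = build_rules(INVENTORY, CRITICAL, PRIVILEGED, EVERYONE)


def demo():
    # A host added to the inventory after the complement was built is in neither rule:
    # the result is a fail-closed lockout, not an exposure, until the complement is rebuilt.
    stale = policy_violations(RULES, INVENTORY | {"web3"}, CRITICAL, PRIVILEGED, EVERYONE)
    # With FreeIPA's default allow_all rule left enabled, the critical hosts are exposed.
    with_allow_all = RULES + [HbacRule("allow_all", frozenset(EVERYONE), frozenset(INVENTORY))]
    exposed = policy_violations(with_allow_all, INVENTORY, CRITICAL, PRIVILEGED, EVERYONE)
    return {
        "alice_vault1": hbac_allows(RULES, "alice", "vault1"),
        "bob_vault1": hbac_allows(RULES, "bob", "vault1"),
        "bob_web1": hbac_allows(RULES, "bob", "web1"),
        "clean": policy_violations(RULES, INVENTORY, CRITICAL, PRIVILEGED, EVERYONE),
        "stale_host_lockouts": len(stale),
        "allow_all_exposures": len(exposed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things the model makes visible are the ones to check in a real deployment: the default allow_all rule has to be disabled or the critical rule is meaningless, and the "rest" hostgroup is only as good as the process that keeps it complete. FreeIPA's `ipa hbactest` performs this kind of user/host/service simulation against the live rules.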
OPEN TOOLS
by NAZAN CENGIZ
Hi all,
Novajoin is for compute machines integrated with a FreeIPA server. But I want configuration of instances on compute.
How do we use it for OpenStack instances on compute machines?
Could you please help me?
Best Regards,
Nazan.
4 years, 9 months
issues with renewing an externally-signed certificate
by Saurabh Garg
Hi All,
We are trying to install externally signed certificate for WebUI / HTTPS service on our RHEL IdM servers (primary and replica both).
As the first step, we are trying to install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install"
Step:1 ipa-cacert-manage install idm-app-pilot-file.pem
We have put the certificate issued by the intermediate CA for the CSR generated at "/var/lib/ipa/ca.csr" from "ipa-cacert-manage renew --external-ca". The command accepts the certificate as expected.
Step2: ipa-certupdate
We ran this command on both primary & replica and also the clients registered to the
Step3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
In this step, we are running the "ipa-cacert-manage renew" command with renewed CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has intermediate and root cert of the signing CA.
Step3 command fails:
[root@ldmserver01 certs]# ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
Importing the renewed CA certificate, please wait
CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
The ipa-cacert-manage command failed.
We have validated our certs using openssl verify -trusted as pasted below:
[root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem idm-app-pilot-file.pem
idm-app-pilot-file.pem: OK
Could someone please help us figure out which step we are doing wrong?
What should be the content expected by the IdM server for ca_chain_cert.pem in terms of the order of the root and intermediate sections? We have even tried appending the CA cert chain to idm-app-pilot-file.pem, but no luck.
Thanks in advance.
Regards,
Saurabh Garg
4 years, 9 months
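Added example, not from the post and not FreeIPA's code: a check of a PEM bundle along the lines of the validation behind the "not a CA certificate" message, which FreeIPA raises when a certificate in the file has no basicConstraints extension asserting CA=TRUE. `openssl verify` does not flag that on the certificate being verified, because an end-entity certificate is not expected to be a CA, so the two tools can disagree about the same file. It uses python-cryptography (the library FreeIPA itself uses for X.509) and builds a constructed root, intermediate and end-entity chain in memory so it runs offline; the names are constructed. Whether this is what happened in this thread the post does not show.

```python
"""Inspect a PEM bundle the way a CA chain file is validated: every certificate must carry
basicConstraints with CA=TRUE. Added example; not from the post or from FreeIPA.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _issue(common_name, is_ca, issuer=None):
    """Return (cert, key). issuer is the (cert, key) of the signer, or None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name = issuer[0].subject if issuer else subject
    signer = issuer[1] if issuer else key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )
    return cert, key


def split_pem_certificates(pem_text):
    """Return the individual CERTIFICATE blocks of a concatenated PEM file, in file order."""
    blocks, current, inside = [], [], False
    for line in pem_text.splitlines():
        if line.strip() == "-----BEGIN CERTIFICATE-----":
            inside, current = True, [line]
        elif line.strip() == "-----END CERTIFICATE-----" and inside:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            inside = False
        elif inside:
            current.append(line)
    return blocks


def describe_bundle(pem_text):
    """One record per certificate: subject, issuer and whether basicConstraints says CA."""
    records = []
    for block in split_pem_certificates(pem_text):
        cert = x509.load_pem_x509_certificate(block.encode())
        try:
            is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        except x509.ExtensionNotFound:
            is_ca = False  # a missing extension is rejected as well
        records.append({
            "subject": cert.subject.rfc4514_string(),
            "issuer": cert.issuer.rfc4514_string(),
            "is_ca": is_ca,
        })
    return records


def ca_chain_problems(pem_text):
    """Problems for a file used as a CA chain, plus an order hint.

    The order hint (each certificate followed by its issuer) is a readability convention,
    not something FreeIPA requires; it assembles the trust chain itself.
    """
    records = describe_bundle(pem_text)
    problems = []
    for i, rec in enumerate(records):
        if not rec["is_ca"]:
            problems.append(f'{rec["subject"]}: not a CA certificate')
        if i + 1 < len(records) and rec["issuer"] != records[i + 1]["subject"]:
            problems.append(f'{rec["subject"]}: not followed by its issuer in the file')
    return problems


def _pem(*certs):
    return "".join(c.public_bytes(serialization.Encoding.PEM).decode() for c in certs)


# Constructed chain: root CA -> intermediate CA -> HTTPS end-entity certificate.
ROOT = _issue("Example Root CA", True)
INTERMEDIATE = _issue("Example Intermediate CA", True, issuer=ROOT)
LEAF = _issue("idm.example.test", False, issuer=INTERMEDIATE)

# A chain file holding only the two CAs, each followed by its issuer.
CHAIN_OK = _pem(INTERMEDIATE[0], ROOT[0])
# The same file with the server's end-entity certificate prepended: `openssl verify` is
# satisfied with it, but as a CA chain it contains a non-CA certificate.
CHAIN_WITH_LEAF = _pem(LEAF[0], INTERMEDIATE[0], ROOT[0])

if __name__ == "__main__":
    print(ca_chain_problems(CHAIN_OK))
    print(ca_chain_problems(CHAIN_WITH_LEAF))
```

Running `describe_bundle` over the real files before calling `ipa-cacert-manage renew` tells you which certificate the error names and why, which `openssl verify` alone does not.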
[Announce] FreeIPA 4.6.6 released
by Alexander Bokovoy
Hello!
The FreeIPA team would like to announce FreeIPA 4.6.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
== Highlights in 4.6.6 ==
=== Enhancements ===
* 6077: [RFE] Support One-Way Trust authenticated by trust secret
With this enhancement, Identity Management (IdM) supports establishing a
one-way forest trust to Active Directory (AD) authenticated by a shared
secret from the Windows AD domain controller (DC). Previous IdM versions
did not contain the features that allowed AD DCs to contact an IdM DC in
the mentioned scenario. As a result, IdM now supports establishing a
one-way forest trust using a shared secret from both Active Directory and
from IdM.
--------
* 7206: [RFE] Provide an option to include FQDN in IDM topology graph
IdM WebUI is now able to display the fully qualified domain name (FQDN) of
the nodes in its Topology Graph.
As a result, the topology graph is able to distinguish nodes with the
same short hostname but within different domains.
--------
* 7658: [RFE] sysadm_r should be included in default SELinux user map order
The default SELinux user map order now includes sysadm_r. This
parameter defines the list of SELinux users available for mapping.
As a result, IdM now allows mapping users to the SELinux role sysadm_r.
--------
* 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
In verbose mode, the command ipa-replica-manage list <server> displays
additional details such as the status and timestamp of the last initialization
or the last update.
When no initialization occurred on the server, the command no longer displays
the labels 'last init status: None' and
'last init ended: 1970-01-01 00:00:00+00:00', which were confusing.
--------
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.6 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 50 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 4812 Switch nsslapd-unhashed-pw-switch to nolog
* 6077 [RFE] Support One-Way Trust authenticated by trust secret
* 6250 Replica uninstallation does not remove the topology segment on master
* 6627 WebUI: Enable pagination
* 6951 Update samba config file and use sss idmap module
* 7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
* 7206 [RFE] Provide an option to include FQDN in IDM topology graph
* 7239 Using --auto-reverse and --allow-zone-overlap does not skip zone overlap check
* 7304 double ca acl provoke console error.
* 7366 RFE: ipa client should setup openldap for GSSAPI
* 7598 ipa-client-install: autodiscovery must refuse single label domains
* 7647 Error message should be more useful while ipa-backup fails for insufficient space
* 7649 error shown when options are added to an existing sudo rule
* 7651 ipa-replica-install --setup-kra broken on DL1
* 7658 [RFE] sysadm_r should be included in default SELinux user map order
* 7667 When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
* 7705 Support Samba 4.9
* 7708 Create a warning that SSSD needs restart after idrange-mod
* 7716 [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
* 7744 ipa-replica-install picks wrong replica for CA initial replication
* 7783 use non-symlink (aliases) NFS unit names
* 7805 [NFS] test kerberized NFS
* 7835 Cert revocation for services and hosts is inefficient
* 7843 [WebUI] Use generated certificates and CSR for testing
* 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations
* 7857 Create tests for ipa-winsync-migrate
* 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations
* 7876 Fail replica install
* 7884 Coverity: New defect found in ipa-4.6.5
* 7885 RFE: wrapper for Dogtag cert-fix command
* 7886 ipa-replica-manage force-sync --from keeps prompting "No status yet"
* 7889 test_integration/test_trust.py need improvement
* 7892 Implement hidden / unadvertised IPA replicas
* 7895 ipa trust fetch-domains, server parameter ignored
* 7896 ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text
* 7897 ipa-kra-install failing with invalid 'role_servrole': must be Unicode text error
* 7901 IPA Web UI is slow to display user details page.
* 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains
* 7918 ipa-client-automount needs option to specify domain
* 7922 Command ipa console is broken
* 7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
* 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
* 7928 cn=cacert could show expired certificate
* 7929 ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
* 7931 test_integration/test_server_del.py fails due to inability to use command line option --ignore-topology-disconnect
* 7932 FreeIPA queries rely on missing attribute altsecurityidentities
* 7933 FreeIPA must index certmap attributes.
* 7934 ipa-server-common expected file permissions in package don't match runtime permissions
* 7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
* 7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
* 7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
* 7970 test failure in test_backup_and_restore.py::TestBackupAndRestore
* 7976 Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master
* 7982 Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
* 7983 Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount"
* 7988 test_nfs.py: errors when running ipa-client-automount
* 7992 ipa upgrade fails with trust entry already exists
* 7995 Removing TLSv1.0, TLSv1.1 from nss.conf
* 8000 [ipa-4-6] Restrict cipher lists used by openssl connections
== Detailed changelog since 4.6.5 ==
=== Armando Neto (2) ===
* tox: force pytest version to the 4.6.4
* Bump template version
=== Alexander Bokovoy (22) ===
* translations: update from Zanata for IPA 4.6
* certmaprule: add negative test for altSecurityIdentities
* certmap rules: altSecurityIdentities should only be used for trusted domains
* Create indexes for altSecurityIdentities and ipaCertmapData attributes
* Add altSecurityIdentities attribute from MS-WSPP schema definition
* trust-fetch-domains: make sure we use right KDC when --server is specified
* adtrust upgrade: fix wrong primary principal name, part 2
* adtrust upgrade: fix wrong primary principal name
* upgrade: adtrust - catch empty result when retrieving list of trusts
* Enforce SMBLoris attack protection in default Samba configuration
* Set idmap config for Samba to follow IPA ranges and use SSSD
* Bypass D-BUS interface definition deficiencies for trust-fetch-domains
* net groupmap: force using empty config when mapping Guests
* adtrust: define Guests mapping after creating cifs/ principal
* oddjob: allow to pass options to trust-fetch-domains
* upgrade: add trust upgrade to actual upgrade code
* upgrade: upgrade existing trust agreements to new layout
* trusts: add support for one-way shared secret trust
* trust: allow trust agents to read POSIX identities of trust
* Add design page for one-way trust to AD with shared secret
* Support Samba 4.9
* domainlevel-get: fix various issues when running as non-admin
=== amitkuma (1) ===
* RFE: ipa client should setup openldap for GSSAPI
=== Anuja More (1) ===
* ipatests: POSIX attributes are no longer overwritten or missing
=== Christian Heimes (24) ===
* Use only TLS 1.2 by default
* Refactor tasks to include is_selinux_enabled()
* Forbid imports of ipaserver and install packages
* Don't import ipaserver in conf.py
* Replace imports from ipaserver
* Delay import of SSSDConfig
* Consider configured servers as valid
* Adapt cert-find performance workaround for users
* Don't fail if config-show does not return servers
* Add design draft
* Test replica installation from hidden replica
* Synchronize hidden state from IPA master role
* Don't allow to hide last server for a role
* More test fixes
* Improve config-show to show hidden servers
* Consider hidden servers as role provider
* Implement server-state --state=enabled/hidden
* Simplify and improve tests
* Add hidden replica feature
* Replace hard-coded paths with path constants
* Consolidate container_masters queries
* Use api.env.container_masters
* Unify and simplify LDAP service discovery
* replica install: acknowledge ca_host override
=== François Cami (11) ===
* ipatests: add proper timeouts to nfs.py
* ipa-client-automount: fix '--idmap-domain DNS' logic
* ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
* ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
* nfs.py: fix user creation
* Hidden replica documentation: fix typo
* ipa-backup: better error message if ENOSPC
* ipatests: add nfs tests
* ipatests: add a test for ipa-client-automount
* ipatests: Exercise hidden replica feature
* Add sysadm_r to default SELinux user map order
=== Florence Blanc-Renaud (25) ===
* Update the ciphers list
* DL0 replica install: fix nsDS5ReplicaBindDN config
* mod_nss: stop using NSSProtocols TLS 1.0 and 1.1
* ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py
* XMLRPC tests: add new test for ipa dnsrecord-mod $ZONE $RECORD --ttl
* dnsrecord-mod: allow to modify ttl without passing the record
* ipatests: add a test for stageuser-find with non-posix account
* stageuser-find: fix search with non-posix user
* ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
* ipatests: add integration test for ipa-replica-manage list
* ipa-replica-manage: remove "last init status" if it's None.
* NSSDatabase: fix get_trust_chain
* ipatests: CA renewal must refresh cn=CAcert
* CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
* ipatests: add integration test checking the files mode
* Fix expected file permissions for ghost files
* ipactl restart: fix wrong logic when checking service list
* tests: correctly place xfail for test_integration/test_installation.py
* ipa-client-install: autodiscovery must refuse single-label domains
* tests: fix test_user_permissions.py::TestInstallClientNoAdmin
* PRCI: add nightly definition for ipa-4-6 branch
* ipa-setup-kra: fix python2 parameter
* ipa-server-upgrade: fix add_systemd_user_hbac
* ipa-replica-manage: fix force-sync
* Coverity: fix issue in ipa_extdom_extop.c
=== Fraser Tweedale (11) ===
* dn: sort AVAs when converting from x509.Name
* ipa-cert-fix: fix spurious renewal master change
* ipa-cert-fix: handle 'pki-server cert-fix' failure
* dn: handle multi-valued RDNs in Name conversion
* ipa-cert-fix: use customary exit statuses
* ipa-cert-fix: add man page
* Add ipa-cert-fix tool
* constants: add ca_renewal container
* cainstance: add function to determine ca_renewal nickname
* Extract ca_renewal cert update subroutine
* Add uniqueness constraint on CA ACL name
=== Justin Stephenson (1) ===
* Skip zone overlap check with auto-reverse
=== Mohammad Rizwan Yusuf (1) ===
* Test if ipactl restart restarts the pki-tomcatd
=== Petr Vobornik (1) ===
* Fix order of commands in test for removing topology segments
=== Rob Crittenden (6) ===
* When reading SSH pub key don't assume last character is newline
* Convert members into types in sudorule-*-option
* Remove tests which install KRA on replica w/o KRA on master
* Fix uninstallation test, use different method to stop dirsrv
* Extend CALessBase::installer_server to accept extra_args
* VERSION.m4: Set back to git snapshot
=== Sergey Orlov (17) ===
* ipatests: new test for trust with partially unreachable AD topology
* ipatests: new tests for establishing one-way AD trust with shared secret
* ipatests: fix replica uninstallation in test_integration/test_server_del.py
* ipatests: make encoding to base64 compatible with python2
* ipatests: new tests for ipa-winsync-migrate utility
* ipa console: catch proper exception when history file can not be open
* ipatests: coerce tmpdir to string
* ipatests: fix host name for ssh connection from controller to master
* ipatests: fix ldap server url
* ipatests: refactor test_trust.py
* ipatests: adapt test_trust.py for changes in multihost fixture
* ipatests: allow AD hosts to be placed in separate domain config objects
* ipatests: fix expectations of `ipa trust-find` output for trust with root domain
* ipatests: in test_trust.py fix parent class
* ipatests: disable bind dns validation when preparing to establish AD trust
* ipatests: in test_trust.py fix parameters in invocation of tasks.configure_dns_for_trust
* Revert "Tests: Remove DNS configuration from trust tests"
=== Serhii Tsymbaliuk (5) ===
* WebUI: Fix automount maps pagination
* WebUI: Fix 'user not found' traceback on user ID override details page
* Fix test_arbitrary_certificates for Web UI
* Web UI tests: Get rid of *_cert_path and *_csr_path config variables
* Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
=== Thierry Bordaz (1) ===
* Switch nsslapd-unhashed-pw-switch to nolog
=== Oleg Kozlov (1) ===
* Show a notification that sssd needs restarting after idrange-mod
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 years, 9 months
IPA Client failed login after screen lock
by Boyd Ako
So, I created a Red Hat ticket to assist and the support is pretty non-productive.
I have a RHEL 7 "Workstation" setup as an IPA client that most of the time works. However, there are occasions when the screen locks out due to inactivity that I can't log back in. Most of the time it occurs when I use smartcard x.509 to login; but it also occasionally happens when I use a password to log in initially. It's not very consistent on the failures. The only way to login AFTER that is to annoyingly reboot or console in as root and start a kerberos session.
The IPA server is using an external CA. On the client, the CA certs on the smartcard are in /etc/pki/nssdb. The chain is Root CA -> ID Intermediate CA -> x.509 cert on token. All the CAs are external. The token cert did validate when using the Root CA and ID CA certs tacked together for the CAfile in `openssl verify`. I added the following to the sssd.conf:
===============================
[domain/mydomain.com]
debug_level = 8
account_cache_expiration = 5
entry_cache_timeout = 28800
[pam]
debug_level = 8
offline_credentials_expiration = 5
===============================
"pam_cert_auth = True" is in the PAM sect. I did run the script from the `ipa-advise` client-smart_card_script.
4 years, 9 months
DNS A Record Disappears after IPA Server reboot
by Mariusz Stolarczyk
Hi all,
Whenever I have to reboot my IPA server I lose one of my IPA client's DNS A Records. Curiously all of the IPA client related SSHFP records are intact as well as the reverse lookup record.
The only thing that was slightly different about this client is at some point the IP address was changed. I did however change the IP address on a different client with no problems.
Thanks,
-Mark
4 years, 9 months
adding external 2FA
by Andrew Meyer
I am trying to research how to add other 2FA providers to FreeIPA. Has anyone added Duo or something else to FreeIPA/IPA in the most recent versions?
4 years, 9 months
Re: OPEN TOOLS
by Rob Crittenden
NAZAN CENGIZ wrote:
> Hi Rob,
> You talked ;
> nova-join creates an instance under an OpenStack compute node.
> We company is support Redhat and start Tempest.
> Tempest says Tripleo Compute and Controller testing.
> https://vakwetu.fedorapeople.org/novajoin-OpenStackBoston2017.pdf
> I don't see a connected OpenStack compute instance.
novajoin in OOO is installed in the undercloud and provisions
certificates for use in the overcloud.
This is different than what you're looking for but can still be
achieved. The picture will look the same.
I did the initial development on a plain OpenStack installation and
tested just creating instances and ensuring they got enrolled properly
(including some deployments using devstack).
This was subsequently moved into the Director installer for providing
TLS everywhere in the overcloud.
novajoin is pretty simple, just a couple of services. One is a metadata
service that nova obtains the OTP from. The second is an AMQP listener
that reacts to instance create and delete requests from nova.
rob
4 years, 9 months
ipa-replica-install fails to start pki-tomcatd
by Till Hofmann
Hi all,
I'm trying to set up a replica on CentOS 7, the master is on CentOS 6. Eventually, I want to retire the CentOS 6 host. I'm following this migration guide: https://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_d...
However, running `ipa-replica-install --setup-ca ./replica-info-replica.fqdn.gpg` always gets stuck and eventually fails when setting up pki-tomcatd:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[2/28]: exporting Dogtag certificate store pin
[3/28]: stopping certificate server instance to update CS.cfg
[4/28]: backing up CS.cfg
[5/28]: disabling nonces
[6/28]: set up CRL publishing
[7/28]: enable PKIX certificate path discovery and validation
[8/28]: starting certificate server instance
[9/28]: configure certmonger for renewals
[10/28]: importing RA certificate from PKCS #12 file
[11/28]: setting audit signing renewal to 2 years
[12/28]: restarting certificate server
[13/28]: authorizing RA to modify profiles
[14/28]: authorizing RA to manage lightweight CAs
[15/28]: Ensure lightweight CAs container exists
[16/28]: Ensuring backward compatibility
[17/28]: configure certificate renewals
[18/28]: configure Server-Cert certificate renewal
[19/28]: Configure HTTP to proxy connections
[20/28]: restarting certificate server
[21/28]: updating IPA configuration
[22/28]: enabling CA instance
[23/28]: exposing CA instance on LDAP
[24/28]: migrating certificate profiles to LDAP
[25/28]: importing IPA certificate profiles
[26/28]: adding default CA ACL
[27/28]: adding 'ipa' CA entry
[28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR CA did not start in 300.0s
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Looking at `ipareplica-install.log`:
2019-07-24T11:14:21Z DEBUG stderr=
2019-07-24T11:14:21Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2019-07-24T11:14:21Z DEBUG waiting for port: 8080
2019-07-24T11:14:21Z DEBUG Failed to connect to port 8080 tcp on ::1
2019-07-24T11:14:21Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2019-07-24T11:14:25Z DEBUG SUCCESS: port: 8080
2019-07-24T11:14:25Z DEBUG waiting for port: 8443
2019-07-24T11:14:25Z DEBUG SUCCESS: port: 8443
2019-07-24T11:14:25Z DEBUG Start of pki-tomcatd(a)pki-tomcat.service complete
2019-07-24T11:14:25Z DEBUG Waiting until the CA is running
2019-07-24T11:14:25Z DEBUG request POST http://replica.fqdn:8080/ca/admin/ca/getStatus
2019-07-24T11:14:25Z DEBUG request body ''
2019-07-24T11:14:44Z DEBUG response status 500
2019-07-24T11:14:44Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Wed, 24 Jul 2019 11:14:44 GMT
Connection: close
2019-07-24T11:14:44Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this requ
est.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThrea
d$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-07-24T11:14:44Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2019-07-24T11:14:44Z DEBUG Waiting for CA to start...
2019-07-24T11:14:45Z DEBUG request POST http://replica.fqdn:8080/ca/admin/ca/getStatus
2019-07-24T11:14:45Z DEBUG request body ''
2019-07-24T11:14:45Z DEBUG response status 500
2019-07-24T11:14:45Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Wed, 24 Jul 2019 11:14:45 GMT
Connection: close
Looking into the log of pki-tomcatd, I see the following:
Internal Database Error encountered: Could not connect to LDAP server host replica.fqdn port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
[...]
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@6ae79124 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
at java.lang.Thread.run(Thread.java:748)
I checked that the pki-tomcatd uses the right certificates, following this guide:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
Everything looked fine, i.e., tomcat uses the correct certificate and can also read the private key.
Interestingly, during the setup of the replica, the setup is stuck for quite some time (~30 minutes) in the step " [1/28]: configuring certificate server instance". In the ns-slapd log, I can see a lot of the following:
INFO - import_monitor_threads - import ipaca: Processed 40105 entries -- average rate 123.8/sec, recent rate 114.0/sec, hit ratio 100%
I'm surprised by the number of entries. I had set up the same host as a replica in a previous try, but needed to remove it due to another error. May those be left-overs from the previous replica instance? I didn't see this happening on the first attempt. Before redoing the setup, I removed the host from the replica set with `ipa-replica-manage del --force`, from the csreplica with `ipa-csreplica-manage del --force`, and also deleted the host entry itself with `ipa host-del`. I also uninstalled the freeipa server on the replica host.
I'm also wondering about the `Authentication failed (48)`, as 48 indicates LDAP_INAPPROPRIATE_AUTH.
I'm not sure how to debug this. Any help is appreciated!
Kind regards,
Till
4 years, 9 months
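Added example, not from the post and not FreeIPA's code: a triage script for the symptoms quoted above, run over shortened copies of the log lines from the thread (the sample lines are constructed from them, and the LDAP result-code table covers only a handful of codes). It counts the getStatus probes that came back non-2xx, pulls the message out of the Tomcat error page, and decodes the LDAP result code from the Dogtag log, so the causal order (LDAP bind failure, subsystem unavailable, HTTP 500, installer timeout) is stated once instead of being read off several hundred lines.

```python
"""Correlate ipareplica-install.log CA probes with the pki-tomcatd LDAP error.

Added example; not from the post or from FreeIPA. Sample lines are shortened copies of the
ones quoted in the thread; the result-code table is a small subset of RFC 4511.
"""
import re

LDAP_RESULT_CODES = {
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

PROBE_RE = re.compile(r"DEBUG request POST \S+/ca/admin/ca/getStatus$")
STATUS_RE = re.compile(r"DEBUG response status (\d{3})$")
BODY_RE = re.compile(r"DEBUG response body '(.*)'$")
H1_RE = re.compile(r"<h1>(.*?)</h1>", re.I | re.S)
LDAP_ERR_RE = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+) .*\((\d+)\)\s*$")


def tomcat_error_message(install_log_lines):
    """First <h1> text of a logged Tomcat error page, tags stripped, or None."""
    for line in install_log_lines:
        body = BODY_RE.search(line)
        if body:
            h1 = H1_RE.search(body.group(1))
            if h1:
                return re.sub(r"<[^>]+>", "", h1.group(1)).strip()
    return None


def ldap_bind_failures(pki_log_lines):
    """Decode 'Could not connect to LDAP server ... (code)' lines from the Dogtag log."""
    failures = []
    for line in pki_log_lines:
        m = LDAP_ERR_RE.search(line)
        if m:
            code = int(m.group(3))
            failures.append({"host": m.group(1), "port": int(m.group(2)), "code": code,
                             "name": LDAP_RESULT_CODES.get(code, "unknown")})
    return failures


def triage(install_log_lines, pki_log_lines):
    statuses = [int(m.group(1)) for m in map(STATUS_RE.search, install_log_lines) if m]
    failures = ldap_bind_failures(pki_log_lines)
    summary = {
        "getstatus_probes": sum(1 for line in install_log_lines if PROBE_RE.search(line)),
        "non_2xx_statuses": [s for s in statuses if not 200 <= s < 300],
        "tomcat_message": tomcat_error_message(install_log_lines),
        "ldap_failures": failures,
    }
    if failures and summary["non_2xx_statuses"]:
        codes = ", ".join(f"{f['code']} {f['name']}" for f in failures)
        summary["chain"] = (f"CA cannot bind to its LDAP backend ({codes}) -> Dogtag reports the "
                            "CA subsystem unavailable -> getStatus returns 500 -> installer "
                            "times out waiting for the CA")
    else:
        summary["chain"] = "no LDAP bind failure correlated with the CA probe failures"
    return summary


# Constructed sample input, shortened from the lines quoted in the thread.
INSTALL_LOG = """\
2019-07-24T11:14:25Z DEBUG request POST http://replica.fqdn:8080/ca/admin/ca/getStatus
2019-07-24T11:14:44Z DEBUG response status 500
2019-07-24T11:14:44Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title></head><body><h1>HTTP Status 500 - Subsystem unavailable</h1></body></html>'
2019-07-24T11:14:45Z DEBUG request POST http://replica.fqdn:8080/ca/admin/ca/getStatus
2019-07-24T11:14:45Z DEBUG response status 500
"""
PKI_LOG = """\
Internal Database Error encountered: Could not connect to LDAP server host replica.fqdn port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
"""

if __name__ == "__main__":
    for key, value in triage(INSTALL_LOG.splitlines(), PKI_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The point of the correlation is where to look next: the installer's "CA did not start in 300.0s" is the last symptom in the chain, and the first is the CA's bind to its own LDAP backend, so the CA's LDAP connection settings and the credential it binds with are the thing to inspect before anything about Tomcat.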
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
by Harald Dunkel
Hi folks,
Setup: ipa-server 4.6.4-7 on CentOS 7
Problem:
ipa host-del gives me
[root@ipa1 ~]# ipa host-del ppcl027.example.com
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
Google pointed me to https://access.redhat.com/solutions/3624671,
but AFAICS this fix is not applicable. "^/ca/rest/certs/search" is
already in
:
# matches for CA REST API
<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient optional
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
:
?
Every helpful comment is highly appreciated
Harri
4 years, 9 months
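Added example, not from the post and not FreeIPA's code: a check of which request URIs the LocationMatch block quoted above actually proxies. Apache applies a LocationMatch regex as an unanchored search, so every alternative in this block carries its own `^` and matches as a prefix; the function below reports which alternative a given path hits. Only the first path comes from the thread; the others are constructed for illustration and say nothing about which endpoint `ipa host-del` calls.

```python
"""Which CA REST paths does the quoted LocationMatch proxy to pki-tomcatd?

Added example; not from the post or from FreeIPA. The regex is copied from the
LocationMatch in the thread; paths marked constructed are not from the thread.
"""
import re

CA_REST_LOCATIONMATCH = (
    "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|"
    "^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|"
    "^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|"
    "^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search"
)
ALTERNATIVES = CA_REST_LOCATIONMATCH.split("|")


def proxied(path):
    """What Apache decides: LocationMatch is an unanchored search with the whole regex."""
    return re.search(CA_REST_LOCATIONMATCH, path) is not None


def matching_alternative(path):
    """The '^/ca/rest/...' branch that proxies this URI, or None. Each branch is a prefix match."""
    for alt in ALTERNATIVES:
        if re.search(alt, path):
            return alt
    return None


def report(paths):
    """Map each path to the alternative that proxies it (None means Apache serves it itself)."""
    return {path: matching_alternative(path) for path in paths}


PATHS = [
    "/ca/rest/certs/search",               # from the thread
    "/ca/rest/certs/search/extra",         # constructed: prefix branches also match longer URIs
    "/ca/rest/certs/12345",                # constructed: no branch covers it, so not proxied
    "/ca/rest/profiles/caIPAserviceCert",  # constructed: covered by the ^/ca/rest/profiles prefix
    "/ca/agent/ca/displayBySerial",        # constructed: not a REST path, not covered here
]

if __name__ == "__main__":
    for path, alt in report(PATHS).items():
        print(f"{path:40} -> {alt}")
```

A 404 from "CMS" for a proxied path and a 404 for an unproxied path look alike to the `ipa` client, so when a fix like the one in the linked solution does not apply, the next step is to confirm from the httpd access log which URI the failing command requested and whether it lands on one of these branches.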