[Pki-users] Unable to clone pki-kra (Clone is not ready)

Mike Mercier mmercier at gmail.com
Mon May 25 13:36:32 UTC 2009 

Hello,

I posted a message about this last week:

I will post more details here:

2 servers:

service-1:  running fedora-ds and will be prime pki system (running
all subsystems)
service-2:  running fedora-ds and will be clone for all (cloneable)
subsystems on service-1

[root at service-1 pki-kra]# rpm -qa|grep pki
pki-selinux-1.1.0-1.fc10.noarch
pki-kra-1.1.0-1.fc10.noarch
pki-common-1.1.0-1.fc10.noarch
pki-native-tools-1.1.0-1.fc10.x86_64
dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
pki-util-1.1.0-1.fc10.noarch
pki-ca-1.1.0-1.fc10.noarch
dogtag-pki-common-ui-1.1.0-1.fc10.noarch
pki-java-tools-1.1.0-1.fc10.noarch
dogtag-pki-kra-ui-1.1.0-1.fc10.noarch
pki-setup-1.1.0-1.fc10.noarch


I did the following steps:

1. yum install pki-ca on service-1 and create instance - success
2. yum install pki-ca on service-2 cloning instance from step 1 - success
3. yum install pki-kra on service-1 - installation seems to be
succeful using security domain from service-1
   Note: on the page for the login, I get Security Domain () login (Is
this correct or should it show the security domain name between the
()?)
4. yum install pki-kra on service-2
  a) select security domain from service-1
  b) join security domain on service-1:9444
  c) select to clone domain from step 3
  when clicking next on this screen service-1/var/log/pki-kra/debug shows
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:service()
uri = /kra/ee/kra/getTokenInfo
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:
kraGetTokenInfo start to service.
[25/May/2009:09:19:31][http-10444-Processor23]: CMSServlet:
curDate=Mon May 25 09:19:31 EDT 2009 id=kraGetTokenInfo time=3

service-1/var/log/pki-kra/localhost_access_log shows:
192.168.0.26 - - [25/May/2009:09:19:31 -0400] "POST
/kra/ee/kra/getTokenInfo HTTP/1.0" 200 565
  d) at "Import Keys and Certificates" page, I type in the name of the
file that was copied to the system and I get "Clone is not ready"
on service-2 I can run pk12util -l pki-kra-savepkcs -w <file> and it
will output the keys and shows the correct security domain
I don't see anything new in the logs at this step anymore (not sure
where the error came from in my last post)



On service-1:
[root at service-1 ~]# service pki-kra status
pki-kra (pid 8444) is running ...

    Unsecure Port     = http://service-1.internaldomain:10180/kra/ee/kra
    Secure Agent Port = https://service-1.internaldomain:10443/kra/agent/kra
    Secure EE Port    = https://service-1.internaldomain:10444/kra/ee/kra
    Secure Admin Port = https://service-1.internaldomain:10445/kra/services
    Secure Admin Port = pkiconsole https://service-1.internaldomain:10445/kra
    Tomcat Port       = 10701 (for shutdown)


Thanks,
Mike

More information about the Pki-users mailing list