[Pki-users] FW: pki=kra configuration hangs on Administration

Chris Grijalva Chris.Grijalva at soteradefense.com
Thu Mar 28 20:16:48 UTC 2013


Ade,
Thanks for the help.
It turned out to be a cert issue.
Resolution was to remove all PKI certs in Firefox and then remove and reinstall pki-ocsp, pki-kra and pki-ca.
All 3 modules configured cleanly.


-----Original Message-----
From: Ade Lee [mailto:alee at redhat.com] 
Sent: Thursday, March 28, 2013 9:59 AM
To: Chris Grijalva
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] pki=kra configuration hangs on Administration

Can you try using Firefox to do the configuration of the KRA?
Up to now, we have supported only Firefox for the installation servlets.

If that still does not work, we'd need to see some server logs - say everything under /var/log/pki-kra, as well as logs for the CA.

The status says that it still needs to be configured because the configuration did not complete.  As you say, it looks like it's failing to generate an administrator cert.  That may be a problem in the client (Chrome), in the KRA/OCSP, or on the CA (which would be receiving the cert request and issuing the cert).  We'd need to look at logs to see where it's failing.

Ade

On Wed, 2013-03-27 at 17:39 -0500, Chris Grijalva wrote:
> Hi all, new to the list.
> 
>  
> 
> Installed the following packages on CentOS 6.4
> 
>  
> 
> [root at devops-cert tmp]# yum list | grep pki
> dogtag-pki-ca-theme.noarch       9.0.6-1.fc15       @/dogtag-pki-ca-theme-9.0.6-1.fc15.noarch
> dogtag-pki-common-theme.noarch   9.0.6-1.fc15       @/dogtag-pki-common-theme-9.0.6-1.fc15.noarch
> dogtag-pki-console-theme.noarch  9.0.6-1.fc15       @/dogtag-pki-console-theme-9.0.6-1.fc15.noarch
> dogtag-pki-kra-theme.noarch      9.0.6-1.fc15       @/dogtag-pki-kra-theme-9.0.6-1.fc15.noarch
> dogtag-pki-ocsp-theme.noarch     9.0.6-1.fc15       @/dogtag-pki-ocsp-theme-9.0.6-1.fc15.noarch
> pki-ca.noarch                    9.0.3-30.el6       @base
> pki-common.noarch                9.0.3-30.el6       @base
> pki-common-javadoc.noarch        9.0.3-30.el6       @base
> pki-console.noarch               9.0.3-1.fc15       @/pki-console-9.0.3-1.fc15.noarch
> pki-java-tools.noarch            9.0.3-30.el6       @base
> pki-java-tools-javadoc.noarch    9.0.3-30.el6       @base
> pki-kra.noarch                   9.0.4-1.fc15       @/pki-kra-9.0.4-1.fc15.noarch
> pki-native-tools.x86_64          9.0.3-30.el6       @base
> pki-ocsp.noarch                  9.0.3-1.fc15       @/pki-ocsp-9.0.3-1.fc15.noarch
> pki-selinux.noarch               9.0.3-30.el6       @base
> pki-setup.noarch                 9.0.3-30.el6       @base
> pki-silent.noarch                9.0.3-30.el6       @base
> pki-symkey.x86_64                9.0.3-30.el6       @base
> pki-util.noarch                  9.0.3-30.el6       @base
> pki-util-javadoc.noarch          9.0.3-30.el6       @base
> ipa-pki-ca-theme.noarch          9.0.3-7.el6        base
> ipa-pki-common-theme.noarch      9.0.3-7.el6        base
> krb5-pkinit-openssl.x86_64       1.10.3-10.el6_4.1  updates
>
> jss.x86_64                       4.2.6-24.el6       @base
> tomcatjss.noarch                 2.1.0-2.el6        @base
> osutil.x86_64                    2.0.1-1.el6        @base
> 
>  
> 
> Configured pki-ca cleanly and then proceeded to configure pki-kra, 
> which hangs on the Administrator panel.
> 
> Debug doesn't show errors, only logging status.
> 
>  
> 
> [27/Mar/2013:12:59:49][http-10445-3]: AdminPanel: display
> [27/Mar/2013:12:59:49][http-10445-3]: panel no=13
> [27/Mar/2013:12:59:49][http-10445-3]: panel name=adminpanel
> [27/Mar/2013:12:59:49][http-10445-3]: total number of panels=16
> 
>  
> 
> I’ve bounced pki-krad, used a new instance of Chrome as admin when 
> running the pki-kra admin console config.
> 
> Used the pki-ca Administrator cert listed below, as a template for 
> pki-kra and still no joy.
> 
>  
> 
> The Dogtag Certificate Manager shows 5 pki-kra DRM certificates, but 
> no admin cert.  pki-krad status shows it's running, but must still be 
> CONFIGURED!
> 
>  
> 
> JXplorer shows,
> 
> 2;4;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=Pfi Domain
> 2;10;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=DRM Subsystem Certificate,OU=pki-kra,O=Pfi Domain
> 2;14;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=OCSP Subsystem Certificate,OU=pki-ocsp,O=Pfi Domain
>
> 2;6;CN=Certificate Authority,OU=pki-ca,O=Pfi Domain;CN=CA Administrator of Instance pki-ca,UID=admin,E=Chris.Grijalva at soteradefense.com,O=Pfi Domain
> 
>  
> 
> Any idea what I’m doing wrong and why this configuration doesn’t 
> generate a pki-kra or pki-ocspd CA Administrator cert to complete the 
> configuration?
> 
>  
> 
>  
> 
> Cheers,
> 
> Chris Grijalva
> 