[Pki-users] Cloning CA

Ade Lee alee at redhat.com
Tue Feb 18 16:00:02 UTC 2014


Great finding the root cause!

The problem here is that your directory server instance has syntax
checking enabled.  We will fix this issue in Dogtag 10.

For dogtag 9, you can work around this issue by disabling syntax
checking in the DB.  

1. Shut down your directory server. 
2. Edit the dse.ldif and set:
nsslapd-syntaxcheck: off
3. Restart your directory server.

Ade
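
The three steps above as a shell sketch. This is an added example, not part of the original message or of Dogtag/389 DS; the function names are hypothetical, and the `/etc/dirsrv/slapd-<instance>/dse.ldif` path, the `service dirsrv` init script and the instance name are assumptions about a RHEL 6 install.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; paths are assumptions.

# Print the current nsslapd-syntaxcheck value from the "dn: cn=config" entry.
get_syntaxcheck() {
    awk '
        /^$/ { in_cfg = 0 }
        tolower($0) ~ /^dn:[ \t]*cn=config[ \t]*$/ { in_cfg = 1; next }
        in_cfg && tolower($0) ~ /^nsslapd-syntaxcheck:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Step 2: set nsslapd-syntaxcheck to "off" in the cn=config entry only.
# Replaces an existing value, appends the attribute if it is absent, and
# keeps a copy of the original file next to it.
set_syntaxcheck_off() {
    dse="$1"
    [ -f "$dse" ] || { echo "no such file: $dse" >&2; return 1; }
    cp -p "$dse" "$dse.pre-syntaxcheck" || return 1
    # Writing with ">" truncates in place, so owner and mode are preserved.
    awk '
        function flush() {
            if (in_cfg && !seen) print "nsslapd-syntaxcheck: off"
            in_cfg = 0
        }
        /^$/ { flush(); print; next }
        tolower($0) ~ /^dn:[ \t]*cn=config[ \t]*$/ { in_cfg = 1; seen = 0; print; next }
        in_cfg && tolower($0) ~ /^nsslapd-syntaxcheck:/ {
            print "nsslapd-syntaxcheck: off"; seen = 1; next
        }
        { print }
        END { flush() }
    ' "$dse.pre-syntaxcheck" > "$dse"
}

# Steps 1-3 together. The server must be stopped first: a running server
# rewrites dse.ldif and would discard the edit.
apply_workaround() {
    inst="$1"   # placeholder instance name, e.g. the PKI internal DB instance
    service dirsrv stop "$inst" &&
    set_syntaxcheck_off "/etc/dirsrv/slapd-$inst/dse.ldif" &&
    service dirsrv start "$inst"
}
```

The edit touches only the `cn=config` entry and leaves the original file as `dse.ldif.pre-syntaxcheck`, so the setting can be restored later.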

On Tue, 2014-02-18 at 16:49 +0100, Jindrich Dolezal wrote:
> so the root cause seems to be this (was bit higher in the debug log
> than previous post):
> 
> [18/Feb/2014:15:34:58][http-9445-2]: SecurityDomainSessionTable:
> unable to create session entry-1411012119543770863:
> netscape.ldap.LDAPException: error result (21); host: value #0 invalid
> per syntax
> 
> i found this ticket https://fedorahosted.org/pki/ticket/457
> 
> anyone knows if this was fixed or any workaround?
> 
> jd
> 
> 
> On 02/18/2014 03:03 PM, Jindrich Dolezal wrote:
> 
> > additional info:
> > on the master ca machine i found following in the log file:
> > 
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet:service() uri
> > = /ca/ee/ca/updateNumberRange
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param
> > name='type' value='request'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param
> > name='xmlOutput' value='true'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet::service() param
> > name='sessionID' value='-1411012119543770863'
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: caUpdateNumberRange
> > start to service.
> > [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange:
> > processing...
> > [18/Feb/2014:14:00:19][http-9444-2]: UpdateNumberRange process:
> > authentication starts
> > [18/Feb/2014:14:00:19][http-9444-2]: IP: 10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-2]: AuthMgrName: TokenAuth
> > [18/Feb/2014:14:00:19][http-9444-2]: CMSServlet: no client
> > certificate found
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: start
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication:
> > content=sessionID=-1411012119543770863&hostname=10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet:service() uri
> > = /ca/ee/ca/tokenAuthenticate
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param
> > name='hostname' value='10.10.16.73'
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet::service() param
> > name='sessionID' value='-1411012119543770863'
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSServlet: caTokenAuthenticate
> > start to service.
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication:
> > sessionId=-1411012119543770863
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication:
> > givenHost=10.10.16.73
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: checking
> > session in the session table
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore():
> > password store initialized before.
> > [18/Feb/2014:14:00:19][http-9444-1]: CMSEngine: getPasswordStore():
> > password store initialized.
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication: session
> > not found
> > [18/Feb/2014:14:00:19][http-9444-1]: TokenAuthentication
> > authenticate failed, session id does not exist.
> > [18/Feb/2014:14:00:19][http-9444-2]: TokenAuthentication: status=1
> > [18/Feb/2014:14:00:19][http-9444-2]: SignedAuditEventFactory:
> > create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified
> > $][Outcome=Failure][AuthMgr=TokenAuth][AttemptedCred=$Unidentified$]
> > authentication failure
> > 
> > 
> > 
> > 
> > On 02/18/2014 02:47 PM, Jindrich Dolezal wrote:
> > 
> > > hi, 
> > > 
> > > i'm using dogtag 9.0 (pki-ca-9.0.3) on rhel 6.2 and want to make
> > > clone. i'm following 'Deploy and Install guide' chapter 10.3. So
> > > have master ca, created clone ca and run the configuration wizard.
> > > i got to point (point 10) where i am supposed to "Import Keys and
> > > Certificates". After filling p12 file and password i ended with: 
> > > 
> > > " org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 15;
> > > Open quote is expected for attribute "BGCOLOR" associated with an
> > > element type "BODY"." 
> > > 
> > > error appearing on the page (see attached picture). 
> > > Note that when i fill incorrect file or invalid password, the
> > > wizard tells me with appropriate error (like no such file/...) but
> > > when everything is correct SAX exception appears. SAX exception
> > > also appears when i left the inputs blank and click next =>
> > > therefore this step is unpassable. 
> > > 
> > > has anyone performed cloning with success? 
> > > 
> > > thanks, 
> > > 
> > > jd 
> > > 
> > > 
> > > ****************************************************************************************
> > > This email and any files transmitted with are confidential and intended solely for the
> > > use of the individual or entity to whom they are addressed.  If you have received this
> > > email in error then please delete it and notify the sender. Do not make a copy or forward
> > > it to anyone.  This footnote also confirms that this email message has been swept for the
> > > presence of computer viruses.
> > >
> > > Adaptive Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, Ireland
> > > Directors: B. Collins, G. Maclachlan (UK), N. Grierson (UK), J. Ennis (UK), D. Summers (UK).
> > > Registered in Ireland, Company No. 370343, VAT Reg.No.IE6390343O
> > > ****************************************************************************************
> > > 
> > > 
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> > 
> 