When self tests fail, 'pkidaemon status tomcat' shows a running tomcat process. There is no indication that the subsystem process is down.
Steps to Reproduce:
1. CA, KRA and OCSP installed on separate tomcats.
2. OCSP subsystem CS.cfg has the following configuration:

    ocsp.cert.list=signing,sslserver,subsystem,audit_signing

   Note the self tests that are listed as critical, for example:

    selftests.container.order.startup=OCSPPresence:critical, SystemCertsVerification:critical

   Edit CS.cfg with an incorrect nickname for one of the system certificates:

    ocsp.cert.audit_signing.nickname=Bogus ocsp3auditsigningcert

3. Restart OCSP:

    systemctl restart pki-tomcatd@rootocsp.service

4. Self test failed, audit log shows:

    0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Bogus ocsp3auditsigningcert] CIMC certificate verification
    0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
    0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
    0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown
Actual results:
'pkidaemon status tomcat' shows ocsp subsystem running:

    Status for rootocsp: rootocsp is running ..

    [OCSP Status Definitions]
    Unsecure URL        = http://XXXXXX:30755/ocsp/ee/ocsp
    Secure Agent URL    = https://XXXXXX:31172/ocsp/agent/ocsp
    Secure EE URL       = https://XXXXXX:31172/ocsp/ee/ocsp
    Secure Admin URL    = https://XXXXXX:31172/ocsp/services
    PKI Console Command = pkiconsole https://XXXXXX:31172/ocsp
    Tomcat Port         = 31927 (for shutdown)

    [OCSP Configuration Definitions]
    PKI Instance Name:   rootocsp
    PKI Subsystem Type:  OCSP
    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  xxx.xxx.xx.xxx
    URL:   https://XXXXXX:30042
    =========================================================

Also, systemctl status shows active:

    # systemctl status pki-tomcatd@rootocsp.service
    pki-tomcatd@rootocsp.service - PKI Tomcat Server rootocsp
       Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
       Active: active (running) since Thu 2015-07-30 01:51:55 IST; 19min ago
Expected results:
User should be informed that ocsp process is dead.
Additional info:
Accessing ocsp urls gives 404 as expected.
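
Because the Tomcat process stays up, a health check for this case has to look at the subsystem's audit log instead of the service state. The following is an added example, not part of the ticket or of Dogtag PKI: it parses audit lines in the format quoted above and reports the outcome of the most recent self-test run. The function names and the `SAMPLE` list (adapted from the ticket's log lines) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Field layout taken from the audit lines quoted in the ticket:
#   <thread> - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=..][Outcome=..] text
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) \w+\]")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_audit_line(line):
    """Return (timestamp, fields) or None if the line is not an audit event."""
    stamp = STAMP.search(line)
    fields = dict(FIELD.findall(line))
    if not stamp or "AuditEvent" not in fields:
        return None
    when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S")
    return when, fields

def selftest_status(lines):
    """Report the outcome of the most recent self-test run found in the lines."""
    status = {"state": "unknown", "when": None, "failed_certs": []}
    pending = []  # certificate verification failures seen since the last run
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        when, f = parsed
        event, outcome = f["AuditEvent"], f.get("Outcome")
        if event == "CIMC_CERT_VERIFICATION" and outcome == "Failure":
            pending.append(f.get("CertNickName", "?"))
        elif event == "SELFTESTS_EXECUTION":
            failed = outcome != "Success"  # a missing outcome counts as failed
            status = {"state": "failed" if failed else "passed", "when": when,
                      "failed_certs": pending if failed else []}
            pending = []
    return status

# Sample input adapted from the audit lines quoted in the ticket.
SAMPLE = [
    "0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Bogus ocsp3auditsigningcert] CIMC certificate verification",
    "0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)",
    "0.localhost-startStop-1 - [30/Jul/2015:01:52:10 IST] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown",
]

if __name__ == "__main__":
    print(selftest_status(SAMPLE))
```

A monitor would treat `state == "failed"` as "subsystem down" even while systemctl reports the unit as active.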
Per CS/DS Meeting of 08/03/2015: closed as duplicate of PKI TRAC Ticket #1496 - Consolidate pkidaemon into pki-server, since 'pkidaemon' was never intended to work at the individual subsystem level within a shared instance.
Metadata Update from @aakkiang: - Issue set to the milestone: 10.3.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2085
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.