TPS installation fails when the CA is externally signed
Steps to Reproduce:
1. The same setup as in https://bugzilla.redhat.com/show_bug.cgi?id=1381084
2. TPS config

[DEFAULT]
pki_instance_name = pki-tps
pki_https_port = 25443
pki_http_port = 25080
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_https_port = 8443
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-TPS
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 8389
pki_client_database_password = Secret123
pki_token_password=Secret123

[Tomcat]
pki_ajp_port = 25009
pki_tomcat_server_port = 25005

[TPS]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_authdb_basedn = ou=People,dc=pki-tps
pki_authdb_hostname=cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_authdb_port=8389
pki_ca_uri=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443
pki_tks_uri=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:23443
pki_kra_uri=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:21443
pki_admin_nickname=PKI TPS Administrator for Example.Org
pki_enable_server_side_keygen=True
pki_import_shared_secret=True
pki_server_pkcs12_path=pki-server.p12
pki_server_pkcs12_password=Secret123
Actual results:
TPS installation fails
Expected results:
TPS installation should be successful
Additional info:
log messages:

[30/Sep/2016:17:19:11][http-bio-25443-exec-3]: registerUser: Successfully added user TPS-cisco-b200m1-04.rhts.eng.bos.redhat.com-25443 to https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443 using /ca/admin/ca/registerUser
[30/Sep/2016:17:19:11][http-bio-25443-exec-3]: ConfigurationUtils: getSubsystemCert: nickname=subsystemCert cert-pki-tps
[30/Sep/2016:17:19:11][http-bio-25443-exec-3]: ConfigurationUtils: POST https://cisco-b200m1-04.rhts.eng.bos.redhat.com:23443/tks/admin/tks/registerUser
[30/Sep/2016:17:19:12][http-bio-25443-exec-3]: Server certificate:
[30/Sep/2016:17:19:12][http-bio-25443-exec-3]: - subject: CN=cisco-b200m1-04.rhts.eng.bos.redhat.com,OU=pki-tks,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:17:19:12][http-bio-25443-exec-3]: - issuer: CN=CA Signing Certificate,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
javax.ws.rs.NotFoundException: HTTP 404 Not Found
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
    at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:476)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:254)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.registerUser(ConfigurationUtils.java:4455)
    at org.dogtagpki.server.tps.rest.TPSInstallerService.finalizeConfiguration(TPSInstallerService.java:136)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:228)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[30/Sep/2016:17:19:12][http-bio-25443-exec-3]: Errors in registering TPS to CA, TKS or KRA: javax.ws.rs.NotFoundException: HTTP 404 Not Found
Per PKI Bug Council Meeting of 10/04/2016: 10.4.0
On October 7, 2016 rpattath wrote:
When the CA was installed with the full certificate chain, TPS installed successfully. Token enrollment was also successful.
Metadata Update from @rpattath: - Issue set to the milestone: 10.3.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2614
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.