#714 CS.cfg cleared?
Closed: Fixed None Opened 10 years ago by pbbunny.

After performing the following tasks, the process restart seemed to have wiped the content of the CS.cfg:

1) cp /etc/pki/pki-district/server.xml /etc/pki/pki-district/server.xml.orig
2) modify the content with the following data:
ORIGINAL

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
MODIFIED

<!-- This Realm uses the UserDatabase configured in the global JNDI
     resources under the key "UserDatabase". Any edits
     that are performed against this UserDatabase are immediately
     available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://OURSERVER:389"
       userPattern="uid={0},o=ca"
       roleBase="ou=groups,o=ca"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>

3) cp /var/lib/pki/pki-district/webapps/ca/WEB-INF/web.xml /var/lib/pki/pki-district/webapps/ca/WEB-INF/web.xml.orig
4) modify the content with the following data:
ORIGINAL
<login-config>
<realm-name>Certificate Authority</realm-name>
</login-config>

<security-role>
    <role-name>*</role-name>
</security-role>

MODIFIED

<login-config>
    <realm-name>Certificate Authority</realm-name>
</login-config>

<security-role>
    <role-name>*</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>PKI Certificate Authority</realm-name>
</login-config>

<security-role>
    <role-name>*</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>EE Services</web-resource-name>
        <url-pattern>/ee/ca/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>
        </role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

5) Restarted the service: systemctl restart pki-tomcatd.target & systemctl restart pki-tomcatd@pki-district.services

After performing the restart, I started getting an HTTP 500 within the subsystem's admin and EE pages.

Turns out the CS.cfg was wiped; it is completely empty. I'm attaching the catalina.out FYI.


The original catalina.out, prior to a clean restart of dir and ca services, and the new catalina.out created after performing a dir and ca services restart.
catalina.out.zip
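
A guard for the failure this ticket reports, as an added example that is not from the ticket or the Dogtag project: it copies CS.cfg aside before the restart (as steps 1 and 3 do for server.xml and web.xml) and restores it if the file is missing or empty afterwards. The function name and return codes are this example's own, and the CS.cfg path is passed in by the caller because the ticket does not give it.

```shell
#!/bin/sh
# Added example (not from the ticket or the Dogtag project).
# guarded_restart CFG CMD [ARGS...]
#   CFG: path to the instance's CS.cfg (supplied by the caller; not given in the ticket)
#   CMD: the restart command to run, e.g. the systemctl call from step 5
# Returns 0 if CFG is non-empty afterwards, 1 if the pre-check or backup
# failed (nothing was restarted), 2 if CFG was missing or empty after CMD
# and was restored from the backup.
guarded_restart() {
    cfg=$1
    shift
    # Refuse to start from an already-empty or missing file.
    if [ ! -s "$cfg" ]; then
        echo "refusing: $cfg is missing or empty before restart" >&2
        return 1
    fi
    # Same idea as the .orig copies in steps 1 and 3, but timestamped
    # and preserving mode and ownership.
    backup="$cfg.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$cfg" "$backup" || return 1
    before=$(cksum < "$cfg")
    # Run the restart; a non-zero exit is reported but does not skip the check.
    "$@" || echo "warning: restart command exited non-zero" >&2
    if [ ! -s "$cfg" ]; then
        echo "$cfg empty after restart; restoring $backup" >&2
        cp -p "$backup" "$cfg"
        return 2
    fi
    # A changed but non-empty file is only reported; the backup stays for diffing.
    if [ "$(cksum < "$cfg")" != "$before" ]; then
        echo "note: $cfg changed across restart; compare with $backup" >&2
    fi
    return 0
}
```

Restoring the file does not restart the service again; a return code of 2 means the instance still needs a restart against the restored CS.cfg.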

Applied patch to not write to CS.cfg on startup/shutdown:

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
9d70b93..05ff18e master -> master

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
0beaa10..265f790 DOGTAG_10_0_BRANCH -> DOGTAG_10_0_BRANCH

Metadata Update from @pbbunny:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.0.5

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1283

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
