iDM: pki-tomcat fails to start (solution test by customer)

Latest response

Sharing our solution, created by one of my team members:

Diagnosis:
LDAP authentication failures
We found multiple messages in /var/log/pki/pki-tomcat/ca/debug:
Internal Database Error encountered: Could not connect to LDAP server host suct2v259.luna.kpn.org port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

Missing subsystemCert

certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u            # on a broken server this will be missing
Server-Cert cert-pki-ca                                      u,u,u
Repeat this check if multiple servers show that pki-tomcatd fails to start.

Solution
On a working IPA server

  • log in to a working IPA server
ssh working-IPA-server
  • become the root user
sudo -i
  • tar the /etc/pki/pki-tomcat/alias/ directory
tar --selinux -cvpPf my-pki-tomcat-alias.tgz /etc/pki/pki-tomcat/alias/
  • secure copy the tar file to the broken server
    • this may be different for each security setup

On a broken IPA server

  • log in to the broken server
ssh broken-IPA-server
  • become root
sudo -i
  • back up the current /etc/pki/pki-tomcat/alias, then unpack the copy from the working server
mkdir /etc/pki/pki-tomcat/alias-backup
cp -avr /etc/pki/pki-tomcat/alias/* /etc/pki/pki-tomcat/alias-backup
tar --selinux -xvpPf my-pki-tomcat-alias.tgz    # -P restores the absolute path /etc/pki/pki-tomcat/alias/
  • reset the private key password
cat /etc/pki/pki-tomcat/alias/pwdfile.txt           # contains the foreign password (from the working server)
cat /etc/pki/pki-tomcat/alias-backup/pwdfile.txt    # contains the password you should restore
certutil -d /etc/pki/pki-tomcat/alias/ -W
  • restart ipa processes
ipactl restart
  • check ipa settings
kinit admin
ipa config-show
ipa pkinit-status
ipa-pkinit-manage status
ipa domainlevel-get
ipa-pkinit-manage enable     # if your system needs this feature but ipa-pkinit-manage status shows it as disabled
ipa-pkinit-manage status     # to check that the previous command changed the status
ipa config-show              # final check

All is running fine now

If this recipe does not solve your problem, open a support ticket and point out that you already tried this.
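The two symptoms from the diagnosis above (a missing subsystemCert in the NSS database and the LDAP "Authentication failed (48)" bind errors in the CA debug log) can be checked on every server before copying anything. The following script is an added example and not part of the original post; the listing and log lines it runs on are constructed samples, and the hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: report which of the certificates
# a healthy IPA CA holds are missing from a pki-tomcat NSS listing, and count the
# LDAP bind failures (error 48) in CA debug log text.

# Nicknames a working IPA CA shows in `certutil -d /etc/pki/pki-tomcat/alias -L`
# (taken from the listing in the post).
EXPECTED_NICKS='caSigningCert cert-pki-ca
ocspSigningCert cert-pki-ca
auditSigningCert cert-pki-ca
subsystemCert cert-pki-ca
Server-Cert cert-pki-ca'

# missing_certs LISTING: print every expected nickname that is absent from the
# certutil listing passed as a string (one nickname per output line).
missing_certs() {
    printf '%s\n' "$EXPECTED_NICKS" | while IFS= read -r nick; do
        printf '%s\n' "$1" | grep -q "^$nick[[:space:]]" || printf '%s\n' "$nick"
    done
}

# ldap_auth_failures LOG: count lines in the debug log text that carry the
# "Authentication failed (48)" LDAP bind error seen on the broken server.
ldap_auth_failures() {
    printf '%s\n' "$1" | grep -c 'LDAPException: Authentication failed (48)' || true
}

# Constructed sample: the listing of a broken server (subsystemCert is missing).
BROKEN_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u'

# Constructed sample debug log lines (ipa.example.test is a placeholder host).
SAMPLE_LOG='Internal Database Error encountered: Could not connect to LDAP server host ipa.example.test port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
Some unrelated debug line
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.test port 636 Error netscape.ldap.LDAPException: Authentication failed (48)'

# On a real server:  missing_certs "$(certutil -d /etc/pki/pki-tomcat/alias -L)"
#                    ldap_auth_failures "$(cat /var/log/pki/pki-tomcat/ca/debug)"
echo "missing certificates:"; missing_certs "$BROKEN_LISTING"
echo "LDAP auth failures: $(ldap_auth_failures "$SAMPLE_LOG")"
```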

Responses

Thanks for sharing your solution, Jan! :)

You're welcome

Nice tips Jan!