Hi,
Kant, D (Dave) wrote:
>Alessandra,
>
> I did this.
>
> openssl pkcs12 -in goc01.pfx -clcerts -nokeys -out hostcert.pem
> openssl pkcs12 -in goc01.pfx -nocerts -out hostkey.pem
> chmod 400 userkey.pem
> chmod 400 usercert.pem
>
>
>
hostkey or userkey??
Anyhow.... the
http://grid-deployment.web.cern.ch/grid-deployment/documentation/LCG2-Manual-Install/
says:
" make sure to place the two files in the target node into the directory
and check the access right hostkey.pem only readable by root and the
certificate readable by everybody."
and config_host_certs (glite-yaim):
chmod 644 /etc/grid-security/hostcert.pem
that is copied in all other places needed ("cp -pf")
Cristina
> Dave
>
>=========================================================
>Dr Dave Kant
>CCLRC eScience Department Phone: (+44)|(0) 1235 778178
>Rutherford Appleton Laboratory Fax: (+44)|(0) 1235 446626
>Chilton, Didcot, Oxon, OX11 0QX, UK Email: [log in to unmask]
>==========================================================
>
>
>-----Original Message-----
>From: LHC Computer Grid - Rollout
>[mailto:[log in to unmask]]On Behalf Of Alessandra Forti
>Sent: 06 December 2006 13:12
>To: [log in to unmask]
>Subject: Re: [LCG-ROLLOUT] Host Certificate renewal on RGMA MON
>
>
>Hi Dave,
>
>did you export the p12 certificate from the browser with a password?
>
>cheers
>alessandra
>
>
>Kant, D (Dave) wrote:
>
>
>>Hi,
>>
>> I have renewed the host certificate on the APEL accounting archiver and tried to re-start the tomcat, then the flexy archiver service.
>> The certificate looks fine and has been copied to the various locations. But, we have lots of certificate related errors when starting tomcat services.
>> Any suggestions?
>>
>>Dave
>>
>>
>>[root@goc01 grid-security]# ls -l `locate hostkey`
>>-r-------- 1 root root 1202 Dec 6 10:41 /etc/grid-security/hostkey.pem
>>-r-------- 1 tomcat4 tomcat4 1202 Dec 6 10:46 /etc/tomcat5/hostkey.pem
>>-r-------- 1 rgma rgma 1202 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostkey.pem
>>
>>[root@goc01 grid-security]# ls -l `locate hostcert`
>>-r-------- 1 root root 1989 Dec 6 10:40 /etc/grid-security/hostcert.pem
>>-r-------- 1 tomcat4 tomcat4 1989 Dec 6 10:44 /etc/tomcat5/hostcert.pem
>>-r-------- 1 rgma rgma 1989 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostcert.pem
>>
>>[root@goc01 grid-security]# openssl verify -CApath /etc/grid-security/certificates/ hostcert.pem
>>hostcert.pem: OK
>>
>>[root@goc01 grid-security]# tail -150 /usr/share/tomcat5/logs/catalina.out | less
>>
>>INFO: Installing web application at context path /webdav from URL file:/var/lib/tomcat5/webapps/webdav
>>java.io.IOException: problem creating RSA private key: java.io.IOException: No password finder specified, but a password is required
>> at org.bouncycastle.openssl.PEMReader.readObject(PEMReader.java:113)
>> at org.glite.security.util.PrivateKeyReader.read(PrivateKeyReader.java:78)
>> at org.glite.security.util.KeyStoreGenerator.generate(KeyStoreGenerator.java:59)
>> at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:190)
>> at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
>> at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
>> at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
>> at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
>> at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
>> at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
>> at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
>> at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
>> at org.apache.catalina.core.StandardService.start(StandardService.java:489)
>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
>> at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> at java.lang.reflect.Method.invoke(Method.java:324)
>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>>SEVERE: Server socket factory creation failed: java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: jav
>>a.io.IOException: No password finder specified, but a password is required
>>java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: java.io.IOException: No password finder specified,
>>but a password is required
>> at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:216)
>> at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
>> at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
>> at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
>> at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
>> at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
>> at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
>> at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
>> at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
>> at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
>> at org.apache.catalina.core.StandardService.start(StandardService.java:489)
>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
>> at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> at java.lang.reflect.Method.invoke(Method.java:324)
>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>>06-Dec-2006 12:50:57 org.apache.coyote.http11.Http11Protocol start
>>
>>
>
>
>
--
---
Cristina Aiftimiei - EGEE Project
Ist. Naz. di Fisica Nucleare - Padova
Address: via F. Marzolo, 8 - 35131 Padova - ITALY
Phone: +39.049.8277005
Mobile: +39.3460230488
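
An added example, not part of the thread and not gLite or YAIM code: a shell check for the two conditions discussed above. One is a passphrase-protected hostkey.pem, which `openssl pkcs12 -nocerts` writes unless `-nodes` is given and which matches the "a password is required" error in the Tomcat log. The other is the file modes the install manual asks for. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a host key/cert pair.

# Exit 0 if the PEM private key in $1 is passphrase-protected. Traditional PEM
# carries a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses its own armor line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Exit 0 if every permission bit in octal mask $2 is set on file $1.
mode_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Print one line per finding for DIR/hostkey.pem and DIR/hostcert.pem;
# the return status is the number of findings (0 = clean).
check_host_credentials() {
    key="$1/hostkey.pem"; cert="$1/hostcert.pem"; n=0
    if key_is_encrypted "$key"; then
        echo "$key: passphrase-protected, a service cannot load it unattended"
        n=$((n + 1))
    fi
    if mode_has "$key" 040 || mode_has "$key" 004; then
        echo "$key: readable by group or others"
        n=$((n + 1))
    fi
    if ! mode_has "$cert" 444; then
        echo "$cert: not readable by everybody"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: an encrypted-key header and cert mode 400 in directory $1.
make_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' '(constructed body)' \
        '-----END RSA PRIVATE KEY-----' > "$1/hostkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed body)' \
        '-----END CERTIFICATE-----' > "$1/hostcert.pem"
    chmod 400 "$1/hostkey.pem" "$1/hostcert.pem"
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_host_credentials "$tmp"
echo "findings: $?"
rm -rf "$tmp"
```

The check reads only the PEM headers and the mode bits, so it never needs the passphrase and can be run against each copied location in turn.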