Sunday, April 27, 2014

How to Install EJBCA 6.1.1 on JBoss 7.1.1 and CentOS 6

So. As of today, I am no longer using Google products and services. At some point in the future, I will be re-publishing both the historical and updated versions of this document on my own hosting solution. I wish all of you the best of luck in your endeavors.

57 comments:

  1. If using a mysql connector greater than 5.1.30, follow this advice: https://community.jboss.org/message/866702#866702

  2. Thanks! I have rewritten the mysql portion of the document to better explain this.

    Replies
    1. Thanks to you, as this is the most comprehensive tutorial about deploying EJBCA along with JBoss that I've found.

  3. Whoever is hitting the blog using MultiZilla: Respect, you circa-2001 badass.

  4. Hi,
    I installed EJBCA following your guide, but I have an error. When I run sudo -u jboss ant install it runs to:
    ejbca:init:
    [echo]
    [echo] ------------------- CA Properties ----------------
    [echo] ca.name : atttca
    [echo] ca.dn : CN=atttca,O=HVKTMM,C=VN
    [echo] ca.tokentype : soft
    [echo] ca.keytype : RSA
    [echo] ca.keyspec : 4096
    [echo] ca.signaturealgorithm : SHA256WithRSA
    [echo] ca.validity : 3650
    [echo] ca.policy : null
    [echo] ca.tokenproperties : /opt/ejbca/conf/catoken.properties
    [echo] httpsserver.hostname : rootca.attt.vn
    [echo] httpsserver.dn : CN=rootca.attt.vn,O=HVKTMM,C=VN
    [echo] superadmin.cn : superadmin
    [echo] superadmin.dn : CN=superadmin,O=HVKTMM,C=VN
    [echo] superadmin.batch : true
    [echo] appserver.home : /opt/jboss
    [echo]

    ejbca:install:

    ejbca:initCA:
    [echo] Initializing CA with 'atttca' 'CN=atttca,O=HVKTMM,C=VN' 'soft' '4096' 'RSA' '3650' 'null' 'SHA256WithRSA' /opt/ejbca/conf/catoken.properties -certprofile ROOTCA -superadmincn 'superadmin'...
    and suspends there (does not run).
    A paragraph of the JBoss log file:
    21:16:12,837 INFO [javax.enterprise.resource.webcontainer.jsf.application] (MSC service thread 1-2) JSF1048: PostConstruct/PreDestroy annotations present. ManagedBeans methods marked with these annotations will have said annotations processed.
    21:16:13,369 INFO [org.ejbca.ui.web.admin.configuration.StartServicesServlet] (MSC service thread 1-2) Init, EJBCA 6.1.1 (working copy) startup.
    21:16:13,722 INFO [org.cesecore.keys.token.CryptoTokenFactory] (MSC service thread 1-2) Class not found: se.primeKey.caToken.card.PrimeCAToken.
    21:16:13,726 INFO [org.cesecore.keys.token.CryptoTokenFactory] (MSC service thread 1-2) Can not register se.primeKey.caToken.card.PrimeCAToken. This is normally not an error.
    21:16:51,625 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "ejbca.ear" was rolled back with failure message Operation cancelled
    21:16:51,633 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015052: Did not receive a response to the deployment operation within the allowed timeout period [60 seconds]. Check the server configuration file and the server logs to find more about the status of the deployment.
    21:21:13,791 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff7f000001:-64530e7e:53776f17:8 in state RUN
    21:21:13,823 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffff7f000001:-64530e7e:53776f17:8 invoked while multiple threads active within it.
    21:21:13,824 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffff7f000001:-64530e7e:53776f17:8 aborting with 1 threads active!
    21:21:13,831 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff7f000001:-64530e7e:53776f17:8

    =============================
    Could you help me solve it? Thanks a lot.

    Replies
    1. Looks like a configuration problem. I'd suggest reviewing your properties files and standalone.xml. The relevant message is:

      21:16:51,633 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015052: Did not receive a response to the deployment operation within the allowed timeout period [60 seconds]. Check the server configuration file and the server logs to find more about the status of the deployment.


      The problem itself is that jboss hung while attempting to deploy your ear file. Either your config file is incomprehensible, your jboss installation is corrupt, or you have a permissions problem.

      If I had to guess, either the datasource definition in your standalone.xml file is bad, or the database itself did not respond to attempts to update it.

    2. Lê Tùng, I have the same issue. Can you tell me what the problem was and how you solved it? Thanks.

  5. This comment has been removed by the author.

    Replies
    1. Please check your va-publisher properties file. It should read:
      ocsp-datasource.jndi-name=OcspDS
      ocsp-database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb?characterEncoding=UTF-8

      Note that the jndi-name for the OCSP datasource is not "EjbcaDS", but "OcspDS". If the entries in ejbca.properties and va-publisher.properties are different, you should not see this error.

  6. Hello, Warren !
    Thank you for your advice.
    1) Checking va-publisher.properties I see ocsp-datasource.jndi-name=OcspDS - so no mistake here. Probably EjbcaDS was registered in JBoss 7 at the first run of "ant deploy". I reinstalled EJBCA from scratch, adding
    ocsp.properties
    va.properties
    va-publisher.properties
    before the very first run of "ant deploy", and I get "Build successful" with no errors. "ant install" also gives "build successful", no errors.
    But DefaultCA didn't appear in the list of CAs in /ejbca/adminweb, only Management CA. ROOTCA is also absent from the list of CAs, and I created one myself through the console.


    2) I use Oracle DB 9i (9.2.0.5.0) and checking the DB I see that the ejbca DB schema was successfully auto-populated:

    SQL> select count(*) from dba_objects where owner='EJBCA';

    COUNT(*)
    ----------
    108

    No mistakes in Oracle DB alert log.
    It means that the DB driver is OK - I use ojdbc6.jar, JBoss 7.1.1.Final, EJB 6.1.1, jdk 7u55 (I need only SHA1RSA, no need for ECDSA).
    But in EJBCA console log I see:

    "20:05:46,064 INFO [org.hibernate.dialect.Dialect] (MSC service thread 1-4) HHH000400: Using dialect: org.hibernate.dialect.Oracle10gDialect"

    I confirm that ojdbc6.jar is compatible both with Java 7 and Oracle DB 9.2.x as per Oracle note "Starting With Oracle JDBC Drivers (Doc ID 401934.1)".
    Is EJBCA 6.1.1 compatible with Oracle DB 9.2 ?


    3) There are no mistakes at EJBCA installation time with your guide, but the trouble is at configuring EJBCA with the web console /ejbca/adminweb - I cannot create my first End Entity - "Add End Entity" fails with an error (in console.log):

    12:41:35,409 ERROR [org.jboss.ejb3.invocation] (http--0.0.0.0-8443-5) JBAS014134: EJB Invocation failed on component EndEntityManagementSessionBean for method public abstract void org.ejbca.core.ejb.ra.EndEntityManagementSession.addUser(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.endentity.EndEntityInformation,boolean) throws org.cesecore.authorization.AuthorizationDeniedException,org.ejbca.core.model.ra.raadmin.UserDoesntFullfillEndEntityProfile,org.ejbca.core.ejb.ra.EndEntityExistsException,org.ejbca.core.model.approval.WaitingForApprovalException,org.cesecore.certificates.ca.CADoesntExistsException,org.ejbca.core.EjbcaException: javax.ejb.EJBException: java.lang.NullPointerException
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:166) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:230) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:304) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:190) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]

    Caused by: java.lang.NullPointerException
    at org.ejbca.core.model.ra.raadmin.EndEntityProfile.doesUserFullfillEndEntityProfile(EndEntityProfile.java:899) [ejbca-util.jar:EJBCA 6.1.1 (working copy)]
    at org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.addUser(EndEntityManagementSessionBean.java:311) [ejbca-ejb.jar:]

    Could you please shed light on the error?

    Thank you beforehand,
    Timur.

  7. In my previous post I forgot to say that I use Ubuntu Linux ("13.04, Raring Ringtail") and Java 7 is not OpenJDK - it's the usual Oracle JDK 1.7u55, which does not use /etc/alternatives (jdk 1.7u55 was installed from the tar.gz distribution)

    Replies
    1. Sorry Timur,

      Since you are using Oracle Java 1.7, as well as Ubuntu, I'm afraid I can't do much to help you out. What I've observed is that ejbca is very sensitive to the combination of software modules you run it on, which is largely why I wrote the guide. I was so irritated at having to test 100 different build combinations that I just wrote a guide for the combination that seems to work most reliably.

      Just glancing at your error, it seems that the null pointer error you are receiving could be from an internal mismatch between some limitation associated with your end entity profile. But I can't really take the time to read through the source code to figure out just what is wrong.

      For questions like these, you're probably best off sending emails to the ejbca discussion lists on sourceforge.

      Good luck-

      Warren V

  8. I followed your advice about using openjdk 6 - all is OK with openjdk 6, Oracle 9.2.0.5, ojdbc6.jar, Ubuntu Linux ("13.04, Raring Ringtail"), JBoss 7.1.1.Final, EJBCA 6.1.1 - no errors for this software module combination either, and I have reached the very end of your superb, content-rich guide. I have successfully issued my first certificate! Thank you for your creative job and good luck to you!

  9. Warren,
    Installation fails with error messages:
    16:08:11,586 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (MSC service thread 1-2) HHH000232: Schema update complete
    16:08:58,673 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "ejbca.ear" was rolled back with failure message Operation cancelled
    16:08:58,684 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015052: Did not receive a response to the deployment operation within the allowed timeout period [60 seconds]. Check the server configuration file and the server logs to find more about the status of the deployment.

    Oddly enough, the first run of ant deploy fails (couldn't contact JBoss error message).
    However, the second run is OK but stops with the mentioned message.

    Any hint?

    Replies
    1. Hello Andreas,

      I found these three articles within 10 seconds of Googling:

      http://stackoverflow.com/questions/15001342/jboss-7-war-deployment-failed
      https://www.openshift.com/kb/kb-e1037-timeout-deploying-jboss-applications
      http://vinynigam.blogspot.com/2013/04/increasing-deployment-timeout-for.html

      Moral of the story: the machine you are running ejbca on is probably too slow for the deployment to finish. Extend the timeout and see what happens. Beyond that, you're on your own.

      -Warren V

  10. This comment has been removed by the author.

    Replies
    1. Sorry Timur,
      Your best bet is to post this question to the EJBCA Sourceforge mailing list.
      -Warren V

  11. Dear warren,

    Thanks for this beautiful how-to. Please, do you have another one on building OCSP with EJBCA?

    Replies
    1. Hello Pascal,
      OCSP configuration is included in this how-to.

      -Warren V

    2. A belated update: Pascal was totally correct - the OCSP instructions relating to the va.properties file were quite bad. I've cleaned them up.

  12. Hello, Warren !

    There is a stanza in your guide:

    "...Production Deployment and Test
    Now we can perform our first true deployment that should give us a functional ejbca server:
    sudo -u jboss ant deploy"

    Do I understand correctly that the following flow is correct:
    a) ant deploy
    b) ant install
    c) ant deploy ?

    Actually, I have missed c). What does c) do ?
    I have successfully created CA and issued certificates.

    Thanks a lot, Timur

  13. The deploy in step "c" pushes the compiled ear file created in the install step to jboss. It is an artifact of how jboss works.

    -W

  14. Warren.
    Your article is really very good. Thank you very much. We are trying to set up a CA at the Municipality of Río Grande - Tierra del Fuego and I am basing it on your article. When we finish it I will let you know. We are using Centos 7, jboss 7.1.1 and ejbca 6.2.0.
    Regards.
    Luis.

    Replies

    1. You're welcome, Luis,

      Please tell me what changes you make for version 6.2.0, and I will update the guide.

      -Warren

  15. This comment has been removed by the author.

  16. Warren

    Excellent post and thank you for sharing the details. I was planning to write up something myself but landed on your post and it is way beyond what I had in mind, so kudos!

    You have mentioned some best practices in few sections but was wondering if there is more to it? Also, do you plan to release more articles around EJBCA?

    Rohit Jain

    Replies
    1. I intend to publish an update for the newer versions of ejbca as soon as I have time. I've been focusing on vSphere and storage lately, so not sure when that will be.

      As for your question, I'm not sure exactly what you are asking. There are many possible requirements for setting up a CA, so I've tried to focus on the simple lab installation paradigm. I do intend to write some articles on Active Directory integration, as getting AD to play nice with an external CA is never easy. But I'll probably throw in some stuff about SCEP and mobility while I'm at it.

  17. Hi.
    Congratulations on making a very good guide.
    I deployed EJBCA inside LXC with Debian and it works very well.

    The LXC containers I use are:
    * lxc-ejbca
    * lxc-mysql
    * lxc-apache

    I am doing the configuration to log in to JBoss via Apache, following the documentation at http://www.ejbca.org/guides.html,
    and I have a problem generating the certificate using the command

    bin/ejbca.sh ra addendentity apache-ssl foo123 "CN=ca-server.company.local,O=EJBCA Sample,C=SE" "" ManagementCA "" 1 PEM SERVER

    How can I fix it?
    Greetings

  18. Hi,

    I followed your guide step by step, but when I try sudo -u jboss ant deploy I get this error:

    BUILD FAILED
    /opt/ejbca_ce_6_1_1/build.xml:79: Execute failed: java.io.IOException: Cannot run program "java": java.io.IOException: error=2, No such file or directory

    Can you help me to fix it?

    Thanks a lot,
    -P

  19. Warren,

    Congrats on such a fantastic guide. One issue I ran into is likely specific to deploying EJBCA and JBoss on Ubuntu 14.04 LTS, but it doesn't seem that JBoss 7.1.1 supports ":reload" on Ubuntu. I had to modify /opt/ejbca/bin/jboss.xml to use ":shutdown(restart=true)" instead.

    For others, note that Ubuntu does not offer support for /etc/init.d/functions, so you'll also need to modify the init script to eliminate the instances of "success" and "failure" that occur.

  20. I want to upgrade OCSP and CA from ejbca 4.0.X to ejbca 6.0.X.
    I read doc/UPGRADE, but it only mentions upgrading from version 5.0.X. But as far as I know, version 5 was never a community version.
    I tested upgrading OCSP 4 -> 6. The steps are as follows:
    1. configure in ejbca conf: ejbca.properties, database.properties, ocsp.properties, web.properties.
    2. back up the DB.
    3. ant deploy + ant install
    4. OCSP has an Admin GUI
    Is the upgrade right or wrong? Why, in the Admin GUI, does OCSP have a default CA and issue certificates from it?
    If it is correct, can I upgrade the CA the same way as OCSP?

  21. Hi,

    Excuse me. I got this error when I added a new datasource and then built with ant deploy.
    ---
    10:56:39,945 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 2) JBAS014612: Operation ("enable") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "XXX-DS")
    ]): org.jboss.msc.service.DuplicateServiceException: Service jboss.data-source-config.XXX-DS is already registered
    ---

    The build itself by ant was fine, but the datasource was wrong.
    I want to deploy MariaDB instead of H2.

    Before ant deploy, I checked all files in HOME_ejbca and HOME_jboss, but XXX-DS was not found.
    But after ant deploy, I got the above error.

    I checked build.xml and jboss.xml, but is there any correct procedure to add a new datasource?
    I followed your customized database.properties but, in this case, I got "Service jboss.data-source-config.ejbcads is already registered".
    # But you didn't?

    I checked with the keyword "ejbcads", I found out:
    ---
    HOME_ejbca/bin/jboss.xml
    306
    307
    308
    ---

    When I run "ant deploy", does EJBCA use the parameter "308 <jboss:adm arg='data-source add --name=ejbcads" automatically?
    Sorry for my assumption, but is --name=ejbcads used twice when I run "ant deploy" for some reason? That might be why I get the error "ejbcads is already registered".

    I stepped as follows:
    1. setup DB
    2. JBoss setup
    3. deploy driver
    4. customize database.properties and ejbca.properties
    5. ant deploy

    version
    EJBCA 6.3.1.1
    JBoss AS 7
    JDK 1.7 <<< I used this version because I got the failure when "ant deploy"
    ANT 1.8
    MariaDB 5.5

  22. Great, fantastic manual. Without your manual I would never have installed ejbca. Thank you. Thank you. Thank you.
    I installed on Centos 7.1.1503 and ejbca_ce_6_3_1_1 without problems.
    I think that in your documentation there is only one little error:
    "sudo -u jboss ant install" gives me "[java] Can't define a CAToken properties file for a soft token", so I changed

    install.properties
    from
    ca.tokenproperties=/opt/ejbca/conf/catoken.properties
    to
    #ca.tokenproperties=/opt/ejbca/conf/catoken.properties

    Thank you again!!

    Replies
    1. You're Welcome! And yes, this is totally a mistake on my part which has been fixed. I actually ran into this error while working on the new 6.3.1.1 version of this document, and a Google search took me to your comment. It's a strange feeling to have a bug search take you back to your own documentation :-)

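A consistency check for the conf/*.properties values that came up in the reply to comment 5 (the OCSP publisher datasource must be OcspDS, not EjbcaDS) and in comment 22 (ca.tokenproperties must not be set when ca.tokentype is soft). This is an added example, not code from the guide or from EJBCA; the key datasource.jndi-name in database.properties and the sample file contents are assumptions.

```python
"""Consistency checks for the EJBCA conf/*.properties values discussed in the
comments above (OcspDS vs EjbcaDS, ca.tokenproperties with a soft token).
Added example; not code from the guide or from EJBCA."""
import re

# Signature algorithm names EJBCA's CA accepts (the "SHA2WITHRSA" in the OCSP
# error later in the thread is not one of them).
KNOWN_SIGALGS = {
    "SHA1WithRSA", "SHA256WithRSA", "SHA384WithRSA", "SHA512WithRSA",
    "SHA256WithECDSA", "SHA384WithECDSA", "SHA512WithECDSA",
}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':'
    separators, backslash line continuation.  A commented-out key (the fix in
    comment 22) is simply absent from the result."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ejbca_conf(files):
    """files maps file name -> contents.  Returns [(file, problem), ...]."""
    install = parse_properties(files.get("install.properties", ""))
    database = parse_properties(files.get("database.properties", ""))
    va_pub = parse_properties(files.get("va-publisher.properties", ""))
    problems = []

    # 1. Soft token + ca.tokenproperties -> "Can't define a CAToken properties
    #    file for a soft token" at ant install (comment 22).
    if install.get("ca.tokentype", "soft") == "soft" and install.get("ca.tokenproperties"):
        problems.append(("install.properties",
                         "ca.tokenproperties is set but ca.tokentype is soft; comment it out"))

    # 2. An algorithm name the CA cannot resolve fails at CA init / signing.
    sigalg = install.get("ca.signaturealgorithm")
    if sigalg and sigalg.lower() not in {a.lower() for a in KNOWN_SIGALGS}:
        problems.append(("install.properties",
                         f"ca.signaturealgorithm={sigalg} is not a known name (e.g. SHA256WithRSA)"))

    # 3. The OCSP publisher needs its own JNDI name, OcspDS, not the CA's
    #    EjbcaDS (reply to comment 5).  'datasource.jndi-name' is assumed to be
    #    the key database.properties uses for the CA datasource.
    ca_ds = database.get("datasource.jndi-name", "EjbcaDS")
    ocsp_ds = va_pub.get("ocsp-datasource.jndi-name")
    if ocsp_ds and ocsp_ds == ca_ds:
        problems.append(("va-publisher.properties",
                         f"ocsp-datasource.jndi-name={ocsp_ds} collides with the CA datasource; use OcspDS"))
    return problems


# Constructed sample reproducing both misconfigurations from the comments.
SAMPLE_FILES = {
    "install.properties": (
        "ca.name=atttca\n"
        "ca.tokentype=soft\n"
        "ca.keytype=RSA\n"
        "ca.keyspec=4096\n"
        "ca.signaturealgorithm=SHA256WithRSA\n"
        "ca.tokenproperties=/opt/ejbca/conf/catoken.properties\n"
    ),
    "database.properties": "datasource.jndi-name=EjbcaDS\n",
    "va-publisher.properties": (
        "ocsp-datasource.jndi-name=EjbcaDS\n"
        "ocsp-database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb?characterEncoding=UTF-8\n"
    ),
}

if __name__ == "__main__":
    for fname, problem in check_ejbca_conf(SAMPLE_FILES):
        print(f"{fname}: {problem}")
```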
  23. Thank you,
    I have built OCSP with: ejbca 6.3.1, JBoss 7.1.1, JDK 7, ant 1.9 on CentOS 5 32-bit.
    The build seems unstable: sometimes it succeeds, sometimes it errors.
    When running "ant deploy" there is an error in the file jboss.xml. I have checked the error in the line:
    It seems the CLI reload of JBoss with the JBoss CLI is unstable.
    But strangely, sometimes I deploy successfully.

    I stepped as follows:
    Config ejbca/conf/ in file: ejbca.properties, database.properties, ocsp.properties, web.properties.
    Config jdk 7, ant 1.9
    Config jboss: add mysql connector, pkcs#11
    Please tell me which step I did wrong.
    Thank you.

  24. Hi Warren,

    I want to thank you for the lengthy how-to. All others don't come close! First time working with EJBCA. I see the last comment here was from last year. I imagine much has changed since you posted this. Namely fixes and modifications.

    I am on CentOS 7.1, 64bit. I am at the ant install section and experience a Build Failed message with the following:
    /opt/ejbca_ce_6_3_1_1/build.xml:64: The following error occurred while executing this line:
    /opt/ejbca_ce_6_3_1_1/build.xml:70: The following error occurred while executing this line:
    /opt/ejbca_ce_6_3_1_1/bin/cli.xml:94: The following error occurred while executing this line:
    /opt/ejbca_ce_6_3_1_1/bin/cli.xml:112: The following error occurred while executing this line:
    /opt/ejbca_ce_6_3_1_1/bin/cli.xml:186: Java returned: 1

    The below are the lines referenced above for each file: I removed the less than and greater than syntax.
    Line 64 in build.xml - antcall target="runinstall"
    Line 70 in build.xml - ant dir="${ejbca.home}/bin" antfile="cli.xml" target="ejbca:install"
    Line 94 in cli.xml - antcall target="ejbca:initCA"
    Line 112 in cli.xml - ejbca:cli-hideargs arg="ca init "${ca.name}" "${ca.dn}" ${ca.tokentype} ${ca.tokenpassword} ${ca.keyspec} ${ca.keytype} ${ca.validity} ${ca.policy} ${ca.signaturealgorithm} ${install.catoken.command} ${install.certprofile.command} -superadmincn "${superadmin.cn}""
    Line 186 in cli.xml - java dir="${ejbca.home}" jar="${ejbca.home}/dist/ejbca-ejb-cli/ejbca-ejb-cli.jar" fork="true" failonerror="true"

    Can you give assistance with the Ant Build Failure? Thank you sir!

    noobh

  25. Very detailed information. Thank you for helping me in my jboss online training.

  26. Hello All,

    After a long hiatus, I'm returning to the subject of EJBCA. A new version of the install guide using MariaDB, Java 1.8, and Wildfly 8 is in the works.

    In the meantime, I'm cleaning up a few small errors in this guide (fixing broken reference links, and a couple small bugs in the suggested my.cnf).

  27. Oh, and for those who are requesting help: I'm sorry, but I can't help with particular install problems. However, if you find a bug in this or any other guide of mine, please do let me know.

  28. I really appreciated this tutorial. I adapted it for wildfly 10 and the latest version of ejbca, but without this guide I would never have stood it up in my lab.

    Replies
    1. Hello Errol,

      I'm writing a Wildfly 9 version of this document right now. If you have particular changes that were made to support Wildfly 10, please forward them to me, and I will include them in the new guide.

    2. Basically, the adaptations were taken right from the Wildfly site! https://www.ejbca.org/docs/installation.html#WildFly 10
      I know the big issue for me was that the deploy kept failing because remoting wasn't enabled OOTB, it seemed.
      I'm using Ubuntu 16.04.1 and OpenJDK 1.8

  29. I installed the CA server by following your blog. I am able to access https://myhttpservername:8443/ejbca/adminhweb but I'm unable to access it without the port number. Can you please help me?

  30. I'm new to this. I just followed what you said. Please help: how can I access it without the port number? I changed the web.properties file as you said but I'm unable to access it. Please guide me.

  31. 22:50:49,407 ERROR [org.jboss.web] (MSC service thread 1-1) JBAS018211: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean


    I am getting this error. Any help?

  32. Great guide that really helps address PrimeKey's documentation woes! I was able to adapt it to get EJBCA 6.3.1.1 running on Ubuntu 16.04 / JBoss 7.1.1 / OpenJDK 7 with one tiny change: the JAVA_HOME environment variable must be configured before running apt install, otherwise there are issues with it finding the keytool program. Hope this tiny bit helps somebody!

  33. Thanks for this tutorial. It took a week to get CentOS installed and running, with the multiple issues introduced with JBoss, Wildfly, ANT, OpenJDK...

    Coming from a Windows environment I sometimes ask myself why on earth I decided to change over... it sure as hell does not seem worth this amount of effort.

  34. First of all, this is hands down the best tutorial on installing and configuring EJBCA that I have come across.
    I have a few questions, so if you can, please reply.
    1. I don't need the server signing function. I am using Comodo certs for that; I need only client auth functions for publicly accessible URLs on my site. That means that I am creating an End Entity and signing it with my RootCA, right?
    2. Does this tutorial assume that your EJBCA installation has to be publicly accessible as well for the sake of OCSP and other things, or can I put it in my intranet, set it up, and then manually transfer certificates and CRLs to a publicly accessible server each time I publish a new CRL/certificate?
    3. If I don't need SSL server keys (which I don't), do I still need to follow the routine RootCA->SubordinateCa->Client certs, or can I go with RootCA->Client certs? Pros/cons?
    Thanks in advance

  35. This comment has been removed by the author.

  36. This comment has been removed by the author.

  37. Hello. I'm facing an error when I want to 'ant install'. 'ant deploy' works fine. The error displayed is ejbca:initCA:
    [echo] Initializing CA with 'mgmtca' 'CN=mgmtca,O=Your Company,C=US' 'soft' '4096' 'RSA' '3652' 'null' 'SHA256WithRSA' -certprofile ROOTCA -superadmincn 'superadmin'...
    [java] Could not run execute method for class ca
    [java] java.lang.RuntimeException: Internal admin was denied access. This should not be able to happen.
    ......

    I found somewhere that it is a database related error, so I tried /opt/ejbca/bin/ejbca.sh ca listcas ( after successful ant deploy) and I received somehow the same error:
    java.lang.RuntimeException: Internal admin was denied access. This should not be able to happen.
    ........

    Can anyone help?

  38. Wow, this is the best blog I have visited today and I have found the article to be very informative and comprehensively written. Although I am not a programming specialist, I have learned a lot from the article and improved my general programming skills. I am looking forward to reading more blog posts from this site, especially when taking a break from my work of administering Errors Correction Help to students.

  39. Hello, I have an issue when using OCSP in Ejbca. Could you help me to check it? Thanks

    15:08:05,017 ERROR [org.jboss.ejb3.invocation] (http--0.0.0.0-8080-2) JBAS014134: EJB Invocation failed on component OcspResponseGeneratorSessionBean for method public abstract org.cesecore.certificates.ocsp.OcspResponseInformation org.cesecore.certificates.ocsp.OcspResponseGeneratorSession.getOcspResponse(byte[],java.security.cert.X509Certificate[],java.lang.String,java.lang.String,java.lang.StringBuffer,org.cesecore.certificates.ocsp.logging.AuditLogger,org.cesecore.certificates.ocsp.logging.TransactionLogger) throws org.cesecore.certificates.ocsp.exception.MalformedRequestException,org.bouncycastle.cert.ocsp.OCSPException: org.cesecore.certificates.ocsp.exception.OcspFailureException: Failure encountered while retrieving OCSP response.
    at org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.generateBasicOcspResp(OcspResponseGeneratorSessionBean.java:1634) [cesecore-ejb.jar:]
    at org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.signOcspResponse(OcspResponseGeneratorSessionBean.java:1579) [cesecore-ejb.jar:]
    at org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.getOcspResponse(OcspResponseGeneratorSessionBean.java:1349) [cesecore-ejb.jar:]
    at sun.reflect.GeneratedMethodAccessor800.invoke(Unknown Source) [:1.7.0_151]

    Caused by: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Unknown signature type requested: SHA2WITHRSA
    at java.util.concurrent.FutureTask.report(FutureTask.java:122) [rt.jar:1.7.0_151]
    at java.util.concurrent.FutureTask.get(FutureTask.java:202) [rt.jar:1.7.0_151]
    at org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.generateBasicOcspResp(OcspResponseGeneratorSessionBean.java:1628) [cesecore-ejb.jar:]
    ... 59 more

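A small triage script for the JBoss AS 7 failure signatures quoted in comments 4, 9, 21, 37 and 39 (deployment timeout and rollback, duplicate datasource, the SHA2WITHRSA algorithm name, the denied internal admin, transaction reaper aborts). This is an added example, not code from the guide or from JBoss; the sample log is constructed from the shapes of the lines quoted above, and the hints repeat the explanations given in the thread.

```python
"""Triage of JBoss AS 7 / EJBCA deployment logs for the failure signatures
quoted in this thread.  Added example; not code from the guide or from JBoss."""
import re
from dataclasses import dataclass
from typing import Optional

# JBoss AS 7 console/server.log header: "HH:MM:SS,mmm LEVEL [category] (thread) message"
LOG_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)


@dataclass
class Finding:
    code: str               # short label for the failure class
    detail: Optional[str]   # value pulled out of the message, if any
    hint: str               # what the thread suggests checking first


# (label, regex with optional 'detail' group, hint).  First match wins.
SIGNATURES = [
    ("deploy-timeout",
     re.compile(r"JBAS015052:.*timeout period \[(?P<detail>\d+ seconds)\]"),
     "JBoss gave up waiting for the ear; check the datasource and the DB, or raise the deployment-scanner timeout in standalone.xml"),
    ("deploy-rolled-back",
     re.compile(r'JBAS015870: Deploy of deployment "(?P<detail>[^"]+)" was rolled back'),
     "companion of a timeout or an earlier error; read the lines before it"),
    ("duplicate-datasource",
     re.compile(r"DuplicateServiceException: Service jboss\.data-source-config\.(?P<detail>\S+) is already registered"),
     "the datasource is defined twice (standalone.xml and the 'data-source add' in bin/jboss.xml); keep one"),
    ("bad-signature-algorithm",
     re.compile(r"Unknown signature type requested: (?P<detail>\S+)"),
     "use a name the CA knows, e.g. SHA256WithRSA, not SHA2WITHRSA"),
    ("cli-admin-denied",
     re.compile(r"Internal admin was denied access"),
     "the EJB CLI could not authorize against the deployed EJBCA; confirm the deployment finished and the DB schema exists"),
    ("java-not-found",
     re.compile(r'Cannot run program "java"'),
     "java is not on the PATH of the user running ant; set JAVA_HOME/PATH for the jboss user"),
    ("tx-reaper-abort",
     re.compile(r"ARJUNA\d+:.*?\b(?:TX|action(?: id)?) (?P<detail>\S+)"),
     "a transaction ran past the reaper timeout; usually the DB did not answer during deployment"),
]


def parse_line(line):
    """Split a JBoss log line into its fields; ant output and stack-trace
    lines have no header and come back with the whole line as 'msg'."""
    m = LOG_LINE.match(line.strip())
    if m:
        return m.groupdict()
    return {"time": None, "level": None, "category": None, "thread": None, "msg": line.strip()}


def classify(line):
    """Return a Finding for the first matching signature, or None."""
    msg = parse_line(line)["msg"]
    for code, pattern, hint in SIGNATURES:
        m = pattern.search(msg)
        if m:
            return Finding(code, m.groupdict().get("detail"), hint)
    return None


def triage(log_text):
    """Classify every line; repeated (code, detail) pairs, such as the several
    reaper warnings for one transaction id, are reported once."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        f = classify(line)
        if f and (f.code, f.detail) not in seen:
            seen.add((f.code, f.detail))
            findings.append(f)
    return findings


# Constructed sample, shaped like the log excerpts quoted in the comments.
SAMPLE_LOG = """\
21:16:13,369 INFO [org.ejbca.ui.web.admin.configuration.StartServicesServlet] (MSC service thread 1-2) Init, EJBCA 6.1.1 (working copy) startup.
21:16:51,625 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "ejbca.ear" was rolled back with failure message Operation cancelled
21:16:51,633 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015052: Did not receive a response to the deployment operation within the allowed timeout period [60 seconds]. Check the server configuration file and the server logs to find more about the status of the deployment.
21:21:13,791 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff7f000001:-64530e7e:53776f17:8 in state RUN
21:21:13,831 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff7f000001:-64530e7e:53776f17:8
]): org.jboss.msc.service.DuplicateServiceException: Service jboss.data-source-config.XXX-DS is already registered
Caused by: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Unknown signature type requested: SHA2WITHRSA
    [java] java.lang.RuntimeException: Internal admin was denied access. This should not be able to happen.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:24} {f.detail or '-':40} {f.hint}")
```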
  40. Hello Guys,

    I am upgrading ejbca_4_0_16 to ejbca_ce_6_3_2_6 for a production Linux environment. I did the following steps as mentioned on the ejbca and sourceforge websites. I have also copied the older ejbca.properties and cesecore.properties to conf/cesecore.properties and ejbca.properties; however, it throws an error about JBoss being up and running, although JBoss is running fine on the environment, and it is not creating the ejbca.ear file in /opt/jboss-as-7.1.1.Final/standalone/deployments/ejbca.ear (default location). Please advise me in this case on resolving the issue and the correct way to upgrade ejbca.

    ant deploy
    ant deploy-keystore
    ant deploy web-configue
    ant upgrade

    old ejbca environment
    ejbca -> ejbca_4_0_16
    ant -> apache-ant-1.8.3
    java -> jdk1.6.0_45
    jboss -> jboss-5.1.0.GA

    upgrading environment
    ejbca -> ejbca_ce_6_3_2_6
    ant -> apache-ant-1.8.3
    java -> jdk1.7.0_80
    jboss -> jboss-as-7.1.1.Final

    http://blog.ejbca.org/2017/12/the-definitive-ejbca-upgrade-guide.html
    http://www.ejbca.org/docs/installation.html#Install
    https://sourceforge.net/p/ejbca/discussion/123123/thread/a08b4cee/

    netstat -tunap | grep java
    tcp 0 0 172.20.20.180:4447 0.0.0.0:* LISTEN 11604/java
    tcp 0 0 172.20.20.180:9990 0.0.0.0:* LISTEN 11604/java
    tcp 0 0 172.20.20.180:9999 0.0.0.0:* LISTEN 11604/java
    tcp 0 0 172.20.20.180:8080 0.0.0.0:* LISTEN 11604/java


    customejbca.message:

    appserver.error.message:

    va_replacings_in_application.xml:
    [echo] Enabled module status.war
    [echo] Disabled module certstore.war
    [echo] Disabled module crlstore.war

    customejbca.message:

    appserver.error.message:

    plugin-bootstrap-build:
    [ear] Building ear: /opt/ejbca_ce_6_3_2_6/dist/ejbca.ear

    customejbca.message:

    appserver.error.message:

    websphere-specials:

    customejbca.message:

    appserver.error.message:

    signjar:
    [echo] Specify -Dsignjar.keystore=/path/keystore.jks if you want to sign the release.

    customejbca.message:

    appserver.error.message:

    signjar.internal:

    build:

    inputDatabasePassword:
    [input] skipping input as property database.password has already been set.

    deploy:

    customejbca.message:

    appserver.error.message:

    jee:undeployJBoss7:
    [exec] Result: 1

    jee:undeploy:

    set-paths-jboss7:

    set-paths-not-jboss7:

    set-paths:

    jee:deployServicesJBoss5:

    jee:assert-runJBoss7:
    [echo] Checking if JBoss is up and running...
    [echo] Waiting (up to 30 seconds in total) for the application server to become ready for the next step...
    [exec] Result: 1

    BUILD FAILED
    /opt/ejbca_ce_6_3_2_6/build.xml:696: The following error occurred while executing this line:
    /opt/ejbca_ce_6_3_2_6/bin/jboss.xml:429: The requested action requires that JBoss is up and running.

    Total time: 1 minute 33 seconds

    -------
    Thank you,
    Mehul Chhayani | Deployment Specialist
    chhayani@echoworx.com
    T:416-226-8600 EXT-246
