From: Johan E. <ejb...@pr...> - 2010-03-10 18:40:19
Hi Maxime,

Maxime_V wrote:
> Hello,
>
> To my mind, it's not a pure ejbca problem but probably a firewall issue.
> Maybe someone will still be able to help me.
> I'm using EJBCA 3.9.4 with :
> - JBOSS 5.1.0GA
> - Java "1.6.0_18"
> - Apache/2.2.3
>
> on RHEL 5.2.
>
> After having installed EJBCA which was working fine on default setup (ports
> 8080 and 8443 for jboss), I decided to add a proxy apache on the same host
> using the HowTo provided on ejbca website.
>
> Everything was working fine until I turned on the Iptables firewall. With
> IPTABLES on, I can not for example edit an end-entity (time out when I try
> to save the modifications) or get an end-entity certificate. I have the
> following error in the apache error log :
>
> [Wed Mar 10 10:30:05 2010] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 10 10:30:05 2010] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:8009 (localhost)
>
> Iptables configuration seems good (extract below) :
> iptables -L -v -n
>
> Chain INPUT (policy DROP 416 packets, 54428 bytes)
>  pkts bytes target prot opt in out source destination
> 12377 8153K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
>
> ...
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy DROP 116 packets, 12440 bytes)
>  pkts bytes target prot opt in out source destination
> 12377 8153K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
>
> Any idea why I'm facing this behavior ? (everything OK when I stop
> iptables...)
>

The protocol used between Apache and JBoss is AJP. JBoss listens for
connections on 127.0.0.1:8009 as the error message shows. So you need to
enable localhost:* to localhost:8009 in iptables.

> I also think I found a small bug in EJBCA.
> When I set the status of an end-entity to "Historical", I still receive the
> expiration warning (with expiration checker service) for this entity. Known
> bug or normal behavior ?
>

I don't believe changes in the user status affect any of the user's
certificate(s) (except if you click "Revoke" for an end entity). So this is
"normal" behaviour.

> Thank you for your help !
> Regards,
> Maxime VERAC
>

Best Regards,
Johan

-- 
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
in...@pr... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf
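
Added example, not part of the message above or of the EJBCA documentation: one way to write the "localhost:* to localhost:8009" rules explicitly for a host whose INPUT and OUTPUT chains both default to DROP. The IPT, AJP_ADDR and AJP_PORT variables and the function name are names chosen for this sketch; the address and port are taken from the Apache error log quoted in the message.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the AJP connector is on
# 127.0.0.1:8009 (taken from the Apache error log) and INPUT/OUTPUT both have
# policy DROP, as in the quoted listing.
# Dry run by default: the commands are only printed. Run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
AJP_ADDR="127.0.0.1"
AJP_PORT="8009"

ajp_loopback_rules() {
    # A loopback packet passes OUTPUT (out=lo) and then INPUT (in=lo), so
    # each direction of the connection needs an ACCEPT in both chains.
    # -I puts the rules at the top, ahead of any earlier DROP/REJECT.

    # Apache -> JBoss: packets addressed to the AJP port.
    $IPT -I OUTPUT -o lo -p tcp -s "$AJP_ADDR" -d "$AJP_ADDR" --dport "$AJP_PORT" -j ACCEPT
    $IPT -I INPUT -i lo -p tcp -s "$AJP_ADDR" -d "$AJP_ADDR" --dport "$AJP_PORT" -j ACCEPT

    # JBoss -> Apache: replies from the AJP port. "! --syn" keeps this rule
    # from admitting new connections that merely use 8009 as a source port.
    $IPT -I OUTPUT -o lo -p tcp -s "$AJP_ADDR" -d "$AJP_ADDR" --sport "$AJP_PORT" ! --syn -j ACCEPT
    $IPT -I INPUT -i lo -p tcp -s "$AJP_ADDR" -d "$AJP_ADDR" --sport "$AJP_PORT" ! --syn -j ACCEPT
}

ajp_loopback_rules
```

After applying the rules, the per-rule packet counters in iptables -L -v -n show whether AJP traffic is actually matching them.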