From: Saeed <sae...@ya...> - 2012-04-16 06:22:18
I do not think the problem is the HSM, because I was running a cluster with two nodes using the same network HSM, with master-slave MySQL replication. This problem has happened only on the master, but the slave is working fine. I can edit the CA normally and I can issue certificates from the slave for this CA, and the token is active.

There is a key map database locally on each node that is used by EJBCA to access the keys in the HSM. I replaced the one on the master with the one from the slave, but I am still having this problem on the master.

I think maybe something has crashed in EJBCA or JBoss on the master node.

Regards,
Mohamed Saeed

________________________________
From: ejbca-support <ejb...@pr...>
To: Saeed <sae...@ya...>
Cc: ejbca primekey <ejb...@li...>
Sent: Sunday, April 15, 2012 2:53 PM
Subject: Re: Fw: [Ejbca-develop] Problem Activating CA

On 2012-04-15 13:46, Saeed wrote:
>
> ----- Forwarded Message -----
> *From:* Saeed <sae...@ya...>
> *To:* ejbca-support <ejb...@pr...>; "ejb...@li..." <ejb...@li...>
> *Sent:* Thursday, April 12, 2012 2:57 PM
> *Subject:* Re: [Ejbca-develop] Problem Activating CA
>
>
> I replaced my database with a working database but the problem still there:
> my CA token can not be activated and I can not edit the CA.

If that's the case I guess there is something seriously wrong with the HSM.
The key must have been deleted or so.

The following is probably the best next step:

    ./ejbcaClientToolBox.sh PKCS11HSMKeyTool

Anders
tech support

>
> ------------------------------------------------------------------------
> *From:* ejbca-support <ejb...@pr...>
> *To:* Saeed <sae...@ya...>; ejb...@li...
> *Sent:* Wednesday, April 11, 2012 11:17 AM
> *Subject:* Re: [Ejbca-develop] Problem Activating CA
>
> On 2012-04-11 10:10, Saeed wrote:
>> I tried with clientToolBox to create a CRL for this CA but it responds with an error message.
>>
>> I think when I imported the CA certificate it made a problem, that always the imported CA is considered external
>> and it has no private keys existing in EJBCA. And since the imported CA certificate was the same as the CA that
>> exists in EJBCA, EJBCA considered my CA has no keys here, I guess.
>> I do not want to remove the CA; how could this be handled?
>
> If you have a database backup your import should be nullified.
> Otherwise an option is repairing the database manually.
> This is done by comparing working CAs with the non-working.
> CAData seems to be the table...
>
> You could also backup the current system, load in a working old copy and save
> the configuration data.
>
> There may be a better way doing this but this is the one I know of :-|
>
> Anders
> tech support
>
>>
>> Saeed
>>
>> ------------------------------------------------------------------------
>> *From:* ejbca-support <ejb...@pr...>
>> *To:* Saeed <sae...@ya...>
>> *Cc:* ejbca primekey <ejb...@li...>
>> *Sent:* Tuesday, April 10, 2012 2:27 PM
>> *Subject:* Re: Problem Activating CA
>>
>> On 2012-04-10 13:20, Saeed wrote:
>>
>> It sounds like you have destroyed the key or something like that.
>> Could you try the clientToolBox and see if you get any contact?
>> If it doesn't work in clientToolBox it won't work in EJBCA.
>>
>> The problem with edit CA is new for me.
>>
>> I would consider removing the CA if possible.
>>
>> Anders
>>
>>>
>>> No, I have not upgraded.
>>>
>>> What I did before this problem happened: I was testing how to import a CA certificate.
>>> Then I imported this CA certificate, which already exists. It gave me a red error message
>>> of something like "primary key already exist"; after that I found the CA token is inactive.
>>> When I activate it, it says CA Activation Successful.
>>>
>>> When I restarted the JBOSS it says "activated CA token of type PKCS11" but when I log in to the GUI
>>> it is still inactive.
>>>
>>> I also wonder that I can not edit the CA properties and that error appears.
>>>
>>> Regards,
>>> Saeed
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Tham Wickenberg <ejb...@pr...>
>>> *To:* Saeed <sae...@ya...>
>>> *Cc:* ejbca primekey <ejb...@li...>
>>> *Sent:* Tuesday, April 10, 2012 12:53 PM
>>> *Subject:* Re: Problem Activating CA
>>>
>>> Hello,
>>>
>>> There is a problem with your configuration. It must have stopped working when you changed the configuration.
>>>
>>> It is strange that you would get a CA Activation Successful message though.
>>>
>>> Regards,
>>> Tham Wickenberg - PrimeKey Support Team
>>>
>>> On 4/10/12 11:48 AM, Saeed wrote:
>>>> Pleeeease Help
>>>>
>>>> My CA was working properly with Hardtoken HSM. Then suddenly the CA Token Status became offline.
>>>> When I try to activate it, it says CA Activation Successful. But when I check the status again it is still inactive.
>>>> The problem is not with the hardtoken because I have other CAs that use the same token and are working correctly.
>>>> When I try to Edit this CA the Edit page does not show up it gives the following error:
>>>>
>>>>
>>>> An exception has occurred
>>>>
>>>>
>>>> HardCAToken is not used, configuration error.
>>>>
>>>>
>>>> java.lang.Exception: HardCAToken is not used, configuration error.
>>>>     at org.apache.jsp.ca.editcas.editcas_jsp._jspService(editcas_jsp.java:1924)
>>>>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
>>>>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:336)
>>>>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
>>>>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
>>>>     at java.lang.Thread.run(Thread.java:636)
>>>>
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop