LinuxQuestions.org
Old 07-24-2013, 03:30 PM   #1
lordtyp0
LQ Newbie
 
Registered: Mar 2004
Location: Las Vegas
Distribution: RHEL (Centos), Debian flavors.
Posts: 12

Rep: Reputation: 0
Issue installing Certificate: Solaris 8 iplanet 4.13 with a crypto card 1000


Greetings.
This has to be the most frustrating problem I have run across. I have been beating my head on my desk for days now.

I have two servers. On each I encountered this issue - the first I eventually got to take the certificate. The other - still fighting.

The skinny:
Solaris 8 running iplanet 4. It has an integrated Sun Crypto Accelerator (1000). (I can't upgrade due to incompatibilities with the code being run and other web servers.)

This is how it goes - from fresh:
1: Remove the DBs in $NSHOME/alias
2: In the Web Administrator tool - create a new Trust DB (for both the eri0 and the Administrator interface).
3: Run sslconfig to integrate.

4: Install the Trust certificate as TCA.
5: Install both the chain certs.
6: Attempt to install the Server cert - fails. IE reflects an error 500. Chrome just says internal error.

Logs:

The Error log ((https-admin) 0.0.0.0 = censored):

[24/Jul/2013:12:40:26] failure ( 7788): for host 0.0.0.0 trying to POST /https-eri0/admin/security, cgieng_scan_headers reports: the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)

From Access log:

0.0.0.0 - admin [24/Jul/2013:12:40:25 -0700] "POST /https-eri0/admin/security?cmd=sec-icrt HTTP/1.1" 500 -

I have seemingly stumped the CA company, and am nearing exhaustion on Google. Has anyone else run into this?

Help greatly appreciated.


Edit to add: Cert is 1024
 
Old 07-25-2013, 08:30 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote:
the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)
Needs more investigation around this area. Does that program log anything? Can you attach truss to it?

Is a server restart needed in relation to this change?
 
Old 07-25-2013, 10:25 AM   #3
lordtyp0
LQ Newbie
 
Registered: Mar 2004
Location: Las Vegas
Distribution: RHEL (Centos), Debian flavors.
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linosaurusroot View Post
Needs more investigation around this area. Does that program log anything? Can you attach truss to it?

Is a server restart needed in relation to this change?

Alas - that is the entire log for the application in question. It is a web administration tool attached to iplanet - basically a front end to a large set of Java scripts. That error only occurs when I try the new 1024. The old one goes in, though currently fails because the old key pair DB is not there. I am wondering if it is some sort of character/line limitation on what it will accept, but that is probably a red herring (Old cert is 30 lines. New cert is 36 lines. I say red herring because I eventually got it inserted into the one server. That trick is not working on 02).

I am wondering if it is still an issue with the crypto-card integration. Several times when I generated a key instead of doing 1024 - it popped out a 1023 CSR - the CA company says that it isn't that uncommon to happen like that though.

The way it is supposed to go is as detailed in this link: http://www.digicert.com/ssl-certific...on-iplanet.htm

Edit to add: I don't think truss is installed - I do have strace though if that helps us. Also to note - it's KSH and not Bash.

Last edited by lordtyp0; 07-25-2013 at 10:34 AM. Reason: Updating
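
On the 1023-bit CSR mentioned in the post above, an added example that is not part of the thread: the product of two 512-bit primes is always 1023 or 1024 bits long, and it only comes out at 1024 every time if the generator forces the top two bits of each prime. How the Sun Crypto Accelerator picks its primes is not stated on the page; the "top bit only" generator and all function names here are assumptions for illustration.

```python
import random

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; rng supplies the random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng, force_top_two):
    """Random prime of exactly `bits` bits; optionally also force bit bits-2."""
    mask = 1 | (1 << (bits - 1)) | ((1 << (bits - 2)) if force_top_two else 0)
    while True:
        candidate = rng.getrandbits(bits) | mask
        if is_probable_prime(candidate, rng):
            return candidate

def modulus_bit_lengths(modulus_bits, samples, force_top_two, seed=2013):
    """Bit length of n = p*q for `samples` constructed key pairs."""
    rng = random.Random(seed)
    half = modulus_bits // 2
    return [(random_prime(half, rng, force_top_two)
             * random_prime(half, rng, force_top_two)).bit_length()
            for _ in range(samples)]

if __name__ == "__main__":
    # Assumption: a generator that sets only the top bit of each 512-bit prime.
    loose = modulus_bit_lengths(1024, 20, force_top_two=False)
    # Common fix: set the top two bits, so p*q >= 2.25 * 2**1022 > 2**1023.
    strict = modulus_bit_lengths(1024, 20, force_top_two=True)
    print("top bit only :", loose.count(1023), "of 20 moduli are 1023 bits")
    print("top two bits :", sorted(set(strict)))
```

With primes drawn uniformly and only the top bit forced, roughly 2 ln 2 - 1, or about 39%, of the moduli fall one bit short, which matches the CA's remark that a 1023-bit result is not uncommon.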
 
Old 07-25-2013, 03:22 PM   #4
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
Quote:
Originally Posted by lordtyp0 View Post
I don't think truss is installed-I do have strace though if that helps us.
truss is standard on Solaris while its strace is unrelated to Linux strace.
 
Old 07-25-2013, 06:23 PM   #5
lordtyp0
LQ Newbie
 
Registered: Mar 2004
Location: Las Vegas
Distribution: RHEL (Centos), Debian flavors.
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jlliagre View Post
truss is standard on Solaris while its strace is unrelated to Linux strace.
Haven't been able to locate it. What's the default path? (I am not sure there is anything really standard with these boxes. Maybe that's just pessimism).
 
Old 07-25-2013, 06:48 PM   #6
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
Should be /usr/bin/truss

What says
Code:
pkgchk -v SUNWtoo
?
 
Old 07-25-2013, 06:50 PM   #7
lordtyp0
LQ Newbie
 
Registered: Mar 2004
Location: Las Vegas
Distribution: RHEL (Centos), Debian flavors.
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jlliagre View Post
Should be /usr/bin/truss

What says
Code:
pkgchk -v SUNWtoo
?
Quote:
# pkgchk -v SUNWtoo
WARNING: no pathnames were associated with <SUNWtoo>
In case it was a typo, I also tried SUNWtool and tools.
 
Old 07-31-2013, 10:28 AM   #8
lordtyp0
LQ Newbie
 
Registered: Mar 2004
Location: Las Vegas
Distribution: RHEL (Centos), Debian flavors.
Posts: 12

Original Poster
Rep: Reputation: 0
The way I fixed it was copying the REALM database for the crypto card from the working server to the secondary (have to stop the crypto service first).

It's a cheat; I don't know the real cause of it and will face it again in short enough time, it seems.
 
All times are GMT -5.