[SOLVED] Issue installing Certificate: Solaris 8 iplanet 4.13 with a crypto card 1000
Greetings.
This has to be the most frustrating problem I have run across. I have been beating my head on my desk for days now.
I have two servers. On each I encountered this issue - the first I eventually got to take the certificate. The other - still fighting.
The skinny:
Solaris 8 running iplanet 4. It has an integrated Sun Crypto Accelerator (1000). (I can't upgrade due to incompatibilities with the code being run and other web servers.)
This is how it goes - from fresh:
1: Remove the DBs in $NSHOME/alias
2: In the Web Administrator tool - create a new Trust DB (for both the eri0 and the Administrator interface).
3: Run sslconfig to integrate.
4: Install the Trust certificate as TCA.
5: Install both the chain certs.
6: Attempt to install the Server cert - fails. IE reflects an error 500. Chrome just says internal error.
Logs:
The Error log ((https-admin) 0.0.0.0 = censored):
[24/Jul/2013:12:40:26] failure ( 7788): for host 0.0.0.0 trying to POST /https-eri0/admin/security, cgieng_scan_headers reports: the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)
the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)
Needs more investigation around this area. Does that program log anything? Can you attach truss to it?
Is a server restart needed in relation to this change?
Alas - that is the entire log for the application in question. It is a web administration tool attached to iplanet - basically a front end to a large set of Java scripts. That error only occurs when I try the new 1024. The old one goes in, though currently fails because the old key pair DB is not there. I am wondering if it is some sort of character/line limitation on what it will accept, but that is probably a red herring (old cert is 30 lines, new cert is 36 lines. I say red herring because I eventually got it inserted into the one server. That trick is not working on 02).
I am wondering if it is still an issue with the crypto-card integration. Several times when I generated a key, instead of doing 1024 it popped out a 1023 CSR - the CA company says that it isn't that uncommon to happen like that though.
truss is standard on Solaris while its strace is unrelated to Linux strace.
Haven't been able to locate it. What's the default path? (I am not sure there is anything really standard with these boxes. Maybe that's just pessimism.)
The way I fixed it was copying the REALM database for the crypto card from the working server to the secondary (have to stop the crypto service first).
It's a cheat, don't know real cause of it and will face it again in short enough time it seems.