LinuxQuestions.org


lordtyp0 07-24-2013 03:30 PM

Issue installing Certificate: Solaris 8 iplanet 4.13 with a crypto card 1000
 
Greetings.
This has to be the most frustrating problem I have run across. I have been beating my head on my desk for days now.

I have two servers. On each I encountered this issue - the first I eventually got to take the certificate. The other - still fighting.

The skinny:
Solaris 8 running iplanet 4. It has an integrated Sun Crypto Accelerator (1000). (I can't upgrade due to incompatibilities with the code being run and other web servers.)

This is how it goes, from fresh:
1: Remove the DBs in $NSHOME/alias
2: In the Web Administrator tool, create a new Trust DB (for both the eri0 and the Administrator interface).
3: Run sslconfig to integrate.

4: Install the Trust certificate as TCA.
5: Install both the chain certs.
6: Attempt to install the Server cert - fails. IE reflects an error 500. Chrome just says internal error.

Logs:

The Error log ((https-admin) 0.0.0.0 = censored):

[24/Jul/2013:12:40:26] failure ( 7788): for host 0.0.0.0 trying to POST /https-eri0/admin/security, cgieng_scan_headers reports: the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)

From Access log:

0.0.0.0 - admin [24/Jul/2013:12:40:25 -0700] "POST /https-eri0/admin/security?cmd=sec-icrt HTTP/1.1" 500 -

I have seemingly stumped the CA company, and am nearing exhaustion on Google. Has anyone else run into this?

Help greatly appreciated.


Edit to add: Cert is 1024

linosaurusroot 07-25-2013 08:30 AM

Quote:

the CGI program /usr2/iws41sp14/bin/https/admin/bin/security did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)
Needs more investigation around this area. Does that program log anything? Can you attach truss to it?

Is a server restart needed in relation to this change?

lordtyp0 07-25-2013 10:25 AM

Quote:

Originally Posted by linosaurusroot (Post 4996539)
Needs more investigation around this area. Does that program log anything? Can you attach truss to it?

Is a server restart needed in relation to this change?


Alas, that is the entire log for the application in question. It is a web administration tool attached to iplanet, basically a front end to a large set of Java scripts. That error only occurs when I try the new 1024. The old one goes in, though currently fails because the old key pair DB is not there. I am wondering if it is some sort of character/line limitation on what it will accept, but that is probably a red herring (old cert is 30 lines, new cert is 36 lines; I say red herring because I eventually got it inserted into the one server. That trick is not working on 02).

I am wondering if it is still an issue with the crypto-card integration. Several times when I generated a key, instead of doing 1024 it popped out a 1023 CSR - the CA company says that it isn't that uncommon to happen like that though.

The way it is supposed to go is as detailed in this link: http://www.digicert.com/ssl-certific...on-iplanet.htm

Edit to add: I don't think truss is installed - I do have strace though if that helps us. Also to note: it's KSH and not Bash.

jlliagre 07-25-2013 03:22 PM

Quote:

Originally Posted by lordtyp0 (Post 4996589)
I don't think truss is installed - I do have strace though if that helps us.

truss is standard on Solaris while its strace is unrelated to Linux strace.

lordtyp0 07-25-2013 06:23 PM

Quote:

Originally Posted by jlliagre (Post 4996740)
truss is standard on Solaris while its strace is unrelated to Linux strace.

Haven't been able to locate it... What's the default path? (I am not sure there is anything really standard with these boxes. Maybe that's just pessimism.)

jlliagre 07-25-2013 06:48 PM

Should be /usr/bin/truss

What does
Code:

pkgchk -v SUNWtoo
say?

lordtyp0 07-25-2013 06:50 PM

Quote:

Originally Posted by jlliagre (Post 4996832)
Should be /usr/bin/truss

What does
Code:

pkgchk -v SUNWtoo
say?

Quote:

# pkgchk -v SUNWtoo
WARNING: no pathnames were associated with <SUNWtoo>
In case it was a typo, I also tried SUNWtool and tools.

lordtyp0 07-31-2013 10:28 AM

The way I fixed it was copying the REALM database for the crypto card from the working server to the secondary (have to stop the crypto service first).

It's a cheat; I don't know the real cause of it and will face it again in a short enough time, it seems.


All times are GMT -5.