I found the issue that caused the kra shared instance installation to blow up (after bypassing the ssl issue with the workaround stated in https://fedorahosted.org/pki/ticket/1438#comment:5. In server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java: processCerts() method, there is a call to updateCloneConfiguration() and in there it calls cryptoManager.findCertByNickname(cdata.getNickname()); From my debugging I found that it's trying to find the ca's subsystem cert and it did not prepend the HSM token name.
I'm not certain if the call updateCloneConfiguration() is needed in setting up the KRA, unless it's for preparing cloning info to put in CS.cfg for later if someone wishes to clone this kra? Anyway, I put "if (request.isClone()) " call around it just to bypass the call as a temporarily fix. Which now allows the KRA installation to go all the way successfully on a shared tomcat instance. We need to make sure the final solution does not break anything else.
pushed to master: commit 6db01bd091ce991322b004cdd74bf7c15c57fe8c
A more conservative approach is taken in this patch so that in the case the token is specified, just prepend token name to the nickname before calling findCertByNickname.
Metadata Update from @cfu: - Issue assigned to cfu - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2007
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.