
System Manager trust_initializer_install.sh failing with error code 1

Status
Not open for further replies.

jimbojimbo

After creating and loading a new CA, I am attempting to complete the setup by running the trust_initializer.sh script; however, it is failing with error code 1. The documentation is definitely incorrect, so I'm not even sure the right ports are being used.

'./trust_initializer_install.sh -RMIPORT 1399 -HTTPSPORT 443 -TMCONFIGLOC /opt/Avaya/JBoss/6.3.8/jboss-as/server/avmgmt/conf/tm'

This is on System Manager 6.3.13.

Anyone get this to work?
 
I've just looked on my test box

root >./trust_initializer_install.sh
Usage: For running on Panther node where CA is installed -
sh trust_initializer_install.sh -RMIPORT rmi_port [-HTTPPORT http_Port OR -HTTPSPORT https_Port] -TMCONFIGLOC tm_folder_location

rmi_port: 1399 on Panther VM
http_Port : 8380 on Panther VM
https_Port: 8743 on Panther VM
tm_folder_location: Location of the TM folder which is available under the <JBOSS_HOME>/server/<server_profile>/conf folder

Example:
If the web server is running on an unsecured port:
trust_initializer_install.bat -RMIPORT 1399 -HTTPPORT 8380 -TMCONFIGLOC <JBOSS_HOME>/server/production/conf/tm

If the web server is running on a secured port:
trust_initializer_install.bat -RMIPORT 1399 -HTTPSPORT 8743 -TMCONFIGLOC <JBOSS_HOME>/server/production/conf/tm

so the ports look wrong according to the utility...

However wouldn't running trust_ca_initializer_install.sh be a better bet? (and I'm guessing)

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Already tried the other port. Port 8743 is not even active. I don't want to re-initialize the CA since that is what I am updating. After installing the new CA and changing the default CA the current certificates need to be initialized to use the new CA. Unfortunately it is failing. Thanks for looking though.
 
Hi JimboJimbo, did you already solve this issue? I have the same problem on one of my systems.
 
Yes, I have resolved the issue. I think I initially failed to update the certificate profiles correctly. Documentation sucks. Download the latest Admin Guide and, after creating the CA, update the CA and RA entity profiles per the documentation. Once I did, the command above worked. The correct ports are RMI = 1399 and HTTPS = 443.
 
Hi Jimbo

I realise this was a month ago now, but I'm hitting the same problems here (6.3.14).

Can you tell me if you used a 3rd party certificate as a subordinate CA or did you go self-signed?

If you went with a 3rd party cert, how did you manage that, as I'm getting nowhere with it? (I'm having difficulty getting a 3rd party cert signed with the CA:TRUE extension... although they seem to be ok from the preserveDN point of view: the subordinate cert is loaded ok by SMGR and all the follow up config looks good - entity names etc.)

I am wondering about the certificate chain - do I need to install the "true" root CA and intermediate cert first?

Code:
root >./trust_initializer_install.sh -RMIPORT 1399 -HTTPSPORT 443 -TMCONFIGLOC /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm
Updating virtual FQDN in CRDJEE_Input.xml successfull
****************************
You are installing on machine :1.1.1.1
****************************
Setting up TM service with config /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm and service name container_tls
System property has been set for javax.net.ssl.keyStore with value /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm/keystore/container_tls_keystore.jks
System property has been set for javax.net.ssl.keyStorePassword with value
Setting up TM service with config /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm and service name TM_INBOUND_TLS
System property has been set for javax.net.ssl.trustStore with value /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm/truststore/default_truststore.jks
System property has been set for javax.net.ssl.trustStorePassword with value
Checking if the enrollment password has expired.
Enrollment password has not expired.
tmConfigurationLocation in TMCli  is  /opt/Avaya/JBoss/6.1.0/jboss-as/server/avmgmt/conf/tm
com.avaya.mgmt.trust.tmclient.TMClientLibException: OK
        at com.avaya.mgmt.trust.tmclient.remote.TMServiceRequestRemoteBase.performOperation(TMServiceRequestRemoteBase.java:173)
        at com.avaya.mgmt.trust.tmclient.remote.TMServiceRequestRemoteBase.update(TMServiceRequestRemoteBase.java:237)
        at com.avaya.mgmt.trust.tmconsole.utils.InitializeTMCli.initialize(InitializeTMCli.java:425)
        at com.avaya.mgmt.trust.tmconsole.utils.InitializeTMCli.main(InitializeTMCli.java:182)
****************************
TM Initialization failed. Unable to contact TM Service.
****************************
Return Code: 1 (TM Initialization failed. Unable to contact TM Service.)

As you've evidently succeeded at this, have you any other clues?

Much appreciated

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
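
Added example, not part of the original thread: a shell check, using openssl, for the CA:TRUE and chain questions raised in the post above. It builds a throwaway root and signs one request twice; all file names, subjects and the helper names (is_ca_cert, chains_to_root, make_demo_certs) are constructed for the demo. It shows that a certificate can verify against the root and still lack CA:TRUE.

```bash
#!/usr/bin/env bash
# Added example: pre-checks for a candidate subordinate CA certificate.
# Every file name, subject and helper name here is constructed for the demo.

# 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if certificate $2 verifies against trusted root $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway root in directory $1, then sign one CSR twice:
# once with the CA extension and once without it.
make_demo_certs() {
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Demo Root CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$dir/demo.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$dir/noca.ext"
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -config "$dir/demo.cnf" -subj '/CN=Demo Sub CA' \
        -newkey rsa:2048 -nodes -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    for kind in ca noca; do
        openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" \
            -CAkey "$dir/root.key" -CAcreateserial -days 1 \
            -extfile "$dir/$kind.ext" -out "$dir/sub_$kind.pem" 2>/dev/null
    done
}

# Demo run: report both checks for each constructed certificate.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for cert in sub_ca.pem sub_noca.pem; do
    chains_to_root "$demo_dir/root.pem" "$demo_dir/$cert" && chain=yes || chain=no
    is_ca_cert "$demo_dir/$cert" && ca=yes || ca=no
    echo "$cert: chains_to_root=$chain CA:TRUE=$ca"
done
```

To check a real certificate, point is_ca_cert at the signed subordinate cert and chains_to_root at the issuer's root file and that cert.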
 
I used a self signed CA.

In addition to importing the third party CA cert, did you update the profiles to utilize the new certificate and move the tmdefault to tmdefaultold per the documentation? (Yes, you have to wade through the documentation, but it is in there. Make sure you have the June 2015 documentation set.)

As a separate note, the documentation only mentions modifying the INBOUND_OUTBOUND_TLS, INBOUND_TLS, and OUTBOUND_TLS entries; however, the 4th profile also needs to be modified. GR-HA configuration will fail otherwise.
 
Hi Jimbo

I've been snowed under with other things and I haven't looked at this for a while.

I'm also away on leave for the next 14 days - and don't intend to look at it until I get back!

That being said, I've followed the documentation and altered the 4 certificate profiles (again, even though only 3 are mentioned) and changed the entities to use the new CA.

I then used the EJBCA interface to generate the new certs.

At this point I ran out of time and had to move to other things.

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Matt,

You are correct in modifying all 4 certificate profiles. System Manager Geo-Redundancy will not work and will fail with an External_CSR_Profile error if you only update 3 of them per the documentation. Avaya has since updated the documentation. Make sure you have the correct DNS entries for each System Manager.
 