簡介
本文說明當智慧軟體管理器衛星(SSMS)5.1.0在包括Cisco Cloud Service Platform的基於鍵盤/影片/滑鼠(KVM)的核心中安裝失敗時發生的問題的解決方案。
問題
安裝通過控制檯完成,並且使用者介面(UI)可訪問。
在CSSM註冊設定過程中,您會注意到在進行網路註冊和手動註冊時註冊失敗。在基於KVM的系統中對tomcat版本進行了驗證,包括核心和Java虛擬機器(JVM)。請注意,JVM運行1.8.0_102-b14和核心3.10.0-514.el7。請比較基於ESXI的設定(核心運行3.10.0-862.14.4.el7和JVM 1.8.0_191-b12)。
[root@satellite bin]# ./version.sh
Using CATALINA_BASE: /opt/tc
Using CATALINA_HOME: /opt/tc
Using CATALINA_TMPDIR: /opt/tc/temp
Using JRE_HOME: /
Using CLASSPATH: /opt/tc/bin/bootstrap.jar:/opt/tc/bin/tomcat-juli.jar
Using CATALINA_PID: /opt/tomcat/temp/tomcat.pid
Server version: Apache Tomcat/9.0.1
Server built: Sep 27 2017 17:31:52 UTC
Server number: 9.0.1.0
OS Name: Linux
OS Version: 3.10.0-514.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_102-b14
JVM Vendor: Oracle Corporation
元件
平台:基於KVM的核心
軟體:經典5.1 ISO映像
解決方案
步驟1.導覽至cd/opt/tomcat/logs/。
步驟2.開啟catalina.out日誌,並查詢在CSSM註冊時發生的異常。
IAIK提供程式IAIK-JCE是一種Java加密擴展,它包含一組API並可實現加密功能。它用於支援JDK的其他安全功能。由於IAIK jar檔案不可用,LCS模組無法為CSR請求檔案生成金鑰對。
2019-05-15 20:35:01,604 [http-nio-8080-exec-9] INFO controller.LindosController - Invoked GET /lcsSetupStatus
2019-05-15 20:35:01,606 [http-nio-8080-exec-9] INFO controller.LindosController - LCS Setup Status = 0
2019-05-15 23:53:12,226 [http-nio-8080-exec-10] INFO controller.LindosController - Invoked GET /lcsSetupStatus
2019-05-15 23:53:12,230 [http-nio-8080-exec-10] INFO controller.LindosController - LCS Setup Status = 0
2019-05-15 23:53:12,241 [http-nio-8080-exec-1] INFO controller.LindosController - Invoked /lcsSetup
2019-05-15 23:53:12,243 [http-nio-8080-exec-1] DEBUG controller.LindosController - Setup Status = 0 (0=empty, 1=key/CSR generated, 2=Signer certs installed)
2019-05-15 23:53:12,243 [http-nio-8080-exec-1] DEBUG controller.LindosController - First time setup invoked (ID element not present in JSON). CN=5fc62a80-59a0-0137-54ab-023a01ab3207
2019-05-15 23:53:12,243 [http-nio-8080-exec-1] DEBUG domain.LcsSignerSetup - In LcsSignerSetup
2019-05-15 23:53:12,244 [http-nio-8080-exec-1] DEBUG domain.LcsSignerSetup - Generating Key Pair...
2019-05-15 23:53:12,244 [http-nio-8080-exec-1] ERROR error.RestResponseEntityExceptionHandler - java.security.NoSuchProviderException: no such provider: IAIK
com.cisco.ias.lindos.data.domain.LcsSetupException: java.security.NoSuchProviderException: no such provider: IAIK
at com.cisco.ias.lindos.data.domain.LcsSignerSetup.<init>(LcsSignerSetup.java:50)
at com.cisco.ias.lindos.web.controller.LindosController.setupLcs(LindosController.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:690)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:876)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:863)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:500)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2019-05-15 23:53:12,254 [http-nio-8080-exec-2] INFO controller.LindosController - Invoked GET /lcsSetupStatus
2019-05-15 23:53:12,256 [http-nio-8080-exec-2] INFO controller.LindosController - LCS Setup Status = 0
步驟3.將所需的安全提供程式放在類路徑中;cp /opt/tomcat/webapps/Lindos/WEB-INF/lib/iaik_jce-5.1.jar /usr/lib/jvm/java/jre/lib/ext/。
步驟4.確保jar可由其他模組讀取;chmod o+r /usr/lib/jvm/java/jre/lib/ext/iaik_jce-5.1.jar。
步驟5.將java.security文件路徑儲存到臨時變數;java_security=/usr/lib/jvm/java/jre/lib/security/java.security。
步驟6.將現有提供程式的優先順序增加; perl -pi -e 's/^security.provider.(\d+)/"security.provider." .($1+1)/e' $java_security。
步驟7.將IAIK插入為清單中的第一個提供程式(請注意轉義新行的反斜線);sed -i '/security.provider.2/i \
security.provider.1=iaik.security.provider.IAIK' $java_security。
步驟8.重新啟動tomcat使更改生效;system重新啟動tomcat。
步驟9.向CSSM註冊衛星,完成衛星註冊後,UI將無法重新啟動。
步驟10.對埠443和8443上用於傳輸層安全(TLS)連線的x509證書進行摺疊,以符合隱私增強型電子郵件(PEM)格式;摺疊 — w 64 /drbd/certs/rails_ssl.crt > /drbd/certs/rails_ssl_folded.crt && mv /drbd/certs/rails_ssl_folded.crt /drbd/certs/rails_ssl.crt
fold -w 64 /drbd/certs/pi_ssl.crt > /drbd/certs/pi_ssl_folded.crt && mv /drbd/certs/pi_ssl_folded.crt /drbd/certs/pi_ssl.crt。
附註:當這些命令損壞了64編碼PEM證書時,請勿執行這些命令摺疊以及移動到不同的行。
步驟11.啟動nginx;systemctl start nginx。
附註:如果UI在同步後無法啟動,則是由於這些證書正在更新/替換。因此,必須重複步驟8-10。
執行以下步驟後,訪問UI,可以看到與CSSM的同步後以及最終註冊成功。
您可以檢視從VA對映的許可證的庫存和許可證部分。您可以將智慧產品例項註冊到衛星。