*** werebutt (~buttbutt@46.165.251.66) has joined #wikid | 13:50 | |
*** werebutt has parted #wikid (None) | 13:50 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 14:23 | |
*** qu3sti0n has quit (Remote host closed the connection) | 15:44 | |
*** RichardY (46c140ae@gateway/web/freenode/ip.70.193.64.174) has joined #wikid | 17:13 | |
RichardY | Hello | 17:14 |
---|---|---|
nowen | Hey! | 17:14 |
nowen | woot! | 17:14 |
nowen | I think you will find this a better support option. plus, WiKIDLogBot takes notes for us | 17:15 |
RichardY | Great | 17:15 |
nowen | ok - review questions: did you get jsvc compiled? | 17:15 |
RichardY | So nothing bad in the catalina.out | 17:15 |
RichardY | No, no jsvc | 17:16 |
RichardY | Things are running without it | 17:16 |
nowen | just not sure if all the things are running | 17:17 |
RichardY | I could not hunt down the right mixture of libraries for it | 17:17 |
nowen | did you create a tomcatkeystore during setup? | 17:17 |
RichardY | postgres is running and tomcat is running | 17:17 |
RichardY | yes | 17:17 |
nowen | how did you do that? I keep getting errors | 17:17 |
nowen | oh wait, wrong, I did get that done | 17:18 |
RichardY | The hurdle with that one was the java policy files | 17:18 |
nowen | that's right | 17:18 |
RichardY | Simply needed to download the version with the higher level of encryption | 17:18 |
nowen | and add BC to java.security | 17:19 |
RichardY | That is where we are at, BC and trying to get a "client" system to connect | 17:19 |
nowen | and you were able to create an intermediate CA? | 17:21 |
RichardY | So the question is how to debug this one with the errors I am seeing | 17:21 |
RichardY | Yes to the I CA | 17:22 |
nowen | ok - let me install the jce policy files | 17:23 |
nowen | ugh, where are they? | 17:24 |
RichardY | Just a second | 17:25 |
nowen | got them, I think | 17:25 |
RichardY | Ok, otherwise general instructions can be found http://pic.dhe.ibm.com/infocenter/lmt/v7r2m2/topic/com.ibm.license.mgmt.security.doc/lmt_scr_downloading_installing_jce_policyfiles.html | 17:26 |
nowen | ok, certs and domain created, restart | 17:35 |
nowen | invalid server response | 17:36 |
nowen | yay, problem recreated | 17:36 |
nowen | ok, so it looks like it is more java.security errors. | 17:37 |
nowen | can you use openjdk? | 17:37 |
RichardY | I can't find openjdk on s390x | 17:37 |
nowen | sun java? | 17:38 |
RichardY | I need it on SLES and I have only seen it discussed for s390x on Debian | 17:38 |
RichardY | No, Oracle/Sun does not produce a Java for s390x | 17:38 |
nowen | will something like this work: http://rpmfind.net//linux/RPM/opensuse/updates/12.1/x86_64/java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.5-36.2.x86_64.html? | 17:41 |
RichardY | I could not propose to my customer running it on that code unfortunately. Security requires everything to be "supported". They have a support contract with SuSE, so it has to be part of the SuSE SLES distro | 17:42 |
nowen | did you get a mostly blank page after creating the domain? | 17:44 |
nowen | I get an error in catalina.out: java.security.NoSuchProviderException: No such provider: SunJCE | 17:45 |
RichardY | I have to drop for a bit | 17:45 |
nowen | which I think is why the domain keys are not getting created | 17:45 |
RichardY | I will be back, but any "SUN" is not in the IBM JDK | 17:45 |
nowen | ok, I'll keep digging | 17:46 |
nowen | understood | 17:46 |
*** RichardY has quit (Ping timeout: 245 seconds) | 17:50 | |
*** RichardY (46c140ae@gateway/web/freenode/ip.70.193.64.174) has joined #wikid | 20:04 | |
RichardY | Hello, sorry I had to drop earlier | 20:04 |
nowen | no problem | 20:04 |
RichardY | So you had a message that there was no provider of a Sun security package | 20:05 |
nowen | I've been testing though, and IBM java is going to be an issue | 20:05 |
nowen | I tried just dropping in the sun JCE jar file, but more errors | 20:05 |
RichardY | Ok (unfortunate) It is my only option. | 20:05 |
RichardY | I don't think they are designed in a way where some of the security infrastructure can be interchanged | 20:05 |
nowen | not what you would expect from java | 20:06 |
RichardY | Some parts of the security infrastructure are not covered by the Java specs | 20:06 |
nowen | you sure Openjdk is not an option? | 20:06 |
RichardY | I am fairly sure the security folks here would shut it down. | 20:07 |
RichardY | They have to be able to buy support from some vendor | 20:07 |
RichardY | Is it looking like adding support for the IBM Java is a large development effort? | 20:07 |
nowen | how many seats would this customer have? | 20:08 |
RichardY | Let me ask... | 20:08 |
RichardY | It could be tomorrow before we have a good estimate. | 20:13 |
RichardY | I am not familiar with the application they want to host with the 2 factor auth. | 20:14 |
RichardY | I don't know how many users it has, so we have to ask a couple of managers here, one of which is out today. | 20:14 |
RichardY | Have you tested with the Openjdk on your platform with Wikid? | 20:15 |
nowen | yeah, we ship our iso with the openjdk | 20:16 |
nowen | it performs as well as or better than Sun's jdk | 20:16 |
nowen | I'm not sure how much work it would be to get it running on IBM java | 20:17 |
RichardY | Hmmm. Would you ship the openJdk for s390x on your iso as well? Here is my thought. If you ship it as part of your product offering, it is considered "supported" in a sense. | 20:17 |
nowen | yeah, but our iso is based on Centos | 20:19 |
nowen | will that run on s390x? | 20:19 |
RichardY | I don't think there is a Centos for s390x and the customer doesn't run Centos, they run SuSE SLES. | 20:20 |
nowen | they must have other operating systems. do they run Ciscos? | 20:20 |
nowen | the ISO is designed to be a virtual appliance, as little OS knowledge as possible is required | 20:21 |
RichardY | The two main supported vendors of Linux on s390x are Redhat and SuSE | 20:22 |
nowen | well, redhat should work great | 20:22 |
RichardY | You can't buy a commercial distro copy and support for Centos | 20:22 |
RichardY | Yeah, but they bought and pay for SuSE SLES already. | 20:23 |
nowen | for WiKID? | 20:23 |
RichardY | I think they would be happy here, if you had a way to send what you previously sent me (Wikid code), with the OpenJDK. It is less of a virtual appliance but they can put it on top of their existing tested and supported Linux. I doubt the Centos you are shipping supports s390x and you would have a headache building a new virtual image for s390x anyway. For example, it has its own boot loader | 20:25 |
nowen | yeah | 20:26 |
nowen | ok, so openjdk on suse s390x. | 20:29 |
nowen | looks like even the src packages are arch specific | 20:30 |
RichardY | Not surprising. The JVM is itself like a compiler that has to generate machine executable code | 20:36 |
nowen | what's their deployment time-frame? | 20:41 |
*** RichardY has quit (Ping timeout: 245 seconds) | 20:57 | |
*** RichardY (46c140ae@gateway/web/freenode/ip.70.193.64.174) has joined #wikid | 21:59 | |
RichardY | I was able to get the openjdk in place and tested, but I am receiving the same results | 22:02 |
nowen | hmm | 22:02 |
RichardY | "Create new domain" results in "Invalid Server Response" | 22:03 |
RichardY | "Pre-Register Domain" results in InvalidKeySpecException | 22:03 |
nowen | did you create new certs and a new domain? | 22:06 |
RichardY | No, I just changed the JVM out | 22:09 |
RichardY | I changed the shell scripts that pointed to the old path to point to the new path | 22:10 |
RichardY | I never saw the error message you mentioned you had | 22:10 |
nowen | delete CACertStore and the p12s from /opt/WiKID/private and delete and recreate the domain. They were created with the old java | 22:10 |
*** RichardY has quit (Ping timeout: 245 seconds) | 22:23 | |
*** nowen has quit (Ping timeout: 265 seconds) | 23:07 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 23:12 | |
*** nowen has quit (Client Quit) | 23:14 | |
*** estrang3r (~russ@209.183.177.118) has joined #wikid | 23:46 | |
*** estranger has quit (Ping timeout: 272 seconds) | 23:48 | |
*** coolacid has quit (Ping timeout: 272 seconds) | 23:48 | |
*** joevano has quit (Read error: Connection reset by peer) | 23:49 | |
*** joevano (~joevano@bzflag/developer/JoeVano) has joined #wikid | 23:49 | |
*** coolacid_ (~CoolAcid@216.99.98.39) has joined #wikid | 23:49 |