DDF fails to start after keystore and domain change


Matthew DeFazio

Aug 24, 2017, 9:58:27 AM8/24/17
to ddf-users
Hello,

I am having an issue with the DDF setup. I am using Version 2.9.2. Using the admin console, I clicked through the steps and imported the keys and certs into DDF's keystore and trustStore and changed the domain name. After DDF reboots, DDF fails to come up cleanly; several bundles are in the graceperiod state and then fail to start. The only thing that stands out in the log is this warning:

No Subject DN Certificates were defined. This could be a security issue.

There were also errors that the Solr client cannot be created:

Failed to create Solr client, trying again in x minute x seconds

Next I tried to configure DDF to use my KeyStore and Trust Store by modifying system.properties but DDF still fails to come up cleanly.

Next I used the url https://localhost:8993/admin?dev=true to generate certificates and to change the domain name. After the reboot, DDF comes up cleanly. Then I imported my Keys and Certs including the CA cert into DDF's keyStore and TrustStore, overwriting the private key that DDF generated and rebooted DDF. DDF fails to come up cleanly. The CN of the private key that DDF generated on setup matched the CN of the Private key that I imported.

Am I skipping a step? Should I try a later version?

Thanks,

Matt

Scott Tustison

Aug 24, 2017, 10:19:34 AM8/24/17
to ddf-users
The Subject DN constraints warning that pops up is definitely something you should fix once you get everything working. That will limit who can connect to the Security Token Service within DDF and is necessary for a secure install. It isn't the source of your issues, however.

The fact that you can get up and running using ?dev=true during the install and that it fails after you drop your key/cert in leads me to believe that there is an issue with the key/cert that you're using. Do you have any subordinate or root CAs that you're missing by any chance? You also need to put the CAs into both the keystore and the truststore. The keystore is used for verifying signatures and will require the CAs.

You could also try a newer version of DDF. There have been quite a few security updates to 2.10.x that aren't included in 2.9.x, we only support 1 minor release back from master and you'd want those updates if this is going to be something running on the open internet.

Scott

Matthew DeFazio

Aug 24, 2017, 3:54:52 PM8/24/17
to ddf-users
So I reimported my keys and certs and noticed the following exception:

 java.security.UnrecoverableKeyException: Cannot recover key

I think this is due to a password mismatch between the keystore and the private key, so I fixed that and rebooted DDF.

I can now access the admin console using the new domain name, but DDF still does not come up cleanly. One of the bundles that failed to start is the catalog-core-camelcomponent bundle. The following error was in the logs:

Unable to start blueprint container for bundle catalog-core-camelcomponent/2.10.3 due to unresolved dependencies [(objectClass=ddf.catalog.CatalogFramework)]

I noticed that DDF catalog core standard framework was in a resolved state so I started it up and rebooted DDF.

After rebooting DDF, it comes up cleanly.

I guess the keystore/private key password mismatch put DDF in a bad state that required a manual fix.

Thanks Scott!

-Matt
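A small diagnostic for the two problems raised in this thread: a private key whose password differs from the keystore password (which surfaces as the `UnrecoverableKeyException` Matt found) and CA certificates missing from the keystore or truststore (Scott's point that the CAs must be in both). This is added example code, not part of the thread or of DDF; the store file names, passwords and the JKS-vs-PKCS12 choice by file extension are assumptions supplied on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Usage (hypothetical paths/passwords, not DDF defaults):
//   java KeystoreCheck serverKeystore.jks <ksPass> serverTruststore.jks <tsPass>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        char[] ksPass = args[1].toCharArray(), tsPass = args[3].toCharArray();
        KeyStore ks = load(args[0], ksPass), ts = load(args[2], tsPass);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            // Check 1: the key must unlock with the keystore password. A key imported
            // with its own, different password is what produced "Cannot recover key".
            try {
                ks.getKey(alias, ksPass);
                System.out.println("OK   key '" + alias + "' unlocks with the keystore password");
            } catch (UnrecoverableKeyException e) {
                System.out.println("FAIL key '" + alias + "': key password != keystore password");
                continue;
            }
            // Check 2: the chain should end in a self-signed root, and every issuer
            // in it should be a trusted-cert entry in BOTH the keystore and the truststore.
            Certificate[] chain = ks.getCertificateChain(alias);
            boolean rooted = isSelfSigned((X509Certificate) chain[chain.length - 1]);
            if (!rooted) System.out.println("WARN chain for '" + alias + "' has no self-signed root CA");
            for (int i = 0; i < chain.length - (rooted ? 1 : 0); i++) {
                X509Certificate c = (X509Certificate) chain[i];
                boolean inKs = hasIssuerOf(ks, c), inTs = hasIssuerOf(ts, c);
                System.out.printf("%s issuer '%s': keystore=%b truststore=%b%n",
                    (inKs && inTs) ? "OK  " : "FAIL", c.getIssuerX500Principal().getName(), inKs, inTs);
            }
        }
    }
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore s = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        try (FileInputStream in = new FileInputStream(path)) { s.load(in, pass); }
        return s;
    }
    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }
    // True if some trusted-certificate entry in the store has a subject equal to cert's issuer.
    static boolean hasIssuerOf(KeyStore store, X509Certificate cert) throws Exception {
        for (String a : Collections.list(store.aliases())) {
            Certificate t = store.getCertificate(a);
            if (store.isCertificateEntry(a) && t instanceof X509Certificate
                && ((X509Certificate) t).getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
                return true;
        }
        return false;
    }
}
```

Run it before rebooting DDF after any keystore change; a FAIL on check 1 means re-import the key with the keystore password, and a FAIL on check 2 means add the missing CA as a trusted entry to the named store.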

Scott Tustison

Aug 24, 2017, 6:07:37 PM8/24/17
to ddf-users
Cool! Glad you got it up and running ;)