pki-tomcatd service fails to start in RHEL 8 after completing ipa-backup

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 8
  • Red Hat Identity Management

Issue

  • Running the ipa-backup command stops all IPA services successfully and a backup is taken. When the backup completes, sometimes the pki-tomcatd service fails to start.
  • The following errors are displayed in /var/log/messages.

    Nov 21 09:48:59 ipa-server01 systemd[1]: Starting PKI Tomcat Server pki-tomcat...
    Nov 21 09:49:07 ipa-server01 server[1199252]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
    Nov 21 09:49:07 ipa-server01 server[1199252]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager     -Djava.security.manager     -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
    Nov 21 09:50:37 ipa-server01 systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
    Nov 21 09:50:37 ipa-server01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
    Nov 21 09:50:37 ipa-server01 systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
    Nov 21 09:50:37 ipa-server01 systemd[1]: Reached target PKI Tomcat Server.
    Nov 22 09:05:33 ipa-server01 systemd[1]: Stopped target PKI Tomcat Server.
    

Resolution

  • Red Hat is aware of this issue, which is currently under investigation.
  • Should this issue occur in your environment, open a new support case in the Red Hat Customer Portal referring to this solution.
  • There are two workarounds available.

    1. Restart the IPA services manually by running the following command as a user with root privileges.

      # ipactl restart
      
    2. Increase the startup timeout for the pki-tomcatd service in the /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf configuration file, from the default value of 1 min 30 seconds to a higher value. Note: Take a backup of the file before making changes. The current value can be displayed with the following command.

      # systemctl show pki-tomcatd -p TimeoutStartUSec
      TimeoutStartUSec=1min 30s
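
One way to apply workaround 2, shown as an added example that is not part of the Red Hat solution: it backs up the drop-in file, sets `TimeoutStartSec` in its `[Service]` section without leaving a duplicate entry, reloads systemd and prints the effective value. The function names and the 300-second value in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example, not Red Hat's own code. Function names are hypothetical.

# set_start_timeout FILE SECONDS
#   Copy FILE to FILE.bak, then set TimeoutStartSec=SECONDS in the [Service]
#   section: any old value there is dropped and the new one is written right
#   after the section header. If FILE has no [Service] section, one is appended.
set_start_timeout() {
    local file="$1" secs="$2" tmp
    case "$secs" in
        ''|*[!0-9]*) echo "timeout must be whole seconds" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p -- "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v secs="$secs" '
        /^\[/ { in_svc = ($0 ~ /^\[Service\][ \t]*$/) }        # track current section
        in_svc && /^[ \t]*TimeoutStartSec[ \t]*=/ { next }      # drop the old value
        { print }
        /^\[/ && in_svc && !done { print "TimeoutStartSec=" secs; done = 1 }
        END { if (!done) { print "[Service]"; print "TimeoutStartSec=" secs } }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner, mode and SELinux context.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_pki_timeout SECONDS
#   Edit the drop-in named in workaround 2, reload unit files, show the result.
apply_pki_timeout() {
    local unit="pki-tomcatd@pki-tomcat.service"
    set_start_timeout "/etc/systemd/system/$unit.d/ipa.conf" "$1" &&
        systemctl daemon-reload &&
        systemctl show "$unit" -p TimeoutStartUSec
}

# Usage, as root (300 is an assumed example value, not a Red Hat recommendation):
#   apply_pki_timeout 300
```

The new timeout is used the next time the service is started, for example by `ipactl restart`.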
      

Diagnostic Steps

  • Create a full server backup including logs, as a user with root privileges.

    # ipa-backup --logs
    
  • Check the status of IPA services. If the pki-tomcatd service is not running, inspect /var/log/messages.

    # ipactl status
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
