A new post, a new problem, and a solution.
Earlier today I worked on a task involving SSSD (System Security Services Daemon), a system service to access remote directories and authentication mechanisms. I got both excited and a little worried at the same time, since it’s been a long while since I had to do anything with SSSD.
Fast forward to the evening, I realized I had a FreeIPA server set up a long time ago right after passing the Red Hat Certified Specialist in Identity Management exam (EX362). Note this FreeIPA server was actually a second server I had set up after the EX362 exam. The original server was based on CentOS 7.
The problem
… issue with certificate…
Solution:
Upgrading the above *added* requiredSecret="newSecret" to the AJP Connector
elements within /etc/pki/pki-tomcat/server.xml.
The existing secret="oldSecret" attribute was not changed. Neither was
"secret=oldSecret" changed in the ProxyPassMatch directives in
/etc/httpd/conf.d/ipa-pki-proxy.conf.
It looks like tomcat uses the value of requiredSecret= in preference to secret=
if both are supplied.
The fix was to remove requiredSecret="newSecret" from the tomcat config file &
restart pki-tomcatd@pki-tomcat.
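A check for this mismatch, as an added example that is not part of the original post or of FreeIPA: it parses the AJP Connector elements from server.xml, takes requiredSecret as the effective value when both attributes are present (the behaviour observed above), and compares it with the secret= values in the ProxyPassMatch directives. The sample file contents, the address values and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not copied from a real server.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="localhost4"
             secret="oldSecret" requiredSecret="newSecret"/>
  <Connector port="8009" protocol="AJP/1.3" address="localhost6"
             secret="oldSecret"/>
</Service></Server>"""

PROXY_CONF = """<LocationMatch "^/ca/ee/ca/checkRequest">
    ProxyPassMatch ajp://localhost:8009 secret=oldSecret
</LocationMatch>"""


def proxy_secrets(conf_text):
    """Collect the secret= values used by ProxyPassMatch directives."""
    found = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("ProxyPassMatch"):
            found.update(re.findall(r'\bsecret="?([^"\s]+)', line))
    return found


def check_ajp_secrets(server_xml, conf_text):
    """Return (address, attribute) for each AJP Connector whose effective
    secret is not one that httpd sends. Secret values are never returned."""
    httpd = proxy_secrets(conf_text)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        required = conn.get("requiredSecret")
        # Assumption taken from the post: requiredSecret wins over secret.
        attr = "requiredSecret" if required is not None else "secret"
        if conn.get(attr) not in httpd:
            findings.append((conn.get("address"), attr))
    return findings


if __name__ == "__main__":
    for address, attr in check_ajp_secrets(SERVER_XML, PROXY_CONF):
        print(f"AJP connector {address}: {attr} does not match httpd")
```

On a real host the two strings would be read from /etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf, both of which need root to read.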
Ref: