Overview#
Dogtag Certificate System and its underlying components can often benefit from the use of various diagnostic and debugging techniques. A few of the most valuable methods are discussed below. Feel free to add other suggestions in the future.
Debugging NSS#
Debugging JSS#
Debugging Tomcat JSS#
Tomcat JSS acts as a bridge between the Tomcat web server and our JSS security component. See Configuring Tomcat JSS Logging.
Debugging Dogtag CS servers with strace#
This section shows how to run strace with Dogtag servers.
If you are debugging with the CA, then look for the file /usr/bin/dtomcat5-: e.g. /usr/bin/dtomcat5-pki-ca. Edit it, and search for the line that looks like the following:
`` elif [ "$1" = "start" ] ; then``
and within that elif block, find the “else” block of ``if [ "$1" = "-security" ] ; then`` and edit the command there so that it reads:
`` strace -o /tmp/strace.log "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \``
Start/restart the server.
`` /etc/init.d/pki-cad restart``
This writes the strace-generated log to the file /tmp/strace.log.
This can be used together with the NSS (PKCS11) debugging method above.
Debugging CS Using Tomcat with a Security Manager#
Out of the box, Dogtag 1.1 does not run Tomcat under the Security Manager. The procedure used to debug and create a valid “security policy” follows:
(1) Prepare the “/etc/init.d/<pki_instance>” to start using the Security Manager by adding the -security option to the start section of this script:
`` \``
`` -security" > /dev/null``
`` \``
`` -security" > /dev/null``
Set the following in “/usr/bin/dtomcat5-<pki_instance>”:
`` export CATALINA_OPTS=-Djava.security.debug=all``
or, for less, but far more relevant info, use:
`` export CATALINA_OPTS=-Djava.security.debug=access,failure``
In both cases, perform the following command sequences:
Execute “/sbin/service <pki_instance> stop”, place a new policy rule for each failure into the “/var/lib/<pki_instance>/conf/catalina.out”, and re-run commands (a), (b), and (c) until all failures have been accounted for.
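One way to turn the `access,failure` debug output into candidate policy rules is sketched below. This is an added example, not part of the original page or of Dogtag. The log line format, the constructed sample paths and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of -Djava.security.debug=access,failure output (format assumed;
# older JVMs print the permission without quotes). All paths are made up.
SAMPLE_LOG = """\
access: access allowed ("java.util.PropertyPermission" "catalina.base" "read")
access: access denied ("java.io.FilePermission" "/var/lib/pki-ca/conf/CS.cfg" "read")
access: domain that failed ProtectionDomain  (file:/var/lib/pki-ca/webapps/ca/WEB-INF/lib/example.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "/var/lib/pki-ca/conf/CS.cfg" "read")
access: domain that failed ProtectionDomain  (file:/var/lib/pki-ca/webapps/ca/WEB-INF/lib/example.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission accessClassInPackage.sun.security.x509)
access: access denied ("java.net.SocketPermission" "localhost:389" "connect,resolve")
"""

DENIED = re.compile(r'access denied \((.+)\)\s*$')
DOMAIN = re.compile(r'domain that failed ProtectionDomain\s+\((\S+)')

def permission_line(inner):
    """Turn the text inside 'access denied (...)' into a policy 'permission' entry."""
    if inner.startswith('"'):
        fields = re.findall(r'"([^"]*)"', inner)
    else:  # unquoted form: class, name, optional actions (last token, a heuristic)
        p = inner.split()
        fields = p[:1] + ([' '.join(p[1:-1]), p[-1]] if len(p) > 2 else p[1:])
    if not fields:
        return None
    args = ', '.join('"%s"' % f for f in fields[1:])
    return 'permission %s%s;' % (fields[0], ' ' + args if args else '')

def collect_denials(text):
    """Map codeBase (None if the log gave none) -> unique permission entries, in order."""
    grants, pending = defaultdict(list), None
    def flush(code_base):
        nonlocal pending
        if pending and pending not in grants[code_base]:
            grants[code_base].append(pending)
        pending = None
    for line in text.splitlines():
        denied, domain = DENIED.search(line), DOMAIN.search(line)
        if denied:
            flush(None)             # previous denial had no failing domain logged
            pending = permission_line(denied.group(1))
        elif domain:
            flush(domain.group(1))  # attach the denial to the code that triggered it
    flush(None)
    return dict(grants)

def render_policy(grants):
    out = []
    for code_base, perms in grants.items():
        out.append('grant codeBase "%s" {' % code_base if code_base else 'grant {')
        out += ['    ' + p for p in perms] + ['};']
    return '\n'.join(out)
```

Entries that land in a bare `grant { ... }` block apply to all code, so review each candidate and scope it to a codeBase before adding it to the policy.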