aca_debug - nsacyber/HIRS GitHub Wiki

There are several potential issues with the hirs-AttestationCA application that can occur while installing. HIRS writes its error logs under the tomcat log directory (located at /var/log/tomcat/HIRS*). Note that the file /etc/hirs/logging.properties can be edited to configure the desired log level. Valid levels, in order of decreasing verbosity, are: trace, debug, info, warn, error, fatal.

Error/Debug procedure

No Attestation portal appears at Portal URL:

https://<server-address>:8443/HIRS_AttestationCAPortal/

This can have several causes. The most common are:

  • Check that HIRS_Server and HIRS_ACA are installed on the server
    • sudo yum list installed | grep HIRS
  • Check that tomcat is running
    • sudo systemctl status tomcat (Centos 7)
  • Check that there is no firewall blocking traffic between your browser and the server the ACA is installed on.
    • Use traceroute, netcat, or another test to see if the port is being blocked from your device: traceroute -p 8443 privacyCAaddress
  • For Firefox, check that there are not multiple certificates in your browser for the ACA application (happens when the ACA is installed more than five times)
  • SELinux is in enforcing mode and the HIRS policy has not been applied:
    Inspect the ACA Portal log found in /var/log/tomcat/HIRS_AttestationCA.log and look for the following error to confirm this situation:
      "GET /HIRS_AttestationCAPortal HTTP/1.1" 404 -
    SELinux was blocking the connection from tomcat to mysqld, indicated in the audit logs by:
      node=server22.simp.test type=AVC msg=audit(1539714234.510:4782): avc: denied { name_connect } for pid=12058 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

This indicates that SELinux is enabled but the HIRS policy has not been applied. Follow the instructions in the HIRS installation page under the SELinux section for re-installing the HIRS SELinux policy file.

  • A java update blacklists TLSv1 and TLSv1.1, which are used by mariadb.
    Symptoms: the ACA fails to start and the following log files are created but have a length of 0:
        /var/log/tomcat/HIRS_AttestationCA.log
        /var/log/tomcat/HIRS_AttestationCA_Portal.log
    Issue: Tomcat rejects the database connection during TLS negotiation.

Background:
A java update in Centos (jre 1.8.0_292, April 21) created a conflict with mariadb over "disabledAlgorithms" by blacklisting TLSv1 and TLSv1.1 in the latest version of Centos. The default java.security now blacklists TLSv1 and TLSv1.1, but Centos 7 distributes mariadb 5.5, which does not support TLS 1.2+. The ACA uses TLS to access the database, so Tomcat rejects the connection because of the entries added to the disabledAlgorithms list in the java.security file. Newer versions of mariadb should support the newer TLS versions.

A temporary fix can be achieved following these steps:

1. Find your java.security file for the version of java being used (1.8?)
     > sudo find / -name java.security
2. Edit the java.security file using sudo and your favorite editor. For example:
     > sudo nano -c /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64/jre/lib/security/java.security
3. Change the following line (around line 699, but be careful as there are lines that look similar to this above this line):
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    To (remove the references to TLS):
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
4. Save and restart tomcat
   > sudo systemctl restart tomcat
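The checks behind the steps above, as an added shell helper that is not part of HIRS: it reports whether the two ACA log files are empty, reads which legacy TLS versions the jdk.tls.disabledAlgorithms line still blocks, and rewrites only that line, leaving the similar-looking jdk.certpath line alone. The java.security excerpt it works on is constructed; the log paths are the ones named on this page.

```shell
#!/bin/sh
# Added helper for the ACA start-up failure described above; not part of HIRS.
# Log paths are the Centos 7 ones named on this page.
# Constructed java.security excerpt: the jdk.certpath line is the "similar
# looking" line the page warns about and must not be edited.
make_sample_java_security() {
  cat > "$1" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

# 0 when every named ACA log exists but is empty (the TLS symptom), else 1.
aca_logs_empty() {
  for f in "$@"; do
    [ -e "$f" ] && [ ! -s "$f" ] || return 1
  done
  return 0
}

# Prints which of TLSv1 / TLSv1.1 the uncommented jdk.tls.disabledAlgorithms
# line blocks (only the first line of the property is inspected).
tls_legacy_blocked() {
  sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1" |
    tr ',' '\n' | tr -d ' \\' | grep -F -x -e TLSv1 -e TLSv1.1 | paste -s -d ' ' -
}

# Copies java.security with TLSv1 and TLSv1.1 dropped from the jdk.tls line only
# (items must carry trailing commas, as on the page). It lowers the TLS floor,
# hence the page calls it a temporary fix until mariadb supports TLS 1.2.
patch_java_security() {
  sed -e '/^jdk\.tls\.disabledAlgorithms=/s/ *TLSv1\.1,//' \
      -e '/^jdk\.tls\.disabledAlgorithms=/s/ *TLSv1,//' "$1" > "$2"
}

main() {
  aca_logs_empty /var/log/tomcat/HIRS_AttestationCA.log \
                 /var/log/tomcat/HIRS_AttestationCA_Portal.log &&
    echo "ACA logs are empty: check jdk.tls.disabledAlgorithms in java.security"
  tmp=$(mktemp -d)
  make_sample_java_security "$tmp/java.security"
  echo "legacy TLS blocked: $(tls_legacy_blocked "$tmp/java.security")"
  patch_java_security "$tmp/java.security" "$tmp/java.security.patched"
  grep '^jdk\.tls' "$tmp/java.security.patched"
  rm -r "$tmp"
}
main
```

Run it on the real file by pointing patch_java_security at the path from step 1 and diffing the copy before putting it in place.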

Cannot find Keytool

Sometimes java paths can become convoluted when multiple versions of java are installed. Keytool is installed with java, and sometimes the reference to keytool can be lost even though "which keytool" seems to work. If so, edit /etc/hirs/provisioner/hirs-provisioner-config.sh and replace the call to keytool with the full path to keytool. Example:

  • which keytool
    /usr/bin/keytool
  • sudo nano /etc/hirs/provisioner/hirs-provisioner-config.sh
  • Use the path from the output of which