Command Line Interface
The following provides information for troubleshooting CLI issues. To view general troubleshooting tips and search for troubleshooting topics, see EJBCA Troubleshooting.
Problem: Cannot Access the EJBCA CLI
When accessing EJBCA's CLI by running ${EJBCA_HOME}/bin/ejbca.sh, you get the following error message:
> /opt/ejbca/bin/ejbca.sh
Error: CLI could not contact EJBCA instance. Either your application server is not up and running, EJBCA has not been deployed successfully, or some firewall rule is blocking the CLI from the application server.
Cause
Under the hood, this is caused by an IllegalStateException with the error message "No EJB receiver available for handling".
Troubleshooting Steps
It is assumed you are using JBoss as the application server and RHEL as the operating system. The troubleshooting steps are very similar if you are using, for example, WildFly instead of JBoss, or another Linux distribution such as Debian.
Make sure JBoss is up and running:
ps aux | grep ${JBOSS_HOME}/bin/standalone.sh
If JBoss is not running, start it.
Make sure EJBCA has been deployed correctly:
ls ${JBOSS_HOME}/standalone/deployments | grep ejbca.ear.deployed
If EJBCA has not been deployed correctly, check the JBoss log file to find out why:
cat ${JBOSS_HOME}/standalone/log/server.log | grep ERROR -C 10 | less
Fix the problem and then redeploy EJBCA by running the following:
cd ${EJBCA_HOME}
ant -q clean deployear
Make sure the application server is listening on the port configured in dist/ejbca-ejb-cli/jboss-ejb-client.properties (unless you have edited the configuration, it should be port 4447):
sudo lsof -i:4447
If connecting remotely, this port must be open in the firewall. Inspect your firewall rules and open this port for incoming TCP traffic if necessary.
sudo firewall-cmd --zone=public --list-ports | grep 4447/tcp
Make sure the user running the application server has read and execute access to relevant authentication files:
If using local authentication, the user needs access to files in ${JBOSS_HOME}/domain/tmp/auth
If using remote authentication, the user needs access to files in ${JBOSS_HOME}/standalone/tmp/auth
The easiest way to achieve this is to run the application server as the jboss user and ensure ${JBOSS_HOME} is owned by this user:
sudo chown -R jboss:jboss ${JBOSS_HOME}
sudo chmod -R 'g=u' ${JBOSS_HOME}
sudo find ${JBOSS_HOME} -type d -exec sudo chmod g+s {} \;
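The checks above combined into one triage script, as an added example that is not part of the EJBCA documentation; run it with --run as the application server user or as root so that lsof can see the listening socket. It reads the port from the properties file instead of hard-coding 4447 and also recognises the deployment scanner's ejbca.ear.failed and ejbca.ear.isdeploying markers, which go beyond the single marker named on this page. Assumptions: JBOSS_HOME and EJBCA_HOME are set, the port is stored under the key remote.connection.default.port, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: triage for "CLI could not contact EJBCA instance".
# Assumes JBOSS_HOME and EJBCA_HOME are set as on this page.

# Print the port the CLI connects to. Assumption: jboss-ejb-client.properties
# stores it as remote.connection.default.port; fall back to the default 4447.
cli_port() {
    port=""
    if [ -r "$1" ]; then
        port=$(sed -n 's/^[[:space:]]*remote\.connection\.default\.port[[:space:]]*[=:][[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    fi
    echo "${port:-4447}"
}

# Classify the deployment from the scanner marker files in directory $1.
deployment_state() {
    if [ -e "$1/ejbca.ear.failed" ]; then echo failed
    elif [ -e "$1/ejbca.ear.deployed" ]; then echo deployed
    elif [ -e "$1/ejbca.ear.isdeploying" ]; then echo deploying
    else echo missing
    fi
}

# Succeed only if the current user can read and enter directory $1.
auth_dir_ok() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Run every check, report each failure, return non-zero if any check failed.
triage() {
    rc=0
    pgrep -f "${JBOSS_HOME}/bin/standalone.sh" >/dev/null \
        || { echo "FAIL: JBoss is not running"; rc=1; }
    state=$(deployment_state "${JBOSS_HOME}/standalone/deployments")
    [ "$state" = deployed ] \
        || { echo "FAIL: ejbca.ear is $state, see standalone/log/server.log"; rc=1; }
    port=$(cli_port "${EJBCA_HOME}/dist/ejbca-ejb-cli/jboss-ejb-client.properties")
    lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1 \
        || { echo "FAIL: nothing is listening on TCP port $port"; rc=1; }
    # Only one of the two directories applies, depending on the authentication mode.
    for dir in "${JBOSS_HOME}/domain/tmp/auth" "${JBOSS_HOME}/standalone/tmp/auth"; do
        auth_dir_ok "$dir" || echo "WARN: no read/execute access to $dir"
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then triage; fi
```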