Command Line Interface

I cannot access the EJBCA CLI

When accessing EJBCA's CLI by running ${EJBCA_HOME}/bin/ejbca.sh you get the following error message:

> /opt/ejbca/bin/ejbca.sh
Error: CLI could not contact EJBCA instance. Either your application server is not up and running, EJBCA has not been deployed successfully, or some firewall rule is blocking the CLI from the application server.

Under the hood, this is caused by an IllegalStateException with the error message "No EJB receiver available for handling".

It is assumed that you are using JBoss as the application server and RHEL as the operating system. The troubleshooting steps are very similar if you use, for example, WildFly instead of JBoss, or another Linux distribution such as Debian.

  1. Make sure JBoss is up and running:

    ps aux | grep ${JBOSS_HOME}/bin/standalone.sh

    If JBoss is not running, start it.

  2. Make sure EJBCA has been deployed correctly:

    ls ${JBOSS_HOME}/standalone/deployments | grep ejbca.ear.deployed

    If EJBCA has not been deployed correctly, check the JBoss log file to find out why:

    grep -C 10 ERROR ${JBOSS_HOME}/standalone/log/server.log | less

    Fix the problem and then redeploy EJBCA by running the following:

    cd ${EJBCA_HOME}
    ant -q clean deployear

  3. Make sure the application server is listening on the port configured in dist/ejbca-db-cli/jboss-ejb-client.properties (unless you have edited the configuration, it should be port 4447).

    sudo lsof -i:4447

    If connecting remotely this port must be open in the firewall. Inspect your firewall rules and open this port for incoming TCP traffic if necessary.

    sudo firewall-cmd --zone=public --list-ports | grep 4447/tcp

  4. Make sure the user running the application server has read and execute access to the relevant authentication files:

    1. If using local authentication, the user needs access to files in ${JBOSS_HOME}/domain/tmp/auth

    2. If using remote authentication, the user needs access to files in ${JBOSS_HOME}/standalone/tmp/auth

    The easiest way to achieve this is to run the application server as the jboss user and ensure ${JBOSS_HOME} is owned by this user:

    sudo chown -R jboss:jboss ${JBOSS_HOME}
    sudo chmod -R 'g=u' ${JBOSS_HOME}
    sudo find ${JBOSS_HOME} -type d -exec sudo chmod g+s {} \;
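The four checks above collected into one pre-flight script. This is an added example, not part of EJBCA or of the original page: it assumes JBOSS_HOME and EJBCA_HOME are exported (the /opt/jboss and /opt/ejbca fallbacks are assumptions), that the CLI port is the default 4447, and that you run it as the same user that runs the application server so that the permission check in step 4 is meaningful.

```shell
#!/usr/bin/env bash
# Added example (not part of EJBCA or the page's own tooling): a pre-flight
# script that automates the four checks above. Assumed inputs: the JBOSS_HOME
# and EJBCA_HOME environment variables and the default remoting port 4447.

JBOSS_HOME="${JBOSS_HOME:-/opt/jboss}"   # assumed fallback path
EJBCA_HOME="${EJBCA_HOME:-/opt/ejbca}"   # assumed fallback path
CLI_PORT="${CLI_PORT:-4447}"

# Step 1: is the application server process running?
jboss_running() {
    pgrep -f "$1/bin/standalone.sh" >/dev/null 2>&1
}

# Step 2: inspect the deployment scanner's marker files in the deployments
# directory. Prints deployed/failed/missing and returns 0/1/2 respectively.
deployment_state() {
    local dir="$1"
    if [ -e "$dir/ejbca.ear.deployed" ]; then echo deployed; return 0; fi
    if [ -e "$dir/ejbca.ear.failed" ]; then echo failed; return 1; fi
    echo missing
    return 2
}

# Step 3: look for a LISTEN socket on the CLI port in `ss -ltn` output. The
# listing is passed in as a string so the parser can be exercised offline.
port_listening_in() {
    local listing="$1" port="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Step 4: the auth directory must exist and be readable and searchable by the
# invoking user, which is why the script should run as the JBoss user.
auth_dir_ok() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

run_checks() {
    local jboss_home="$1" port="$2" rc=0 d
    if jboss_running "$jboss_home"; then
        echo "PASS: JBoss process is running"
    else
        echo "FAIL: JBoss is not running; start $jboss_home/bin/standalone.sh"; rc=1
    fi
    case "$(deployment_state "$jboss_home/standalone/deployments")" in
        deployed) echo "PASS: ejbca.ear.deployed marker present" ;;
        failed)   echo "FAIL: ejbca.ear.failed marker present; grep ERROR in $jboss_home/standalone/log/server.log"; rc=1 ;;
        *)        echo "FAIL: no ejbca.ear marker; run 'ant -q clean deployear' in $EJBCA_HOME"; rc=1 ;;
    esac
    if port_listening_in "$(ss -ltn 2>/dev/null)" "$port"; then
        echo "PASS: a process is listening on TCP port $port"
    else
        echo "FAIL: nothing is listening on TCP port $port; check jboss-ejb-client.properties and the firewall"; rc=1
    fi
    # Only one of the two directories applies (local vs. remote authentication),
    # so an inaccessible directory is reported as a warning rather than a failure.
    for d in "$jboss_home/domain/tmp/auth" "$jboss_home/standalone/tmp/auth"; do
        if auth_dir_ok "$d"; then
            echo "PASS: $d is readable and searchable by $(id -un)"
        else
            echo "WARN: $d is not accessible to $(id -un)"
        fi
    done
    return "$rc"
}

# Usage: ./ejbca-cli-preflight.sh --run   (run as the user that runs JBoss)
case "${1:-}" in
    --run) run_checks "$JBOSS_HOME" "$CLI_PORT" ;;
esac
```

Run it as the application server's user, for example `sudo -u jboss ./ejbca-cli-preflight.sh --run`; a non-zero exit status means at least one of steps 1 to 3 failed, and the messages point back to the fix for that step.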