Command Line Interface
The following provides information for troubleshooting CLI issues. To view general troubleshooting tips and search for troubleshooting topics, see EJBCA Troubleshooting.
Problem: Cannot Access the EJBCA CLI
When accessing EJBCA's CLI by running ${EJBCA_HOME}/bin/ejbca.sh, you get the following error message:
> /opt/ejbca/bin/ejbca.sh
Error: CLI could not contact EJBCA instance. Either your application server is not up and running, EJBCA has not been deployed successfully, or some firewall rule is blocking the CLI from the application server.
Cause
Under the hood, this is caused by an IllegalStateException with the error message "No EJB receiver available for handling".
Troubleshooting Steps
It is assumed you are using JBoss as the application server and RHEL as the operating system. The troubleshooting steps are very similar if you are using, for example, WildFly instead of JBoss, or another Linux distribution such as Debian.
Make sure JBoss is up and running:
ps aux | grep ${JBOSS_HOME}/bin/standalone.sh
If JBoss is not running, start it.
Make sure EJBCA has been deployed correctly:
ls ${JBOSS_HOME}/standalone/deployments | grep ejbca.ear.deployed
If EJBCA has not been deployed correctly, check the JBoss log file to find out why:
cat ${JBOSS_HOME}/standalone/log/server.log | grep ERROR -C 10 | less
Fix the problem and then redeploy EJBCA by running the following:
cd ${EJBCA_HOME}
ant -q clean deployear
Make sure the application server is listening on the port configured in dist/ejbca-ejb-cli/jboss-ejb-client.properties (unless you have edited the configuration, it should be port 4447).
sudo lsof -i:4447
If connecting remotely, this port must be open in the firewall. Inspect your firewall rules and open this port for incoming TCP traffic if necessary.
sudo firewall-cmd --zone=public --list-ports | grep 4447/tcp
Make sure the user running the application server has read and execute access to the relevant authentication files:
If using local authentication, the user needs access to files in ${JBOSS_HOME}/domain/tmp/auth
If using remote authentication, the user needs access to files in ${JBOSS_HOME}/standalone/tmp/auth
The easiest way to achieve this is to run the application server as the jboss user and ensure ${JBOSS_HOME} is owned by this user:
sudo chown -R jboss:jboss ${JBOSS_HOME}
sudo chmod -R 'g=u' ${JBOSS_HOME}
sudo find ${JBOSS_HOME} -type d -exec sudo chmod g+s {} \;
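The troubleshooting steps above, collected into one POSIX shell script that reports which check fails. This is an added example, not part of the EJBCA documentation or tooling. The function names are illustrative; the ejbca.ear.failed marker is the one the JBoss deployment scanner writes for a failed deployment, and the auth-directory check tests the user running the script, so run it as the application-server user.

```shell
#!/bin/sh
# Added example: pre-flight checks for the EJBCA CLI (function names are illustrative).
# Usage: sh preflight.sh "$JBOSS_HOME" [port]   (port defaults to 4447, as on the page)

# Step 1: is the application server running? pgrep never matches itself,
# unlike "ps aux | grep", so an empty result really means "not running".
check_jboss_running() {
    pgrep -f "$1/bin/standalone.sh" >/dev/null 2>&1
}

# Step 2: deployment state, read from the deployment scanner's marker files.
deployment_state() {
    d="$1/standalone/deployments"
    if [ -e "$d/ejbca.ear.deployed" ]; then echo deployed
    elif [ -e "$d/ejbca.ear.failed" ]; then echo failed
    else echo missing
    fi
}

# Step 3: is anything listening on the CLI port? Other users' sockets are
# only visible to root, so run as root or as the application-server user.
check_port_listening() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Step 4: can the current user read and traverse the auth directory?
check_auth_dir() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

preflight() {
    home="$1"; port="${2:-4447}"; rc=0
    check_jboss_running "$home" || { echo "FAIL: JBoss is not running"; rc=1; }
    state=$(deployment_state "$home")
    [ "$state" = deployed ] || { echo "FAIL: ejbca.ear is $state, check standalone/log/server.log"; rc=1; }
    check_port_listening "$port" || { echo "FAIL: nothing listening on TCP $port"; rc=1; }
    # Only the directory for the authentication mode in use has to pass.
    for a in "$home/domain/tmp/auth" "$home/standalone/tmp/auth"; do
        check_auth_dir "$a" || echo "WARN: $(id -un) cannot read or traverse $a"
    done
    [ "$rc" -eq 0 ] && echo "OK: server running, EJBCA deployed, port $port listening"
    return "$rc"
}

# Run only when a JBOSS_HOME path is passed as the first argument.
[ "$#" -eq 0 ] || preflight "$@"
```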