Bug 1002639

Summary: ipa-replica-prepare should not prompt for pkcs12 pin when dogtag is installed as internal CA
Product: Red Hat Enterprise Linux 7
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: high
Priority: high
Version: 7.0
CC: dpal, jgalipea, mgregg, pviktori, rcritten
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.2-1.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 10:25:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jenny Severance 2013-08-29 16:00:57 UTC
Description of problem:
Rightly so, to support CAless installations, ipa-replica-prepare would need to have the pkcs11 pin supplied for access to the private key, but this should not cause a regression in the command when dogtag is installed as the internal CA.  In this case, it should not prompt for the PIN and I do not think the PIN is even known.

Version-Release number of selected component (if applicable):
latest RHEL 7 

How reproducible:
always

Steps to Reproduce:
1. run ipa-replica-prepare

Actual results:
Enter realm_info/httpcert.p12 unlock password:


Expected results:
With a dogtag install, no prompt for a password that the installer does not know.

Additional info:

Comment 1 Jenny Severance 2013-08-29 16:02:12 UTC
meant pkcs12

Comment 3 Rob Crittenden 2013-08-30 12:12:21 UTC
I think an example is in order. Under what circumstances do you get prompted for a PKCS#12 file password?

Comment 4 Martin Kosek 2013-09-03 15:14:14 UTC
Jenny, can you please help us with a reproduction of this bug as Rob requested?

Comment 5 Martin Kosek 2013-09-03 15:54:05 UTC
Lowering the needinfo? request. I just found an e-mail on our team list with relevant information from Michael Gregg:

We have a replica test that is running a command similar to this:

ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''

This ipa-replica-prepare still seems to work OK on older builds of IPA, but on newer versions it seems to kick back asking the end user for an unknown password.

When I manually run this process, I get the following output:

[root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/configure.jar
realm_info/pwdfile.txt
realm_info/dscert.p12
realm_info/http_pin.txt
realm_info/krb.js
realm_info/ra.p12
realm_info/dogtag_directory_port.txt
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.orig
realm_info/kerberosauth.xpi
realm_info/dogtagcert.p12
realm_info/cacert.p12
realm_info/httpcert.p12
realm_info/preferences.html
realm_info/realm_info
realm_info/ca.crt
[root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123 --ip-address=1.2.3.5 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Enter realm_info/httpcert.p12 unlock password:

incorrect password for pkcs#12 file realm_info/httpcert.p12


As per Jan Cholasta's answer, this is a regression caused by https://fedorahosted.org/freeipa/ticket/3717.

I will clone a ticket to fix this.
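
The symptom in the thread is that an explicitly empty PIN (`--http_pin=''`) still produces the "unlock password" prompt. The following is an added illustration, not FreeIPA's code: a simplified reconstruction of the option handling, with a regressed rule that treats an empty string like a missing option beside a fixed rule that prompts only when the option was omitted. The rule itself is an assumption about the cause, and the example applies it to both the directory server and web server options, although the thread shows the prompt only for httpcert.p12.

```python
# Added illustration, not FreeIPA's code. The "regressed" vs "fixed" rule is
# an assumption about why --http_pin='' still prompted in the thread.
import argparse


def parse_args(argv):
    # Subset of the options used in the thread; argparse yields '' for "--http_pin=".
    parser = argparse.ArgumentParser(prog="ipa-replica-prepare")
    parser.add_argument("--dirsrv_pkcs12")
    parser.add_argument("--dirsrv_pin")
    parser.add_argument("--http_pkcs12")
    parser.add_argument("--http_pin")
    return parser.parse_args(argv)


def resolve_pin_regressed(pkcs12, pin, ask):
    # Regressed rule: any falsy pin ('' included) counts as "not supplied",
    # so an empty PIN given on the command line still triggers the prompt.
    if pkcs12 and not pin:
        return ask("Enter %s unlock password: " % pkcs12)
    return pin


def resolve_pin_fixed(pkcs12, pin, ask):
    # Fixed rule: prompt only when the option was omitted (None). An explicit
    # empty string is a valid, empty PKCS#12 password and must not prompt.
    if pkcs12 and pin is None:
        return ask("Enter %s unlock password: " % pkcs12)
    return pin


def prepare(argv, resolve):
    """Return (prompts issued, resolved pins) for one simulated invocation."""
    opts = parse_args(argv)
    prompts = []

    def ask(message):
        prompts.append(message)
        return "typed-at-prompt"  # stands in for interactive input

    pins = {
        "dirsrv": resolve(opts.dirsrv_pkcs12, opts.dirsrv_pin, ask),
        "http": resolve(opts.http_pkcs12, opts.http_pin, ask),
    }
    return prompts, pins


if __name__ == "__main__":
    # Constructed argv mirroring the thread's command line (empty PINs).
    argv = ["--dirsrv_pkcs12=realm_info/dscert.p12", "--dirsrv_pin=",
            "--http_pkcs12=realm_info/httpcert.p12", "--http_pin="]
    print(prepare(argv, resolve_pin_regressed)[0])  # unwanted prompts
    print(prepare(argv, resolve_pin_fixed)[0])      # []
```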

Comment 6 Martin Kosek 2013-09-03 15:56:12 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3897

Comment 9 Namita Soman 2013-11-12 15:36:35 UTC
Verified using ipa-server-3.3.2-5.el7.x86_64

Steps used below - and there was no prompt to Enter realm_info/httpcert.p12 unlock password:

# gpg --batch --passphrase-fd 0 -d /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg | tar xvf -
DSSecret123
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/dirsrv_pin.txt
realm_info/cacert.p12
realm_info/pwdfile.txt.orig
realm_info/dscert.p12
realm_info/dogtagcert.p12
realm_info/dogtag_directory_port.txt
realm_info/http_pin.txt
realm_info/pwdfile.txt
realm_info/httpcert.p12
realm_info/ra.p12
realm_info/ca.crt
realm_info/preferences.html
realm_info/krb.js
realm_info/kerberosauth.xpi
realm_info/configure.jar
realm_info/realm_info


# ipa-replica-prepare --ip-address=1.2.3.4  hp-dl380pgen8-02-vm-1.testrelm.com -p DSSecret123 --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Preparing replica for hp-dl380pgen8-02-vm-1.testrelm.com from qeblade6.testrelm.com
Copying SSL certificate for the Directory Server from realm_info/dscert.p12
Copying SSL certificate for the Web Server from realm_info/httpcert.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg
Adding DNS records for hp-dl380pgen8-02-vm-1.testrelm.com
Using reverse zone 3.2.1.in-addr.arpa.
The ipa-replica-prepare command was successful

Comment 10 Ludek Smid 2014-06-13 10:25:06 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.