Bug 1339304

Summary: CA installed on replica is always marked as renewal master
Product: Red Hat Enterprise Linux 7 Reporter: Marcel Kolaja <mkolaja>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: high Docs Contact:
Priority: high    
Version: 7.2CC: ipa-maint, jcholast, mbasti, mkosek, ndehadra, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.17 Doc Type: Bug Fix
Doc Text:
When installing a clone certificate authority (CA) on a replica, the LDAP entry representing the replica was marked with the "caRenewalMaster" flag, even though another server already served as the CA renewal master. However, Identity Management (IdM) supports only one CA renewal master. Consequently, generating a new CA subsystem certificate could potentially cause the certificate to be generated multiple times, and CA operations, such as certificate renewal, could stop working on some servers. Now, the replica is no longer marked as "caRenewalMaster" in the described situation. Also, IdM removes any surplus "caRenewalMaster" flags to ensure only one CA renewal master is available. As a result, generating a CA subsystem certificate does not cause the CA operations to fail.
 Story Points: ---
Clone Of: 1339233 Environment:
Last Closed: 2016-06-23 16:32:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1339233    
Bug Blocks:    
Attachments:
Description Flags
Bug Verification console output none

Description Marcel Kolaja 2016-05-24 15:54:44 UTC 
This bug has been copied from bug #1339233 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Kaleem 2016-05-25 07:39:18 UTC 
Please provide the steps to verify this.
Comment 6 Jan Cholasta 2016-05-25 07:49:52 UTC 
1. install IPA server
2. install one or more IPA replicas with CA
3. upgrade to ipa-4.2.0-15.el7_2.17 if older version was used for install
4. "ldapsearch -H $LDAP_URI -b cn=masters,cn=ipa,cn=etc,$BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))'" must return exactly one entry
Comment 7 Nikhil Dehadrai 2016-06-01 09:45:51 UTC 
IPA server version: ipa-server-4.2.0-15.el7_2.17.x86_64

1. Verified that only one entry is returned on executing the command mentioned inside Comment#6.
2. Refer the attachment for console output.

Thus marking the status of bug to "VERIFIED".
Comment 8 Nikhil Dehadrai 2016-06-01 09:46:50 UTC 
Created attachment 1163562 [details]
Bug Verification console output

Bug Verification console output steps.
Comment 12 errata-xmlrpc 2016-06-23 16:32:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1256