Bug 1360525
| Field | Value |
|---|---|
| Summary | CA subsystem OCSP responder fails when LWCAs are not used |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Fraser Tweedale <ftweedal> |
| Component | pki-core |
| Assignee | RHCS Maintainers <rhcs-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.3 |
| CC | alee, ftweedal, gkapoor, mharmsen |
| Target Milestone | rc |
| Target Release | 7.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | pki-core-10.3.3-5.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1360526 (view as bug list) |
| Environment | |
| Last Closed | 2016-11-04 05:26:33 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1360526 |
Description
Fraser Tweedale
2016-07-27 01:46:01 UTC
*** Bug 1360526 has been marked as a duplicate of this bug. ***

On August 7, 2016, ftweedal wrote:

Fixed in master (018b5c1f3295fadd263d256d00866dd7b9d31163)

In CA logs I could see:

```text
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: OCSP Request:
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: MEcwRaADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFI+f1p94B6E7gFyBxU3fvfSauVLG
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: OCSP Response Size:
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: 2507
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: OCSP Response Data:
debug:[21/Sep/2016:22:28:58][http-bio-20080-exec-5]: OCSPServlet: MIIJxwoBAKCCCcAwggm8BgkrBgEFBQcwAQEEggmtMIIJqTCBzqFoMGYxJTAjBgNV
```

Do you think it's enough? Please add more test scenarios if needed.

To verify this fix, the lightweight CAs LDAP subtree must be absent. Procedure:

1. If ou=authorities,ou=ca,{basedn} subtree exists:
   1.1. Stop Dogtag
   1.2. Delete the whole subtree *including the ou=authorities container itself*
   1.3. Start Dogtag
2. Perform an OCSP request against the CA subsystem. If request succeeds -> verified.

(In reply to Fraser Tweedale from comment #6)
> To verify this fix, the lightweight CAs LDAP subtree must be absent.
> Procedure:
>
> 1. If ou=authorities,ou=ca,{basedn} subtree exists:
> 1.1. Stop Dogtag
> 1.2. Delete the whole subtree *including the ou=authorities container
> itself*
> 1.3. Start Dogtag
>
> 2. Perform an OCSP request against the CA subsystem. If request succeeds ->
> verified.

Moving back to ON_QA based upon these comments.

Test steps:

1. I have deleted the ou=authorities,ou=ca,{basedn} subtree. But what is the use for it?

Another question: if I do an OCSP query, will it save something in LDAP, and will the ou=authorities,ou=ca,{basedn} subtree get created again?

Below is the result of the OCSP query.

```text
OCSPClient -h pki1.example.com -p 30144 -d /var/lib/pki/TestExternal/alias/ -t /ca/ocsp -c 'caSigningCert cert-TestExternal CA' --serial 1 -v
Initializing security database
Creating request for serial number 1
Submitting OCSP request
URL: http://pki1.example.com:30144/ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQmZlUQJMv/qPoB+ReYFx1PO/SjVQQUKHLR
YOI4kcprgNYqlWpSnXWfbI4CAQE=
CertID.serialNumber=1
CertStatus=Good
```

The subtree is being removed to simulate a case where the LWCA subtree did not exist to begin with. This would occur when an instance is created by an old version of dogtag (before LWCAs), and then we update to the latest software. You will notice that this bug was originally reported during an IPA migration test.

The test you have done is sufficient as a test that triggers the newly fixed code. A good end-to-end test would be to do an IPA migration and confirm that the error reported above is no longer observed.

IPA QE team confirmed that IPA upgrade from 4.2 to 4.4 worked fine.

Based on the comment #9 response, marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
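When verifying the responder, it helps to decode the base64 request that OCSPClient prints ("Data:") and that the CA debug log echoes ("OCSPServlet: OCSP Request:"), so the CertID the responder actually received can be checked against the intended issuer and serial. The parser below is an added example, not code from pki-core or from anyone on this bug; it walks the RFC 6960 OCSPRequest DER with a minimal tag-length-value reader (no external library) and is fed the exact request from the OCSPClient run above. It also accepts the explicit [0] version field that the request in the CA debug log carries.

```python
import base64

OCSPCLIENT_REQUEST_B64 = (  # the request as printed by OCSPClient in this bug (Data Length: 68)
    "MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQmZlUQJMv/qPoB+ReYFx1PO/SjVQQUKHLR"
    "YOI4kcprgNYqlWpSnXWfbI4CAQE="
)
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):
    """Decode an OBJECT IDENTIFIER value to dotted form (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_ocsp_request(b64):
    """Return version, DER length and the CertIDs of an RFC 6960 OCSPRequest."""
    der = base64.b64decode("".join(b64.split()))    # tolerate line-wrapped tool output
    tbs = _children(_tlv(_tlv(der, 0)[1], 0)[1])    # OCSPRequest -> tbsRequest members
    tagged = {t: v for t, v in tbs if t != 0x30}    # [0] version (seen in the CA debug log), [1], [2]
    version = int.from_bytes(_children(tagged[0xA0])[0][1], "big") if 0xA0 in tagged else 0
    requests = []
    for _, req in _children(next(v for t, v in tbs if t == 0x30)):   # requestList
        alg, name_hash, key_hash, serial = _children(_children(req)[0][1])  # CertID fields
        oid = _oid(_children(alg[1])[0][1])         # AlgorithmIdentifier.algorithm
        requests.append({"hashAlgorithm": HASH_OIDS.get(oid, oid), "serialNumber": int.from_bytes(serial[1], "big"),
                         "issuerNameHash": name_hash[1].hex(), "issuerKeyHash": key_hash[1].hex()})
    return {"version": version, "length": len(der), "requests": requests}
```

The decoded length (68 bytes) and serial (1) match what OCSPClient reported, and the issuerNameHash/issuerKeyHash are what the responder looks up against the CA signing certificate.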