Bug 1363608
Summary: | Kra-selftest behavior is not as expected | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Geetika Kapoor <gkapoor> |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.2 | CC: | edewata, mharmsen |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | 7.3 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | pki-core-10.3.3-7.el7 | Doc Type: | If docs needed, set a value |
Last Closed: | 2016-11-04 05:26:38 UTC | Type: | Bug |
Description
Geetika Kapoor
2016-08-03 07:47:19 UTC
Upstream ticket: https://fedorahosted.org/pki/ticket/2432

Fixed in master (10.4):
* 6bfee0e46aee93e1255ecb5652d46348557664d5
* 4001335ed5105112c64c433a26272286ecf66196

Just a note, the problem can be reproduced by executing pki kra-selftest-find against a basic KRA installation. It's not necessary to modify the CS.cfg/server.xml or import the OCSP certificate.

The following were checked in to DOGTAG_10_3_RHEL_BRANCH:

commit 561191eacd168ed3b75de0c502ee82a6517f4348
Author: Endi S. Dewata <edewata>
Date: Tue Aug 16 01:43:36 2016 +0200

    Fixed SelfTestService.findSelfTests().

    The SelfTestService.findSelfTests() has been modified to return all selftests defined in the CS.cfg.

    https://fedorahosted.org/pki/ticket/2432
    (cherry picked from commit 4001335ed5105112c64c433a26272286ecf66196)
    (cherry picked from commit e860276fc5889aae40beda33ea523358fbe76911)

commit 90c6537038caa9a241d1c4123e1a642860a0aa5a
Author: Endi S. Dewata <edewata>
Date: Tue Aug 16 00:15:15 2016 +0200

    Removed misleading log in SelfTestSubsystem.

    To avoid confusion, the isSelfTestCriticalAtStartup() and isSelfTestCriticalOnDemand() in SelfTestSubsystem have been modified to no longer log an error message if the selftest being checked does not exist in the corresponding property in CS.cfg.

    https://fedorahosted.org/pki/ticket/2432
    (cherry picked from commit 6bfee0e46aee93e1255ecb5652d46348557664d5)
    (cherry picked from commit 422fc92597d80aa115efa59a592fbaf8851b243e)

build: pki-kra-10.3.3-10.el7.noarch

Test case 1: Check the output of kra-selftest-find.
Expected Result: It should return 2 entries based on what is mentioned in CS.cfg. -- PASS

pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
-----------------
2 entries matched
-----------------
SelfTest ID: KRAPresence
Enabled at startup: false
Enabled on demand: true
Critical on demand: true

SelfTest ID: SystemCertsVerification
Enabled at startup: true
Critical at startup: true
Enabled on demand: false
----------------------------
Number of entries returned 2
----------------------------

Test Case 2: Disable one of the "SystemCertsVerification" from CS.cfg.
Expected Result: Works as expected -- PASS

pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-show SystemCertsVerification
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
----------------------------------
SelfTest "SystemCertsVerification"
----------------------------------
SelfTest ID: SystemCertsVerification
Enabled at startup: false
Enabled on demand: false

pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
-----------------
1 entries matched
-----------------
SelfTest ID: KRAPresence
Enabled at startup: false
Enabled on demand: true
Critical on demand: true
----------------------------
Number of entries returned 1
----------------------------

Test Case 3: Disable one of the "KRAPresence" in CS.cfg

<CS.cfg>
CS.cfg :
root@nocp30 externalCA # grep -i "presence" /etc/pki/pki-tomcat/kra/CS.cfg
#selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence
#selftests.container.order.onDemand=KRAPresence:critical
#selftests.plugin.KRAPresence.SubId=kra
</CS.cfg>

1. pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
-----------------
1 entries matched
-----------------
SelfTest ID: KRAPresence
Enabled at startup: false
Enabled on demand: true
Critical on demand: true
----------------------------
Number of entries returned 1
---------------------------

2. pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
-----------------
1 entries matched
-----------------
SelfTest ID: KRAPresence
Enabled at startup: false
Enabled on demand: true
Critical on demand: true
----------------------------
Number of entries returned 1
---------------------------

3. pki -d /tmp/abc -c Secret123 -h `hostname` -p 8080 -n "PKI Administrator for idm.lab.eng.rdu2.redhat.com" kra-selftest-run
WARNING: UNTRUSTED ISSUER encountered on 'CN=nocp30.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcat,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? n
Selftest ID: KRAPresence
Status: PASSED
-------------------
Selftests completed
-------------------

Hello,

According to my test case 3, if I disable KRAPresence in kra's CS.cfg, how it should behave. Do you think output of the commands as mentioned in Test case 3 returns the accurate data?

Thanks
Geetika

Geetika,

Did you restart Tomcat after changing the CS.cfg? Tomcat should restart, but the PKI subsystem will fail to start if any of the following parameters is missing or blank:
* selftests.container.order.onDemand
* selftests.container.order.startup

So test case #2 & #3 in comment #7 is currently not supported. I'd suggest creating a separate bug to fix this limitation (i.e. PKI server should support running without any selftests).

Sure I'll test test case 1 here and for test case 2 and 3 I'll raise a separate bug.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
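
Added example (not part of the bug report and not Dogtag code): a check to run on CS.cfg before restarting Tomcat, covering the limitation noted in the thread that the subsystem fails to start when selftests.container.order.onDemand or selftests.container.order.startup is missing or blank. It assumes the order properties are comma-separated `ID[:critical]` lists; the function names, the sample configs and `PLACEHOLDER_CLASS` are constructed for illustration.

```python
ORDER_KEYS = {"startup": "selftests.container.order.startup",
              "onDemand": "selftests.container.order.onDemand"}
INSTANCE_PREFIX = "selftests.container.instance."

def parse_cs_cfg(text):
    """Parse key=value lines; lines starting with '#' are disabled settings."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_order(value):
    """'A:critical, B' -> {'A': 'critical', 'B': 'enabled'} (assumed format)."""
    order = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        name, _, flag = item.partition(":")
        order[name.strip()] = "critical" if flag.strip() == "critical" else "enabled"
    return order

def check_selftests(text):
    """Return (problems, summary) for the selftest settings of one CS.cfg."""
    props, problems, orders = parse_cs_cfg(text), [], {}
    for phase, key in ORDER_KEYS.items():
        if not props.get(key):
            problems.append(f"{key} is missing or blank")
        orders[phase] = parse_order(props.get(key, ""))
    defined = sorted(k[len(INSTANCE_PREFIX):] for k in props
                     if k.startswith(INSTANCE_PREFIX))
    for phase, order in orders.items():
        problems += [f"{ORDER_KEYS[phase]} lists undefined selftest {n}"
                     for n in order if n not in defined]
    summary = {n: {p: orders[p].get(n, "disabled") for p in ORDER_KEYS}
               for n in defined}
    return problems, summary

# Constructed samples; PLACEHOLDER_CLASS stands in for the real class name.
BASE = """selftests.container.instance.SystemCertsVerification=PLACEHOLDER_CLASS
selftests.container.order.startup=SystemCertsVerification:critical
"""
ENABLED = BASE + """selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence
selftests.container.order.onDemand=KRAPresence:critical
selftests.plugin.KRAPresence.SubId=kra
"""
# Same file with the three KRAPresence lines commented out, as in test case 3.
COMMENTED_OUT = BASE + "".join("#" + l + "\n" for l in ENABLED[len(BASE):].splitlines())

if __name__ == "__main__":
    for label, cfg in (("enabled", ENABLED), ("commented out", COMMENTED_OUT)):
        print(label, *check_selftests(cfg), sep="\n  ")
```

A non-empty problems list for the edited file means the change should not be deployed as is; the summary lists every selftest still defined, with its state per phase.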