Bug 1364567

Summary: CA Agent certificate list is not sorted by serial number in migration case
Product: Red Hat Enterprise Linux 7
Reporter: Jack Magne <jmagne>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.3
CC: alee, cfu, edewata, mharmsen, nkinder, rpattath
Target Milestone: rc
Target Release: 7.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.3.3-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:26:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jack Magne 2016-08-05 18:01:33 UTC
Description of problem:


When a migration of cert data is done from one version of cert system to the latest version of cert system on el7, the cert objects can be written to the LDAP store in an unpredictable order.

Consequently, the agent GUI interface has a couple of places where the user can search for a list of certs based on a set of search terms.

In the non-migration case, it turns out that the user will see any returned list in serial number order. This is basically the accidental side effect of having each cert added to the LDAP store in order of creation.

The migration case allows no such convenient scenario and the migrated certs are added in random order.

Since the current search mechanism places no sorting constraints upon the search, the list can come up in unexpected order.

We need a simple bit of code to make sure the LDAP server searches the data with sorting by serial number in mind.
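
Added example, not taken from this bug report or from pki-core: one way to make an LDAP search return entries in serial-number order regardless of the order they were written, using the JDK's JNDI `SortControl` (server-side sorting). The attribute name `serialno` is assumed from the commit subject quoted in Comment 2; the server URL, base DN and filter are placeholders passed as arguments, and the code assumes an anonymous bind and that the server's ordering for that attribute yields serial-number order.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.*;

public class SortedCertSearch {
    // Assumed attribute name (from the commit subject), not confirmed by the page.
    static final String SORT_ATTR = "serialno";

    static List<String> searchSorted(LdapContext ctx, String base, String filter)
            throws Exception {
        // CRITICAL: the server must sort or fail the search; it may not
        // silently fall back to returning entries in storage order.
        ctx.setRequestControls(new Control[] {
            new SortControl(SORT_ATTR, Control.CRITICAL) });
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { SORT_ATTR });

        List<String> serials = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
        while (results.hasMore()) {
            Attribute a = results.next().getAttributes().get(SORT_ATTR);
            if (a != null) serials.add(String.valueOf(a.get()));
        }
        // Response controls become available once the enumeration is exhausted.
        Control[] resp = ctx.getResponseControls();
        if (resp != null) for (Control c : resp) {
            if (c instanceof SortResponseControl && !((SortResponseControl) c).isSorted())
                throw ((SortResponseControl) c).getException();
        }
        return serials;
    }

    public static void main(String[] args) throws Exception {
        // args: <ldap-url> <base-dn> <filter>, all placeholders for your deployment
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            searchSorted(ctx, args[1], args[2]).forEach(System.out::println);
        } finally {
            ctx.close();
        }
    }
}
```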

Comment 1 Matthew Harmsen 2016-08-05 18:06:18 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2430

Comment 2 Jack Magne 2016-08-05 18:14:09 UTC
commit f0b1854a8f5cfe97d2d267ea16e4556d94666bb6
Author: Jack Magne <jmagne.redhat.com>
Date:   Wed Aug 3 18:01:23 2016 -0700

    Fix to sort the output of a cert search by serialno.


The preceding fix was checked into upstream master, putting the bug in POST.

Comment 5 Roshni 2016-09-13 15:57:43 UTC
[root@cypher ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 10.el7
Architecture: noarch
Install Date: Tue 13 Sep 2016 09:58:32 AM EDT
Group       : System Environment/Daemons
Size        : 2431460
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-10.el7.src.rpm
Build Date  : Sat 10 Sep 2016 02:18:45 AM EDT
Build Host  : ppc-042.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Followed comment 3 and http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_existing_CA_mechanism for verification. Seeing the certificates are listed in the order of serial number.

Comment 7 errata-xmlrpc 2016-11-04 05:26:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html