Bug 1369640
Summary: | Host CA's certificate and key are deleted if LWCA entry deleted | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> | ||||
Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> | ||||
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.3 | CC: | akasurde, ftweedal, ksiddiqu, mharmsen, tlavigne | ||||
Target Milestone: | rc | ||||||
Target Release: | 7.3 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | pki-core-10.3.3-9.el7 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-11-04 05:27:16 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Fraser Tweedale
2016-08-24 04:55:05 UTC
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH: commit 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d Author: Fraser Tweedale <ftweedal> Date: Wed Aug 24 14:40:46 2016 +1000 Prevent deletion of host CA cert and key from NSSDB If authorityMonitor observes the deletion of the host CA's authority entry, it will treat it the same as any other lightweight CA and delete the signing cert AND KEY from the NSSDB. Because the database is replicated, the change would be observed and deletion immediately effected on all running clones. Unless the main CA private key is backed up somewhere there is no way to recover from this. Although this scenario does not arise in normal operation, the impact is severe so add a check that prevents cert and key deletion for host authority. Fixes: https://fedorahosted.org/pki/ticket/2443 (cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1) (cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e) Steps to verify: 1. Find DN of authority entry for main CA: ldapsearch -LLL -D "cn=directory manager" -w4me2Test -b o=ipaca \ "(&(objectclass=authority)(description=Host authority))" 1.1 \ | cut -d " " -f 2 2. Delete that entry ldapdelete -D "cn=directory manager" -w4me2Test $HOST_AUTHORITY_DN 3. Confirm that CA signing key (nickname "caSigningCert cert-pki-ca") HAS NOT deleted from /etc/pki/pki-tomcat/alias NSSDB Verified using IPA version :: ipa-server-4.4.0-11.el7.x86_64 pki-ca-10.3.3-10.el7.noarch Marking BZ as verified. Created attachment 1201640 [details]
console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html |