| Summary: | Unable to create system certificates in different tokens | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | alee, arubin, edewata, tlavigne |
| Target Milestone: | rc | ||
| Target Release: | 7.4 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.3.3-10.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-23 20:50:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
commit bc65e12500cbc3381b4e755a4a50214f43049ad3 Author: Endi S. Dewata <edewata> Date: Mon Aug 29 08:33:05 2016 +0200 Cherry-picked into DOGTAG_10_3_RHEL_BRANCH: From f142e739d0296e29914a39c1591a5f1681f0ac31 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <edewata> Date: Mon, 29 Aug 2016 08:33:05 +0200 Subject: [PATCH 3/9] Added support to create system certificates in different tokens. Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token. https://fedorahosted.org/pki/ticket/2449 (cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3) (cherry picked from commit 261e550a25ced3c61fc0c3afeb910d17b7472a3c) The fix showed an issue mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1374054#c7 Marking it Failed_QA, The patch has been reverted in master: * b0a4981937abb1a3decad7decc0a788473464039 The patch has been reverted from DOGTAG_10_3_RHEL_BRANCH:
commit b2b617c1372559d03de582c66687df248e77fa7b
Author: Endi S. Dewata <edewata>
Date: Thu Sep 8 20:06:19 2016 +0200
Removed support for creating system certificates in different tokens.
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)
(cherry picked from commit 744c506e41f33c7532c0ce8ab08f12bc75d79506)
Per PKI Bug Council of 03/23/2017: * removed blocker flag * closing as UPSTREAM |
The pkispawn and CS.cfg provide several parameters to specify the token name for each system certificate: pki_ca_signing_token / ca.signing.tokenname pki_ocsp_signing_token / ca.ocsp_signing.tokenname / ocsp.signing.tokenname pki_storage_token / kra.storage.tokenname pki_transport_token / kra.transport.tokenname pki_audit_signing_token / <subsystem>.audit_signing.tokenname pki_ssl_server_token / <subsystem>.sslserver.tokenname pki_subsystem_token / <subsystem>.subsystem.tokenname However, the current code disregards the token names specified in the above parameters and it will only use the token name specified in pki_token_name, which limits its use and may cause some confusions. One option is to fix the code to read the token names from the right parameters, allowing the system certificate to be created in different tokens. For example, the CA certificate might be created in HSM, while the other certificates are created in internal token. Another option is to remove the above parameters, so all system certificates will always be created in the same token.