Bug 1392068
Field | Value | Field | Value
---|---|---|---
Summary: | [RFE] add express archivals and retrievals from KRA | |
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen>
Component: | pki-core | Assignee: | Ade Lee <alee>
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang>
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | unspecified | |
Version: | 7.4 | CC: | alee, ssidhaye
Target Milestone: | rc | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Enhancement
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 22:48:25 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |

Doc Text:

For better performance, Certificate System now supports ephemeral

Before this update, Certificate System key recovery authority (KRA) instances always stored archival and recovery requests for secrets in the LDAP back end. Persisting the request is only needed when its state must outlive a single call, for example when more than one agent has to approve a recovery. When a request is processed immediately and a single agent approval is sufficient, storing it is unnecessary. To improve performance, you can now set the `kra.ephemeralRequests=true` option in the `/var/lib/pki/<instance>/kra/conf/CS.cfg` file so that such requests are no longer written to the LDAP back end. Recovery requests that require more than one agent approval (`kra.noOfRequiredSecurityDataRecoveryAgents` greater than 1) are still stored in LDAP, because their state has to survive until the remaining agents approve.
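The release note above and the verification steps in the comments both rest on one observable claim: with `kra.ephemeralRequests=true` no request entry appears in the KRA's LDAP request tree, while a recovery that needs a second agent still does. The following added example (not Dogtag or Certificate System code) shows how to check that claim mechanically. It assumes two `ldapsearch` LDIF dumps of the request subtree taken before and after the `pki key-archive` / `key-retrieve` commands, and it assumes the Dogtag layout in which KRA requests live under `ou=kra,ou=requests,<instance base DN>` as entries with `requestType` and `requestState` attributes; the snapshots below are constructed for the example, and the base DN, entry names and the `pending` state are assumptions, not values taken from this bug.

```python
"""Diff two ldapsearch LDIF snapshots of a KRA request tree and report
which request entries were written between them.

Added example, not Certificate System code. Assumed layout:
  dn: cn=<id>,ou=kra,ou=requests,o=pki-tomcat-KRA
  requestType / requestState attributes on each request entry.
A live snapshot could be taken with (assumed base DN):
  ldapsearch -x -LLL -D "cn=Directory Manager" -W \
      -b "ou=kra,ou=requests,o=pki-tomcat-KRA" "(objectClass=request)"
"""
import re

BASE = "ou=kra,ou=requests,o=pki-tomcat-KRA"   # assumption, adjust per instance


def parse_ldif(text):
    """Parse LDIF text into {dn: {attr: [values]}}.

    Continuation lines (leading space) are unfolded, '#' comments and the
    search:/result:/version: trailer lines outside an entry are ignored,
    and 'attr:: value' (base64) is kept undecoded.
    """
    entries, dn, attrs = {}, None, {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():                 # blank line terminates an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip()
        if name == "dn":
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(name, []).append(value)
    if dn is not None:                       # flush an entry without trailing blank line
        entries[dn] = attrs
    return entries


def new_requests(before_ldif, after_ldif, request_type=None):
    """Return sorted (dn, requestType, requestState) for entries present in
    'after' but not in 'before', optionally filtered by requestType."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    found = []
    for dn, attrs in after.items():
        if dn in before:
            continue
        rtype = attrs.get("requestType", ["?"])[0]
        state = attrs.get("requestState", ["?"])[0]
        if request_type is not None and rtype != request_type:
            continue
        found.append((dn, rtype, state))
    return sorted(found)


def ephemeral_check(before_ldif, after_ldif):
    """(ok, added): ok is True when the operations left no request behind,
    which is what kra.ephemeralRequests=true is expected to give."""
    added = new_requests(before_ldif, after_ldif)
    return (not added, added)


# ---- constructed sample snapshots (not captured from a real instance) ----
def _entry(num, rtype, state):
    return (f"dn: cn={num},{BASE}\nobjectClass: top\nobjectClass: request\n"
            f"cn: {num}\nrequestType: {rtype}\nrequestState: {state}\n")

HEADER = f"# extended LDIF\n#\n# LDAPv3\n# base <{BASE}> with scope subtree\n#\n\n"
FOOTER = "search: 2\nresult: 0 Success\n"

BEFORE = (HEADER + _entry(1, "securityDataEnrollment", "complete") + "\n"
          + _entry(2, "securityDataRecovery", "complete") + "\n" + FOOTER)
# default behaviour: archive + approved recovery both persisted
AFTER_DEFAULT = (HEADER + _entry(1, "securityDataEnrollment", "complete") + "\n"
                 + _entry(2, "securityDataRecovery", "complete") + "\n"
                 + _entry(3, "securityDataEnrollment", "complete") + "\n"
                 + _entry(4, "securityDataRecovery", "complete") + "\n" + FOOTER)
# kra.ephemeralRequests=true: same operations, tree unchanged
AFTER_EPHEMERAL = BEFORE
# noOfRequiredSecurityDataRecoveryAgents=2: recovery waits for a second agent
AFTER_TWO_AGENTS = (HEADER + _entry(1, "securityDataEnrollment", "complete") + "\n"
                    + _entry(2, "securityDataRecovery", "complete") + "\n"
                    + _entry(5, "securityDataRecovery", "pending") + "\n" + FOOTER)

if __name__ == "__main__":
    print("default   :", new_requests(BEFORE, AFTER_DEFAULT))
    print("ephemeral :", ephemeral_check(BEFORE, AFTER_EPHEMERAL))
    print("two agents:", new_requests(BEFORE, AFTER_TWO_AGENTS, "securityDataRecovery"))
```

Take the "before" dump, run the archive/retrieve commands from the comments, take the "after" dump, and feed both to `ephemeral_check`; with the flag set it should return `(True, [])`, and with `kra.noOfRequiredSecurityDataRecoveryAgents=2` the recovery request should be the only new entry.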
Description
Matthew Harmsen
2016-11-04 17:46:26 UTC
alee: Initial commits

```
Counting objects: 127, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (93/93), done.
Writing objects: 100% (127/127), 44.35 KiB | 0 bytes/s, done.
Total 127 (delta 72), reused 0 (delta 0)
To ssh://vakwetu@git.fedorahosted.org/git/pki.git
   732779d..308eb25  master -> master
```

More commits:

```
commit 0a6289f5d94ec238e66d05782b9fdd2207ac7e9a
```

Please provide steps to verify this RFE.

Copying the steps to verify from devel ticket #2532. You can test the patches as follows:

(archive and retrieve a passphrase)

```
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-archive --passphrase "foobar" --clientKeyID "test_1"
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc
```

(retrieve the passphrase using an approved recovery request)

```
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-request-review --action approve 0x36
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --requestID 0x36
```

The above should create requests (archival and recovery) in LDAP.

Add the following to CS.cfg (and restart the KRA):

```
kra.ephemeralRequests=true
```

Redo the above tests, and no requests should be written to LDAP.

Finally, test a case where more than one approval is needed. Add the following to CS.cfg and restart the KRA.

```
kra.noOfRequiredSecurityDataRecoveryAgents=2
```

```
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc
```

This should return a recovery request ID (which will be written to LDAP). You will need another agent to approve this request before it can be used to retrieve the key.

Build used:

```
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-archive --passphrase "foobar" --clientKeyID "test_1"
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-retrieve --keyID 0x1
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
  Nonce data: FP9yBJeKo0/6y1+PTGVuiQ==
  Actual archived data: Zm9vYmFy
```

The above operations created archival and retrieval requests in LDAP.

After setting the flag kra.ephemeralRequests=true in KRA's CS.cfg and restarting, no requests were created in LDAP:

```
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-archive --passphrase "foobar3" --clientKeyID "test_3"
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Archival request details
------------------------
  Request ID: 0x3513a5a4932f0c
  Key ID: 0x3
  Type: securityDataEnrollment
  Status: begin
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-request-review --keyID 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
Unrecognized option: --keyID
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-request-review --action approve 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------
Result
------
  Request ID: 0x3
  Key ID: 0x1
  Type: securityDataRecovery
  Status: approved
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-retrieve --requestID 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
  Nonce data: CxX2y0cOz8z/0yh0pKE5kA==
  Actual archived data: Zm9vYmFy
```

Also, after setting kra.noOfRequiredSecurityDataRecoveryAgents=2, the recovery request ID is written to LDAP.

Build used for verification:

```
[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group       : System Environment/Base
Size        : 2086078
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework
```

Made some minor mods. Looks good now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110