Bug 1392068

Summary: [RFE] add express archivals and retrievals from KRA
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: pki-coreAssignee: Ade Lee <alee>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.4CC: alee, ssidhaye
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.4.0-1.el7 Doc Type: Enhancement
Doc Text:
For better performance, Certificate System now supports ephemeral Before this update, Certificate System key recovery agent (KRA) instances always stored recovery and storage requests of secrets in the LDAP back end. This is required to store the state if multiple agents must approve the request. However, if the request is processed immediately and only one agent must approve the request, storing the state is not required. To improve performance, you can now set the "kra.ephemeralRequests=true" option in the `/var/lib/pki/<instance>/kra/conf/CS.cfg` file to no longer store requests in the LDAP back end.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:48:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Harmsen 2016-11-04 17:46:26 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2532

In the IPA and Openstack use cases, secrets are stored and retrieved much more frequently
than the standard PKI use case.  We need to make some enhancements to improve performance.

In particular, in the PKI use case, we store archival and retrieval secrets in LDAP, so that they can be acted on asynchronously later.  Moreover, these requests may often require N agents to approve the request.

In the IPA and Barbican case, we need only one agent for approvals, so the process can be simplified.  In particular, we want to create express archivals and retrievals which do not have requests that are persisted to LDAP.  This prevents a possible LDAP replication storm each time a secret is retrieved/archived.

Instead, the only LDAP write will be to the keyRecord during archival.

Comment 1 Matthew Harmsen 2017-03-03 19:25:07 UTC
alee:

Initial commits

Counting objects: 127, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (93/93), done.
Writing objects: 100% (127/127), 44.35 KiB | 0 bytes/s, done.
Total 127 (delta 72), reused 0 (delta 0)
To ssh://vakwetu @git.fedorahosted.org/git/pki.git
732779d. 308eb25 master -> master

More commits:

commit 0a6289f5d94ec238e66d05782b9fdd2207ac7e9a

commit 0a6289f5d94ec238e66d05782b9fdd2207ac7e9a

Comment 3 Sumedh Sidhaye 2017-05-04 06:12:33 UTC
Please provide steps to verify this RFE.

Comment 4 Sumedh Sidhaye 2017-05-04 13:28:47 UTC
Copying the steps to verify from devel ticket #2532

You can test the patches as follows:

(archive and retrieve a passphrase)
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-archive --passphrase "foobar" --clientKeyID "test_1"
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc

(retrieve the passphrase using an approved recovery request)
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-request-review --action approve 0x36
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --requestID 0x36

The above should create requests (archival and recovery) in LDAP.
Add the following to CS.cfg (and restart the KRA):

kra.ephemeralRequests=true

Redo the above tests, and no requests should be written to LDAP.

Finally, test a case where more than one approval is needed.
Add the following to CS.cfg and restart the KRA.

kra.noOfRequiredSecurityDataRecoveryAgents=2

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h hostname -p 8443 key-retrieve --keyID 0xc

This should return a recovery request ID (which will be written to LDAP).
You will need another agent to approve this request before it can be used to retrieve the key.

Comment 5 Sumedh Sidhaye 2017-05-05 10:09:41 UTC
Build used:



[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-archive --passphrase "foobar" --clientKeyID "test_1"
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-retrieve --keyID 0x1
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
  Nonce data: FP9yBJeKo0/6y1+PTGVuiQ==

  Actual archived data: Zm9vYmFy

The above operations created archival and retrieval requests in LDAP

After setting the flag kra.ephemeralRequests=true in KRA's CS.cfg and restarting no requests were created in LDAP

[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-archive --passphrase "foobar3" --clientKeyID "test_3"
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Archival request details
------------------------
  Request ID: 0x3513a5a4932f0c
  Key ID: 0x3
  Type: securityDataEnrollment
  Status: begin
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-request-review --keyID 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
Unrecognized option: --keyID
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-request-review --action approve 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------
Result
------
  Request ID: 0x3
  Key ID: 0x1
  Type: securityDataRecovery
  Status: approved
[root@auto-hv-02-guest09 certdb]# pki -d . -c Secret123 -n "PKI KRA Administrator for Example.Org" -P https -h localhost -p 21443 key-retrieve --requestID 0x3
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
  Nonce data: CxX2y0cOz8z/0yh0pKE5kA==

  Actual archived data: Zm9vYmFy
 

Also after setting kra.noOfRequiredSecurityDataRecoveryAgents=2 the recovery request ID is written to LDAP

Comment 6 Sumedh Sidhaye 2017-05-05 10:14:16 UTC
Build used to for verification:

[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group       : System Environment/Base
Size        : 2086078
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

Comment 8 Ade Lee 2017-07-26 16:03:48 UTC
Made some minor mods.  Looks good now.

Comment 9 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110