Bug 1437602

Summary: non-CA cli looks for CA in the instance during a request
Product: Red Hat Enterprise Linux 7
Reporter: Roshni <rpattath>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: arubin, edewata, mharmsen
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.4.1-2.el7
Doc Type: No Doc Update
Last Closed: 2017-08-01 22:50:57 UTC
Type: Bug

Description Roshni 2017-03-30 15:54:29 UTC
Description of problem:
non-CA cli looks for CA in the instance during a request

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Install CA and KRA
2. Import the KRA admin cert in the security database
3.

Actual results:
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Server URI: http://pki1.example.com:21080
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=12AF5E29953498554C609F4EFE704FFC; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:24:11 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 991
  Date: Sat, 01 Apr 2017 12:24:11 GMT
com.netscape.certsrv.base.PKIException: Not Found
	at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:417)
	at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:397)
	at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:118)
	at com.netscape.certsrv.group.GroupClient.findGroups(GroupClient.java:45)
	at com.netscape.cmstools.group.GroupFindCLI.execute(GroupFindCLI.java:80)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '21080', '-n', 'PKI KRA Administrator for Example.Org', 'kra-group-find']' returned non-zero exit status 255


Expected results:
The operation should be successful

Additional info:
The workaround is to use the -t option with the CLI.

[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" -t kra kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Server URI: http://pki1.example.com:21080/kra
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:27:06 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/admin/groups
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/admin/groups
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Content-Length: 4664
  Date: Sat, 01 Apr 2017 12:27:06 GMT
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Data+Recovery+Manager+Agents

  Group ID: Subsystem Group
  Description: Subsystem Group
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Subsystem+Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Trusted+Managers

  Group ID: Administrators
  Description: People who manage the Certificate System
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Administrators

  Group ID: Auditors
  Description: People who can read the signed audits
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Auditors

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/ClonedSubsystems

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Security+Domain+Administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Enterprise+KRA+Administrators
----------------------------
Number of entries returned 8
----------------------------
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/logout
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/logout
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 204 No Content
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Date: Sat, 01 Apr 2017 12:27:06 GMT
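
The two traces above differ only in which subsystem prefix the client puts in front of `/rest/admin/groups`: without `-t` the request goes to `/ca/...` and gets a 404 from an instance whose KRA listens on that port, with `-t kra` it goes to `/kra/...` and succeeds. The following is an added illustration written for this report, not code from pki-core or the Dogtag project. It models the resolution rule a client should apply (an explicit `-t` wins, otherwise the subsystem prefix of the command name, and only then a default) beside the reported behaviour, and adds a small checker that scans `pki -v` output for a request routed to a subsystem other than the one the command belongs to. The list of subsystem names and the sample log lines are constructed for the example.

```python
"""Model of subsystem resolution in a PKI command-line client, plus a
checker for misrouted requests in verbose client output.

Added illustration for this bug report; not pki-core's own code. The
resolution rule below is an assumption about the intended behaviour.
"""

import re

# Assumed set of subsystem prefixes a command name may start with.
KNOWN_SUBSYSTEMS = {"ca", "kra", "ocsp", "tks", "tps"}


def resolve_subsystem(command, explicit_type=None, default="ca"):
    """Return the subsystem whose REST API the command must be sent to.

    Precedence: the -t value if given, then the prefix of the command
    name (kra-group-find -> kra), then the default.
    """
    if explicit_type:
        return explicit_type
    prefix = command.split("-", 1)[0]
    if prefix in KNOWN_SUBSYSTEMS:
        return prefix
    return default


def buggy_resolve_subsystem(command, explicit_type=None, default="ca"):
    """Behaviour described in the report: without -t, the command prefix
    is ignored and the request is sent to the default subsystem."""
    return explicit_type or default


def admin_groups_path(subsystem):
    """REST path used by the group-find command for a given subsystem."""
    return f"/{subsystem}/rest/admin/groups"


REQUEST_RE = re.compile(r"^HTTP request: \w+ /(\w+)/rest/")
MODULE_RE = re.compile(r"^Module: (\w+)$")


def find_misrouted_requests(log_lines):
    """Scan verbose client output for requests sent to the wrong subsystem.

    The first 'Module:' line naming a known subsystem identifies the
    command's subsystem. Every later request whose path prefix is a
    different known subsystem is reported as (line_number, prefix).
    Requests under the shared /pki/ prefix (e.g. /pki/rest/info) are
    not subsystem-specific and are ignored.
    """
    module = None
    findings = []
    for number, line in enumerate(log_lines, 1):
        m = MODULE_RE.match(line)
        if m and module is None and m.group(1) in KNOWN_SUBSYSTEMS:
            module = m.group(1)
            continue
        r = REQUEST_RE.match(line)
        if r and module:
            prefix = r.group(1)
            if prefix in KNOWN_SUBSYSTEMS and prefix != module:
                findings.append((number, prefix))
    return findings


# Constructed sample, condensed from the shape of the failing trace above.
SAMPLE_LOG = """\
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP request: GET /kra/rest/account/login HTTP/1.1
Module: group
Module: find
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 404 Not Found
""".splitlines()


if __name__ == "__main__":
    cmd = "kra-group-find"
    print("reported:", admin_groups_path(buggy_resolve_subsystem(cmd)))
    print("expected:", admin_groups_path(resolve_subsystem(cmd)))
    print("with -t: ", admin_groups_path(resolve_subsystem(cmd, "kra")))
    for number, prefix in find_misrouted_requests(SAMPLE_LOG):
        print(f"line {number}: request routed to '{prefix}' subsystem")
```

Running the checker over a full `pki -v` capture is a quick way to confirm whether a failure like the 404 above is a routing problem in the client rather than a missing group or a permissions issue on the server.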

Comment 2 Matthew Harmsen 2017-03-30 21:18:14 UTC
Upstream ticket:
https://pagure.io/dogtagpki/issue/2626

Comment 3 Endi Sukma Dewata 2017-03-31 01:48:10 UTC
Fixed in master:
* 1d3216aece7381cbac7b812dfbb969b466b31abe

Comment 5 Roshni 2017-05-15 18:57:25 UTC
[root@auto-hv-02-guest10 certdb]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Wed 10 May 2017 10:43:30 AM EDT
Group       : System Environment/Daemons
Size        : 2299431
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Tue 09 May 2017 09:23:16 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

[root@auto-hv-02-guest10 certdb]# pki -d . -c redhat -n "PKI KRA Administrator for Example.Org" -h auto-hv-02-guest10.idmqe.lab.eng.bos.redhat.com -p 21080 kra-group-find
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager

  Group ID: Subsystem Group
  Description: Subsystem Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance

  Group ID: Administrators
  Description: People who manage the Certificate System

  Group ID: Auditors
  Description: People who can read the signed audits

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
----------------------------
Number of entries returned 8
----------------------------

Comment 6 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110