Bug 1445088

Summary: profile modification cannot remove existing config parameters
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Fraser Tweedale <ftweedal>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: bbhavsar, edewata, ftweedal
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.4.1-3.el7
Doc Type: Bug Fix
Doc Text:
Updating the `LDAPProfileSubsystem` profile now supports removing attributes.

Previously, when updating the `LDAPProfileSubsystem` profile on PKI Server, attributes could not be removed. As a result, PKI Server was unable to load the profile or issue certificates after updating the profile in certain situations. A patch has been applied, and now PKI Server clears the existing profile configuration before loading the new configuration. As a result, updates in the `LDAPProfileSubsystem` profile can now remove configuration attributes.
Last Closed: 2017-08-01 22:50:57 UTC

Description Matthew Harmsen 2017-04-24 21:54:56 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2588

When modifying a profile via `PUT /ca/rest/profile/{id}/raw`,
existing config parameters that are not present
in the updated configuration remain after update.

Comment 3 Fraser Tweedale 2017-04-26 07:53:10 UTC
Fixed upstream:

* 62419afd831039e7487ba184c6bf8f876f4d21da ProfileService: clear profile attributes when modifying
* 6562b05a73090c0f7882a9684a8ceac2666e4401 ISourceConfigStore: add clear() method to interface
* 8caedd6723f4885d4aff2348aa3d9fc850627aa1 LDAPProfileSubsystem: avoid duplicating logic in superclass

Comment 5 bhavik 2017-05-12 10:53:36 UTC
Hi Fraser, could you please add verification steps for this bug?

Comment 6 Endi Sukma Dewata 2017-05-18 16:41:19 UTC
Here are the verification steps:

1. Disable a profile. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-disable caServerCert

2. Edit the profile configuration using the pki CLI. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-edit caServerCert

3. Delete some attributes from the configuration. For example, remove policy #8:

  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)

4. Retrieve the profile configuration. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-show caServerCert

The deleted attributes (i.e. policy #8) should no longer exist.
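As an added illustration (not code from this report or from the Dogtag project), the following Python models the behaviour described in the bug report and the verification steps above: a raw profile dump is parsed, the edited configuration is loaded either by merging into the existing store (the pre-fix behaviour) or after clearing it first (the fix), and the result is checked for policy keys whose index is no longer in `policyset.serverCertSet.list`. The sample profile is constructed, trimmed to three policies of the caServerCert layout.

```python
import re

def parse_raw(text):
    """Parse the key=value lines of a raw profile dump (blank and # lines skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def update_profile(store, new_raw, clear_first):
    """Load new_raw into store. clear_first=False mimics the pre-fix merge that
    leaves stale keys behind; clear_first=True is the fixed behaviour."""
    if clear_first:
        store.clear()
    store.update(parse_raw(new_raw))
    return store

def orphan_policy_keys(cfg):
    """Policy keys whose index is missing from policyset.<set>.list: the leftovers
    the verification step expects to be gone after the edit."""
    orphans = []
    for setname in cfg.get("policyset.list", "").split(","):
        listed = set(filter(None, cfg.get(f"policyset.{setname}.list", "").split(",")))
        pat = re.compile(rf"^policyset\.{re.escape(setname)}\.(\d+)\.")
        for key in cfg:
            m = pat.match(key)
            if m and m.group(1) not in listed:
                orphans.append(key)
    return sorted(orphans)

# Constructed sample, trimmed to three policies of the caServerCert layout.
ORIGINAL = """\
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,8
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
"""
# The same profile with policy #8 removed, as in step 3 of the verification.
EDITED = "\n".join(l for l in ORIGINAL.splitlines() if ".8." not in l).replace("list=1,2,8", "list=1,2")
```

Running `orphan_policy_keys` over the result of `update_profile(..., clear_first=False)` lists the stale `policyset.serverCertSet.8.*` keys; with `clear_first=True` the list is empty, which is the state `ca-profile-show --raw` should report after the fix.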

Comment 7 bhavik 2017-05-22 09:20:12 UTC
Bug verified on build

root@pki1 ansible # rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Mon 15 May 2017 05:29:53 PM IST
Group       : System Environment/Base
Size        : 2086209
License     : GPLv2
Signature   : RSA/SHA256, Wed 10 May 2017 09:03:58 AM IST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Wed 10 May 2017 06:53:16 AM IST
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

Steps followed:

root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-disable caServerCert
-------------------------------
Disabled profile "caServerCert"
-------------------------------

root@pki1 ansible # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output beforeprofilemodify
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to beforeprofilemodify
-------------------------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Delete some attributes from the configuration. For example, remove policy #8:
 
  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert 
----------------------
Profile "caServerCert"
----------------------
  Profile ID: caServerCert
  Name: Manual Server Certificate Enrollment
  Description: This certificate profile is for enrolling server certificates.

  Name: Certificate Request Input
  Class: certReqInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Certificate Request Type
    Attribute Syntax: cert_request_type

    Attribute Name: cert_request
    Attribute Description: Certificate Request
    Attribute Syntax: cert_request

  Name: Requestor Information
  Class: submitterInfoInputImpl

    Attribute Name: requestor_name
    Attribute Description: Requestor Name
    Attribute Syntax: string

    Attribute Name: requestor_email
    Attribute Description: Requestor Email
    Attribute Syntax: string

    Attribute Name: requestor_phone
    Attribute Description: Requestor Phone
    Attribute Syntax: string

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --raw

#Fri May 19 20:35:50 IST 2017
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
input.i2.class_id=submitterInfoInputImpl
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
output.o1.class_id=certOutputImpl
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=-
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
output.list=o1
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
input.list=i1,i2
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
visible=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
desc=This certificate profile is for enrolling server certificates.
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
profileId=caServerCert
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
auth.class_id=
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
enable=false
policyset.serverCertSet.1.constraint.params.pattern=.*CN\=.*
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
input.i1.class_id=certReqInputImpl
enableBy=admin
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.list=1,2,3,4,5,6,7
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
name=Manual Server Certificate Enrollment
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
/bin/bash=indent\: command not found
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.name=
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.list=serverCertSet
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.name=AIA Extension Default
classId=caEnrollImpl
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.1.constraint.params.accept=true


root@pki1 ~ # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output aftereditingprofile
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to aftereditingprofile
-------------------------------------------------

root@pki1 ~ # diff beforeprofilemodify aftereditingprofile
8c8
<     <enabledBy>admin</enabledBy>
---
>     <enabledBy>caadmin</enabledBy>
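Review bot: the 8c8 hunk changes `enabledBy` from `admin` to `caadmin`, which is unrelated to the policy #8 removal this verification checks, and the raw dump earlier in this comment still shows `enableBy=admin`; stating which step produced that change would keep the diff limited to the attributes deliberately removed.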
496,522d495
<                 </constraint>
<             </value>
<             <value id="8">
<                 <def id="Signing Alg" classId="signingAlgDefaultImpl">
<                     <description>This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA512withRSA</description>
<                     <policyAttribute name="signingAlg">
<                         <Descriptor>
<                             <Syntax>choice</Syntax>
<                             <Constraint>SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint>
<                             <Description>Signing Algorithm</Description>
<                         </Descriptor>
<                     </policyAttribute>
<                     <params name="signingAlg">
<                         <value>-</value>
<                     </params>
<                 </def>
<                 <constraint id="No Constraint">
<                     <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</description>
<                     <classId>signingAlgConstraintImpl</classId>
<                     <constraint id="signingAlgsAllowed">
<                         <descriptor>
<                             <Syntax>string</Syntax>
<                             <Description>Allowed Signing Algorithms</Description>
<                             <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue>
<                         </descriptor>
<                         <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</value>
<                     </constraint>

Comment 9 Fraser Tweedale 2017-07-24 01:06:10 UTC
Doc text is perfect.

Comment 10 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110