Bug 1447144

| Field | Value |
|---|---|
| Summary | CA brought down during separate KRA instance creation |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Christina Fu <cfu> |
| Component | pki-core |
| Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified |
| Docs Contact | Petr Bokoc <pbokoc> |
| Priority | unspecified |
| Version | 7.4 |
| CC | arubin, cfu, edewata, jmagne, mharmsen, pbokoc, rpattath, ssidhaye |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.4.1-8.el7 |
| Doc Type | Enhancement |
| Story Points | --- |
| Last Closed | 2017-08-01 22:50:57 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Doc Text:

Section headers in the PKI deployment configuration file are no longer case sensitive

The section headers (such as `[Tomcat]`) in the PKI deployment configuration file were previously case-sensitive. This behavior increased the chance of an error while providing no benefit. Starting with this release, section headers in the configuration file are case-insensitive, reducing the chance of an error occurring.
Description

Christina Fu, 2017-05-01 23:35:40 UTC

Created attachment 1275498 [details]: ca pkispawn config file

Created attachment 1275499 [details]: kra pkispawn config file
Snippet of the log that shows how the CA seemed to be doing fine, but right after an audit event eventType=ACCESS_SESSION_TERMINATED is written, the CA suddenly shut down:

```
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Roles:
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Certificate Manager Agents
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Security Domain Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise CA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise KRA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise OCSP Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise TKS Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise RA Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: PKIRealm: Enterprise TPS Administrators
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SessionContextInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SessionContextInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: mapping: account
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[02/May/2017:08:56:24][http-bio-18443-exec-2]: AuthMethodInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: will use authz manager DirAclAuthz
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: mapping: account.login
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: loading /usr/share/pki/ca/conf/acl.properties
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: checking /var/lib/pki/pki-ca-0502/ca/conf/acl.properties
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login
[02/May/2017:08:56:24][http-bio-18443-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-2]: evaluating expressions: user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-2]: evaluated expression: user="anybody" to be true
[02/May/2017:08:56:24][http-bio-18443-exec-2]: DirAclAuthz: authorization passed
[02/May/2017:08:56:24][http-bio-18443-exec-2]: ACLInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-2]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: AccountResource.login()
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: content-type: null
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: accept: [application/json]
[02/May/2017:08:56:24][http-bio-18443-exec-2]: MessageFormatInterceptor: response format: application/json
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SessionContextInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SessionContextInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: mapping: account
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
[02/May/2017:08:56:24][http-bio-18443-exec-3]: AuthMethodInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: principal: caadmin
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: will use authz manager DirAclAuthz
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: mapping: account.logout
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: ACL: certServer.ca.account,logout
[02/May/2017:08:56:24][http-bio-18443-exec-3]: checkACLS(): ACLEntry expressions= user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-3]: evaluating expressions: user="anybody"
[02/May/2017:08:56:24][http-bio-18443-exec-3]: evaluated expression: user="anybody" to be true
[02/May/2017:08:56:24][http-bio-18443-exec-3]: DirAclAuthz: authorization passed
[02/May/2017:08:56:24][http-bio-18443-exec-3]: ACLInterceptor: access granted
[02/May/2017:08:56:24][http-bio-18443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: AccountResource.logout()
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: content-type: null
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[02/May/2017:08:56:24][http-bio-18443-exec-3]: MessageFormatInterceptor: response format: application/json
[02/May/2017:08:56:45][http-bio-18443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[02/May/2017:08:56:46][localhost-startStop-2]: CMSEngine.shutdown()
```

---

These are the config files I used, and I did not see this issue:

```
[root@pki1 ~]# cat /tmp/test_dir/ca.cfg
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = Secret123
pki_backup_keys = True
pki_backup_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

[root@pki1 ~]# cat /tmp/test_dir/kra.cfg
[DEFAULT]
pki_instance_name = topology-02-KRA
pki_https_port = 21443
pki_http_port = 21080
pki_token_password = Secret123
pki_admin_password = Secret123
pki_hostname = pki1.example.com
pki_security_domain_hostname = pki1.example.com
pki_security_domain_https_port = 20443
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-KRA
pki_client_pkcs12_password = Secret123
pki_backup_keys = True
pki_backup_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 3389
pki_client_database_password = Secret123
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
[Tomcat]
pki_ajp_port = 21009
pki_tomcat_server_port = 21005
[KRA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI KRA Administrator for Example.Org
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA

[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Wed 03 May 2017 01:28:24 PM EDT
Group       : System Environment/Daemons
Size        : 2299369
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tue 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority
```

---

It looks like the section header in the deployment configuration is case-sensitive, so [TOMCAT] should have been written as [Tomcat] as shown in /etc/pki/default.cfg.

Christina, could you try again with the correct [Tomcat] header for both CA and KRA? Thanks.

---

(In reply to Endi Sukma Dewata from comment #16)
> It looks like the section header in the deployment configuration is case
> sensitive so [TOMCAT] should have been written as [Tomcat] as shown in
> /etc/pki/default.cfg.
>
> Christina, could you try again with the correct [Tomcat] header for both CA
> and KRA? Thanks.

edewata: I could check that, as the replication is on my laptop; I will try to replicate it with that change.

---

```
commit ea036b22d7d15cefb8f7a56e9c9781b545dec8ee
Author: Matthew Harmsen <mharmsen>
Date:   Wed May 17 17:17:42 2017 -0600

    Correct section headings in user deployment configuration file

    Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation
    dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance creation
```

---

Build used for verification:

```
[root@pki1 ~]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 6.el7
Architecture: noarch
Install Date: Thursday 25 May 2017 02:19:29 AM EDT
Group       : System Environment/Base
Size        : 2086704
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-6.el7.src.rpm
Build Date  : Tuesday 23 May 2017 04:37:48 PM EDT
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework
```

ca.cfg:

```
[DEFAULT]
pki_instance_name=pki-ca
pki_admin_email=admin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=example,dc=com
pki_ds_database=pki-ca
pki_ds_ldap_port = 389
pki_ds_password=Secret123
pki_ds_remove_data=True
pki_http_port=18080
pki_https_port=18443
pki_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_name=ExampleCom
[TOMCAT]
pki_ajp_port=18009
pki_tomcat_server_port=18005
```

kra.cfg:

```
[DEFAULT]
pki_instance_name=pki-kra
pki_admin_cert_file=/root/.dogtag/pki-kra/ca_admin.cert
pki_admin_email=admin
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret123
pki_admin_uid=kraadmin
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=example,dc=com
pki_ds_database=pki-kra
pki_ds_password=Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_ds_remove_data=True
pki_token_password=Secret123
pki_http_port=28080
pki_https_port=28443
pki_hostname=pki.example.com
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
[TOMCAT]
pki_ajp_port=28009
pki_tomcat_server_port=28005
[KRA]
pki_import_admin_cert=False
```

```
[root@pki1 ~]# setup-ds.pl --silent --file=ldap.cfg
Your new DS instance 'test-ldap' was successfully created.
Exiting . . .
Log file is '/tmp/setup_fb1Ke.log'

[root@pki1 ~]# pkispawn -s CA -f ca.cfg
Log file: /var/log/pki/pki-ca-spawn.20170529030743.log
Loading deployment configuration from ca.cfg.
Installing CA into /var/lib/pki/pki-ca.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-ca/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:        /root/.dogtag/pki-ca/ca_admin_cert.p12
      Administrator's certificate nickname: PKI Administrator for example.com
      Administrator's certificate database: /root/.dogtag/pki-ca/ca/alias

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki.example.com:18443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@pki1 ~]# vim kra.cfg
[root@pki1 ~]# pkispawn -s KRA -f kra.cfg
Log file: /var/log/pki/pki-kra-spawn.20170529031955.log
Loading deployment configuration from kra.cfg.
Installing KRA into /var/lib/pki/pki-kra.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-kra/kra/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin
      Administrator's PKCS #12 file:        /root/.dogtag/pki-kra/kra_admin_cert.p12

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki.example.com:28443/kra

      PKI instances will be enabled upon system boot

    ==========================================================================
```

---

As discussed on IRC, the previous patch generates unnecessary backups of the deployment configuration file. It's been fixed in the following patch:

```
commit 772e05e746570c13afeb60516c07a3fb95ca3e78
Author: Endi S. Dewata <edewata>
Date:   Thu Jun 1 23:38:04 2017 +0200

    Removed superfluous deployment configuration backup.

    The pkispawn has been modified to generate a temporary backup file
    (instead of permanent and timestamped backup files) of the deployment
    configuration file before normalizing its content. The temporary
    backup will be removed automatically when the normalization is
    complete.

    https://pagure.io/dogtagpki/issue/2674
```

---

Build used for verification:

```
[root@vm-idm-027 config_templates]# pki --version
PKI Command-Line Interface 10.4.1-8.el7

[root@vm-idm-027 config_templates]# rpm -qi pki-server
Name        : pki-server
Version     : 10.4.1
Release     : 8.el7
Architecture: noarch
Install Date: Monday 12 June 2017 08:51:06 AM IST
Group       : System Environment/Base
Size        : 4630365
License     : GPLv2
Signature   : RSA/SHA256, Wednesday 07 June 2017 06:34:39 AM IST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-8.el7.src.rpm
Build Date  : Tuesday 06 June 2017 10:16:27 AM IST
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Server Framework

[root@vm-idm-027 config_templates]# ls
ca.cfg  kra.cfg  ldap.cfg  ocsp.cfg  setup_cs.sh  tks.cfg  tps.cfg

[root@vm-idm-027 config_templates]# ./setup_cs.sh
Your new DS instance 'testingmaster' was successfully created.
Exiting . . .
Log file is '/tmp/setupUcWHC5.log'

Log file: /var/log/pki/pki-ca-spawn.20170612120605.log
Loading deployment configuration from ca.cfg.
Installing CA into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:        /opt/FoobarCAmaster/ca_admin_cert.p12

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki11.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-kra-spawn.20170612120706.log
Loading deployment configuration from kra.cfg.
Installing KRA into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/kra/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki11.example.com:8443/kra

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-ocsp-spawn.20170612120818.log
Loading deployment configuration from ocsp.cfg.
Installing OCSP into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/ocsp/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             ocspadmin

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki11.example.com:8443/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-tks-spawn.20170612120935.log
Loading deployment configuration from tks.cfg.
Installing TKS into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/tks/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tksadmin

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki11.example.com:8443/tks

      PKI instances will be enabled upon system boot

    ==========================================================================

Log file: /var/log/pki/pki-tps-spawn.20170612121056.log
Loading deployment configuration from tps.cfg.
Installing TPS into /var/lib/pki/FoobarCAmaster.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/FoobarCAmaster/tps/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tpsadmin

      To check the status of the subsystem: systemctl status pki-tomcatd
      To restart the subsystem:             systemctl restart pki-tomcatd

      The URL for the subsystem is:         https://pki11.example.com:8443/tps

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@vm-idm-027 config_templates]# ls
ca.cfg  kra.cfg  ldap.cfg  ocsp.cfg  setup_cs.sh  tks.cfg  tps.cfg
[root@vm-idm-027 config_templates]#
```

Backups for deployment configuration files are not generated anymore.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
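An added example, not part of this bug report or of pki-core's own code, of the failure mode the thread describes and of the fix the two commits outline: a case-sensitive INI parser treats `[TOMCAT]` as a section unrelated to `[Tomcat]`, so the ports under it are silently ignored, and a normaliser maps headers onto their canonical spelling with a short-lived backup that is removed once the rewrite succeeds. The canonical section list, the function names and the backup file naming are assumptions.

```python
# Added example (not pki-core's own code): case-insensitive section-header
# normalisation for a pkispawn-style deployment configuration file.
import configparser, os, re, shutil, tempfile

# Canonical section names; the full list is an assumption (the bug report
# itself shows DEFAULT, Tomcat, CA and KRA).
CANONICAL_SECTIONS = ("DEFAULT", "Tomcat", "CA", "KRA", "OCSP", "TKS", "TPS")
_HEADER_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def normalize_sections(text, canonical=CANONICAL_SECTIONS):
    """Return (normalized_text, renames). A header that matches a canonical
    name case-insensitively is rewritten to the canonical spelling; headers
    that match nothing are left untouched."""
    lookup = {name.lower(): name for name in canonical}
    out, renames = [], []
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            given = m.group(1).strip()
            wanted = lookup.get(given.lower())
            if wanted is not None and wanted != given:
                renames.append((given, wanted))
                line = "[%s]" % wanted
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), renames

def tomcat_server_port(text):
    """Read pki_tomcat_server_port the way a case-sensitive parser sees it:
    None when no section is spelled exactly [Tomcat], so a [TOMCAT] block's
    port settings are silently dropped, the misconfiguration this bug hit."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("Tomcat"):
        return None
    return cfg.get("Tomcat", "pki_tomcat_server_port", fallback=None)

def normalize_file(path):
    """Rewrite a config in place; a temporary backup exists only until the
    rewrite succeeds (the approach the second commit describes; the backup
    naming here is an assumption)."""
    fd, backup = tempfile.mkstemp(prefix=os.path.basename(path) + ".",
                                  dir=os.path.dirname(os.path.abspath(path)))
    os.close(fd)
    shutil.copy2(path, backup)
    try:
        with open(path) as f:
            new_text, renames = normalize_sections(f.read())
        with open(path, "w") as f:
            f.write(new_text)
    except Exception:
        shutil.move(backup, path)  # restore the original on failure
        raise
    os.remove(backup)  # success: the temporary backup is not kept
    return renames

# Constructed sample modelled on the [TOMCAT] header from the bug report.
SAMPLE_KRA_CFG = """[DEFAULT]
pki_instance_name=pki-kra
pki_https_port=28443
[TOMCAT]
pki_ajp_port=28009
pki_tomcat_server_port=28005
[KRA]
pki_import_admin_cert=False
"""

if __name__ == "__main__":
    print("before:", tomcat_server_port(SAMPLE_KRA_CFG))  # None
    fixed, renames = normalize_sections(SAMPLE_KRA_CFG)
    print(renames, tomcat_server_port(fixed))  # [('TOMCAT', 'Tomcat')] 28005
```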