Bug 1447762

Summary: pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent    
Version: 7.4CC: arubin, dsirrine, edewata, mharmsen, msauton, pbokoc
Target Milestone: rcKeywords: Reopened, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.4.1-8.el7 Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates invalid *NSS* database passwords Prior to this update, "pkispawn" generated a random password for the *NSS* database which in some cases contained a backslash (`\`) character. This caused problems when *NSS* established *SSL* connections, which in turn caused the installation to fail with a `ACCESS_SESSION_ESTABLISH_FAILURE` error. This update ensures that the randomly generated password can not contain the backslash character and a connection can always be established, allowing the installation to finish successfully.
 Story Points: ---
Clone Of:
: 1462973 1463358 (view as bug list) Environment:
Last Closed: 2017-08-01 22:50:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1463358    

Description Roshni 2017-05-03 18:25:20 UTC 
Description of problem:
pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE  

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-3.el7.noarch

How reproducible:
inconsistent

Steps to Reproduce:
1. [DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = 
pki_admin_password = 
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = 
pki_backup_keys = True
pki_backup_password = 
pki_ds_password = 
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

Using the above installation file run pkispawn -s CA -f ca.cfg
2.
3.

Actual results:
pkispawn fails

Expected results:
pkispawn should be successful

Additional info:
03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup start
[03/May/2017:13:39:58][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[03/May/2017:13:39:58][http-bio-23443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:00][http-bio-23443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:01][http-bio-23443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:02][http-bio-23443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:03][http-bio-23443-exec-5]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:05][http-bio-23443-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:06][http-bio-23443-exec-7]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:07][http-bio-23443-exec-8]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:08][http-bio-23443-exec-9]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:09][http-bio-23443-exec-10]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:10][http-bio-23443-exec-11]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:11][http-bio-23443-exec-12]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:12][http-bio-23443-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:14][http-bio-23443-exec-14]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
Comment 8 Endi Sukma Dewata 2017-06-02 15:29:59 UTC 
The problem only happens if the randomly generated NSS database password contains a backslash character. As a workaround, specify a fixed password without backslash, for example:

  [DEFAULT]
  pki_pin=Secret.123
Comment 9 Red Hat Bugzilla Rules Engine 2017-06-02 16:40:22 UTC 
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Comment 10 Endi Sukma Dewata 2017-06-02 17:14:33 UTC 
Fixed in master:

* https://github.com/dogtagpki/pki/commit/29dbed75f1c214a065cd3bcc438d0584fd980d4f
Comment 12 Matthew Harmsen 2017-06-08 23:59:12 UTC 
*** Bug 1459337 has been marked as a duplicate of this bug. ***
Comment 13 Roshni 2017-06-14 14:09:16 UTC 
[root@cloud-qe-19 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 9.el7
Architecture: noarch
Install Date: Wed 14 Jun 2017 09:37:00 AM EDT
Group       : System Environment/Daemons
Size        : 2308437
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-9.el7.src.rpm
Build Date  : Tue 13 Jun 2017 02:08:27 PM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

pkispawn was successful after trying a couple of times. Do we want to fail pkispawn with an appropriate error message if a pin with \ is provided in the installation file?
Comment 14 Endi Sukma Dewata 2017-06-14 15:39:31 UTC 
Yes, we can add some code to check user-provided password validity and generate the proper error message. Feel free to change the ticket to ASSIGNED or open a new ticket.
Comment 15 Roshni 2017-06-19 19:13:49 UTC 
Opened a new bug for comment 14 https://bugzilla.redhat.com/show_bug.cgi?id=1462973
Comment 17 errata-xmlrpc 2017-08-01 22:50:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110