Bug 1464549

Summary: CC: Installation with CMC
Product: Red Hat Enterprise Linux 7
Reporter: Christina Fu <cfu>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.4
CC: aadhikar, cfu, edewata, gkapoor, mharmsen, pasik
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System supports installing CA, KRA, and OCSP subsystems with CMC

This enhancement provides a mechanism to install CA, KRA, or OCSP subsystems with Certificate Management over CMS (CMC). The installation will be done in two steps. The first step of the installation will generate the Certificate Signing Requests (CSR) for the system certificates. The CSRs can be used to issue the system certificates using CMC. The second step of the installation will use these system certificates and complete the subsystem installation.
Last Closed: 2018-04-10 16:58:29 UTC
Type: Bug

Description Christina Fu 2017-06-23 18:08:46 UTC
This came out of the PP requirement: FIA_CMC_EXT.1.3

Basically, when a subordinate CA acts as a client to its superior CA, the cert requests and responses should be carried in CMC format and protocol.

Since retrofitting CMC into the existing installation system is not feasible, as installation is a "one-time thing" that doesn't happen often, our plan is to give some manual CC setup steps with the assistance of some code changes:

* for sub-CAs, just give instructions on manual CMC request generation and submission to the superior CA, and then use the "existing CA" feature to install
* for non-CA subsystems, such as KRA, OCSP, TPS, and TKS, we need some (possibly not a lot of) changes to allow pre-existing system certificates to be used. We add instructions on manual CMC request generation and submission to the CA before directing people to use this new "existing all subsystems" feature.

For the above, there is already a ticket:
https://pagure.io/dogtagpki/issue/2280

Another area that needs to be covered is a set of system certificate profiles for CMC requests to complete the above strategy.

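The two-step flow described in the Doc Text and in the description above (pkispawn step one emits CSRs, the CSRs are enrolled over CMC, step two consumes the issued certificates) can be driven with the pki-tools CLIs CMCRequest, HttpClient and CMCResponse. The script below is an added example, not code from this bug or from the pki project. Hostnames, ports, NSS database paths, nicknames and passwords are placeholders; the CMCRequest/HttpClient config fields, the caCMC* profile names and the pkispawn key names follow the 10.5-era wiki pages linked in this bug and should be checked against the pkispawn documentation for the version actually installed.

```shell
#!/bin/sh
# Added example: CMC leg of a two-step Dogtag subsystem install.
# Requires pki-tools and a reachable CA; a CMC agent certificate must
# already be present in $NSSDB. All values below are placeholders.
CA_HOST=${CA_HOST:-ca.example.com}
CA_PORT=${CA_PORT:-8443}
NSSDB=${NSSDB:-$HOME/.dogtag/nssdb}
AGENT_NICK=${AGENT_NICK:-"CMC Agent"}
NSSDB_PW=${NSSDB_PW:-Secret.123}

# System certificate kind -> CMC system cert enrollment profile on the CA
# (profile names as listed on the PKI 10.4 CMC feature wiki page).
cmc_profile_for() {
    case "$1" in
        ca_signing)    echo caCMCcaCert ;;
        ocsp_signing)  echo caCMCocspCert ;;
        audit_signing) echo caCMCauditSigningCert ;;
        subsystem)     echo caCMCsubsystemCert ;;
        sslserver)     echo caCMCserverCert ;;
        kra_storage)   echo caCMCkraStorageCert ;;
        kra_transport) echo caCMCkraTransportCert ;;
        *) echo "unknown certificate kind: $1" >&2; return 1 ;;
    esac
}

# CMCRequest config: wrap a PKCS#10 CSR from pkispawn step one in a CMC
# request signed by the agent certificate held in the NSS database.
# $1 csr  $2 cmc output  $3 nssdb dir  $4 agent nickname  $5 nssdb password  $6 config path
write_cmc_request_cfg() {
    cat > "$6" <<EOF
numRequests=1
input=$1
output=$2
tokenname=internal
nickname=$4
dbdir=$3
password=$5
format=pkcs10
EOF
}

# HttpClient config: post the CMC request over TLS with the agent cert as
# client auth; profileId selects the system certificate profile.
# $1 ca host  $2 https port  $3 cmc input  $4 response output  $5 nssdb dir
# $6 agent nickname  $7 nssdb password  $8 profile id  $9 config path
write_httpclient_cfg() {
    cat > "$9" <<EOF
host=$1
port=$2
secure=true
input=$3
output=$4
tokenname=internal
dbdir=$5
clientmode=true
password=$7
nickname=$6
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=$8
EOF
}

# pkispawn step-two fragment for a CA installed with an externally (CMC)
# issued signing certificate. Key names are an assumption taken from the
# "Installing CA with External CA Signing Certificate" wiki page.
# $1 issued CA signing cert  $2 issuer chain  $3 output fragment
write_ca_step_two_cfg() {
    cat > "$3" <<EOF
pki_external=True
pki_external_step_two=True
pki_ca_signing_cert_path=$1
pki_cert_chain_path=$2
EOF
}

# Round trip for one system certificate: CSR -> CMC -> CA -> certificate.
# $1 kind (see cmc_profile_for)  $2 csr from step one  $3 cert output
enroll_system_cert() {
    kind=$1; csr=$2; cert=$3
    profile=$(cmc_profile_for "$kind") || return 1
    write_cmc_request_cfg "$csr" "$kind.cmc" "$NSSDB" "$AGENT_NICK" "$NSSDB_PW" "$kind.req.cfg"
    CMCRequest "$kind.req.cfg" || return 1
    write_httpclient_cfg "$CA_HOST" "$CA_PORT" "$kind.cmc" "$kind.cmc.resp" \
        "$NSSDB" "$AGENT_NICK" "$NSSDB_PW" "$profile" "$kind.http.cfg"
    HttpClient "$kind.http.cfg" || return 1
    # -o extracts the issued certificate from the CMC response (10.5 syntax, assumed)
    CMCResponse -d "$NSSDB" -i "$kind.cmc.resp" -o "$cert"
}
```

Usage after pkispawn step one has written the CSRs: `enroll_system_cert ca_signing ca_signing.csr ca_signing.crt`, then `write_ca_step_two_cfg ca_signing.crt chain.crt step2.cfg`, append the fragment to the deployment config and run pkispawn again for step two. Non-CA subsystems repeat enroll_system_cert once per system certificate (ocsp_signing, audit_signing, subsystem, sslserver, or the KRA storage and transport certs) and point the matching pki_*_cert_path keys at the results. Inspect the CMC response status with CMCResponse before handing a certificate to step two; a rejected request still produces a response file.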
Comment 2 Christina Fu 2017-07-08 00:06:42 UTC
note that the cmc system cert enrollment profiles have been pushed to Dogtag master.
See Usage info here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

Comment 6 Geetika Kapoor 2017-12-06 07:35:01 UTC
Test Environment:
================

rpm -qa pki-*
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-console-10.5.1-2.el7pki.noarch
pki-server-10.5.1-4.el7.noarch
pki-ca-10.5.1-4.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-base-java-10.5.1-4.el7.noarch
pki-tps-10.5.1-4.el7pki.x86_64
pki-core-debuginfo-10.5.1-4.el7pki.x86_64
pki-javadoc-10.5.1-1.el7.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-symkey-10.5.1-4.el7.x86_64
pki-tks-10.5.1-4.el7pki.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-tools-10.5.1-4.el7.x86_64
pki-ocsp-10.5.1-4.el7pki.noarch
pki-base-10.5.1-4.el7.noarch
pki-kra-10.5.1-4.el7.noarch


While testing http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
I ran into https://bugzilla.redhat.com/show_bug.cgi?id=1520526.

Please have a look.

Comment 7 Endi Sukma Dewata 2018-01-18 19:21:44 UTC
Bug #1520526 has been fixed. Please retest when the build becomes available. Thanks.

Comment 8 Geetika Kapoor 2018-02-01 07:35:34 UTC
Test Bits:
=========

rpm -qa nss* pki-* jss*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
jss-4.4.0-11.el7.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64


Testing:
========
Test case 1: http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate
-------------------------------------------------------------------------------------------------

-- This was tested with the HSM soft-token because the Thales HSM is currently failing because of https://bugzilla.redhat.com/show_bug.cgi?id=1535797.

Testing configs for ExternalCA with CMC are attached along with logs.

After installation, verification is done by signing a caUserCert.

[root@csqa4-guest04 75_cfg_working]# pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
------------------------------
Approved certificate request 6
------------------------------
  Request ID: 6
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6

pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------

Test Case 2:http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
-----------------------------------------------------------------------------------------

Currently it is failing during OCSP installation.
https://bugzilla.redhat.com/show_bug.cgi?id=1540687

If I find some time I will try to debug it more.


Test Case 3: http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates
----------------------------------------------------------------------------------------

Since this part was tested by Akshay I will let him update status on this.

Comment 10 Geetika Kapoor 2018-02-14 08:11:49 UTC
Testing is done as mentioned above in comment 8, but there are a few failures for which bugs have been raised. Without testing the below, we can't consider testing complete for this feature.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1540687
2. https://bugzilla.redhat.com/show_bug.cgi?id=1544843

KRA is tested based on CC setup instructions.

Comment 13 errata-xmlrpc 2018-04-10 16:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

Comment 14 Akshay Adhikari 2018-06-05 05:14:34 UTC
The information has already been provided.