Bug 1464591

Summary: CC: need CMC enrollment profiles for system certificates
Product: Red Hat Enterprise Linux 7
Reporter: Christina Fu <cfu>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.4
CC: edewata, gkapoor, mharmsen, msauton, pasik, pbokoc
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Doc Type: No Doc Update
Doc Text: https://bugzilla.redhat.com/show_bug.cgi?id=1518180#c7
Clone Of:
: 1469446 1487278
Last Closed: 2018-04-10 16:58:29 UTC
Type: Bug
Bug Blocks: 1404413, 1469446, 1518180
Attachments: First part patch to support non-TMS CMC-based installation (flags: none)

Description Christina Fu 2017-06-23 20:50:56 UTC
This is one of the areas that needs to be addressed from:
Bug 1464549 - CC: Installation: allow installation with existing system certificates

The manual steps required to get system certificates would need CMC enrollment profiles for them.

Comment 2 Christina Fu 2017-07-04 01:43:40 UTC
Created attachment 1294020
First part patch to support non-TMS CMC-based installation

This patch contains the following:
* The code in CMCAuth (agent-based) to check the SSL client auth cert against the CMC signing cert
* The non-TMS system enrollment profiles:
  caCMCauditSigningCert.cfg
  caCMCcaCert.cfg
  caCMCkraStorageCert.cfg
  caCMCkraTransportCert.cfg
  caCMCocspCert.cfg
  caCMCserverCert.cfg
  caCMCsubsystemCert.cfg
* New URIs in web.xml as new access points

It should allow https://bugzilla.redhat.com/show_bug.cgi?id=1464549 to be tested against a non-TMS CMC-based installation should it become available.

Comment 3 Christina Fu 2017-07-07 00:41:11 UTC
Comment on attachment 1294020
First part patch to support non-TMS CMC-based installation

A slightly updated patch has been submitted to pkidevel for review.

Usage examples can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

Comment 4 Christina Fu 2017-07-08 00:03:00 UTC
pushed to Dogtag master:
https://pagure.io/dogtagpki/issue/2757#comment-447880

Comment 7 Geetika Kapoor 2018-01-31 11:27:31 UTC
Trying to test this bugzilla with CC setup but stuck in https://bugzilla.redhat.com/show_bug.cgi?id=1536938#c11

Comment 8 Geetika Kapoor 2018-02-14 08:18:22 UTC
Test Steps:
==========

This is tested as mentioned in http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Examples_.28System_Certificates.29.

However, when we try to use the signed certs for setting up:
1. SubCA -- https://bugzilla.redhat.com/show_bug.cgi?id=1520253
2. OCSP -- https://bugzilla.redhat.com/show_bug.cgi?id=1540687
3. ExternalCA ECC -- https://bugzilla.redhat.com/show_bug.cgi?id=1544843

There are some practical issues for which Bugzillas have been raised for review.
All these bugs mentioned above are seen in HSM environment.

Comment 11 errata-xmlrpc 2018-04-10 16:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925