Bug 1520526

| Field | Value |
|---|---|
| Summary | p12 admin certificate is missing when certificate is signed Externally |
| Product | Red Hat Enterprise Linux 7 |
| Component | pki-core |
| Version | 7.5 |
| Reporter | Geetika Kapoor <gkapoor> |
| Assignee | Endi Sukma Dewata <edewata> |
| QA Contact | Asha Akkiangady <aakkiang> |
| CC | edewata, lmiksik, mharmsen |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.5.1-6.el7 |
| Doc Type | No Doc Update |
| Type | Bug |
| Last Closed | 2018-04-10 17:02:54 UTC |
Other Observations:
==================
1. Try to create p12 file using:
   Get the ocsp.crt in base 64 format from EE page.
2. `pki -v -d /root/.dogtag/topology-OCSP-EX/ocsp/alias client-cert-import ocspadmin --cert ocsp.crt`
   Make sure ocspadmin cert has trust u,u,u.
   ```
   certutil -L -d /root/.dogtag/topology-OCSP-EX/ocsp/alias
   Certificate Nickname                          Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
   ocspadmin                                     u,u,u
   ```
3. `pk12util -d /root/.dogtag/topology-OCSP-EX/ocsp/alias -n ocspadmin -o ocsp.p12`
   Import the cert in a p12 format.
4.
   ```
   [root@pki1 test]# certutil -L -d .
   Certificate Nickname                          Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
   CA Signing Certificate                        CT,C,C
   RootCA                                        CT,C,C
   caadmin                                       u,u,u
   ocspadmin                                     u,u,u
   [root@pki1 test]# pki -d . -p 31080 -n ocspadmin ocsp-user-find
   PKIException: Unauthorized
   [root@pki1 test]# pki -v -d . -p 31080 -n ocspadmin ocsp-user-find
   PKI options: -v -d .
   PKI command: 31080 -p 31080 -n ocspadmin ocsp-user-find
   Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . --verbose -p 31080 -n ocspadmin ocsp-user-find
   Server URI: http://pki1.example.com:31080
   Client security database: /root/test/.
   Message format: null
   Command: ocsp-user-find
   Initializing security database
   Module: ocsp
   Initializing PKIClient
   HTTP request: GET /pki/rest/info HTTP/1.1
   Accept-Encoding: gzip, deflate
   Accept: application/xml
   Host: pki1.example.com:31080
   Connection: Keep-Alive
   User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
   HTTP response: HTTP/1.1 200 OK
   Server: Apache-Coyote/1.1
   Set-Cookie: JSESSIONID=37DF3C317171DAD1653548F0EB3E34EF; Path=/pki; HttpOnly
   Content-Type: application/xml
   Content-Length: 106
   Date: Mon, 04 Dec 2017 19:04:08 GMT
   HTTP request: GET /ocsp/rest/account/login HTTP/1.1
   Accept-Encoding: gzip, deflate
   Accept: application/xml
   Host: pki1.example.com:31080
   Connection: Keep-Alive
   User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
   HTTP response: HTTP/1.1 302 Found
   Server: Apache-Coyote/1.1
   Cache-Control: private
   Expires: Thu, 01 Jan 1970 05:30:00 IST
   Location: https://pki1.example.com:31443/ocsp/rest/account/login
   Content-Length: 0
   Date: Mon, 04 Dec 2017 19:04:08 GMT
   HTTP redirect: https://pki1.example.com:31443/ocsp/rest/account/login
   Client certificate: ocspadmin
   HTTP request: GET /ocsp/rest/account/login HTTP/1.1
   Accept-Encoding: gzip, deflate
   Accept: application/xml
   Host: pki1.example.com:31443
   Connection: Keep-Alive
   User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
   Server certificate: CN=pki1.example.com,OU=topology-OCSP-EX,O=EXAMPLE
   HTTP response: HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   Cache-Control: private
   Expires: Thu, 01 Jan 1970 05:30:00 IST
   WWW-Authenticate: Basic realm="Online Certificate Status Protocol Manager"
   Content-Type: text/html;charset=utf-8
   Content-Language: en
   Content-Length: 951
   Date: Mon, 04 Dec 2017 19:04:08 GMT
   com.netscape.certsrv.base.PKIException: Unauthorized
           at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
           at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
           at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
           at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
           at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
           at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
           at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
           at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
           at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
           at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
   ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '--verbose', '-p', '31080', '-n', 'ocspadmin', 'ocsp-user-find']' returned non-zero exit status 255
   ```
Debug logs:
===========
```
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: Authenticating certificate chain:
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: started
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Retrieving client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Got client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: Authentication: client certificate found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: In LdapBoundConnFactory::getConn()
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: masterConn is connected: true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: conn is connected true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: mNumConns now 2
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: returnConn: mNumConns now 3
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event AUTH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
```
Created attachment 1362796
Config-logs

Generally we see Subsystem certificates under CA (ou=people,o=topology-02-CA-CA) for various subsystems like:

```
DN: uid=OCSP-pki1.example.com-22443 2;9;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org
DN: uid=TKS-pki1.example.com-23443,ou=people,o=topology-02-CA-CA 2;19;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
```

With ExternalCA:
----------------
Couldn't find such entries for External OCSP.

Fixed in master:
* f54b4a8d08be0dd81a3d98ae3ffc59cf6f350ca6

Fixed in upstream 10.5 branch:
* ffac807486d36e031c1afbcbb2b246536d4ae240

Test build (based on upstream 10.5 branch): https://copr.devel.redhat.com/coprs/edewata/pki-10.5/build/16575/

Updated docs:
* http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
* http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates

There is some delay in testing this because we faced some issues because of the below two bugs. Those are mandatory to test this bugzilla. This is tested in HSM + FIPS as it is a CC requirement.
1. 1535797
2. 1540687
Test Env:
========
```
# rpm -qa pki-*
pki-core-debuginfo-10.5.1-6.1.el7pki.x86_64
pki-base-10.5.1-9.el7.noarch
pki-ca-10.5.1-9.el7.noarch
pki-javadoc-10.5.1-6.1.el7.noarch
pki-tks-10.5.1-6.1.el7pki.noarch
pki-console-10.5.1-4.el7pki.noarch
pki-base-java-10.5.1-9.el7.noarch
pki-server-10.5.1-9.el7.noarch
pki-kra-10.5.1-9.el7.noarch
pki-tps-10.5.1-6.1.el7pki.x86_64
pki-ocsp-10.5.1-6.1.el7pki.noarch
pki-tools-10.5.1-9.el7.x86_64
pki-symkey-10.5.1-9.el7.x86_64
```
Test steps:
==========
1. Generate csr using ocsp installation file.
2. Once the csr are generated for:
   ```
   ==========================================================================
                               INSTALLATION SUMMARY
   ==========================================================================
   The OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance is still incomplete.
   The CSRs for OCSP certificates have been generated in:
       OCSP signing:   ocsp_signing.csr
       subsystem:      subsystem.csr
       SSL server:     sslserver.csr
       audit signing:  ocsp_audit_signing.csr
       admin:          ocsp_admin.csr
   Please obtain the necessary certificate(s) for this subsystem,
   and run installation step two.
   ==========================================================================
   ```
3. Submit the cmc request to externalCA for signing OCSP certificates. Attached are all files for external ocsp installation.
4. Run step2 installation.
5. While running I have made sure that I have provided all pkcs7 certs in the step 2 configuration file.
Installation:
============
```
==========================================================================
                            INSTALLATION SUMMARY
==========================================================================
Administrator's username:             ocspadmin
Administrator's PKCS #12 file:
    /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12
This OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance
has FIPS mode enabled on this operating system.
REMINDER: Don't forget to update the appropriate FIPS
          algorithms in server.xml in the 'gkapoor_RHCS75_externalocsp' instance.
To check the status of the subsystem:
    systemctl status pki-tomcatd
To restart the subsystem:
    systemctl restart pki-tomcatd
The URL for the subsystem is:
    https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8443/ocsp
PKI instances will be enabled upon system boot
==========================================================================
```
Verification:
=============
```
[root@csqa4-guest04 external_ocsp]# pk12util -i /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12 -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@csqa4-guest04 external_ocsp]# pki -d . -n "PKI OCSP Administrator" -c SECret.123 ocsp-user-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=gkapoor_RHCS75_externalocsp,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=gkapoor-ecc-exca0,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:23080/ca
-----------------
3 entries matched
-----------------
  User ID: ocspadmin
  Full name: ocspadmin

  User ID: pkidbuser
  Full name: pkidbuser

  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
----------------------------
Number of entries returned 3
----------------------------
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925

Description of problem:

When OCSP certificate signed using ExternalCA installation output looks like:

```
==========================================================================
                            INSTALLATION SUMMARY
==========================================================================
Administrator's username:             ocspadmin
Administrator's certificate nickname: ocspadmin
Administrator's certificate database: /root/.dogtag/pki-tomcat/ocsp/alias
To check the status of the subsystem:
    systemctl status pki-tomcatd
To restart the subsystem:
    systemctl restart pki-tomcatd
The URL for the subsystem is:
    https://pki1.example.com:8443/ocsp
PKI instances will be enabled upon system boot
==========================================================================
```

Which clearly shows admin (p12) cert is missing.

https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/scriptlets/configuration.py#L1172

The process_admin_cert() is supposed to generate the p12 file, but it's only executed in standalone cases right now. The case we're testing is external, so it didn't get executed.

Version-Release number of selected component (if applicable): 10.5

How reproducible: always

Steps to Reproduce:
1. Sign ocsp certificate in a 2 step process using http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates

Actual results: ocsp p12 admin cert is not getting generated

Expected results: ocsp p12 admin cert should get generated.
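As an added illustration (not code from this bug or from the pki project), the following Python models the gating the description calls out and parses a pkispawn INSTALLATION SUMMARY so a post-install check can flag the missing PKCS #12 file. The `pki_standalone`, `pki_external` and `pki_external_step_two` keys are assumed names for the deployment parameters, and the two summaries are constructed from the text quoted in this bug.

```python
from typing import Optional

# Constructed from the two pkispawn summaries quoted in this bug: before the
# fix (no PKCS #12 line) and the verification run on pki-core-10.5.1-6.el7.
SUMMARY_BEFORE_FIX = """\
Administrator's username: ocspadmin
Administrator's certificate nickname: ocspadmin
Administrator's certificate database: /root/.dogtag/pki-tomcat/ocsp/alias
The URL for the subsystem is:
https://pki1.example.com:8443/ocsp
"""
SUMMARY_AFTER_FIX = """\
Administrator's username: ocspadmin
Administrator's PKCS #12 file:
/root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12
The URL for the subsystem is:
https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8443/ocsp
"""

def admin_p12_path(summary: str) -> Optional[str]:
    """Return the PKCS #12 path announced in an INSTALLATION SUMMARY, or None.
    The path may follow the label on the same line or on the next line."""
    lines = [line.strip() for line in summary.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Administrator's PKCS #12 file:"):
            same_line = line.split(":", 1)[1].strip()
            if same_line:
                return same_line
            if i + 1 < len(lines) and lines[i + 1].endswith(".p12"):
                return lines[i + 1]
    return None

def p12_expected(cfg: dict, fixed: bool = True) -> bool:
    """Model of the gating described in the bug: before the fix the admin
    PKCS #12 was produced only for standalone installs; after it, also for
    step two of an external-CA install (config key names are assumed)."""
    standalone = cfg.get("pki_standalone", "False") == "True"
    external_step_two = (cfg.get("pki_external", "False") == "True"
                         and cfg.get("pki_external_step_two", "False") == "True")
    return standalone or (fixed and external_step_two)

def check_install(summary: str, cfg: dict) -> list:
    """Flag an install whose summary announces no admin PKCS #12 file."""
    findings = []
    path = admin_p12_path(summary)
    if p12_expected(cfg) and path is None:
        findings.append("admin PKCS #12 file missing from installation summary")
    return findings
```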