Bug 1520526
| Field | Value |
|---|---|
| Summary | p12 admin certificate is missing when certificate is signed Externally |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Geetika Kapoor <gkapoor> |
| Component | pki-core |
| Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.5 |
| CC | edewata, lmiksik, mharmsen |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | pki-core-10.5.1-6.el7 |
| Doc Type | No Doc Update |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-04-10 17:02:54 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Geetika Kapoor
2017-12-04 16:07:23 UTC
Other Observations:
==================

1. Try to create p12 file using: Get the ocsp.crt in base 64 format from EE page.

2. Import the certificate:

       pki -v -d /root/.dogtag/topology-OCSP-EX/ocsp/alias client-cert-import ocspadmin --cert ocsp.crt

   Make sure ocspadmin cert has trust u,u,u.

       certutil -L -d /root/.dogtag/topology-OCSP-EX/ocsp/alias

       Certificate Nickname                               Trust Attributes
                                                          SSL,S/MIME,JAR/XPI
       ocspadmin                                          u,u,u

3. Import the cert in a p12 format:

       pk12util -d /root/.dogtag/topology-OCSP-EX/ocsp/alias -n ocspadmin -o ocsp.p12

4. Use the p12 from a fresh client database:

       [root@pki1 test]# certutil -L -d .

       Certificate Nickname                               Trust Attributes
                                                          SSL,S/MIME,JAR/XPI
       CA Signing Certificate                             CT,C,C
       RootCA                                             CT,C,C
       caadmin                                            u,u,u
       ocspadmin                                          u,u,u

       [root@pki1 test]# pki -d . -p 31080 -n ocspadmin ocsp-user-find
       PKIException: Unauthorized

       [root@pki1 test]# pki -v -d . -p 31080 -n ocspadmin ocsp-user-find
       PKI options: -v -d .
       PKI command: 31080 -p 31080 -n ocspadmin ocsp-user-find
       Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . --verbose -p 31080 -n ocspadmin ocsp-user-find
       Server URI: http://pki1.example.com:31080
       Client security database: /root/test/.
       Message format: null
       Command: ocsp-user-find
       Initializing security database
       Module: ocsp
       Initializing PKIClient
       HTTP request: GET /pki/rest/info HTTP/1.1
         Accept-Encoding: gzip, deflate
         Accept: application/xml
         Host: pki1.example.com:31080
         Connection: Keep-Alive
         User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
       HTTP response: HTTP/1.1 200 OK
         Server: Apache-Coyote/1.1
         Set-Cookie: JSESSIONID=37DF3C317171DAD1653548F0EB3E34EF; Path=/pki; HttpOnly
         Content-Type: application/xml
         Content-Length: 106
         Date: Mon, 04 Dec 2017 19:04:08 GMT
       HTTP request: GET /ocsp/rest/account/login HTTP/1.1
         Accept-Encoding: gzip, deflate
         Accept: application/xml
         Host: pki1.example.com:31080
         Connection: Keep-Alive
         User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
       HTTP response: HTTP/1.1 302 Found
         Server: Apache-Coyote/1.1
         Cache-Control: private
         Expires: Thu, 01 Jan 1970 05:30:00 IST
         Location: https://pki1.example.com:31443/ocsp/rest/account/login
         Content-Length: 0
         Date: Mon, 04 Dec 2017 19:04:08 GMT
       HTTP redirect: https://pki1.example.com:31443/ocsp/rest/account/login
       Client certificate: ocspadmin
       HTTP request: GET /ocsp/rest/account/login HTTP/1.1
         Accept-Encoding: gzip, deflate
         Accept: application/xml
         Host: pki1.example.com:31443
         Connection: Keep-Alive
         User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
       Server certificate: CN=pki1.example.com,OU=topology-OCSP-EX,O=EXAMPLE
       HTTP response: HTTP/1.1 401 Unauthorized
         Server: Apache-Coyote/1.1
         Cache-Control: private
         Expires: Thu, 01 Jan 1970 05:30:00 IST
         WWW-Authenticate: Basic realm="Online Certificate Status Protocol Manager"
         Content-Type: text/html;charset=utf-8
         Content-Language: en
         Content-Length: 951
         Date: Mon, 04 Dec 2017 19:04:08 GMT
       com.netscape.certsrv.base.PKIException: Unauthorized
           at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
           at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
           at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
           at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
           at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
           at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
           at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
           at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
           at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
           at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
       ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '--verbose', '-p', '31080', '-n', 'ocspadmin', 'ocsp-user-find']' returned non-zero exit status 255

Debug logs:
===========

    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: Authenticating certificate chain:
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: started
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Retrieving client certificate
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Got client certificate
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: Authentication: client certificate found
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: In LdapBoundConnFactory::getConn()
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: masterConn is connected: true
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: conn is connected true
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: mNumConns now 2
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: returnConn: mNumConns now 3
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuthentication: cannot map certificate to any userUser not found
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event AUTH
    [05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Created attachment 1362796 [details]
Config-logs
Generally we see Subsystem certificates under CA (ou=people,o=topology-02-CA-CA) for various subsystems like:

    DN: uid=OCSP-pki1.example.com-22443
    2;9;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org

    DN: uid=TKS-pki1.example.com-23443,ou=people,o=topology-02-CA-CA
    2;19;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org

With ExternalCA:
----------------
Couldn't find such entries for External OCSP.

Fixed in master:
* f54b4a8d08be0dd81a3d98ae3ffc59cf6f350ca6

Fixed in upstream 10.5 branch:
* ffac807486d36e031c1afbcbb2b246536d4ae240

Test build (based on upstream 10.5 branch):
https://copr.devel.redhat.com/coprs/edewata/pki-10.5/build/16575/

Updated docs:
* http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
* http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates

There is some delay in testing this because we faced some issues because of the two bugs below. Those are mandatory to test this bugzilla. This is tested in HSM + FIPS as it is a CC requirement.
1. 1535797
2. 1540687

Test Env:
========

    # rpm -qa pki-*
    pki-core-debuginfo-10.5.1-6.1.el7pki.x86_64
    pki-base-10.5.1-9.el7.noarch
    pki-ca-10.5.1-9.el7.noarch
    pki-javadoc-10.5.1-6.1.el7.noarch
    pki-tks-10.5.1-6.1.el7pki.noarch
    pki-console-10.5.1-4.el7pki.noarch
    pki-base-java-10.5.1-9.el7.noarch
    pki-server-10.5.1-9.el7.noarch
    pki-kra-10.5.1-9.el7.noarch
    pki-tps-10.5.1-6.1.el7pki.x86_64
    pki-ocsp-10.5.1-6.1.el7pki.noarch
    pki-tools-10.5.1-9.el7.x86_64
    pki-symkey-10.5.1-9.el7.x86_64

Test steps:
==========
1. Generate the CSRs using the OCSP installation file.
2. Once the CSRs are generated for:

       ==========================================================================
                                   INSTALLATION SUMMARY
       ==========================================================================

         The OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance is still incomplete.

         The CSRs for OCSP certificates have been generated in:
             OCSP signing:   ocsp_signing.csr
             subsystem:      subsystem.csr
             SSL server:     sslserver.csr
             audit signing:  ocsp_audit_signing.csr
             admin:          ocsp_admin.csr

         Please obtain the necessary certificate(s) for this subsystem,
         and run installation step two.

       ==========================================================================

3. Submit the CMC request to externalCA for signing OCSP certificates. Attached are all files for external ocsp installation.
4. Run step 2 installation.
5. While running, I have made sure that I have provided all PKCS7 certs in the step 2 configuration file.

Installation:
============

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             ocspadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12

      This OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS algorithms in
                 server.xml in the 'gkapoor_RHCS75_externalocsp' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8443/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

Verification:
=============

    [root@csqa4-guest04 external_ocsp]# pk12util -i /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12 -d .
    Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL

    [root@csqa4-guest04 external_ocsp]# pki -d . -n "PKI OCSP Administrator" -c SECret.123 ocsp-user-find
    WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=gkapoor_RHCS75_externalocsp,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=gkapoor-ecc-exca0,O=idm.lab.eng.rdu.redhat.com Security Domain'
    Import CA certificate (Y/n)? Y
    CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:23080/ca
    -----------------
    3 entries matched
    -----------------
      User ID: ocspadmin
      Full name: ocspadmin

      User ID: pkidbuser
      Full name: pkidbuser

      User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
      Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
    ----------------------------
    Number of entries returned 3
    ----------------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
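Added example, not code from pki-core or from anyone in this thread: a simplified model of the certificate-to-user mapping that fails in the debug log above ("CertUserDBAuthentication: cannot map certificate to any user", followed by the 401). User entries carry a description string of the form `<version>;<serial>;<issuer DN>;<subject DN>`, as in the LDAP entries quoted in the thread, and a presented client certificate is matched on issuer DN plus serial. It shows why an admin certificate signed by an external CA gets no match until the user entry carries it, and why a certificate with a matching subject but a different issuer must not match either. The directory contents, the external CA's DN (`EXTERNAL_CA`) and every serial number are constructed assumptions, and the match is a verbatim string comparison rather than Dogtag's own lookup.

```python
# Added example (not pki-core code): simplified model of mapping a TLS client
# certificate to a user entry via "<version>;<serial>;<issuer DN>;<subject DN>"
# description strings. Directory contents, EXTERNAL_CA and serials are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertRef:
    version: int   # X.509 version number as stored; 2 means v3
    serial: int
    issuer: str
    subject: str


def parse_cert_description(desc: str) -> CertRef:
    """Parse "2;9;CN=CA Signing Certificate,...;CN=Subsystem Certificate,...".

    DNs contain commas but no semicolons, so a 4-way split on ';' is enough.
    """
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed certificate description: {desc!r}")
    version, serial, issuer, subject = (p.strip() for p in parts)
    return CertRef(int(version), int(serial), issuer, subject)


def format_cert_description(ref: CertRef) -> str:
    return f"{ref.version};{ref.serial};{ref.issuer};{ref.subject}"


@dataclass
class UserDirectory:
    """Constructed stand-in for the ou=people subtree: uid -> descriptions."""
    users: Dict[str, List[str]] = field(default_factory=dict)

    def add_user_cert(self, uid: str, ref: CertRef) -> None:
        self.users.setdefault(uid, []).append(format_cert_description(ref))

    def find_user_by_cert(self, presented: CertRef) -> Optional[str]:
        # Issuer DN + serial identify exactly one certificate. Matching on the
        # subject alone would let any trusted CA mint a lookalike admin cert,
        # so the subject is deliberately ignored. Strings are compared
        # verbatim here; a real implementation canonicalises DNs first.
        for uid, descs in self.users.items():
            for desc in descs:
                stored = parse_cert_description(desc)
                if (stored.issuer, stored.serial) == (presented.issuer, presented.serial):
                    return uid
        return None


def authenticate(directory: UserDirectory, presented: CertRef) -> str:
    """Return the uid for a mapped cert, or fail the way the 401 above does."""
    uid = directory.find_user_by_cert(presented)
    if uid is None:
        raise PermissionError("Unauthorized: cannot map certificate to any user")
    return uid


INTERNAL_CA = "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org"
EXTERNAL_CA = "CN=CA Signing Certificate,OU=external-ca,O=EXAMPLE"  # assumed DN
ADMIN_SUBJECT = "CN=PKI Administrator,E=ocspadmin,OU=topology-OCSP-EX,O=EXAMPLE"


def build_directory() -> UserDirectory:
    """Entries shaped like the internally signed subsystem users in the thread."""
    d = UserDirectory()
    d.users["OCSP-pki1.example.com-22443"] = [
        "2;9;" + INTERNAL_CA + ";CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org"
    ]
    d.users["TKS-pki1.example.com-23443"] = [
        "2;19;" + INTERNAL_CA + ";CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org"
    ]
    return d


def demo() -> Dict[str, Optional[str]]:
    """Walk through the failure in the thread and the state after the fix."""
    d = build_directory()
    admin = CertRef(2, 7, EXTERNAL_CA, ADMIN_SUBJECT)  # serial 7 is assumed
    results: Dict[str, Optional[str]] = {}
    # Externally signed admin cert with no user entry: this is the 401 case.
    results["externally signed admin, no entry"] = d.find_user_by_cert(admin)
    # Same subject as a subsystem cert but a different issuer: must not map.
    lookalike = CertRef(2, 9, EXTERNAL_CA,
                        "CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org")
    results["lookalike subject, wrong issuer"] = d.find_user_by_cert(lookalike)
    # Once the ocspadmin entry carries the externally signed admin cert (the
    # state the verification run at the end of the thread shows), the CLI's
    # client-cert login maps to ocspadmin.
    d.add_user_cert("ocspadmin", admin)
    results["after adding admin cert"] = authenticate(d, admin)
    return results


if __name__ == "__main__":
    for case, uid in demo().items():
        print(f"{case}: {uid}")
```

The practical check this suggests when a freshly imported admin p12 yields `PKIException: Unauthorized`: compare the issuer DN and serial of the certificate the CLI presents (`certutil -L -d <db> -n <nick>`) with the description attribute on the subsystem's user entry; a cert signed by a different CA, or one that was never recorded against the user, will not map no matter what trust flags the client database shows.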