Bug 1540440

Summary: CMC: Audit Events needed for failures in SharedToken scenario's
Product: Red Hat Enterprise Linux 7 Reporter: Geetika Kapoor <gkapoor>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: high Docs Contact:
Priority: high    
Version: 7.5CC: cfu, lmiksik, mharmsen, msauton
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.9-2.el7 Doc Type: No Doc Update
Doc Text:
See Doc Text in BZ#1594128.
 Story Points: ---
Clone Of:
: 1594128 (view as bug list) Environment:
Last Closed: 2018-10-30 11:05:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1594128    

Description Geetika Kapoor 2018-01-31 04:59:24 UTC 
Description of problem:

Audit events are required in case of SharedToken failures.Debug logs have it but audit logs doesn't capture them.
This behavior is observed when testing is done for "CMC Revocation Request (User-signed)" and SharedSecret.


if we provide incorrect value of sharedsecret  in revocation file or ldap missing metainfo ,it will fail during HttpClient request.That's expected.Currently, any failures related to revocation is not getting displayed in audit logs.Below are two snip for a better understanding.

<snip1>
debug logs:
[30/Jan/2018:06:30:23][http-bio-20443-exec-14]: CMCOutputTemplate: processRevokeRequestControl:  Client and server shared secret are not the same, cannot revoke certificate.
[30/Jan/2018:06:30:23][http-bio-20443-exec-14]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED


Audit logs:

0.http-bio-20443-exec-14 - [30/Jan/2018:06:30:23 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-14 - [30/Jan/2018:06:30:23 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-14 - [30/Jan/2018:06:30:23 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=<null>][Outcome=Failure][ReqID=<null>][CertSerialNum=17361974][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=rejected] certificate status change request processed
0.http-bio-20443-exec-14 - [30/Jan/2018:06:30:23 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
</snip1>


<snip2>

debug logs

[30/Jan/2018:06:11:04][http-bio-20443-exec-20]: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo
[30/Jan/2018:06:11:04][http-bio-20443-exec-20]: CMCOutputTemplate: createFullResponse: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo
[30/Jan/2018:06:11:04][http-bio-20443-exec-20]: CMSServlet: curDate=Tue Jan 30 06:11:04 EST 2018 id=caProfileSubmitCMCFull time=14


Audit logs:

0.http-bio-20443-exec-20 - [30/Jan/2018:06:11:04 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success] access session establish success
0.http-bio-20443-exec-20 - [30/Jan/2018:06:11:04 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-20443-exec-20 - [30/Jan/2018:06:11:04 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=usercert,CN=usercert][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

</snip2>

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always

Steps to Reproduce:
1. Provide incorrect shared secret .Follow procedure :  http://pki.fedoraproject.org/wiki/PKI_10.5_CMC_Shared_Token#Example_Enrollment_Procedure
2.
3.

Actual results:

No Audit events getting generated

Expected results:

for consistent behavior, all the success and failure events should be there. 

Additional info:
Comment 3 Christina Fu 2018-02-03 02:16:02 UTC 
https://pagure.io/dogtagpki/issue/2920#comment-491902
Comment 5 Geetika Kapoor 2018-02-15 11:13:15 UTC 
Test Case 1: When revShrtok entry is not found with metainfo into ldap
-----------------------------------------------------------------------

Question: I don't see correct failure reason in audit logs?
===========================================================

CMCResponse:

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   OtherInfo type: FAIL
     failInfo=bad identity
ERROR: CMC status for [1]: failed


Debug logs:

[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: CMCOutputTemplate: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: CMCOutputTemplate: processRevokeRequestControl:  shared secret not found
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: CMCOutputTemplate: createFullResponse:  after new ResponseBody, respBody not null


===============================================================================================================

Audit logs:

0.http-bio-25443-exec-3 - [15/Feb/2018:05:44:49 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success] access session establish success
0.http-bio-25443-exec-3 - [15/Feb/2018:05:44:49 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-25443-exec-3 - [15/Feb/2018:05:44:49 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIG7BgkqhkiG9w0BBwGgga0EgaowgacwgZ4wgZsCAQEGCCsGAQUFBwcRMYGLMIGIMFYxFTATBgNVBAoMDFNFQ3VyZS1Ec09PTzEcMBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X3NzbDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZQIECGnKhAoBBgQMd29uZGVyZnVsZGF5DBdnZWV0aWthIHRlc3QgcmV2b2NhdGlvbjAAMAAwAA==] CMC request received
0.http-bio-25443-exec-3 - [15/Feb/2018:05:44:49 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIGPwYJKoZIhvcNAQcCoIIGMDCCBiwCAQMxDzANBglghkgBZQMEAgMFADA0BggrBgEFBQcMA6AoBCYwJDAeMBwCAQEGCCsGAQUFBwcZMQ0wCwIBAjADAgEBAgEHMAAwAKCCA+gwggPkMIICzKADAgECAgQM3QwgMA0GCSqGSIb3DQEBDQUAMFMxEjAQBgNVBAoMCVNFQ3VyZS1EczEcMBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X3NzbDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODAyMTExOTE4MjlaFw0zODAyMTExOTE4MjlaMFMxEjAQBgNVBAoMCVNFQ3VyZS1EczEcMBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X3NzbDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJRuy2MpwSogHtg84aBToFzWzZmkqCdIlO363KqhGb9SDI7nYdJWfSuMW3sMpdxeP/E9DqaEgiTw1b3OBTxSojLHbcjzAiT4iRNv2kwZwMit7JmfemVWMHCwoGm80qrUwUoIcau/I86HXrGN6BjTzjHQJHMbefH+I2zqh0bXhcLCvfH/Vg4X39eQ1Fp/xtX2E8SvjgBagvFVMcUw9XCPk4Gn7i6TTY4fgqq7qqZqrsVNziA2NL07BqvX9joCI3RzJwnxzVP1r8fBA9sPLHrkYUxue/ObQo2uRL91OYdI3R4HLJilbrgYWrixziDXPr6UrbEsiEE+rSg4ff+0yBoGT78CAwEAAaOBvzCBvDAfBgNVHSMEGDAWgBRexDUJbLEkPOUGRug4ZhxMlYyjRjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUXsQ1CWyxJDzlBkboOGYcTJWMo0YwWQYIKwYBBQUHAQEETTBLMEkGCCsGAQUFBzABhj1odHRwOi8vY3NxYTQtZ3Vlc3QwNC5pZG0ubGFiLmVuZy5yZHUucmVkaGF0LmNvbToyNTA4MC9jYS9vY3NwMA0GCSqGSIb3DQEBDQUAA4IBAQBV+JNL9Gpm88yTiWPdJgHpiXVQusKJIchrRBTFA1ZbBTFJTcsjv5XrdvEGS4X5PcO6xzWxFLKiiS7T6LA0g6ghVubwqcHo3tmj+xHxNhVopwa9TxvXEPNwfnBFluUwRMoDy1ULb4/ohplmeGVkEeNLfTyo0xtpBSMj92iy6ZwYw5dmE0ZFxfx6hzUnk65qn8H2mIdnWHiRjkwQGCdrq2oizcVM0OaX5rz0msgqSWFO85XjX/IxPVJJNNixSgSFIirVLToModCqX2puWn4wermn8INI3k8MMPOxpEK6L6IFEfGUqXEr/YnRgAGrPljw39p2wU/SCnp8P8CVzIssi/x0MYIB8jCCAe4CAQEwWzBTMRIwEAYDVQQKDAlTRUN1cmUtRHMxHDAaBgNVBAsME2drYXBvb3JfUkhDU183NV9zc2wxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCBAzdDCAwDQYJYIZIAWUDBAIDBQCgajAXBgkqhkiG9w0BCQMxCgYIKwYBBQUHDAMwTwYJKoZIhvcNAQkEMUIEQEvv2Hre+zYecA1BQPgG1/2oiSly9W6NdK7+dN9RxLwLiAyPnTYH/6v+5z4bW4rdVvzS+N6RWR5fhCwr7OIr37EwDQYJKoZIhvcNAQENBQAEggEAK+9OkkkDSE+652cRCEQYBNwO6iLXbOGoVWas5ahTqvMLlSAYOTD8PVOrJvkTKcCyUQXMQc3SbGTurVFPL7o8PFwJ05jou0DmG3o4J6/Djbf+Gt0QVPW/tVwN4x49JrRB3LJXRv/EQU8EGn85/hYgcrLJMwUJzMnu5aeoilbotAItwzj6sFezHFCqTwu9aHWFYGlU07IAZJL/6LGX5q8V0iuU9eK92K2PuK3pH0Ya5KIWIWKg0igSgBZt6e4PkznU2ln7Am5hTrfM23EsvHOU7cBwIJHLVSotzj1fwkPO7rf7cOY1CCFjprjsJqj3qlhQN7WTpsPX1nPZkrmgVodYtg==] CMC response sent
0.http-bio-25443-exec-3 - [15/Feb/2018:05:44:49 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated


Test case 2: Different issuer and revocation dn
------------------------------------------------

debug:

[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: CMCOutputTemplate: processRevokeRequestControl:  Client and server shared secret are the same, can go ahead and revoke certificate.
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: In LdapBoundConnFactory::getConn()
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: masterConn is connected: true
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: getConn: conn is connected true
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: getConn: mNumConns now 2
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: returnConn: mNumConns now 3
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: CMCOutputTemplate: processRevokeRequestControl: shared secret revocation: checking issuer DN
[15/Feb/2018:05:52:47][http-bio-25443-exec-4]: CMCOutputTemplate: processRevokeRequestControl:  certificate issuer DN and revocation request issuer DN do not match

Audit:

0.http-bio-25443-exec-4 - [15/Feb/2018:05:52:47 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success] access session establish success
0.http-bio-25443-exec-4 - [15/Feb/2018:05:52:47 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-25443-exec-4 - [15/Feb/2018:05:52:47 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIG7BgkqhkiG9w0BBwGgga0EgaowgacwgZ4wgZsCAQEGCCsGAQUFBwcRMYGLMIGIMFYxFTATBgNVBAoMDFNFQ3VyZS1Ec09PTzEcMBoGA1UECwwTZ2thcG9vcl9SSENTXzc1X3NzbDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZQIECGnKhAoBBgQMd29uZGVyZnVsZGF5DBdnZWV0aWthIHRlc3QgcmV2b2NhdGlvbjAAMAAwAA==] CMC request received
0.http-bio-25443-exec-4 - [15/Feb/2018:05:52:47 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIGhQYJKoZIhvcNAQcCoIIGdjCCBnICAQMxDzANBglghkgBZQMEAgMFADB6BggrBgEFBQcMA6BuBGwwajBkMGICAQEGCCsGAQUFBwcZMVMwUQIBAjADAgEBDEQgY2VydGlmaWNhdGUgaXNzdWVyIEROIGFuZCByZXZvY2F0aW9uIHJlcXVlc3QgaXNzdWVyIEROIGRvIG5vdCBtYXRjaAIBBzAAMACgggPoMIID5DCCAsygAwIBAgIEDN0MIDANBgkqhkiG9w0BAQ0FADBTMRIwEAYDVQQKDAlTRUN1cmUtRHMxHDAaBgNVBAsME2drYXBvb3JfUkhDU183NV9zc2wxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTgwMjExMTkxODI5WhcNMzgwMjExMTkxODI5WjBTMRIwEAYDVQQKDAlTRUN1cmUtRHMxHDAaBgNVBAsME2drYXBvb3JfUkhDU183NV9zc2wxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUbstjKcEqIB7YPOGgU6Bc1s2ZpKgnSJTt+tyqoRm/UgyO52HSVn0rjFt7DKXcXj/xPQ6mhIIk8NW9zgU8UqIyx23I8wIk+IkTb9pMGcDIreyZn3plVjBwsKBpvNKq1MFKCHGrvyPOh16xjegY084x0CRzG3nx/iNs6odG14XCwr3x/1YOF9/XkNRaf8bV9hPEr44AWoLxVTHFMPVwj5OBp+4uk02OH4Kqu6qmaq7FTc4gNjS9Owar1/Y6AiN0cycJ8c1T9a/HwQPbDyx65GFMbnvzm0KNrkS/dTmHSN0eByyYpW64GFq4sc4g1z6+lK2xLIhBPq0oOH3/tMgaBk+/AgMBAAGjgb8wgbwwHwYDVR0jBBgwFoAUXsQ1CWyxJDzlBkboOGYcTJWMo0YwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFF7ENQlssSQ85QZG6DhmHEyVjKNGMFkGCCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL2NzcWE0LWd1ZXN0MDQuaWRtLmxhYi5lbmcucmR1LnJlZGhhdC5jb206MjUwODAvY2Evb2NzcDANBgkqhkiG9w0BAQ0FAAOCAQEAVfiTS/RqZvPMk4lj3SYB6Yl1ULrCiSHIa0QUxQNWWwUxSU3LI7+V63bxBkuF+T3Dusc1sRSyooku0+iwNIOoIVbm8KnB6N7Zo/sR8TYVaKcGvU8b1xDzcH5wRZblMETKA8tVC2+P6IaZZnhlZBHjS308qNMbaQUjI/dosumcGMOXZhNGRcX8eoc1J5Ouap/B9piHZ1h4kY5MEBgna6tqIs3FTNDml+a89JrIKklhTvOV41/yMT1SSTTYsUoEhSIq1S06DKHQql9qblp+MHq5p/CDSN5PDDDzsaRCui+iBRHxlKlxK/2J0YABqz5Y8N/adsFP0gp6fD/AlcyLLIv8dDGCAfIwggHuAgEBMFswUzESMBAGA1UECgwJU0VDdXJlLURzMRwwGgYDVQQLDBNna2Fwb29yX1JIQ1NfNzVfc3NsMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlAgQM3QwgMA0GCWCGSAFlAwQCAwUAoGowFwYJKoZIhvcNAQkDMQoGCCsGAQUFBwwDME8GCSqGSIb3DQEJBDFCBEDe5AD14wrjjWfZryulqxF9NV6tzJYqBnmv68EAOx4ueEHBzHLUoMVyT4Ks3MqDAP8Vm7db1ZYqmU1s/vmoVdPvMA0GCSqGSIb3DQEBDQUABIIBAC8tr3wK1SEvx31QF8w6b03Mr6lJ/j/IjOS1Mvv1tvc+7aSYTqTMTB8W9rUtr5HHoBAeTwlPmLgEs7RoBDiLutUJWpEhYVGK3/uZzCMA20l1l+ATc2UhvZ2JgUHRek4yq0Ik1ZT3fT7FSeSN2i2BeiUdV7Z9V3jT3Dqx2jZS81OAJD7RRPprDXmTS0lcj+zIXXkBpgDT7EG0Ygap/cSE4mh2qNBkKl14ccRALmYlZxHd4mMOlkfZcnjoQ5XlDHiO+a/YhsTFipsVLgU/QRhOeadp+HuaGQdF2rlDhJhfCLZpjhmMBCw8FHmKwsY933oabgXH9PIrPGdjgCrfsCGOTLE=] CMC response sent
0.http-bio-25443-exec-4 - [15/Feb/2018:05:52:47 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.12.28.208][ServerIP=10.12.28.208][SubjectID=UID=sslauth,OU=People][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
Comment 6 Christina Fu 2018-02-15 18:42:52 UTC 
looks like the event is not enabled by default:
[15/Feb/2018:05:44:49][http-bio-25443-exec-3]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED

I'll check with Endi (who has a wiki that tracks what need to be enabled) and see if we should enable that.
Comment 7 Christina Fu 2018-02-15 22:37:54 UTC 
I did not find the CERT_STATUS_CHANGE_REQUEST_PROCESSED event in
http://pki.fedoraproject.org/wiki/PKI_Server_Audit_Events_Design

I also double-checked the PP and doesn't appear that status change is a required auditable event.
Comment 8 Geetika Kapoor 2018-02-16 17:57:03 UTC 
Marking failedQA because failure logs are still not coming in Audit logs.
Comment 11 Geetika Kapoor 2018-02-23 20:18:20 UTC 
There are few other issues observed during testing.Adding those also in this Bugzilla.

https://bugzilla.redhat.com/show_bug.cgi?id=1525306#c7
https://bugzilla.redhat.com/show_bug.cgi?id=1525306#c10
Comment 12 Geetika Kapoor 2018-02-23 20:20:47 UTC 
Refer https://bugzilla.redhat.com/show_bug.cgi?id=1525306#c12
Comment 13 Matthew Harmsen 2018-04-17 01:00:43 UTC 
Per RHEL 7.5.z/7.6/8.0 Triage:  10.5.z

cfu: re-opened due to errors
Comment 16 Matthew Harmsen 2018-05-05 00:28:48 UTC 
Moving from ASSIGNED to NEW since this bug was kicked out of the RHEL 7.5 GA errata and will need to first be fixed in RHEL 7.6 before a RHEL 7.5.z bug can be generated.
Comment 17 Christina Fu 2018-06-22 00:56:02 UTC 
commit 0bfc946c7b71973a38003d56c30052982b1f8030 (HEAD -> master, origin/master, origin/HEAD, ticket-2920-SharedTokenFailureAudit-master)
Author: Christina Fu <cfu>
Date:   Wed Jun 20 18:59:28 2018 -0700

    Ticket 2920 Part2 of SharedToken Audit
    
    This patch addresses the issue that the original audit message for failure
    got overwritten for SharedToken.
    
    fixes https://pagure.io/dogtagpki/issue/2920
    
    Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4
Comment 19 Matthew Harmsen 2018-06-26 01:47:55 UTC 
QE Test Verification

https://bugzilla.redhat.com/show_bug.cgi?id=1594128#c3
Comment 21 Geetika Kapoor 2018-08-17 19:30:41 UTC 
Test Env:

rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch


Verification:

Verified all that is mentioned in 
https://bugzilla.redhat.com/show_bug.cgi?id=1594128#c3
Comment 23 errata-xmlrpc 2018-10-30 11:05:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195