Bug 1581134
| Summary: | ECC installation for non CA subsystems needs improvement [rhel-7.5.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Jack Magne <jmagne> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | | |
| Version: | 7.5 | CC: | akahat, cfu, enewland, gkapoor, jmagne, mharmsen, msauton |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.1-12.el7_5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fails. | | |
| Story Points: | --- | | |
| Clone Of: | 1568615 | Environment: | |
| Last Closed: | 2018-06-26 16:47:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1568615 | | |
| Bug Blocks: | | | |
Description
Oneata Mircea Teodor
2018-05-22 08:32:40 UTC
The first step of the subordinate CA ECC install is failing with the following error:
pkispawn : INFO ....... executing 'certutil -N -d /opt/ECC_SubCA/certs_db -f /opt/ECC_SubCA/ca/password.conf'
pkispawn : INFO ....... generating ca_signing CSR in ca_signing_ecc_subca_nontms.csr
pki.nssdb : DEBUG Command: openssl rand -out /tmp/tmpN78KVo/noise.bin 2048
pki.nssdb : DEBUG Command: certutil -R -d /var/lib/pki/rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang/alias -h NHSM6000-OCS -f /tmp/tmpRAKzv5/password.txt -s cn=CA Signing Certificate,ou=rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang,o=Example-ECC-SubCA -o /tmp/tmpN78KVo/request.bin -z /tmp/tmpN78KVo/noise.bin -k ec -q nistp256 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
pkispawn : DEBUG ....... Error Type: Exception
pkispawn : DEBUG ....... Error Message: Failed to generate certificate request. RC: 255
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1039, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 340, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 164, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 417, in create_request
    'Failed to generate certificate request. RC: %d' % rc)
Installation failed: Failed to generate certificate request. RC: 255
================================================
SubCA's pkispawn config file:
[DEFAULT]
pki_instance_name=rhcs93-ECC-NonTMS-SubCA-aakkiang
pki_https_port=31443
pki_http_port=31080
#NSS DB Token Password
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=XXXXXXXX
pki_token_password=XXXXXXXX
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA256withEC
pki_audit_signing_token=XXXXXXXX
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_key_size=nistp256
pki_subsystem_key_type=ecc
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_token=XXXXXXXX
pki_subsystem_nickname=subsystemCert-NonTMS-SubCA-nocp11-aakkiang
pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_signing_algorithm=SHA256withEC
pki_sslserver_token=XXXXXXXX
pki_sslserver_nickname=Server-Cert-NonTMS-SubCA-nocp11-aakkiang
#Admin
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256
pki_admin_key_type=ecc
pki_admin_password=SECret.123
#Security Domain
pki_security_domain_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_security_domain_name=Example-ECC-SubCA
pki_security_domain_password=SECret.123
#client Dir
pki_client_dir=/opt/ECC_SubCA
pki_client_admin_cert_p12=/opt/ECC_SubCA/subca_caadmincert.p12
pki_client_database_dir=/opt/ECC_SubCA/certs_db
pki_client_database_password=SECret.123
pki_client_pkcs12_password=SECret.123
#LDAP
pki_ds_ldap_port=1697
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=SECret.123
pki_ds_secure_connection=True
pki_ds_ldaps_port=7636
pki_ds_secure_connection_ca_pem_file=/tmp/ldap2ca_cert.pem
pki_ds_remove_data=True
[Tomcat]
pki_ajp_port=31009
pki_tomcat_server_port=31005
[CA]
pki_admin_nickname=PKI ECC SUBCA Administrator
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_token=XXXXXXXX
pki_ca_signing_nickname=caSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_token=XXXXXXXX
pki_ocsp_signing_nickname=ocspSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang
pki_audit_signing_nickname=auditSigningCert-NonTMS-SubCA-nocp11-aakkiang
pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=example
pki_import_admin_cert=False
pki_ds_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_ds_database=CC-ECC-NonTMS-SECOND-LDAP
pki_ds_base_dn=dc=ECC-NonTMS-SubCA
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing_ecc_subca_nontms.csr
# Enable random serial numbers
pki_random_serial_numbers_enable=True
A separate bug filed for the above issue: https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Marking this bug ON_QA.

I'm successfully able to install CA, KRA, OCSP and able to do key archival. But after TKS installation I'm able to see this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1588411 Because of this issue I'm not able to install TPS. Currently marking this bug verified for CA, KRA, OCSP.

PKI Version: 10.5.1-13.1.el7_5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
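The failure above is certutil -R exiting with RC 255 while pkispawn builds the CSR for an ECC system certificate, and the fix description says the installer now handles RSA and ECC subsystems uniformly. The following is an added example, not pki-core's own code, showing how that branching looks when done up front: it parses a pkispawn-style deployment config (the sample is constructed from the one in this report; the NSS database path, the token name NHSM6000-OCS used as an HSM token, and the RSA sslserver block are assumptions), derives the certutil key flags for each pki_<tag>_* cert from key_type/key_size/key_algorithm, and rejects inconsistent combinations (an ECC key with a numeric size, an RSA key with a withEC algorithm) before any command is run. The command is only assembled, not executed.

```python
"""Added example (not pki-core's own code): derive the certutil -R key
arguments for each pkispawn system certificate from the deployment config,
handling RSA and ECC uniformly and rejecting inconsistent settings early."""
import configparser

# Constructed sample config modelled on the one in the bug report; the
# token name, NSS database path and RSA sslserver block are assumptions.
SAMPLE_CFG = """\
[DEFAULT]
pki_instance_name=rhcs93-ECC-NonTMS-SubCA-aakkiang
pki_hsm_enable=True
pki_token_name=NHSM6000-OCS
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_sslserver_key_type=rsa
pki_sslserver_key_size=2048
pki_sslserver_key_algorithm=SHA256withRSA
[CA]
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
"""

# Named curves certutil accepts after -q (the NIST prime curves Certificate System uses).
ECC_CURVES = {"nistp256", "nistp384", "nistp521"}


def load_cfg(text):
    """Parse pkispawn-style INI text; [DEFAULT] keys are inherited by every section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def key_args(cfg, section, tag):
    """Return the certutil key-generation flags for pki_<tag>_* in `section`.

    ecc -> ['-k', 'ec', '-q', <curve>]     rsa -> ['-k', 'rsa', '-g', <bits>]
    Raises ValueError when key_type, key_size and key_algorithm disagree;
    left unchecked, such a mismatch only surfaces later as certutil RC 255.
    """
    key_type = cfg.get(section, f"pki_{tag}_key_type").lower()
    key_size = cfg.get(section, f"pki_{tag}_key_size")
    key_alg = cfg.get(section, f"pki_{tag}_key_algorithm")
    if key_type == "ecc":
        if key_size not in ECC_CURVES:
            raise ValueError(f"{tag}: ECC key_size must be a named curve, got {key_size!r}")
        if not key_alg.endswith("withEC"):
            raise ValueError(f"{tag}: ECC key needs a *withEC algorithm, got {key_alg!r}")
        return ["-k", "ec", "-q", key_size]
    if key_type == "rsa":
        if not key_size.isdigit() or int(key_size) < 2048:
            raise ValueError(f"{tag}: RSA key_size must be >= 2048 bits, got {key_size!r}")
        if not key_alg.endswith("withRSA"):
            raise ValueError(f"{tag}: RSA key needs a *withRSA algorithm, got {key_alg!r}")
        return ["-k", "rsa", "-g", key_size]
    raise ValueError(f"{tag}: unsupported key_type {key_type!r}")


def hash_flag(cfg, section, tag):
    """'SHA256withEC' / 'SHA256withRSA' -> the digest name certutil expects after -Z."""
    return cfg.get(section, f"pki_{tag}_key_algorithm").split("with")[0]


def certutil_request_cmd(cfg, section, tag, nssdb, subject, out_path, noise_path, pwfile):
    """Assemble the full `certutil -R` argv (not executed here) for one system cert."""
    cmd = ["certutil", "-R", "-d", nssdb]
    if cfg.getboolean(section, "pki_hsm_enable", fallback=False):
        cmd += ["-h", cfg.get(section, "pki_token_name")]  # key is generated on the HSM token
    cmd += ["-f", pwfile, "-s", subject, "-o", out_path, "-z", noise_path]
    cmd += key_args(cfg, section, tag)
    cmd += ["-Z", hash_flag(cfg, section, tag)]
    return cmd


def validate(cfg, section, tags):
    """Check every listed system cert before spawning; returns problems (empty == OK)."""
    problems = []
    for tag in tags:
        try:
            key_args(cfg, section, tag)
        except (ValueError, configparser.Error) as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    cfg = load_cfg(SAMPLE_CFG)
    print(validate(cfg, "CA", ["ca_signing", "subsystem", "sslserver"]))
    print(" ".join(certutil_request_cmd(
        cfg, "CA", "ca_signing", "/var/lib/pki/example/alias",
        "cn=CA Signing Certificate,o=Example-ECC-SubCA",
        "/tmp/request.bin", "/tmp/noise.bin", "/tmp/password.txt")))
```

Running validate() over all system-certificate tags before the first certutil call turns a late RC 255 with no explanation into a named configuration error; the same key_args() branch is what lets one code path serve both the RSA and the ECC subsystems.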