Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1630469

Summary: CC: tomcatjss: unable to enable OCSP checking from peer AIA extension
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: tomcatjssAssignee: Jack Magne <jmagne>
Status: CLOSED CURRENTRELEASE QA Contact: Asha Akkiangady <aakkiang>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: cpelland, edewata, jmagne, mharmsen, msauton, toneata
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcatjss-7.2.1-8.el7_6 Doc Type: No Doc Update
Doc Text:
This is just fixing something that is supposed to work already.
 Story Points: ---
Clone Of:
: 1631645 1632618 1636564 (view as bug list) Environment:
Last Closed: 2019-06-20 18:52:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1631645, 1632618, 1636564    
Attachments:
Description Flags
Downstream fix for issue.
edewata: review+
Upstream version for master , of patch
none
Revised upstream fix. none

Description Christina Fu 2018-09-18 17:35:41 UTC 
This issue was raised by our lab and confirmed by jmagne.

jmagne's tests concluded that our current tomcatjss seems to lack a way to enable ocsp to check its peer's AIA extension instead of the default url set in server.xml.

See the following for detail (under the section "AIA"):
https://docs.google.com/document/d/1TqBV_LR4DSgxS9ZilIrgtLtT9PGEx9BvKJv4qQHsSQ0/edit#
Comment 2 Christina Fu 2018-09-18 17:56:34 UTC 
Note: please make sure it can be configured to check for AIA when RHCS is acting as a client and as a server.
Comment 4 Jack Magne 2018-09-20 23:26:28 UTC 
Created attachment 1485347 [details]
Downstream fix for issue.
Comment 5 Jack Magne 2018-09-21 00:24:30 UTC 
Created attachment 1485353 [details]
Upstream version for master , of patch
Comment 6 Endi Sukma Dewata 2018-09-21 00:37:42 UTC 
I think the upstream patch can be simplified as follows:

logger.debug("ocspResponderURL: " + ocspResponderURL);
if (StringUtils.isEmpty(ocspResponderURL)) {
    ocspResponderURL = null;
}

logger.debug("ocspResponderCertNickname: " + ocspResponderCertNickname);
if (StringUtils.isEmpty(ocspResponderCertNickname)) {
    ocspResponderCertNickname = null;
}

if (ocspResponderURL == null && ocspResponderCertNickname != null) {
    throw new Exception("Missing OCSP responder URL");
}

if (ocspResponderURL != null && ocspResponderCertNickname == null) {
    throw new Exception("Missing OCSP responder certificate nickname");
}

It will also provide more descriptive error messages.
Comment 7 Jack Magne 2018-09-21 00:47:08 UTC 
I like this version, will test it out and make double sure it does the job.
Comment 8 Jack Magne 2018-09-21 01:07:01 UTC 
Created attachment 1485355 [details]
Revised upstream fix.
Comment 9 Jack Magne 2018-09-21 01:15:52 UTC 
Commit master / upstream :

commit 84ce990707481556e5ba8070b54e830bc6aef7c7 (HEAD -> master, origin/master, origin/HEAD)
Author: Jack Magne <jmagne>
Date:   Thu Sep 20 18:10:09 2018 -0700

    Fix for Bug 1630469 - CC: tomcatjss: unable to enable OCSP checking from peer AIA extension.
    
    Now the server.xml can be configured to enable ocsp AND leave other settings null, to trigger
    NSS to use the AIA extension to locate the ocsp responder.
    
    ex:
    
     <Connector name="Secure" port="18443" ...
         .....
         enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"
Comment 10 Jack Magne 2018-09-21 01:51:17 UTC 
Commit downstream / origin/TOMCATJSS_7_2_BRANCH

commit c7e9138d59833ca0b9437fd130d3d9cb2fdf393d
Author: John Magne <jmagne.redhat.com>
Date:   Thu Sep 20 21:35:20 2018 -0400

    Fix for Bug 1630469 - CC: tomcatjss: unable to enable OCSP checking from peer AIA extension.
    
        Now the server.xml can be configured to enable ocsp AND leave other settings null, to trigger
        NSS to use the AIA extension to locate the ocsp responder.
    
        ex:
    
         <Connector name="Secure" port="18443" ...
             .....
             enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"
Comment 11 Jack Magne 2018-09-21 01:57:38 UTC 
Testing instructions:

In order to test this functionality do the following:

Create a CA
Create a KRA and make sure the AIA extension of each system cert for the KRA points to something like this:

http://test.host.com:8080/ca/ocsp

This is what you get by default if a simple kra install is done and points to the security domain of the CA during pkispawn.

Stop the KRA and reconfigure the Connector of the SSL port in the kra instances "server.xml" file such as this:

<Connector name="Secure" port="18443" ...
             .....
             enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"

Note that we have left out the settings for ocspResponderURL and ocspSigingCertNickname, or whatever the actual strings are. This means that ONLY enableOCSP="true" is set. This means that NSS will ultimately be forced to find the ocsp responder url from a given cert's AIA extension, instead of a default value we may have configured here.

Now restart the KRA while putting a tail on teh CA's log.

While the KRA restarts we should observe the CA's internal ocsp responder coming to life, verifying various certs associated with the KRA.


Note: That of course certs can be applied for with the AIA extension pointing to  outboard ocsp responders as well. When we want specific certs to hit specific responders, this is how it should be tested.