Bug 1633104
| Summary: | CMC: add config to allow non-clientAuth [rhel-7.6.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | | |
| Version: | 7.6 | CC: | afarley, cfu, cpelland, mharmsen, msauton, rpattath |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.5.9-7.el7_6 | Doc Type: | Bug Fix |
| Doc Text: | A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the bypassClientAuth configuration parameter to the /var/lib/pki/pki-instance_name/ca/conf/CS.cfg file. As a result, administrators can now set this parameter to "true" to disable client authentication if not supported by certain applications. | | |
| Story Points: | --- | | |
| Clone Of: | 1628410 | Environment: | |
| Last Closed: | 2019-01-29 17:21:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1628410 | | |
| Bug Blocks: | | | |

Description
Oneata Mircea Teodor
2018-09-26 08:15:19 UTC
commit 19120d14941b5964a728ab06b0406be3ddeff5d4 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Tue Sep 18 16:13:29 2018 -0700

    Bug1628410 CMC: add config to allow non-clientAuth

    This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
    to allow agents to bypass clientAuth requirement in CMCAuth.
    Default value for cmc.bypassClientAuth is false.

    In addition, CMC enrollment profile caCMCUserCert "visible" value is
    set to false.

    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410

    Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc

test procedure:

First make sure the original clientAuth requirement is not broken:
Perform any CMCAuth enrollment as instructed in any previous test cases and make sure clientAuth is still required and matches the signer of the cmc request.

Next, test bypassing clientAuth (as requested by the customer).
set the following to true in CA's CS.cfg:
cmc.bypassClientAuth=true
Restart the CA.
Perform the same test again, but this time set clientmode=false in HttpClient.
Make sure it works.

doc text looks fine.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168
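
Because cmc.bypassClientAuth=true removes the TLS client authentication check from CMCAuth, it is worth auditing which CA instances have it set. The script below is an added example, not code from this bug report or from Certificate System. It assumes CS.cfg holds key=value lines, that lines starting with '#' are comments, that the last occurrence of a repeated key wins, and that the value is compared case-insensitively; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit example; not part of pki-core. Function names are hypothetical.

# Print the effective cmc.bypassClientAuth value for one CS.cfg file.
# Assumed semantics: key=value lines, '#' comment lines, last duplicate
# wins, missing key means the default stated in the commit ("false").
bypass_value() {
    awk '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", val)
            if (key == "cmc.bypassClientAuth") found = tolower(val)
        }
        END { print (found == "" ? "false" : found) }
    ' "$1"
}

# Succeed when the file disables the clientAuth requirement.
bypass_enabled() {
    [ "$(bypass_value "$1")" = "true" ]
}

# List every CA instance under a root whose CS.cfg enables the bypass.
# The glob mirrors the path given in the Doc Text.
audit_instances() {
    for cfg in "$1"/*/ca/conf/CS.cfg; do
        [ -f "$cfg" ] || continue
        if bypass_enabled "$cfg"; then
            echo "cmc.bypassClientAuth=true: $cfg"
        fi
    done
    return 0
}

# With no argument, audit a constructed sample so the script runs offline;
# pass a real root such as /var/lib/pki as $1 to audit a host.
if [ -z "${1:-}" ]; then
    demo=$(mktemp -d) && mkdir -p "$demo/pki-demo/ca/conf"
    printf 'cmc.bypassClientAuth=true\n' > "$demo/pki-demo/ca/conf/CS.cfg"
    audit_instances "$demo"; rm -rf "$demo"
else
    audit_instances "$1"
fi
```

Any instance the script lists accepts CMCAuth requests without a TLS client certificate, so the setting should stay limited to the applications that cannot supply one.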