Bug 1638875

Summary: [RFE] extract key/certs pem file into a private namespace
Product: Red Hat Enterprise Linux 8 Reporter: Amy Farley <afarley>
Component: 389-ds-baseAssignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 8.1CC: abokovoy, afarley, bsmejkal, czinda, dpal, mharmsen, mkosek, mreynolds, nkinder, pasik, spichugi, tbordaz, vashirov
Target Milestone: pre-dev-freezeKeywords: FutureFeature
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766 Doc Type: Enhancement
Doc Text:
.Directory Server exports the private key and certificate to a private name space when the service starts Directory Server uses OpenLDAP libraries for outgoing connections, such as replication agreements. Because these libraries cannot access the network security services (NSS) database directly, Directory Server extracts the private key and certificates from the NSS database on instances with TLS encryption support to enable the OpenLDAP libraries to establish encrypted connections. Previously, Directory Server extracted the private key and certificates to the directory set in the `nsslapd-certdir` parameter in the `cn=config` entry (default: `/etc/dirsrv/slapd-<instance_name>/`). As a consequence, Directory Server stored the `Server-Cert-Key.pem` and `Server-Cert.pem` in this directory. With this enhancement, Directory Server extracts the private key and certificate to a private name space that `systemd` mounts to the `/tmp/` directory. As a result, the security has been increased.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:07:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1652269, 1683259, 1782896    
Bug Blocks: 1679810, 1689138, 1701002, 1755139, 1825061    

Comment 12 mreynolds 2019-03-11 16:24:01 UTC 
*** Bug 1625661 has been marked as a duplicate of this bug. ***
Comment 20 thierry bordaz 2019-12-12 15:35:40 UTC 
depends on new selinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1782896
Comment 24 thierry bordaz 2020-02-10 12:10:52 UTC 
Upstream ticket related to pem files: https://pagure.io/389-ds-base/issue/50889
Comment 26 thierry bordaz 2020-02-27 09:16:07 UTC 
Fix pushed upstream (https://pagure.io/389-ds-base/issue/50889) -> POST
Comment 30 bsmejkal 2020-06-04 10:13:46 UTC 
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-205.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.9.0', 'html': '2.1.1'}}
389-ds-base: 1.4.3.8-2.module+el8.3.0+6591+ebfc9766
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.9.0, html-2.1.1
collected 1 item                                                                                                                                                                                                  

dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py::test_pem_cert_in_private_namespace PASSED                                                                                                       [100%]

========================================================================================= 1 passed in 19.96s ======================================================================================================

Marking as VERIFIED.
Comment 33 Marc Muehlfeld 2020-06-15 09:26:21 UTC 
Thierry, can you please review the release note for this enhancement (see Doc Text field)? Thanks.
Comment 34 thierry bordaz 2020-06-15 09:51:32 UTC 
Thanks Marc, the text looks good to me
Comment 37 errata-xmlrpc 2020-11-04 03:07:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695
Comment 38 Red Hat Bugzilla 2023-09-14 04:40:08 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days