Bug 2375332

Summary: Missing registry entries for EST on upgraded server
Product: [Fedora] Fedora Reporter: Pritam Singh <prisingh>
Component: dogtag-pkiAssignee: Endi Sukma Dewata <edewata>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 42CC: abokovoy, alee, cfu, edewata, jmagne, mfargett
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pritam Singh 2025-06-28 15:32:48 UTC 
I've upgraded to the latest PKI version 11.7 from PKI-11.2 to reproduce: https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6, At the time of EST deployment on the upgraded PKI version, Adding estServiceCert profile to CA was not working and failing with error "Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null"

Builds:

# uname -r
6.15.3-200.fc42.x86_64

# rpm -qa | grep -e pki -e jss -e jackson -e resteasy | sort
dogtag-jss-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-jss-tomcat-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-acme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-base-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ca-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-est-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-java-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-javadoc-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-kra-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ocsp-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-server-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tests-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-theme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tks-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tools-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-tps-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
python3-dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch

Reproducible: Always

Steps to Reproduce:
1. Follow test procedure: https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6
2. Deploying EST on upgraded PKI 11.7 version, refer: https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/installation_and_configuration#installing-est-pki-server
3. Add EST profile using following command:
$ pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
Actual Results:
[root@pki1 fedora]# pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg 
BadRequestException: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null

CA debug log:

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: Creating profile from raw data
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - profileId: estServiceCert
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - classId: caEnrollImpl
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - name: EST Service Certificate Enrollment
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - description: EST service certificate profile
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] SEVERE: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
java.lang.NullPointerException: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
    at com.netscape.cms.profile.common.Profile.init(Profile.java:269)
    at org.dogtagpki.server.ca.rest.v1.ProfileService.createProfileRaw(ProfileService.java:646)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
...
...
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:1583)

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: Returning BadRequestException
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: XML exception:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PKIException>
  <ClassName>com.netscape.certsrv.base.BadRequestException</ClassName>
  <Attributes/>
  <Code>400</Code>
  <Message>Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null</Message>
</PKIException>

Expected Results:
EST profile add should work as expected.

Additional Information:
Missing parameters in upgraded PKI's registry.cfg file:

constraintPolicy.raClientAuthSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.RAClientAuthSubjectNameContraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.desc=RA Client Subject Name Constraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.name=RA Client Subject Name Constraint

raClientAuthInfoInputImpl from profileInput.ids=
raClientAuthSubjectNameConstraintImpl from constraintPolicy.ids=

profileInput.raClientAuthInfoInputImpl.class=com.netscape.cms.profile.input.RAClientAuthInfoInput
profileInput.raClientAuthInfoInputImpl.desc=RA Client Authentication Information Input
profileInput.raClientAuthInfoInputImpl.name=RA Client Authentication Information Input


As a workaround: When I replaced registry.cfg with latest or added above parameters in upgraded PKI's registry.cfg file, EST profile add worked.