Bug 479722

Summary: ESC to TPS SSL communication problem with renewed TPS cert
Product: [Retired] Dogtag Certificate System
Reporter: Jack Magne <jmagne>
Component: ESC
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: high
Version: 1.0
CC: aakkiang, alee, benl, kevinu, mharmsen
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:30:59 UTC
Type: ---
Bug Depends On: 496410    
Bug Blocks: 443788    
Attachments:
Proposed fix for this issue. (Flags: none)

Description Jack Magne 2009-01-12 17:48:31 UTC
Description of problem:

ESC can communicate with TPS over SSL for operations such as the Format and Enroll token operations. 

We have found a case where the TPS's certificate expired and had to be renewed. In this case, ESC can have trouble communicating with TPS for these operations.

As of now, there is a workaround involving the manipulation of the user's profile data.

The goal is to have ESC take care of this situation automatically without user interaction.

Comment 1 Jack Magne 2009-05-09 18:39:24 UTC
*** Bug 479335 has been marked as a duplicate of this bug. ***

Comment 2 Jack Magne 2009-06-19 02:58:43 UTC
Created attachment 348593 [details]
Proposed fix for this issue.

This fix involved allowing the user to set security exceptions much like in Firefox. Also, the separate HTTP library that contacts the TPS to perform token operations has been given a Bad Cert handler that can recognize previously created exceptions.

Comment 3 Matthew Harmsen 2009-06-19 19:34:57 UTC
attachment (id=348593) +mharmsen

CAVEATS:

In "src/app/xpcom/rhCoolKey.cpp":

CHANGE:  if(!certCBLock) {
             PR_DestroyLock(certCBLock);
         }

TO:      if(certCBLock) {
             PR_DestroyLock(certCBLock);
         }


MOVE this "err" initialization code above the "err" switches:

    // Retrieve callback data from NssHttpClient
    // Caller cleans up this data
    BadCertData *data = (BadCertData *) arg;
    data->error = err = PORT_GetError();

REMOVE unused variable "PRNetAddr addr;"

Add LOG messages on "false" cases.
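
The mechanism described in Comment 2 (a Bad Cert handler that honours exceptions the user previously stored) together with the ordering point from Comment 3 (fetch the error once, before any branching), as an added example that is not ESC or NSS code. A handler of this shape only accepts a connection when the exception on file was recorded against the exact certificate now being presented and covers the error actually raised, so a renewed TPS certificate falls back to prompting the user instead of silently passing. The host `tps.example.test`, port 7889, the symbolic error names and the "DER" byte strings are constructed stand-ins, and `get_error` plays the role of PORT_GetError().

```python
"""Model of a 'bad cert' handler that consults user-stored security
exceptions. Added illustration, not ESC or NSS code: the NSS pieces
(SSL_BadCertHook callback, PORT_GetError, CERTCertificate) are replaced by
plain Python values, and the certificates below are constructed byte
strings standing in for DER, not real certificates."""
import hashlib
from dataclasses import dataclass

# Stand-ins for the NSS error codes a bad-cert hook typically sees. The names
# follow NSS, but the values are symbolic, not NSS's numeric codes.
SEC_ERROR_EXPIRED_CERTIFICATE = "expired"
SEC_ERROR_UNKNOWN_ISSUER = "unknown_issuer"
SSL_ERROR_BAD_CERT_DOMAIN = "bad_domain"
SEC_ERROR_REVOKED_CERTIFICATE = "revoked"

# Only these may be overridden by a user exception (Firefox-style policy).
# Revocation is deliberately excluded.
OVERRIDABLE = frozenset({SEC_ERROR_EXPIRED_CERTIFICATE,
                         SEC_ERROR_UNKNOWN_ISSUER,
                         SSL_ERROR_BAD_CERT_DOMAIN})

# Constructed stand-ins for the old (expired) and renewed TPS server certs.
OLD_TPS_DER = b"constructed-der:CN=tps.example.test,serial=1"
NEW_TPS_DER = b"constructed-der:CN=tps.example.test,serial=2"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; this is what an exception is pinned to."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class CertException:
    fingerprint: str       # exact certificate the user looked at
    errors: frozenset      # error classes the user accepted for it


class ExceptionStore:
    """Exceptions keyed by (host, port), as a profile-stored override list."""

    def __init__(self):
        self._by_endpoint = {}

    def add(self, host: str, port: int, der: bytes, errors) -> None:
        errs = frozenset(errors)
        if not errs or not errs <= OVERRIDABLE:
            raise ValueError("refusing to store a non-overridable error")
        self._by_endpoint[(host.lower(), port)] = CertException(fingerprint(der), errs)

    def lookup(self, host: str, port: int):
        return self._by_endpoint.get((host.lower(), port))


def bad_cert_hook(store: ExceptionStore, host: str, port: int,
                  der: bytes, get_error) -> bool:
    """Return True to accept the connection, False to fail it.

    get_error stands in for PORT_GetError(): it is called first, before any
    branching, so every return path sees the same error value."""
    err = get_error()
    exc = store.lookup(host, port)
    if exc is None:
        return False          # no exception on file for this endpoint
    if exc.fingerprint != fingerprint(der):
        return False          # different cert (e.g. renewed): the exception is stale
    if err not in exc.errors:
        return False          # same cert, but an error class the user never accepted
    return True


def renewal_scenario():
    """Walk through the bug's situation and return the handler's decisions."""
    store = ExceptionStore()
    host, port = "tps.example.test", 7889     # hypothetical TPS endpoint
    decisions = []
    # 1. No exception yet: the expired cert is rejected.
    decisions.append(bad_cert_hook(store, host, port, OLD_TPS_DER,
                                   lambda: SEC_ERROR_EXPIRED_CERTIFICATE))
    # 2. User confirms the exception (what the Firefox-style dialog records).
    store.add(host, port, OLD_TPS_DER, {SEC_ERROR_EXPIRED_CERTIFICATE})
    decisions.append(bad_cert_hook(store, host, port, OLD_TPS_DER,
                                   lambda: SEC_ERROR_EXPIRED_CERTIFICATE))
    # 3. TPS cert renewed: different DER, so the stored fingerprint no longer
    #    matches and the handler must send the user back to the dialog.
    decisions.append(bad_cert_hook(store, host, port, NEW_TPS_DER,
                                   lambda: SEC_ERROR_UNKNOWN_ISSUER))
    # 4. Same cert as stored, but an error class the user never accepted.
    decisions.append(bad_cert_hook(store, host, port, OLD_TPS_DER,
                                   lambda: SSL_ERROR_BAD_CERT_DOMAIN))
    # 5. Revocation can never be stored as an exception.
    try:
        store.add(host, port, OLD_TPS_DER, {SEC_ERROR_REVOKED_CERTIFICATE})
        decisions.append("stored-revoked")
    except ValueError:
        decisions.append("refused-revoked")
    return decisions
```

The design point is that the exception is pinned to the fingerprint of the certificate the user actually inspected, not merely to the host, and is scoped to the error kinds shown at the time. That is what makes the renewed-certificate case safe: a new certificate, even from the legitimate TPS, does not inherit the old override, and an attacker substituting a different bad certificate for a known host gets no benefit from an exception recorded for another one.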

Comment 4 Jack Magne 2009-06-19 21:13:19 UTC
Suggested changes done:

cvs -d :ext:jmagne.redhat.com/cvs/dirsec  commit -m "Bugzilla#
479722 ESC to TPS SSL communication problem with renewed TPS cert."

cvs trace lost.

Fixed in the next build of ESC.

Comment 5 Asha Akkiangady 2009-07-08 02:02:03 UTC
Verified.

With the renewed tps server cert able to enroll/format tokens.