Bug 492189

Summary: Security Officer: a security officer token that is in temp lost status can be used to login to the so work station UI.
Product: [Retired] Dogtag Certificate System
Component: ESC
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Asha Akkiangady <aakkiang>
Assignee: Jack Magne <jmagne>
QA Contact: Chandrasekar Kannan <ckannan>
CC: alee, benl, mharmsen
Doc Type: Bug Fix
Clones: 505685
Bug Blocks: 443788, 505685
Last Closed: 2009-07-22 23:33:43 UTC

Attachments (description, flags):
  347499  Config changes to make this feature configurable.   none
  347615  Fixed patch to address this problem.                 none
  347644  Sample documentation text to explain this feature.   none

Description Asha Akkiangady 2009-03-25 19:51:54 UTC
Description of problem:
A security officer token that is in temp lost status can be used to login to the so work-station UI.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:


Steps to Reproduce:
1. Set phone home URL and Enroll Security Officer SOfficer#1 with a token#1.
2. From tps agent page select SOfficer#1 token and put it to a status "This token has been temporarily lost".
3. From agent page select the token again and make sure token status is 'lost' and Reason is 'onHold'.
4. set esc-prefs.js to have esc.security.url to be so workstation UI.
5. restart smart card manager app 
6. Insert token#1 

Actual results:
Token is recognized and it requests SOfficer#1's password; by providing the right password one can perform work station functions such as enrollment and format.

Expected results:
Esc should throw an error message that it's an invalid security officer token.

Additional info:

Comment 1 Asha Akkiangady 2009-03-25 20:02:47 UTC
A permanently lost security officer token is also able to login to the work-station UI and perform operations.

Comment 2 Jack Magne 2009-06-10 18:01:10 UTC
Will give this a try with the ocsp feature turned on.

Comment 3 Jack Magne 2009-06-11 23:53:39 UTC
I've gotten this to basically work with the following test version of nss installed:

nss-3.12.3.99.3-1

This whole issue is talked about in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=499052

Once a working nss is installed, the tps server can be configured by adding the following lines to the nss.conf file:


# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on


#URL of the ocsp service
#Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://localhost:9180/ca/ocsp

#Nickname of ocsp signing cert
#Below is sufficient if using built in CS CA ocsp service
#If using outboard ocsp, make sure the cert listed below
#is imported into the local cert database.

NSSOCSPDefaultName caCert 


Set the URL to your actual CA.
The NSSOCSPDefaultName might have to change if using an outboard ocsp server.


I thought it would be reasonable to put these items in the nss.conf for both tps and ra, but have them all commented out, so the user can configure it as desired.


The following patch describes the changes to the nss.conf files.

Comment 4 Jack Magne 2009-06-11 23:54:35 UTC
Created attachment 347499 [details]
Config changes to make this feature configurable.

Comment 5 Jack Magne 2009-06-11 23:57:55 UTC
If OCSP is successfully configured on the TPS, this bug will be addressed to the following extent:

1. If the Security Officer's certificate has been revoked, TPS will consult the OCSP responder and deny entry into this UI. The following is the current downside of this approach:

The current NSS uses a caching mechanism for requests it has made to the OCSP server. The first time NSS has to consult the OCSP on behalf of a certificate, it puts that cert's information into a cache. If the cert is then unrevoked, there is a wait of about one hour, as far as I can tell, before the OCSP is actually consulted again. For now, this may be the best we can do.

Comment 6 Jack Magne 2009-06-12 17:04:51 UTC
Created attachment 347615 [details]
Fixed patch to address this problem.

Comment 7 Jack Magne 2009-06-12 18:36:26 UTC
Created attachment 347644 [details]
Sample documentation text to explain this feature.

Here is some sample text designed to document to the user how to operate this feature.

Comment 8 Matthew Harmsen 2009-06-12 19:23:51 UTC
attachment (id=347615) +mharmsen

CAVEAT:

I would suggest the following format for clarity in both the RA and TPS nss.conf:

# Configure OCSP checking of client certs

#NSSOCSP on
#NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#     Example of the built in ocsp service of the  CS CA

#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#     Below is sufficient if using built in CS CA ocsp service
#
#     If using outboard ocsp, make sure the cert listed below
#     is imported into the local cert database.

#NSSOCSPDefaultName caCert

Comment 9 Jack Magne 2009-06-12 19:32:35 UTC
svn commit -m "Bugzilla Bug# 492189, Security Officer: a security officer token that is in temp lost status can be used to login to the so work station UI."
Sending        base/ra/apache/conf/nss.conf
Sending        base/tps/apache/conf/nss.conf
Transmitting file data ..
Committed revision 585.

Comment 10 Asha Akkiangady 2009-07-09 23:59:29 UTC
Verified.

Trying to login to the so workstation with a temporarily lost security officer token shows a dialog with "SSL Peer rejected your certificate as revoked".

Did the following changes and restarted tps server

Imported ocsp signing cert from CA's alias directory to tps's alias directory and Tps nss.conf has the following settings:

# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#   Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://dhcp-108.sjc.redhat.com:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#    Below is sufficient if using built in CS CA ocsp service
#    If using outboard ocsp, make sure the cert listed below
#    is imported into the local cert database.

NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"
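To make the three nss.conf variants in this thread easier to compare (the enabled settings in comment 3, the commented-out template in comment 8, and the verified settings in comment 10), here is an added Python checker for the four mod_nss OCSP directives. It is an example written for this page, not code from Dogtag or mod_nss; the sample configurations embedded in it are constructed from the snippets above, reusing the localhost responder URL from comment 3. The reading that NSSOCSPDefaultResponder off makes mod_nss fall back to the responder URL in each client certificate's AIA extension is my understanding of the mod_nss directives, not something the bug states.

```python
"""Check which mod_nss OCSP directives are actually active in an nss.conf.

Added example for this bug page (not part of Dogtag or mod_nss). It parses
NSSOCSP, NSSOCSPDefaultResponder, NSSOCSPDefaultURL and NSSOCSPDefaultName,
ignoring commented-out lines, and reports whether client-certificate OCSP
checking would be in effect and what is missing for the default responder.
"""
import shlex
from urllib.parse import urlparse

OCSP_DIRECTIVES = ("NSSOCSP", "NSSOCSPDefaultResponder",
                   "NSSOCSPDefaultURL", "NSSOCSPDefaultName")
# mod_nss directive names are matched case-insensitively (assumption taken
# from Apache's usual directive handling); canonical spelling is returned.
_CANONICAL = {d.lower(): d for d in OCSP_DIRECTIVES}


def parse_ocsp_directives(text):
    """Return {directive: value} for the active (non-comment) OCSP lines.

    Quoted values such as "ocspSigningCert cert-pki-ca" are unquoted with
    shlex, so the nickname comes back exactly as NSS would look it up.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the commented-out template enables nothing
        parts = shlex.split(line)
        if not parts:
            continue
        name = _CANONICAL.get(parts[0].lower())
        if name is not None:
            found[name] = " ".join(parts[1:])
    return found


def check_ocsp(text):
    """Classify an nss.conf fragment.

    Returns (status, issues):
      'disabled' - NSSOCSP is not 'on' (e.g. the all-commented template)
      'peer-aia' - OCSP on but no default responder; my understanding is that
                   mod_nss then uses the AIA URL inside each client cert
      'default'  - OCSP on with a default responder (the verified setup)
    issues lists what would stop the default responder from working.
    Even a correct config is subject to the NSS response cache described in
    comment 5: an unrevoked cert may keep being rejected for about an hour.
    """
    d = parse_ocsp_directives(text)
    issues = []
    if d.get("NSSOCSP", "off").lower() != "on":
        return "disabled", issues
    if d.get("NSSOCSPDefaultResponder", "off").lower() != "on":
        return "peer-aia", issues
    url = d.get("NSSOCSPDefaultURL", "")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        issues.append("NSSOCSPDefaultURL missing or not an absolute "
                      "http(s) URL: %r" % url)
    if not d.get("NSSOCSPDefaultName"):
        issues.append("NSSOCSPDefaultName (nickname of the responder's "
                      "signing cert, which must be in the local cert db) missing")
    return "default", issues


# Constructed samples modelled on the snippets in this bug.
TEMPLATE_CONF = """\
# Configure OCSP checking of client certs
#NSSOCSP on
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
#NSSOCSPDefaultName caCert
"""

ENABLED_CONF = """\
NSSOCSP on
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"
"""

MISSING_NAME_CONF = """\
NSSOCSP on
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
"""

if __name__ == "__main__":
    for label, conf in (("template", TEMPLATE_CONF),
                        ("enabled", ENABLED_CONF),
                        ("missing-name", MISSING_NAME_CONF)):
        status, issues = check_ocsp(conf)
        print("%-12s %-9s %s" % (label, status, "; ".join(issues) or "ok"))
```

Run as a script it prints one line per sample; point `check_ocsp` at the text of a real tps or ra nss.conf to see whether the template was actually uncommented and whether the signing-cert nickname was filled in.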

Comment 11 Asha Akkiangady 2009-07-12 21:01:26 UTC
Unable to login to the esc security officer station on Vista after these steps. Operation timed out when attempting to contact tps server host.
Putting this bug to assigned status.

1. Set phone home URL and Enroll Security Officer SOfficer#1 with a token#1.

2. Imported ocsp signing cert from CA's alias directory to tps's alias directory

3. Tps nss.conf has following settings:

# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#   Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://dhcp-108.sjc.redhat.com:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#    Below is sufficient if using built in CS CA ocsp service
#    If using outboard ocsp, make sure the cert listed below
#    is imported into the local cert database.

NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"

4. Restart tps.

5. From tps agent page select SOfficer#1 token token#1 and put it to a status "This token has been temporarily lost".

6. set esc-prefs.js to have esc.security.url to be so workstation UI.

7. Start esc and login to so workstation with token#1, Error message "SSL Peer rejected your certificate as revoked".

8. From tps agent page select SOfficer#1 token token#1 and put it to a status "This temporarily lost token has been found".

9. Restart tps.

10. Start esc and login to so workstation with token#1, able to login.

11. Reboot the machine on which CS subsystems are installed.

12. Start directory server and all the CS subsystems.

13. From ESC login to so workstation with token#1.

Actual Result:
Operation timed out when attempting to contact tps host.

Expected:
Successfully login to so workstation with token#1 and perform user enrollments.


Additional info:
Enrolling user in the regular esc mode after step #13 gives error message "Enrollment of smart card failed. Smart card manager has lost the connection to the Smart card server".

Comment 12 Jack Magne 2009-07-13 16:51:03 UTC
So, the problem here is the following:

1. Revoke the user and see that the OCSP server rejects the cert.
2. Bring back the user and see that the OCSP server lets the cert in.
3. For some reason, reboot the machine and restart all servers and try again, which results in a timed out connection.

If so, will take a look.

Comment 13 Asha Akkiangady 2009-07-13 18:41:59 UTC
The firewall was turned on on the host; we turned off the firewall and the security officer token worked fine.