Bug 500738

Summary: (nethsm2k) : KRA : installation wizard fails
Product: [Retired] Dogtag Certificate System
Reporter: Chandrasekar Kannan <ckannan>
Component: DRM
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Priority: urgent
Version: unspecified
CC: alee, benl, mharmsen
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:35:17 UTC
Bug Blocks: 443788    
Attachments (Description / Flags):
- solution for working around some underlying issue with jss and hsm / none
- added a helpful debug message / none
- spec file change / none

Description Chandrasekar Kannan 2009-05-13 21:04:01 UTC
test setup:

1 - rhel 5.3 x86_64 with nethsm 2000 attached
2 - install a rootCA 
3 - install kra. join to security domain in Step(2)

Installation wizard proceeds just fine. I don't see any issues.
But when I restart KRA, I can't go into the agent page.
Sure enough, I do have the KRA agent cert.

but when I look in /var/lib/pki-kra/alias/ I see just the
transport cert.

nethsm2k:transportCert cert-pki-kra                          u,u,u

I don't see the server cert or storage cert.

Comment 1 Chandrasekar Kannan 2009-05-14 14:01:20 UTC
update - this problem doesn't happen on a machine that has no nethsm installed.
         so something to do with the way we work with nethsm.

Comment 4 Christina Fu 2009-06-01 16:14:12 UTC
*** Bug 500756 has been marked as a duplicate of this bug. ***

Comment 5 Christina Fu 2009-06-01 16:50:10 UTC
Created attachment 346100
solution for working around some underlying issue with jss and hsm

Comment 6 Christina Fu 2009-06-02 15:32:24 UTC
Created attachment 346273
added a helpful debug message

Comment 7 Jack Magne 2009-06-02 19:10:39 UTC
Attachment (id=346273) +jmagne.

Comment 8 Christina Fu 2009-06-02 19:49:06 UTC
[cfu@jaw common]$ svn commit
Sending        common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
Sending        common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data ..pwd

Committed revision 539.
[cfu@jaw common]$ pwd
/home/cfu/dogtag/hsm4/pki/base/common

Comment 9 Christina Fu 2009-06-02 19:50:53 UTC
Created attachment 346308
spec file change

Comment 10 Chandrasekar Kannan 2009-06-04 21:14:03 UTC
Verified with today's build

[root@sigma ~]# rpm -qi pki-common
Name        : pki-common                   Relocations: (not relocatable)
Version     : 8.0.0                             Vendor: Red Hat, Inc.
Release     : 12.beta                       Build Date: Thu 04 Jun 2009 01:49:42 AM PDT
Install Date: Thu 04 Jun 2009 01:36:03 PM PDT      Build Host: payday.dsdev.sjc.redhat.com
Group       : System Environment/Base       Source RPM: pki-common-8.0.0-12.beta.src.rpm
Size        : 2780418                          License: GPLv2 with exceptions
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.redhat.com/certificate_system
Summary     : Red Hat Certificate System - PKI Common Framework
Description :
Red Hat Certificate System is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

The Red Hat PKI Common Framework is required by the following four
Red Hat PKI subsystems:

    the Red Hat Certificate Authority,
    the Red Hat Data Recovery Manager,
    the Red Hat Online Certificate Status Protocol Manager, and
    the Red Hat Token Key Service.
[root@sigma ~]# certutil -L -d /var/lib/pki-kra/alias -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:subsystemCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-ca                        u,u,u
nethsm2k:ocspSigningCert cert-pki-ca                         u,u,u
nethsm2k:transportCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-tks                       u,u,u
nethsm2k:Server-Cert cert-pki-ra                             u,u,u
nethsm2k:subsystemCert cert-pki-ocsp                         u,u,u
nethsm2k:auditSigningCert cert-pki-kra                       u,u,u
nethsm2k:auditSigningCert cert-pki-tps                       u,u,u
nethsm2k:subsystemCert cert-pki-ca                           u,u,u
nethsm2k:auditSigningCert cert-pki-ocsp                      u,u,u
nethsm2k:Server-Cert cert-pki-ca                             u,u,u
nethsm2k:Server-Cert cert-pki-tps                            u,u,u
nethsm2k:subsystemCert cert-pki-tks                          u,u,u
nethsm2k:caSigningCert cert-pki-ca                           CTu,cu,u
nethsm2k:subsystemCert cert-pki-tps                          u,u,u
nethsm2k:Server-Cert cert-pki-ocsp                           u,u,u
nethsm2k:Server-Cert cert-pki-tks                            u,u,u
nethsm2k:ocspSigningCert cert-pki-ocsp                       u,u,u
nethsm2k:storageCert cert-pki-kra                            u,u,u
nethsm2k:Server-Cert cert-pki-kra                            u,u,u
nethsm2k:subsystemCert cert-pki-ra                           u,u,u
[root@sigma ~]#
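
Added example (not part of the original bug report or the Dogtag code): a post-install check that parses a `certutil -L -h <token>` listing and reports which KRA certificates are missing from the HSM token, the symptom described above. The expected nickname set is an assumption taken from the verified listing in comment 10; the two sample listings are constructed from lines quoted on this page.

```sh
#!/bin/sh
# Assumption: a complete KRA instance has these five certs on the token
# (nicknames as they appear in the verified listing in comment 10).
EXPECTED_KRA_CERTS='transportCert storageCert Server-Cert subsystemCert auditSigningCert'

# missing_certs TOKEN INSTANCE  (certutil listing on stdin)
# Prints the expected cert names that are absent, or present without the
# 'u' trust flag (certutil shows 'u' when the private key is available).
missing_certs() {
    token=$1
    instance=$2
    listing=$(cat)
    missing=''
    for name in $EXPECTED_KRA_CERTS; do
        nick="$token:$name $instance"
        # Nickname must start the line; the trust flags are the last field.
        if ! printf '%s\n' "$listing" | awk -v nick="$nick" '
                index($0, nick " ") == 1 && $NF ~ /u/ { found = 1 }
                END { exit !found }'; then
            missing="$missing $name"
        fi
    done
    printf '%s' "${missing# }"
}

# Constructed sample: the broken state from the description (transport cert only).
SAMPLE_BROKEN='nethsm2k:transportCert cert-pki-kra                          u,u,u'

# Constructed sample: the KRA lines from the verified listing, plus one CA line
# to show that other instances on the same token are ignored.
SAMPLE_OK='Certificate Nickname                                         Trust Attributes
nethsm2k:subsystemCert cert-pki-kra                          u,u,u
nethsm2k:transportCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-kra                       u,u,u
nethsm2k:Server-Cert cert-pki-ca                             u,u,u
nethsm2k:storageCert cert-pki-kra                            u,u,u
nethsm2k:Server-Cert cert-pki-kra                            u,u,u'

# Real use (command as shown on this page):
#   certutil -L -d /var/lib/pki-kra/alias -h nethsm2k | missing_certs nethsm2k cert-pki-kra
echo "broken sample, missing: $(printf '%s\n' "$SAMPLE_BROKEN" | missing_certs nethsm2k cert-pki-kra)"
echo "ok sample, missing: $(printf '%s\n' "$SAMPLE_OK" | missing_certs nethsm2k cert-pki-kra)"
```

An empty result means all five certificates are on the token with their keys; any names printed are the ones the installation failed to place there.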