Bug 502861
| Field | Value |
|---|---|
| Summary | "Signed CMC-Authenticated User Certificate Enrollment" fails with Authorization error |
| Product | [Retired] Dogtag Certificate System |
| Component | Tools - Java |
| Version | 1.1 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Hardware | All |
| OS | Linux |
| Reporter | Kashyap Chamarthy <kchamart> |
| Assignee | Christina Fu <cfu> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | alee, awnuk, benl, cfu, jmagne |
| Doc Type | Bug Fix |
| Last Closed | 2009-07-22 23:35:43 UTC |
| Bug Blocks | 443788 |

Description
Kashyap Chamarthy
2009-05-27 14:46:59 UTC

Created attachment 345619
ca debug log during the CMC-authenticated user cert enrollment

Re-assigning to cfu per CS meeting of 6/1/2009.

Created attachment 346595
usrid contains the uid

For CMCAuth, the userid contains the uid, and uid contains the cn. Renewal works with this cert too.

attachment (id=346595) +awnuk

[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/evaluators
Sending src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
Transmitting file data .
Committed revision 551.
[cfu@jaw common]$ svn commit pki-common.spec
Sending pki-common.spec
Transmitting file data .
Committed revision 552.

I tried with June-8th-2008 build. But still see the same error.

<snip>
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
</snip>

Please let me know if I'm missing anything.

--------------------------------------------------------------
[root@tel53 logs]# tail -100 /var/lib/pki-ca/logs/debug
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMSServlet: caProfileSubmit start to service.
[08/Jun/2009:06:59:04][http-9580-Processor19]: xmlOutput false
[08/Jun/2009:06:59:04][http-9580-Processor19]: Start of ProfileSubmitServlet Input Parameters
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter cert_request='[base64-encoded CMC request omitted]'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter renewal='false'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_phone='2343243113'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_name='james'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter requestor_email='james'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter xmlOutput='false'
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet Input Parameter profileId='caCMCUserCert'
[08/Jun/2009:06:59:04][http-9580-Processor19]: End of ProfileSubmitServlet Input Parameters
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: start serving
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: SubId=profile
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: isRenewal false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: profileId caCMCUserCert
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authenticator CMCAuth found
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authNames not null
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authName:cert_request
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet:setCredentialsIntoContext() authName found in request
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmistServlet: set Inputs into profile Context
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: set sslClientCertProvider
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: start checking signature
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: verifying signature with public key
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: finished checking signature
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: started
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:06:59:04][http-9580-Processor19]: CertUserDBAuth: Got client certificate
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: Authentication: client certificate found
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: Authentication: mapped certificate to user
[08/Jun/2009:06:59:04][http-9580-Processor19]: authenticated uid=admin,ou=People,dc=tel53.pnq.redhat.com-pki-ca-te
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMCAuth: in PKCS10
[08/Jun/2009:06:59:04][http-9580-Processor19]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=enrollment][CertSubject=CN=testuser35,O=someorg,L=pune,ST=Mah,C=In][SignerInfo=CA Administrator of Instance pki-ca] agent pre-approved CMC request signature verification
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authToken not null
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authz using acl: group="Certificate Manager Agents"
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluating expressions: group="Certificate Manager Agents"
[08/Jun/2009:06:59:04][http-9580-Processor19]: getConn: mNumConns now 2
[08/Jun/2009:06:59:04][http-9580-Processor19]: returnConn: mNumConns now 3
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
[08/Jun/2009:06:59:04][http-9580-Processor19]: CMSServlet: curDate=Mon Jun 08 06:59:04 GMT+05:30 2009 id=caProfileSubmit time=30
--------------------------------------------------------------------

You don't seem to have the build containing my fix. Did the build system actually pick up the fix?

Verified. CMC Enrolment works perfectly with the new fix (June-8th-build).
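
One way to triage this failure pattern from the CA debug log, as an added example that is not part of the original bug report or of Dogtag itself: it groups log lines by worker thread and reports requests where authentication mapped a user but the ACL evaluation then denied the request. The sample lines are excerpted from the log quoted above; the function name `authz_failures` and the field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines excerpted from the debug log quoted in this bug report.
SAMPLE_LOG = """\
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: profileId caCMCUserCert
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authenticator CMCAuth found
[08/Jun/2009:06:59:04][http-9580-Processor19]: authenticated uid=admin,ou=People,dc=tel53.pnq.redhat.com-pki-ca-te
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet: authz using acl: group="Certificate Manager Agents"
[08/Jun/2009:06:59:04][http-9580-Processor19]: evaluated expression: group="Certificate Manager Agents" to be false
[08/Jun/2009:06:59:04][http-9580-Processor19]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Certificate Manager Agents", operation: {1}
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
FIELDS = {  # hypothetical field names -> pattern over the message part
    "profile": re.compile(r"ProfileSubmitServlet: profileId (\S+)"),
    "authenticator": re.compile(r"ProfileSubmitServlet: authenticator (\S+) found"),
    "dn": re.compile(r"^authenticated (\S+)"),
    "acl": re.compile(r"authz using acl: (.+)$"),
    "denied": re.compile(r"Authorization failed on resource: (.+), operation:"),
}

def authz_failures(log_text):
    """Return one dict per request that authenticated but was then denied."""
    state = defaultdict(dict)  # fields collected so far, keyed by worker thread
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no timestamp prefix
        ctx = state[m["thread"]]
        if "CMSServlet:" in m["msg"] and "start to service" in m["msg"]:
            ctx.clear()  # a new request begins on this worker thread
            continue
        for name, rx in FIELDS.items():
            hit = rx.search(m["msg"])
            if hit:
                ctx[name] = hit.group(1)
        if "denied" in ctx:
            if "dn" in ctx:  # authentication succeeded, authorization refused
                findings.append({"ts": m["ts"], **ctx})
            ctx.clear()
    return findings
```

A finding whose `dn` is a user that is in fact a member of the group named in `acl` points at the evaluator rather than at the directory data.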