Bug 504697
Summary: | certificates always issued by admin | ||
---|---|---|---|
Product: | [Retired] Dogtag Certificate System | Reporter: | Chandrasekar Kannan <ckannan> |
Component: | CA | Assignee: | Andrew Wnuk <awnuk> |
Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | unspecified | CC: | awnuk, benl, dpal |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2009-06-10 04:21:34 UTC | Type: | --- |
Bug Blocks: | 443788 |
Description
Chandrasekar Kannan
2009-06-08 20:15:56 UTC
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: caListRequests start to service.
[08/Jun/2009:13:05:38][http-9443-Processor16]: DisplayHtmlServlet about to service
[08/Jun/2009:13:05:38][http-9443-Processor16]: IP: 10.14.52.236
[08/Jun/2009:13:05:38][http-9443-Processor16]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: certUID=UID=ckannan,E=ckannan,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: started
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: client certificate found
[08/Jun/2009:13:05:38][http-9443-Processor16]: getConn: mNumConns now 14
[08/Jun/2009:13:05:38][http-9443-Processor16]: returnConn: mNumConns now 15
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: mapped certificate to user
[08/Jun/2009:13:05:38][http-9443-Processor16]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:05:38][http-9443-Processor16]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: curDate=Mon Jun 08 13:05:38 PDT 2009 id=caListRequests time=2
-------------
[08/Jun/2009:13:06:48][http-9443-Processor8]: CMSServlet: curDate=Mon Jun 08 13:06:48 PDT 2009 id=caqueryReq time=22
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet::service() param name='requestId' value='79980'
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: caProfileReview start to service.
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: start serving
[08/Jun/2009:13:06:50][http-9443-Processor14]: IP: 10.14.52.236
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: certUID=UID=ckannan,E=ckannan,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: started
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: client certificate found
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: mapped certificate to user
[08/Jun/2009:13:06:50][http-9443-Processor14]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:06:50][http-9443-Processor14]: checkACLS(): ACLEntry expressions= group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluating expressions: group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: UGSubsystem.isMemberOf() using new lookup code
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search base: cn=Certificate Manager Agents,ou=groups,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search filter: (uniquemember=uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca)
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization result: true
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluated expression: group="Certificate Manager Agents" to be true
[08/Jun/2009:13:06:50][http-9443-Processor14]: DirAclAuthz: authorization passed
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=ckannan][Outcome=Success][aclResource=certServer.ca.request.profile][Op=read] authorization success
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: SubId=profile
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980 profileId=caUserCert
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: profileSetId=userCertSet
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthInfoAccess num=5
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension. get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension. get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: curDate=Mon Jun 08 13:06:50 PDT 2009 id=caProfileReview time=11
-----------------
Certificate Profile Information
Certificate Profile Id: caUserCert
Approved By: admin
Certificate Profile Name: Manual User Dual-Use Certificate Enrollment
Certificate Profile Description: This certificate profile is for enrolling user certificates.
----------------

0x0000006a issued for 'agent2' by 'admin' with caUserCert
0x0000006b issued for 'aaa' by 'agent2' with caUserCert
0x0000006c issued for 'xxx' by 'system' with caDirUserCert

I do not all certificates being issued by admin only.
Here is a corresponding certificate list:

Serial number: 0x0000006a
Subject name: UID=agent2
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 2048-bit key
Not valid before: 6/8/2009 15:09:37
Not valid after: 12/5/2009 14:09:37
Issued on: 6/8/2009 15:09:50
Issued by: admin

Serial number: 0x0000006b
Subject name: UID=aaa
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:11:37
Not valid after: 12/5/2009 14:11:37
Issued on: 6/8/2009 15:11:54
Issued by: agent2

Serial number: 0x0000006c
Subject name: UID=xxx, OU=People, DC=sjc, DC=redhat, DC=com
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:13:41
Not valid after: 12/5/2009 14:13:41
Issued on: 6/8/2009 15:13:41
Issued by: system

Haven't been able to reproduce this myself. Closing bug.
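
Added example, not part of the bug report and not Dogtag code: a small parser for the debug-log format quoted in the description that records, per request ID, which subject authenticated and which role was assumed on the same servlet thread, so the result can be set beside the "Issued by" / "Approved By" values shown above. The sample lines are copied from the log in this report; the function and variable names are hypothetical, and it assumes that lines on one thread between a `service()` call and a `requestId=` line belong to the same HTTP request.

```python
import re
from collections import defaultdict

# Lines copied from the debug log in the report above (one thread, one request).
SAMPLE = """\
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=ckannan][Outcome=Success][aclResource=certServer.ca.request.profile][Op=read] authorization success
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980 profileId=caUserCert
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")          # [Key=Value] pairs of an audit event
REQ = re.compile(r"requestId=(\d+)(?: profileId=(\S+))?")

def actors_by_request(log_text):
    """Map requestId -> subject, role, resource and op seen on the same thread."""
    state = defaultdict(dict)   # per-thread context since the last service() call
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if msg.startswith("CMSServlet:service() uri"):
            # Assumption: a new service() line starts a new request on this thread.
            state[thread] = {"uri": msg.split("=", 1)[1].strip()}
        elif "SignedAuditEventFactory" in msg:
            ev, ctx = dict(FIELD.findall(msg)), state[thread]
            if ev.get("AuditEvent") == "AUTH_SUCCESS":
                ctx["subject"] = ev.get("SubjectID")
            elif ev.get("AuditEvent") == "AUTHZ_SUCCESS":
                ctx["resource"], ctx["op"] = ev.get("aclResource"), ev.get("Op")
            elif ev.get("AuditEvent") == "ROLE_ASSUME":
                ctx["role"] = ev.get("Role")
        elif "Servlet: requestId=" in msg and (r := REQ.search(msg)):
            entry = result.setdefault(r.group(1), dict(state[thread]))
            if r.group(2):
                entry["profile"] = r.group(2)
    return result

if __name__ == "__main__":
    for req_id, info in actors_by_request(SAMPLE).items():
        print(req_id, info)
```
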