Bug 506305
| Summary: | revoking user certs fail from the RA due to nonces changes | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Ade Lee <alee> | ||||
| Component: | RA | Assignee: | Andrew Wnuk <awnuk> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 1.1 | CC: | benl, cfu, dpal, mharmsen | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-07-22 23:36:33 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 443788 | ||||||
| Attachments: |
|
||||||
Created attachment 348341 [details]
proposed fix
attachment (id=348341) +mharmsen svn commit pki/dogtag/common/pki-common.spec Sending pki/dogtag/common/pki-common.spec Transmitting file data . Committed revision 623. svn commit pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java Sending pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java Transmitting file data . Committed revision 624. Verified. Able to revoke certificates in RA successfully with build(18-june-09) --------- [root@pkiserv ~]# rpm -qi pki-ra | grep -i build Release : 20.beta Build Date: Thu 18 Jun 2009 01:18:31 PM IST Install Date: Thu 18 Jun 2009 08:15:11 PM IST Build Host: heath.dsdev.sjc.redhat.com ---------- |
Description of problem: Revoking a user certificate from the RA fails due to recent nonces changes. Setting ca.enableNonces=false on the CA allows the revocation to complete successfully. In the CA log, we see the following: [15/Jun/2009:23:27:22][http-9443-Processor24]: according to ccMode, authorization for servlet: caDoRevoke is LDAP based, not XML {1}, use default authz mgr: {2}. [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet:service() uri = /ca/agent/ca/doRevoke [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='revocationReason' value='6' [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='xml' value='true' [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='totalRecordCount' value='1' [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='revokeAll' value='(certRecordId=0x10)' [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet::service() param name='op' value='revoke' [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: caDoRevoke start to service. [15/Jun/2009:23:27:22][http-9443-Processor24]: IP: 10.14.1.104 [15/Jun/2009:23:27:22][http-9443-Processor24]: AuthMgrName: certUserDBAuthMgr [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: retrieving SSL certificate [15/Jun/2009:23:27:22][http-9443-Processor24]: CMSServlet: certUID=CN=RA Subsystem Certificate,OU=pki-ra,O=oliver 0616 domain [15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: started [15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: Retrieving client certificate [15/Jun/2009:23:27:22][http-9443-Processor24]: CertUserDBAuth: Got client certificate [15/Jun/2009:23:27:22][http-9443-Processor24]: Authentication: client certificate found [15/Jun/2009:23:27:22][http-9443-Processor24]: getConn: mNumConns now 2 [15/Jun/2009:23:27:23][http-9443-Processor24]: returnConn: mNumConns now 3 [15/Jun/2009:23:27:23][http-9443-Processor24]: Authentication: mapped certificate to user [15/Jun/2009:23:27:23][http-9443-Processor24]: authenticated uid=RA-oliver.dsdev.sjc.redhat.com-12889,ou=People,dc=oliver.dsdev.sjc.redhat.com-pki-ca [15/Jun/2009:23:27:23][http-9443-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=RA-oliver.dsdev.sjc.redhat.com-12889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success [15/Jun/2009:23:27:23][http-9443-Processor24]: DoRevoke: Missing nonce [15/Jun/2009:23:27:23][http-9443-Processor24]: DoRevoke: nonceVerified=false Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: