
Bug 683172

Summary: pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone
Product: Red Hat Enterprise Linux 6
Component: pki-core
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Target Milestone: rc
Reporter: Ade Lee <alee>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea, kchamart, kevinu
Fixed In Version: pki-core-9.0.3-9.el6 ipa-pki-theme-9.0.3-6.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:44:10 UTC
Bug Blocks: 683173

Attachments (description, flags):
  patch to fix (awnuk: review+)
  patch to fix ui (awnuk: review+)
  Patch + spec file changes (awnuk: review+)
  Patch + spec file changes (UI) (awnuk: review+)

Description Ade Lee 2011-03-08 18:21:32 UTC
Description of problem:

pkisilent needs to provide an option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone.  Currently, there is no option which means the default (LDAP) is used.  This means replications are in the clear.

The change requires a change to pkisilent and to pki-common in the database panel.

Comment 1 Ade Lee 2011-03-08 22:50:08 UTC
Created attachment 483056
patch to fix

Comment 2 Ade Lee 2011-03-08 22:51:13 UTC
Created attachment 483057
patch to fix ui

Comment 3 Ade Lee 2011-03-09 07:03:15 UTC
6.1:

[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #683172 - pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
Sending        base/silent/src/ca/ConfigureCA.java
Sending        base/silent/src/drm/ConfigureDRM.java
Sending        base/silent/src/ocsp/ConfigureOCSP.java
Sending        base/silent/src/subca/ConfigureSubCA.java
Sending        base/silent/src/tks/ConfigureTKS.java
Sending        base/silent/templates/pki_silent.template
Sending        dogtag/common-ui/shared/admin/console/config/databasepanel.vm
Transmitting file data ........
Committed revision 1886.

Comment 4 Matthew Harmsen 2011-03-09 20:23:14 UTC
Extrapolating from Bugzilla Bug #682021:

    ./pki/scripts/pki_patch_maker 1880 1887 pki-core 9.0.3
        pki-core-9.0.3-r1886.patch

Comment 5 Matthew Harmsen 2011-03-09 20:41:51 UTC
Created attachment 483303
Patch + spec file changes

Comment 6 Matthew Harmsen 2011-03-09 20:46:51 UTC
IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/pki-core-9.0.3-r1886.patch
M       specs/pki-core.spec

# svn commit
Adding         patches/pki-core-9.0.3-r1886.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 1889.

Comment 7 Matthew Harmsen 2011-03-09 20:53:38 UTC
Published patch to http://pki.fedoraproject.org/pki/sources/pki-core/

Comment 8 Matthew Harmsen 2011-03-09 21:23:03 UTC
For 'ipa-pki-theme':

    ./pki/scripts/pki_patch_maker 1834 1887 ipa-pki-theme 9.0.3
        ipa-pki-theme-9.0.3-r1886.patch

Comment 9 Matthew Harmsen 2011-03-09 22:07:50 UTC
Created attachment 483319
Patch + spec file changes (UI)

Comment 10 Matthew Harmsen 2011-03-09 22:21:37 UTC
IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/ipa-pki-theme-9.0.3-r1886.patch
M       specs/ipa-pki-theme.spec

# svn commit
Adding         patches/ipa-pki-theme-9.0.3-r1886.patch
Sending        specs/ipa-pki-theme.spec
Transmitting file data ..
Committed revision 1891.

Comment 11 Matthew Harmsen 2011-03-09 22:43:05 UTC
Published patch to http://pki.fedoraproject.org/pki/sources/ipa-pki-theme/

Comment 13 Jenny Severance 2011-04-20 18:38:46 UTC
Need official steps to reproduce? Or will this suffice for verification?

IPA REPLICA Install pkicreate invocation (NOTE: -clone_start_tls true):

011-04-20 13:55:55,748 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname dhcp-100-18-11.testrelm -cs_port 9445 -client_certdb_dir /tmp/tmp-62GRKS -client_certdb_pwd 'XXXXXXXX' -preop_pin X7qm865z7jkMglDGvsne -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=TESTRELM" -ldap_host dhcp-100-18-11.testrelm -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=TESTRELM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=TESTRELM" -ca_server_cert_subject_name "CN=dhcp-100-18-11.testrelm,O=TESTRELM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=TESTRELM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=TESTRELM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname dhcp-100-18-10.testrelm -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://dhcp-100-18-10.testrelm:9444



Configuration Agreement post install (NOTE: nsDS5ReplicaTransportInfo: TLS):

# cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca, replica, o\3Dipaca, mapping
  tree, config
dn: cn=cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca,cn=replica,cn=o\3Dipaca,
 cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: dhcp-100-18-10.testrelm
nsDS5ReplicaPort: 7389
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-dhcp-100-18-11.tes
 trelm-pki-ca,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaCredentials: {DES}JDmnMc3VmYfPXXLKaB2LoA==
nsds50ruv: {replicageneration} 4daf12fb000000600000
nsds50ruv: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 4daf132f0000006000
 00 4daf1e2b000100600000
nsds50ruv: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 4daf1e0e0000005600
 00 4daf1efc000100560000
nsds50ruv: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 4daf19f70000005b00
 00 4daf1a4b0002005b0000
nsds50ruv: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 4daf13120000006100
 00 4daf1366000200610000
nsruvReplicaLastModified: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110420183048Z
nsds5replicaLastUpdateEnd: 20110420183048Z
nsds5replicaChangesSentSinceStartup:: ODY6MS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE


Versions:
pki-silent-9.0.3-10.el6.noarch
ipa-server-2.0.0-23.el6.x86_64
pki-ca-9.0.3-10.el6.noarch
ds-replication-1.2.8.0-1.el6.x86_64
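
A check for the condition verified in comment 13, as an added example that is not part of the original bug report or of the pki-core code: it parses LDIF of the kind shown above (folded lines, `::` base64 values) and reports any replication agreement whose nsDS5ReplicaTransportInfo is absent or not an encrypted transport. The function names and the sample entries are constructed for illustration, and treating SSL as encrypted alongside TLS is an assumption about the values the directory server accepts.

```python
import base64

ENCRYPTED = {"TLS", "SSL"}   # assumption: a missing attribute means the default, LDAP

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # LDIF folds long lines as newline + one space; undo that before parsing.
    logical = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entry = {}
    for line in logical + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())

def audit_agreements(text):
    """Return (cn, host, transport, encrypted) per replication agreement."""
    results = []
    for e in parse_ldif(text):
        if "nsds5replicationagreement" in (c.lower() for c in e.get("objectclass", [])):
            transport = e.get("nsds5replicatransportinfo", ["LDAP"])[0]
            results.append((e["cn"][0], e.get("nsds5replicahost", ["?"])[0],
                            transport, transport.upper() in ENCRYPTED))
    return results

# Constructed sample, not taken from the bug: a TLS agreement with folded
# comment and DN lines, and an agreement that omits the attribute.
SAMPLE = r"""
# cloneAgreement1-replica2.example.test-pki-ca, replica, o\3Dipaca, mapping
  tree, config
dn: cn=cloneAgreement1-replica2.example.test-pki-ca,cn=replica,cn=o\3Dipaca,
 cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: cloneAgreement1-replica2.example.test-pki-ca
nsDS5ReplicaHost: replica1.example.test
nsDS5ReplicaTransportInfo: TLS

dn: cn=legacyAgreement,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: legacyAgreement
nsDS5ReplicaHost: replica3.example.test
"""

for row in audit_agreements(SAMPLE):
    print("OK  " if row[3] else "FAIL", *row[:3])
```

Each FAIL row names an agreement whose replication traffic would travel in the clear, which is the state this bug describes for clones created without -clone_start_tls true.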

Comment 14 Jenny Severance 2011-04-20 18:43:59 UTC
Marking verified based on comment 13

Comment 15 errata-xmlrpc 2011-05-19 13:44:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0627.html