Bug 705107

Summary: rhcs80 cannot do client auth with pkiconsole (ok with 7.3)
Product: Red Hat Enterprise Linux 6 Reporter: Jack Magne <jmagne>
Component: tomcatjssAssignee: Jack Magne <jmagne>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.2CC: alee, awnuk, cfu, dlackey, dpal, jgalipea, jmagne, kchamart, mharmsen, msauton
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcatjss-2.1.0-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 702716 Environment:
Last Closed: 2011-12-06 16:51:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 636597, 702716    
Bug Blocks: 445047    
Attachments:
Patch to address this issue. (flags: none)
Patch to address this issue. (flags: alee: review+)

Comment 2 Jack Magne 2011-08-06 00:53:38 UTC
Created attachment 516968 [details]
Patch to address this issue.

Comment 3 Jack Magne 2011-08-06 01:07:59 UTC
Tested patch on 6.1 system with the CA and tomcat 6. Configured the admin port to be set to "clientAuth=want".

Proceeding to this URL with firefox: https://host.com:9445/ca/admin/ca/getDomainXML. The servlet gave results for the case of presenting a valid client auth certificate and the case of not presenting a client auth certificate.

Caveat:

Ade: We had to fix an issue with respect to "sslget" that allowed it to only optionally provide a client cert. This fix was needed to pair up with this fix when doing the TPS and RA wizards. Do you recall that bug number?

Comment 4 Jack Magne 2011-08-06 01:10:49 UTC
Created attachment 516969 [details]
Patch to address this issue.

This is the actual patch, the previous one was entered in error.

Comment 5 Jack Magne 2011-08-08 19:29:55 UTC
Checkins:

rhel 6.2 branch:

svn commit -m "Fix Bug# 705107 -- rhcs80 cannot do client auth with pkiconsole (ok with 7.3)"
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Sending        jss/JSSSocketFactory.java
Transmitting file data .
Committed revision 164.

Comment 6 Jack Magne 2011-08-08 21:26:42 UTC
How To Test:

Perform the testing procedure for the original bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=702716

Note that the console is not supported in this context, so the web-browser-based portion of the test should be done.

Comment 8 Matthew Harmsen 2011-08-10 22:28:01 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd tomcatjss

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tomcatjss.spec
A       patches
A       patches/tomcatjss-client-auth.patch

# svn commit
Adding         patches
Adding         patches/tomcatjss-client-auth.patch
Sending        tomcatjss.spec
Transmitting file data ..
Committed revision 168.

Comment 9 Kashyap Chamarthy 2011-10-11 11:52:25 UTC
To verify this bz on RHEL6.2 , I'm trying to get 'getDomianXML' page for a CA.

So, I've got pki-ca configured on a RHEL 6.2
#############################################################
[root@dhcp201-176 ~]# service pki-cad status
pki-ca (pid 32108) is running...                           [  OK  ]
    Unsecure Port       = http://dhcp201-176.englab.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://dhcp201-176.englab.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://dhcp201-176.englab.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://dhcp201-176.englab.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://dhcp201-176.englab.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp201-176.englab.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://dhcp201-176.englab.pnq.redhat.com:9445
    ==========================================================================
[root@dhcp201-176 ~]# 
#############################################################

Then I tried to traverse
https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomianXML

Result: All I see is a blank page.


Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release 
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-176 ~]# 
#############################################################

Any hints here?

Comment 10 Marc Sauton 2011-10-11 12:53:36 UTC
typo?...
getDomainXML

Comment 11 Kashyap Chamarthy 2011-10-11 13:11:56 UTC
Whoops. That's right, thanks Marc.

Correct URL -- https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomainXML

#####################
<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>silentdom</Name><CAList><CA><Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444</SecurePort><SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>9445</SecureAdminPort><SecureEEClientAuthPort>9446</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort><Clone>FALSE</Clone><SubsystemName>Certificate Authority-ca</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo></DomainInfo><Status>0</Status></XMLResponse>
#####################
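The browser check from the How To Test step in comment 6, and the getDomainXML response format shown in comment 11, as an added Python example (not code from this bug or from tomcatjss/pki-ca): it fetches the admin-port servlet with or without a client certificate, so the same call can be made twice to confirm clientAuth="want" accepts both cases, and parses the response. The embedded sample is constructed from the comment 11 output with a placeholder hostname; the function names and the `ca_bundle`/`client_cert`/`client_key` parameters are this example's own assumptions.

```python
import re
import ssl
import http.client
import xml.etree.ElementTree as ET

# Constructed sample modelled on the getDomainXML output in comment 11 (placeholder host).
SAMPLE_RESPONSE = (
    '<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<DomainInfo><Name>silentdom</Name><CAList><CA><Host>ca.example.test</Host>'
    '<SecurePort>9444</SecurePort><SecureAgentPort>9443</SecureAgentPort>'
    '<SecureAdminPort>9445</SecureAdminPort><SecureEEClientAuthPort>9446</SecureEEClientAuthPort>'
    '<UnSecurePort>9180</UnSecurePort><Clone>FALSE</Clone>'
    '<SubsystemName>Certificate Authority-ca</SubsystemName><DomainManager>TRUE</DomainManager>'
    '</CA><SubsystemCount>1</SubsystemCount></CAList></DomainInfo></DomainInfo>'
    '<Status>0</Status></XMLResponse>'
)
XML_DECL = re.compile(r'<\?xml[^>]*\?>')

def parse_domain_xml(body):
    # The servlet nests a complete XML document, declaration included, inside
    # <XMLResponse><DomainInfo>. expat rejects a declaration that is not at the
    # start of the entity, so strip declarations before parsing.
    root = ET.fromstring(XML_DECL.sub('', body))
    if root.tag != 'XMLResponse':
        raise ValueError('unexpected root element %r' % root.tag)
    info = root.find('DomainInfo/DomainInfo')
    if info is None:
        raise ValueError('response carries no DomainInfo payload')
    cas = [{
        'host': ca.findtext('Host'),
        'admin_port': int(ca.findtext('SecureAdminPort')),
        'ee_client_auth_port': int(ca.findtext('SecureEEClientAuthPort')),
        'domain_manager': ca.findtext('DomainManager') == 'TRUE',
    } for ca in info.iterfind('CAList/CA')]
    return {'status': int(root.findtext('Status', default='-1')),
            'name': info.findtext('Name'), 'cas': cas}

def fetch_domain_xml(host, port, ca_bundle, client_cert=None, client_key=None):
    # GET /ca/admin/ca/getDomainXML over TLS, presenting a client certificate only when
    # one is given; with clientAuth="want" both the call with and without it should succeed.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request('GET', '/ca/admin/ca/getDomainXML')
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError('HTTP %d from %s:%d' % (resp.status, host, port))
        return parse_domain_xml(resp.read().decode('utf-8'))
    finally:
        conn.close()
```

Call `fetch_domain_xml` once with the admin certificate and key and once with neither; a Status of 0 and the expected CA entry in both results reproduces the comment 3 observation for clientAuth="want".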

Comment 12 Kashyap Chamarthy 2011-10-11 13:18:08 UTC
Turned to VERIFIED per Comment #11 

Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release ; arch
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
x86_64
[root@dhcp201-176 ~]# 
#############################################################

Comment 13 errata-xmlrpc 2011-12-06 16:51:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1674.html