
Bug 705107

Summary: rhcs80 cannot do client auth with pkiconsole (ok with 7.3)
Product: Red Hat Enterprise Linux 6
Reporter: Jack Magne <jmagne>
Component: tomcatjss
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: high
Version: 6.2
CC: alee, awnuk, cfu, dlackey, dpal, jgalipea, jmagne, kchamart, mharmsen, msauton
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tomcatjss-2.1.0-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 702716
Environment:
Last Closed: 2011-12-06 16:51:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 636597, 702716
Bug Blocks: 445047
Attachments:
Description                     Flags
Patch to address this issue.    none
Patch to address this issue.    alee: review+

Comment 2 Jack Magne 2011-08-06 00:53:38 UTC
Created attachment 516968 [details]
Patch to address this issue.

Comment 3 Jack Magne 2011-08-06 01:07:59 UTC
Tested patch on 6.1 system with the CA and tomcat 6. Configured the admin port to be set to "clientAuth=want".

Proceeding to this URL with firefox: https://host.com:9445/ca/admin/ca/getDomainXML. The servlet gave results for the case of presenting a valid client auth certificate and the case of not presenting a client auth certificate.

Caveat:

Ade: We had to fix an issue with respect to "sslget" that allowed it to only optionally provide a client cert. This fix was needed to pair up with this fix when doing the TPS and RA wizards. Do you recall that bug number?

Comment 4 Jack Magne 2011-08-06 01:10:49 UTC
Created attachment 516969 [details]
Patch to address this issue.

This is the actual patch, the previous one was entered in error.

Comment 5 Jack Magne 2011-08-08 19:29:55 UTC
Checkins:

rhel 6.2 branch:

svn commit -m "Fix Bug# 705107 -- rhcs80 cannot do client auth with pkiconsole (ok with 7.3)"
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Sending        jss/JSSSocketFactory.java
Transmitting file data .
Committed revision 164.

Comment 6 Jack Magne 2011-08-08 21:26:42 UTC
How To Test:

Perform the testing procedure for the original bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=702716

Note that the console is not supported in this context so the web browser based portion of the test should be done.

Comment 8 Matthew Harmsen 2011-08-10 22:28:01 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd tomcatjss

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tomcatjss.spec
A       patches
A       patches/tomcatjss-client-auth.patch

# svn commit
Adding         patches
Adding         patches/tomcatjss-client-auth.patch
Sending        tomcatjss.spec
Transmitting file data ..
Committed revision 168.

Comment 9 Kashyap Chamarthy 2011-10-11 11:52:25 UTC
To verify this bz on RHEL 6.2, I'm trying to get the 'getDomianXML' page for a CA.

So, I've got pki-ca configured on a RHEL 6.2
#############################################################
[root@dhcp201-176 ~]# service pki-cad status
pki-ca (pid 32108) is running...                           [  OK  ]
    Unsecure Port       = http://dhcp201-176.englab.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://dhcp201-176.englab.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://dhcp201-176.englab.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://dhcp201-176.englab.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://dhcp201-176.englab.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp201-176.englab.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://dhcp201-176.englab.pnq.redhat.com:9445
    ==========================================================================
[root@dhcp201-176 ~]# 
#############################################################

Then I tried to traverse
https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomianXML

Result: All I see is a blank page.


Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release 
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-176 ~]# 
#############################################################

Any hints here?

Comment 10 Marc Sauton 2011-10-11 12:53:36 UTC
typo?...
getDomainXML

Comment 11 Kashyap Chamarthy 2011-10-11 13:11:56 UTC
Whoops. That's right, thanks Marc.

Correct URL -- https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomainXML

#####################
<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>silentdom</Name><CAList><CA><Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444</SecurePort><SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>9445</SecureAdminPort><SecureEEClientAuthPort>9446</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort><Clone>FALSE</Clone><SubsystemName>Certificate Authority-ca</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo></DomainInfo><Status>0</Status></XMLResponse>
#####################
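The manual check in Comment 3 (the admin port answers with and without a client certificate once clientAuth=want is honoured) and the response shown in Comment 11 can be combined into a small verification script. This is an added example, not code from the bug or from tomcatjss; the sample response is an abridged copy of the output above, the servlet URL and certificate paths are whatever the tester supplies, and `ca_bundle` is assumed to hold the CA's signing certificate so that server verification stays on.

```python
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Abridged copy of the getDomainXML output from Comment 11 (constructed
# test input); note the second <?xml ...?> declaration nested mid-document.
SAMPLE_RESPONSE = (
    '<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" '
    'standalone="no"?><DomainInfo><Name>silentdom</Name><CAList><CA>'
    '<Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444'
    '</SecurePort><SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>'
    '9445</SecureAdminPort><SecureEEClientAuthPort>9446'
    '</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort><Clone>FALSE'
    '</Clone><SubsystemName>Certificate Authority-ca</SubsystemName>'
    '<DomainManager>TRUE</DomainManager></CA><SubsystemCount>1'
    '</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount>'
    '</OCSPList></DomainInfo></DomainInfo><Status>0</Status></XMLResponse>'
)

def parse_domain_xml(text):
    """Return the status code, domain name and CA entries of a response."""
    # ElementTree rejects an XML declaration that is not at the very start,
    # so every declaration is removed before parsing.
    clean = re.sub(r"<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(clean)
    cas = [{"host": ca.findtext("Host"),
            "admin_port": int(ca.findtext("SecureAdminPort")),
            "domain_manager": ca.findtext("DomainManager") == "TRUE"}
           for ca in root.iter("CA")]
    return {"status": int(root.findtext("Status")),
            "domain": root.findtext(".//Name"),
            "cas": cas}

def fetch_domain_xml(url, ca_bundle=None, client_cert=None, client_key=None):
    """GET the admin servlet, presenting a client certificate only if given."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # server auth stays on
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")

def check_clientauth_want(url, ca_bundle, client_cert, client_key):
    """With clientAuth=want both variants must return Status 0."""
    results = {}
    for label, cert, key in (("no-cert", None, None),
                             ("with-cert", client_cert, client_key)):
        try:
            reply = fetch_domain_xml(url, ca_bundle, cert, key)
            results[label] = parse_domain_xml(reply)["status"] == 0
        except (OSError, ET.ParseError):   # TLS handshake rejected, HTTP error, or blank page
            results[label] = False
    return results
```

A result of `{"no-cert": False, "with-cert": True}` reproduces the pre-fix behaviour where the port silently demanded a certificate; both `True` is the expected outcome after tomcatjss-2.1.0-2.el6.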

Comment 12 Kashyap Chamarthy 2011-10-11 13:18:08 UTC
Turned to VERIFIED per Comment #11 

Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release ; arch
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
x86_64
[root@dhcp201-176 ~]# 
#############################################################

Comment 13 errata-xmlrpc 2011-12-06 16:51:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1674.html