| Summary: | rhcs80 cannot do client auth with pkiconsole (ok with 7.3) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jack Magne <jmagne> |
| Component: | tomcatjss | Assignee: | Jack Magne <jmagne> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | CC: | alee, awnuk, cfu, dlackey, dpal, jgalipea, jmagne, kchamart, mharmsen, msauton |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tomcatjss-2.1.0-2.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 702716 | Environment: | |
| Last Closed: | 2011-12-06 16:51:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 636597, 702716 | | |
| Bug Blocks: | 445047 | | |
| Attachments: | | | |
Tested patch on 6.1 system with the CA and tomcat 6. Configured the admin port to be set to "clientAuth=want". Proceeding to this URL with firefox: https://host.com:9445/ca/admin/ca/getDomainXML. The servlet gave results for the case of presenting a valid client auth certificate and the case of not presenting a client auth certificate.

Caveat: Ade: We had to fix an issue with respect to "sslget" that allowed it to only optionally provide a client cert. This fix was needed to pair up with this fix when doing the TPS and RA wizards. Do you recall that bug number?

Created attachment 516969 [details]
Patch to address this issue.
This is the actual patch, the previous one was entered in error.
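The test in the first comment exercises the difference between "want" and "true" client authentication on the admin connector: with "want" the handshake completes whether or not a certificate is presented, so the servlet behind it sees the client certificate attribute either populated or null and must serve both cases. The following is an added illustration written against the standard JSSE and Servlet APIs, not tomcatjss's own JSSSocketFactory or any code from this bug; the class names and the XML comment it emits are hypothetical.

```java
// Added illustration (not tomcatjss/JSS code): the three connector-style
// clientAuth values mapped onto standard JSSE socket settings, and a servlet
// that handles both the cert and no-cert cases that "want" produces.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLServerSocket;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class ClientAuthExample {

    /** Apply a clientAuth setting ("false", "want", "true") to a JSSE server socket. */
    static void applyClientAuth(SSLServerSocket socket, String clientAuth) {
        switch (clientAuth) {
            case "true":   // handshake fails unless the client presents a certificate
                socket.setNeedClientAuth(true);
                break;
            case "want":   // certificate is requested, but the handshake succeeds either way
                socket.setWantClientAuth(true);
                break;
            case "false":  // never request a client certificate
                socket.setNeedClientAuth(false);
                socket.setWantClientAuth(false);
                break;
            default:
                throw new IllegalArgumentException("unknown clientAuth value: " + clientAuth);
        }
    }

    /** Behind a "want" connector the certificate chain attribute may legitimately be null. */
    public static final class DomainInfoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            String caller;
            if (chain == null || chain.length == 0) {
                caller = "anonymous";          // no client certificate was presented
            } else {
                // The chain was validated by the connector's trust store during the
                // handshake; the subject DN is recorded here, not used for authorization.
                caller = chain[0].getSubjectX500Principal().getName();
            }
            resp.setContentType("text/xml");
            resp.getWriter().write("<!-- served to " + caller + " -->");
        }
    }
}
```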
Checkins:

rhel 6.2 branch:

svn commit -m "Fix Bug# 705107 -- rhcs80 cannot do client auth with pkiconsole (ok with 7.3)"
Enter passphrase for key '/home/jmagne/.ssh/id_rsa':
Sending jss/JSSSocketFactory.java
Transmitting file data .
Committed revision 164.

How To Test:

Perform the testing procedure for the original bug here: https://bugzilla.redhat.com/show_bug.cgi?id=702716

Note that the console is not supported in this context so the web browser based portion of the test should be done.

IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd tomcatjss
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M tomcatjss.spec
A patches
A patches/tomcatjss-client-auth.patch
# svn commit
Adding patches
Adding patches/tomcatjss-client-auth.patch
Sending tomcatjss.spec
Transmitting file data ..
Committed revision 168.

To verify this bz on RHEL6.2, I'm trying to get 'getDomianXML' page for a CA.
So, I've got pki-ca configured on a RHEL 6.2
#############################################################
[root@dhcp201-176 ~]# service pki-cad status
pki-ca (pid 32108) is running... [ OK ]
Unsecure Port = http://dhcp201-176.englab.pnq.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://dhcp201-176.englab.pnq.redhat.com:9443/ca/agent/ca
Secure EE Port = https://dhcp201-176.englab.pnq.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://dhcp201-176.englab.pnq.redhat.com:9445/ca/services
EE Client Auth Port = https://dhcp201-176.englab.pnq.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://dhcp201-176.englab.pnq.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: silentdom
URL: https://dhcp201-176.englab.pnq.redhat.com:9445
==========================================================================
[root@dhcp201-176 ~]#
#############################################################
Then I tried to traverse
https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomianXML
Result: All I see is a blank page.
Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-176 ~]#
#############################################################
Any hints here?
typo?... getDomainXML

Whoops. That's right, thanks Marc.

Correct URL -- https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomainXML

#####################
<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>silentdom</Name><CAList><CA><Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444</SecurePort><SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>9445</SecureAdminPort><SecureEEClientAuthPort>9446</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort><Clone>FALSE</Clone><SubsystemName>Certificate Authority-ca</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo></DomainInfo><Status>0</Status></XMLResponse>
#####################

Turned to VERIFIED per Comment #11

Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release ; arch
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
x86_64
[root@dhcp201-176 ~]#
#############################################################

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1674.html
Created attachment 516968 [details]
Patch to address this issue.