Bug 713316

Summary: TYPO: QPID SSL Certificate Generation Script
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: Lana Brindley <lbrindle>
Component: Tools
Assignee: Jay Dobies <jason.dobies>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Priority: unspecified
Version: 2.0
CC: jason.dobies, kbidarka, mhideo, sghai, tsanders
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 707764
Last Closed: 2012-05-31 12:55:36 UTC
Bug Depends On: 707764
Bug Blocks: 711223

Description Lana Brindley 2011-06-15 00:01:12 UTC
The nss-db-gen script contains a typo:

<quote>
Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certficate exported
</quote>

In the last line of the quote above, "certficate" should be "certificate".

I have corrected this error in the documentation (revision 1-13), but it should be corrected in the script itself also.

LKB


Artifacts copied to: /tmp/rhua/qpid.

+++ This bug was initially created as a clone of Bug #707764 +++

I'm pretty sure this would best fit in the Installation Requirements section below "Procedure 2.1. Configuring SSL Certificates"

In Procedure 2.1, they generate SSL certificates for the web server (in other words, repo accesses by yum clients). Internally, RHUI also uses a QPID message broker to communicate between its pieces. This communication is also secured through SSL, however the process for generating those certificates is different.

To facilitate the creation, we provide a script called "nss-db-gen". That script is as automated as possible, but there are some points where it will ask for a password for some of the newly created items (more on that later).

That generates a directory of files that need to be specified in the answers.conf file. If you accept the default directory in the nss-db-gen command (it's the first thing the user is prompted for) then the defaults in answers.sample will point to the correct locations.

If you're stubborn/compulsive and insist on your own temporary directory, here are the relevant entries in answers.conf they need to fill out:

-----
# Full path to the CA certificate used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer.
qpid_ca: /tmp/rhua/qpid/ca.crt

# Full path to the client certificate used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer.
qpid_client: /tmp/rhua/qpid/client.crt

# Full path to the NSS database used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer. Note: This must be
# a directory containing a number of files, including the NSS database and password file.
qpid_nss_db: /tmp/rhua/qpid/nss
-----

So the idea is that they run this script when they create their HTTP SSL certificates so that they have all of the pieces they need to pass into the rhui-installer script.
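A pre-flight check of those three answers.conf entries before they are passed to rhui-installer, as an added example that is not part of RHUI or of the nss-db-gen script. It assumes the NSS directory holds certutil-style *.db files alongside the password file (the password file's name is not assumed, so every file in that directory is checked for tight permissions).

```shell
#!/bin/sh
# Added example, not part of RHUI or the nss-db-gen script: pre-flight check of
# the qpid_* entries in an answers.conf before handing it to rhui-installer.
# Assumption (not stated in the bug): the NSS directory contains certutil's
# *.db files plus a password file; the password file name is not assumed, so
# every regular file in that directory is checked for tight permissions.

# Print the value of KEY ($2) from a "key: value" answers file ($1), first match only.
answers_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if all three QPID artifact paths look usable, 1 otherwise.
# One line per problem is printed so the operator sees everything at once.
check_qpid_answers() {
    answers=$1
    rc=0
    for key in qpid_ca qpid_client; do
        path=$(answers_get "$answers" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $answers"; rc=1
        elif [ ! -s "$path" ]; then
            echo "$key: missing or empty certificate file $path"; rc=1
        fi
    done
    nss=$(answers_get "$answers" qpid_nss_db)
    if [ -z "$nss" ]; then
        echo "qpid_nss_db: not set in $answers"; rc=1
    elif [ ! -d "$nss" ]; then
        # The comment in answers.conf warns that this must be a directory.
        echo "qpid_nss_db: $nss is not a directory"; rc=1
    else
        if ! ls "$nss"/*.db >/dev/null 2>&1; then
            echo "qpid_nss_db: no NSS *.db files found in $nss"; rc=1
        fi
        # Nothing in the NSS directory (the password file in particular)
        # should be readable by group or others.
        loose=$(find "$nss" -type f \( -perm -040 -o -perm -004 \))
        if [ -n "$loose" ]; then
            echo "qpid_nss_db: group/world-readable files:"; echo "$loose"; rc=1
        fi
    fi
    return $rc
}

# Stand-alone use: sh check-qpid-answers.sh /path/to/answers.conf
if [ -n "${1:-}" ]; then
    check_qpid_answers "$1"
fi
```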

--- Additional comment from jason.dobies on 2011-05-25 17:00:53 EDT ---

Sample output from running the script:


Working in: /tmp/tmp24055


Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]:
/tmp/rhua/qpid

Enter NSS database password:

Password file created.

Database created.

Creating CA certificate:


Generating key.  This may take a few moments...

CA created

Creating BROKER certificate:


Generating key.  This may take a few moments...

Broker certificate created.

Creating CLIENT certificate:


Generating key.  This may take a few moments...

Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certficate exported

Artifacts copied to: /tmp/rhua/qpid.

--- Additional comment from jason.dobies on 2011-05-25 17:06:13 EDT ---

Same sample output as above, but with commentary before each place they have to input a password. It's your call how much of this you want to document, I just figured




Working in: /tmp/tmp24055


Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]:
/tmp/rhua/qpid

----- Note: Password used by QPID to access the NSS database itself.
Enter NSS database password:

Password file created.

Database created.

Creating CA certificate:


Generating key.  This may take a few moments...

CA created

Creating BROKER certificate:


Generating key.  This may take a few moments...

Broker certificate created.

Creating CLIENT certificate:


Generating key.  This may take a few moments...

Client certificate created.

----- Note: Same password as above, specified again here because we're attempting to access the DB we just created in the previous step.
Enter Password or Pin for "NSS Certificate DB":

----- Note: Password for the pkcs12 files used to get the private key out of the NSS DB.
Enter password for PKCS12 file: 

----- Note: Just a confirmation of the above password.
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL


----- Note: Same password as the previous two; now we're accessing the certificate we just created/secured in the previous step so we can get the client certificate and private key from it.
Enter Import Password:
MAC verified OK
Client key & certficate exported

Artifacts copied to: /tmp/rhua/qpid.

--- Additional comment from whayutin on 2011-06-06 17:15:22 EDT ---

added to rhui-20 tracker

--- Additional comment from lbrindle on 2011-06-14 18:00:58 EDT ---

<procedure id="proc-Installation_Guide-Installation_Requirements-Generating_a_Qpid_SSL_Certificate">
	<title>Generating a Qpid SSL Certificate</title>
	<indexterm>
		<primary>installation</primary>
		<secondary>qpid SSL</secondary>
	</indexterm>
	<para>
		&RHUI; uses a qpid message broker for internal communications. These communication processes are secured by SSL, which is set up using a script called <filename>nss-db-gen</filename>. When the script is run, it will prompt you for some information.
	</para>
	<step>
		<para>
			Run the <filename>nss-db-gen</filename> script by switching to the root user and issuing the command:
		</para>
<screen>
# /usr/bin/nss-db-gen

Working in: /tmp/tmp24055
</screen>
	</step>
	<step>
		<para>
			Specify a directory for the new database and certificates to be stored, or press enter to accept the default value of <filename>/tmp/rhua/qpid</filename>:
		</para>
<screen>
Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]:
/tmp/rhua/qpid
</screen>
	</step>
	<step>
		<para>
			Enter a password to be used by qpid to secure the database:
		</para>
<screen>
Enter NSS database password:

Password file created.
</screen>
	</step>
	<step>
		<para>
			The script will create the database and generate the necessary keys and certificates:
		</para>
<screen>
Database created.

Creating CA certificate:

Generating key.  This may take a few moments...

CA created

Creating BROKER certificate:

Generating key.  This may take a few moments...

Broker certificate created.

Creating CLIENT certificate:

Generating key.  This may take a few moments...

Client certificate created.
</screen>
	</step>
	<step>
		<para>
			Enter the NSS database password again. This is so that the database created in the last step can be accessed:
		</para>
<screen>
Enter Password or Pin for "NSS Certificate DB":
</screen>
	</step>
	<step>
		<para>
			Enter a password to be used for the pkcs12 file, and re-enter it to confirm:
		</para>
<screen>
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
</screen>
	</step>
	<step>
		<para>
			Enter the pkcs12 password again. This is so that the certificate created in the last step can be accessed. The script will export the key and certificate, and finish:
		</para>
<screen>
Enter Import Password:
MAC verified OK
Client key &amp; certficate exported

Artifacts copied to: /tmp/rhua/qpid.
</screen>
	</step>
</procedure>

Revision 1-13

LKB

Comment 1 Jay Dobies 2011-06-15 14:41:34 UTC
commit fd7ee5cc8f325f7d77a490e945760285cd41239f
Author: Jay Dobies <jason.dobies>
Date:   Wed Jun 15 10:40:40 2011 -0400

    713316 - Fixed typo

rhui-2.0/tools/bin/nss-db-gen

Comment 2 Jay Dobies 2011-06-21 20:58:17 UTC
Fixed in RHUI 2.0.31.

Comment 3 Sachin Ghai 2011-06-23 08:28:59 UTC
Verified with 2.0.32, the typo is fixed.


Generating key.  This may take a few moments...

Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certificate exported  <<< Typo fixed

Artifacts copied to: /tmp/test.

[root@dhcp201-127 ~]# rpm -qa | grep rhui
rh-rhui-tools-2.0.32-1.el6.noarch
[root@dhcp201-127 ~]#

Comment 4 Sachin Ghai 2011-06-23 08:36:50 UTC
Comment 3 is for the script typo.

The same typo is also fixed in the stage documentation under Revision 1-13 (page 12, Chapter 2, Installation Requirements).

http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/pdf/Installation_Guide/Red_Hat_Update_Infrastructure-2.0-Installation_Guide-en-US.pdf

Comment 5 wes hayutin 2011-08-01 21:40:03 UTC
moving to release pending

Comment 6 wes hayutin 2012-05-31 12:55:36 UTC
closing out, product released