Bug 731741

Summary: some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)
Product: [Retired] Dogtag Certificate System
Reporter: Ade Lee <alee>
Component: Cloning
Assignee: Ade Lee <alee>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: unspecified
Version: 9.0
CC: awnuk, benl, ksiddiqu
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-04 20:05:41 UTC
Bug Blocks: 445047
Attachments: patch to fix (flags: cfu: review+)

Description Ade Lee 2011-08-18 14:15:58 UTC
Description of problem:

The parameters <type>.cert.<tag>.nickname are supposed to look like: 
token_name: nickname

After cloning, though, they do not have the token_name attached.  This is OK for the internal token but not for an HSM.  These parameters are used for system cert verification on instance startup, so these tests will fail if not fixed.

Comment 1 Ade Lee 2011-08-18 18:04:31 UTC
Created attachment 518911 [details]
patch to fix

Comment 2 Ade Lee 2011-08-23 02:45:56 UTC
8.1:

[vakwetu@goofy-vm4 base]$ svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2157.

8.2:

svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2158.

tip:

vakwetu@dhcp231-121 pki]$  svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)" base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2159.

Comment 5 Kaleem 2011-09-20 08:36:18 UTC
Verified.

RHEL Version:
[root@nocp5 kaleem]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

RHCS Version:
[root@nocp5 ~]# rpm -qa *pki*|sort
pki-ca-8.1.0-8.el5pki
pki-common-8.1.0-16.el5pki
pki-console-8.1.0-4.el5pki
pki-java-tools-8.1.0-6.el5pki
pki-kra-8.1.0-8.el5pki
pki-native-tools-8.1.0-6.el5pki
pkinit-nss-0.7.6-1.el5
pki-ocsp-8.1.0-7.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-4.el5pki
pki-silent-8.1.0-2.el5pki
pki-util-8.1.0-5.el5pki
redhat-pki-ca-ui-8.1.0-6.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-6.el5pki
redhat-pki-ocsp-ui-8.1.0-5.el5pki
[root@nocp5 ~]#

Steps used to verify:
(1) Create and configure a master CA instance with HSM.
(2) Create a clone CA instance with a new DS instance with HSM.
(3) Export the master CA's certificates with keys into the clone CA's directory /var/lib/<instance-name>/alias:
  [root@nocp5 kaleem]# PKCS12Export -d /var/lib/pki-ca-sep20/alias/ -p /tmp/internal.pwd -w /tmp/master-ca-crts.pwd -o master-ca-crts.p12


(4) Copy the exported p12 file into the clone's alias directory and change its ownership to pkiuser:pkiuser:

[root@nocp5 kaleem]# cp master-ca-crts.p12 /var/lib/pki-cloneca-sep20/alias/.
[root@nocp5 kaleem]# cd /var/lib/pki-cloneca-sep20/alias/
[root@nocp5 alias]# chown pkiuser:pkiuser master-ca-crts.p12 
[root@nocp5 alias]# ls -la
total 140
drwxrwxr-x 2 pkiuser pkiuser  4096 Sep 20 01:34 .
drwxrwxr-x 9 pkiuser pkiuser  4096 Sep 20 01:15 ..
-rw------- 1 pkiuser pkiuser 65536 Sep 20 01:32 cert8.db
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 key3.db
-rw-r--r-- 1 pkiuser pkiuser  5278 Sep 20 01:34 master-ca-crts.p12
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 secmod.db
[root@nocp5 alias]#
(5) Configure the clone CA instance.
(6) Now check that the certificate nicknames in the clone CA's CS.cfg are prefixed with the HSM name.

Result:
(1)Master CA's CS.cfg 

[root@nocp5 conf]# pwd
/var/lib/pki-ca-sep20/conf

[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-ca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20

(2)Clone CA's CS.cfg

[root@nocp5 conf]# pwd
/var/lib/pki-cloneca-sep20/conf

[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-cloneca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
[root@nocp5 conf]#

Here, in the clone CA's CS.cfg, the certificate nicknames are prefixed with the HSM name.
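The grep above only shows lines that already contain the token name; it cannot flag a nickname that is missing the prefix, which is exactly the failure this bug describes. The following is an added example (not Dogtag or RHCS code) of a check that parses a CS.cfg and reports every `<type>.cert.<tag>.nickname` whose matching `<type>.<tag>.tokenname` is a non-internal token but whose nickname does not start with `<tokenname>:`. The key names follow the CS.cfg excerpts on this page; the two clone configs embedded below are constructed for the example (one mimics the reported bug, the other the verified output), and the set of names treated as the NSS internal softoken is an assumption. Only the token prefix is compared, not the nickname body, because the sslserver nickname legitimately differs between master and clone (cert-pki-ca-sep20 versus cert-pki-cloneca-sep20 above).

```python
# Added example (not Dogtag/RHCS code): verify that every
# <type>.cert.<tag>.nickname in a CS.cfg carries the "<tokenname>:" prefix
# whenever <type>.<tag>.tokenname names an HSM rather than the NSS softoken.

# Assumption: names under which the NSS internal softoken appears in CS.cfg.
INTERNAL_TOKEN_NAMES = {"", "internal", "Internal Key Storage Token"}


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_cert_nicknames(cfg, subsystem):
    """Return a sorted list of (tag, message) for system-cert nicknames that
    lack the required token prefix. An empty list means the config is consistent."""
    problems = []
    prefix = subsystem + ".cert."
    for key, nickname in cfg.items():
        if not (key.startswith(prefix) and key.endswith(".nickname")):
            continue
        tag = key[len(prefix):-len(".nickname")]
        token = cfg.get(f"{subsystem}.{tag}.tokenname", "")
        if token in INTERNAL_TOKEN_NAMES:
            continue  # softoken certs are addressed by bare nickname
        if not nickname.startswith(token + ":"):
            problems.append((tag, f"{key}={nickname} is missing the '{token}:' prefix"))
    return sorted(problems)


# Constructed sample: clone CA CS.cfg as the bug produced it (tokenname set,
# nickname copied from the master without the token prefix).
CLONE_BEFORE_FIX = """\
ca.signing.tokenname=NHSM6000-OCS
ca.cert.signing.nickname=caSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.cert.ocsp_signing.nickname=ocspSigningCert cert-pki-ca-sep20
ca.sslserver.tokenname=NHSM6000-OCS
ca.cert.sslserver.nickname=Server-Cert cert-pki-cloneca-sep20
ca.subsystem.tokenname=NHSM6000-OCS
ca.cert.subsystem.nickname=subsystemCert cert-pki-ca-sep20
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=auditSigningCert cert-pki-ca-sep20
"""

# Constructed sample: the same clone after the fix, matching the verified output.
CLONE_AFTER_FIX = """\
ca.signing.tokenname=NHSM6000-OCS
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.sslserver.tokenname=NHSM6000-OCS
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-cloneca-sep20
ca.subsystem.tokenname=NHSM6000-OCS
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
"""

# Constructed sample: a softoken-backed instance, where bare nicknames are correct.
SOFTOKEN_INSTANCE = """\
ca.signing.tokenname=internal
ca.cert.signing.nickname=caSigningCert cert-pki-ca
ca.sslserver.tokenname=Internal Key Storage Token
ca.cert.sslserver.nickname=Server-Cert cert-pki-ca
"""

if __name__ == "__main__":
    for name, text in [("clone before fix", CLONE_BEFORE_FIX),
                       ("clone after fix", CLONE_AFTER_FIX),
                       ("softoken instance", SOFTOKEN_INSTANCE)]:
        problems = check_cert_nicknames(parse_cs_cfg(text), "ca")
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for _, message in problems:
            print("  " + message)
```

To run it against a real instance, read `/var/lib/<instance-name>/conf/CS.cfg` into `parse_cs_cfg` and pass the subsystem prefix (`ca`, `kra`, `ocsp`, ...) as the second argument; a non-empty result means the instance's startup system-cert verification would look the cert up on the wrong token.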