Bug 846302

Summary: export ssl certificate from nss db in pem format needs to be documented
Product: Red Hat Enterprise MRG
Reporter: Petr Matousek <pematous>
Component: Messaging_Installation_and_Configuration_Guide
Assignee: Joshua Wulf <jwulf>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matousek <pematous>
Severity: medium
Priority: high
Version: Development
CC: chetan, iboverma, jross, lcarlon, lzhaldyb, sgraf
Target Milestone: 2.3
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-03-13 23:59:37 UTC
Bug Blocks: 825078, 850517

Description Petr Matousek 2012-08-07 11:47:17 UTC
Description of problem:

According to Bug 825078, qpid-tools were updated to support ssl encryption. 
There is a new option "--ssl-certificate" in the management tools used to provide the client SSL certificate in PEM format in order to establish the secure connection to the broker.

Documentation was not updated accordingly, so the customer may be confused about how to obtain such a certificate.

Chapters "11.3. Encryption using SSL: Enabling SSL in Clients" and "Chapter 13. Management Tools" may be good places to put this info.

Version-Release number of selected component (if applicable):
Messaging User Guide, Edition 2
Revision 2-17

How reproducible:
n/a

Steps to Reproduce:
n/a
  
Actual results:
No documentation update regarding the pem certificate export from nss db.

Expected results:
Export of ssl certificate from nss db in pem format is documented.

Additional info:
# Export the client certificate and its private key from the NSS db into a PKCS#12 bundle
pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
# Convert the bundle to PEM: -clcerts keeps only the client cert, -nodes leaves the private key unencrypted
openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password>

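The two commands above, wrapped into a small script as an added example (this is not text from the bug or from the MRG guide). It reads the PKCS#12 password from a file in both steps instead of `pass:<password>`, creates the PEM with owner-only permissions because `-nodes` leaves the key unencrypted, and then checks that the PEM really holds one certificate and one unencrypted private key. The function names, the reuse of one password file for both tools and the `check_client_pem` heuristics are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug or the MRG documentation): export a client
# certificate plus its private key from an NSS database to PEM, then
# sanity-check the result. Function names and argument layout are assumptions.
set -e

# export_client_pem <certdir> <certname> <pwfile> <out.pem>
#   certdir  : the broker's NSS database directory
#   certname : nickname of the client certificate in that database
#   pwfile   : file whose first line is the PKCS#12 export password
#   out.pem  : destination PEM (client cert + unencrypted private key)
# The password is read from a file in both steps (pk12util -w, openssl
# -passin file:) so it never appears on a command line visible in `ps`.
# If the NSS database itself is password protected, pk12util also needs
# -k <dbpwfile>. The PEM is written under umask 077 because -nodes stores
# the private key in clear text.
export_client_pem() {
  certdir=$1 certname=$2 pwfile=$3 out=$4
  p12=$(mktemp "${TMPDIR:-/tmp}/clcert.XXXXXX")
  pk12util -o "$p12" -n "$certname" -d "$certdir" -w "$pwfile"
  ( umask 077
    openssl pkcs12 -in "$p12" -out "$out" -nodes -clcerts -passin "file:$pwfile" )
  rm -f "$p12"
}

# check_client_pem <pem>
# Succeeds (exit 0) only if the file contains exactly one certificate and
# exactly one private key, and that key is not encrypted (an encrypted key
# means -nodes was forgotten and the client will prompt or fail to load it).
check_client_pem() {
  pem=$1
  if [ ! -r "$pem" ]; then
    echo "bad: $pem is missing or unreadable" >&2
    return 1
  fi
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
  keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
  enc=$(grep -c -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                -e '^Proc-Type: 4,ENCRYPTED' "$pem" || true)
  if [ "${certs:-0}" -eq 1 ] && [ "${keys:-0}" -eq 1 ] && [ "${enc:-0}" -eq 0 ]; then
    echo "ok: $pem holds one certificate and one unencrypted private key"
    return 0
  fi
  echo "bad: $pem certs=$certs keys=$keys encrypted=$enc" >&2
  return 1
}

# Usage: sh export_client_pem.sh <certdir> <certname> <pwfile> <out.pem>
# Runs only when invoked with all four arguments and the NSS tools exist.
if [ "$#" -eq 4 ] && command -v pk12util >/dev/null 2>&1; then
  export_client_pem "$1" "$2" "$3" "$4"
  check_client_pem "$4"
fi
```

The resulting PEM is what the Python client (and the `--ssl-certificate` option of the management tools) consumes; `check_client_pem` catches the two common mistakes, an encrypted key and a bundle that still contains the CA chain (more than one certificate).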
Comment 6 Joshua Wulf 2013-02-07 12:17:17 UTC
I've added a reusable topic about exporting the certificate:

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Export_an_SSL_Certificate_for_Clients

This will be used by multiple books, so it will be kept up-to-date.

I've also added (through reuse) the OpenSSL Certificate Reference from the MCIG as an appendix. 

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#appe-OpenSSL_Certificate_Reference

If there is not time to review it sufficiently I can remove it, or it may be able to be reviewed/QA'd through Grid.

Comment 7 Petr Matousek 2013-02-07 16:36:10 UTC
Hi Joshua, 

Certificates in PEM format are used in MRG/M only with the Python client, thus I believe that paragraph 8.2.3 shall be moved below to the Python section of the following paragraph - "8.2.4. Enable SSL on the Clients"

Moreover, I noticed that the new Appendix B in the MICG describes the export of the client SSL certificate from the NSS db sufficiently. So I believe that this paragraph (8.2.3) is redundant and shall be removed altogether.

But I still strongly recommend referring to the information in the Python section of paragraph 8.2.4:
ie.: 

When SSL is enabled on the broker and the client's authentication is required, 
the clients require a client certificate to establish a secure connection. 
Please see the "Exporting a Certificate from NSS into PEM Format" section in Appendix B for details.

Comment 10 Petr Matousek 2013-02-11 09:54:31 UTC
Hi Joshua, sorry, I probably didn't make myself clear. The following changes are requested:

8.2.4. Export an SSL Certificate for Clients

^^ This paragraph is redundant and shall be removed altogether (sufficient info is provided in the "Exporting a Certificate from NSS into PEM Format" section of Appendix B)

8.2.3. Enable SSL on the Clients

a.] Remove the link to the just removed paragraph 8.2.4.
b.] If possible, it would be better to point directly to "Exporting a Certificate from NSS into PEM Format" section of Appendix B.

Python clients
  See Also:
-    * Section 8.2.4, “Export an SSL Certificate for Clients”
-    * Appendix B, OpenSSL Certificate Reference 
+    * Exporting a Certificate from NSS into PEM Format, Appendix B

Comment 12 Joshua Wulf 2013-02-11 16:58:17 UTC
At the moment I can't point to a sub-section in the appendix. To make the information more accessible to readers I've included it as a separate entry in the chapter. Also, if we pull that appendix out due to lack of time to complete QE on it in 2.3, we need the "Export an SSL Certificate for Clients" information in the book.

I've made the Python client section link to the export a certificate topic and the appendix.

http://deathstar1.usersys.redhat.com/MCIG/index.html#Enable_SSL_in_Python_Clients

(I am having trouble with brew at the moment, so please check it out at this URL)

Comment 13 Petr Matousek 2013-02-13 12:38:20 UTC
I am fine with pointing at the whole Appendix, but I still believe that it is not necessary to hold the redundant information in the document. In other words: if Appendix B is part of the MCIG, paragraph 8.2.3 is redundant.

Leaving this bugzilla ON_QA until it is decided whether the Appendix B will be part of the MICG or not.

Comment 17 Petr Matousek 2013-02-18 15:56:16 UTC
Hi Joshua, as bug 910009 (new Appendix B) was already reviewed and hopefully will be verified soon, I suggest removing the content tracked by this bug (paragraph: 8.2.3. Export an SSL Certificate for Clients), because the content will be redundant. Then close this bug as a duplicate of 910009.

If you decide to leave the paragraph in the documentation for any reason, please make the following changes to be more in compliance with the openssl docs:

- The following example commands can be used to export a certificate from the broker's NSS database: 
+ The following example commands can be used to export a client certificate and the private key from the broker's NSS database:  

- pk12util -o cert.p12 -n <cert_name> -d <ca_db> -w <password_file>
+ pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
- openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts -passin pass:<password> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
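Review bot: the new openssl line still passes the PKCS#12 password as `-passin pass:<p12pw>`, which puts it on the command line where any local user can read it from the process list; since the pk12util line directly above already reads it from `<p12filepwfile>`, the example should use `-passin file:<p12filepwfile>` so the documented procedure never exposes the password. A sentence after the commands would also help: `-nodes` writes the private key into `<clcertname>` unencrypted, so the file should be created with restrictive permissions (umask 077 or chmod 600) before it is handed to the client.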

Comment 19 Petr Matousek 2013-02-19 08:54:53 UTC
Hi Joshua, changes are OK, but you didn't notice that the "/dev/null" string shall be removed. I should have mentioned that explicitly:

- openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw> /dev/null
+ openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>

Comment 21 Petr Matousek 2013-02-19 10:31:59 UTC
Content approved.

Version used for verification:
Messaging Installation and Configuration Guide (Revision 1.0.0-51)

-> VERIFIED

Comment 22 Cheryn Tan 2013-03-13 23:59:37 UTC
Docs published on https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_MRG/