Bug 986901

Summary: pkispawn NullPointerException
Product: [Fedora] Fedora
Reporter: Jan Cholasta <jcholast>
Component: pki-core
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 19
CC: alee, awnuk, dennis, edewata, kwright, mharmsen, mkosek
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-07-26 19:23:57 UTC
Type: Bug
Bug Blocks: 988416

Description Jan Cholasta 2013-07-22 11:40:08 UTC
Description of problem:

pkispawn crashes with NullPointerException if run with the following configuration file:

[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-8r1i5O
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
pki_ssl_server_subject_dn = cn=ipa.example.com,O=EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_external = True
pki_external_csr_path = /root/ipa.csr


Version-Release number of selected component (if applicable):

pki-server-10.0.3-1.fc19


How reproducible:

Always


Steps to Reproduce:
1. Run pkispawn with the above configuration file.


Actual results:

pkispawn crashes with NullPointerException.

stack trace:

com.netscape.cms.servlet.csadmin.ConfigurationUtils.getPortFromSecurityDomain(ConfigurationUtils.java:2446)
com.netscape.cms.servlet.csadmin.SystemConfigService.configure(SystemConfigService.java:419)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:601)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155)
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:502)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:119)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:601)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
java.security.AccessController.doPrivileged(Native Method)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
java.lang.Thread.run(Thread.java:722)


Expected results:

pkispawn successfully sets up a certificate server instance.


Additional info:

This bug is triggered by ipa-server-install with --external-ca, see https://fedorahosted.org/freeipa/ticket/3773

Comment 1 Martin Kosek 2013-07-22 13:25:11 UTC
Raising severity of the bug. FreeIPA external CA cannot be used with this bug in effect; there is no known workaround.

Comment 2 Endi Sukma Dewata 2013-07-23 21:09:11 UTC
The pki_issuing_ca parameter was not set properly by the deployment tool.

Fixed in master:
* 23ce40f255de2abe3347924b3fd9e0eb2a539551

Fixed in 10.0 branch:
* 2c0ef5747ea1d9adbe11bcd9e102ab34b0c5414d

Comment 3 Jan Cholasta 2013-07-24 09:58:41 UTC
This fixes the issue in ipa-server-install, thanks.

Comment 4 Martin Kosek 2013-07-25 14:47:18 UTC
Cloning the bug also for Fedora 18 - I just reproduced the issue there too.

Comment 5 Martin Kosek 2013-07-26 10:55:28 UTC
I see this bug is still in MODIFIED even though it seems to be fixed by pki-ca-10.0.4-1.fc19.noarch...