Bug 1028074 - deleting consumer will move splice identity cert
Summary: deleting consumer will move splice identity cert
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Subscription Asset Manager
Classification: Retired
Component: Splice
Version: Nightly
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Splice Developers
QA Contact: Og Maciel
URL:
Whiteboard:
Depends On: 1026501
Blocks: sam20-tracker rhsm-rhel66
 
Reported: 2013-11-07 15:45 UTC by Chris Duryee
Modified: 2017-06-26 20:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1026501
Environment:
Last Closed: 2017-06-26 20:37:38 UTC
Embargoed:


Links: Red Hat Knowledge Base (Solution) 532423

Comment 1 Carter Kozak 2014-08-13 18:26:42 UTC
I believe this was fixed a while ago in master

commit a7ba3ce935b64d6877e4ccbc66635d58d810ab89
Author: Devan Goodwin <dgoodwin>
Date:   Fri Jan 31 15:44:33 2014 -0400

    1026501: Preserve PKI directories and have rpm own them.
    
    Merged duplicated cert directory cleanup code into one method.
    
    /etc/pki/consumer and /etc/pki/entitlement will now be preserved when you
    unregister or clean.
    
    We now remove just the identity cert and key as their filenames are known.
    
    For entitlement directory we remove any files ending with .pem.
    
    subscription-manager rpm will now create and own these directories on
    installation.
    
    File monitoring code needs no modifications as we check mtime, which adjusts on
    any file addition/removal within the directories.
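
The cleanup strategy described in the commit message above, as an added sketch (not subscription-manager's own code): it contrasts a whole-directory move, assumed here to be the behaviour behind the bug title, with removal of only the known file names. Function names and the entitlement file names are hypothetical, and the fixture is constructed from the listings on this page.

```python
import os
import tempfile

# File names follow the listings on this page; function names are hypothetical.
IDENTITY_FILES = ("cert.pem", "key.pem")
SPLICE_FILES = ("Splice_identity.cert", "Splice_identity.key")


def clean_by_rename(consumer_dir):
    """Assumed 'before': set the whole directory aside, so foreign files move too."""
    os.rename(consumer_dir, consumer_dir + ".old")
    os.mkdir(consumer_dir, 0o755)
    return sorted(os.listdir(consumer_dir))


def clean_selectively(consumer_dir, entitlement_dir):
    """Remove only the known identity files and *.pem entitlements; keep both dirs."""
    for name in IDENTITY_FILES:
        path = os.path.join(consumer_dir, name)
        if os.path.isfile(path):  # files owned by other components are never named here
            os.remove(path)
    for name in os.listdir(entitlement_dir):
        path = os.path.join(entitlement_dir, name)
        if name.endswith(".pem") and os.path.isfile(path):
            os.remove(path)
    return sorted(os.listdir(consumer_dir)), sorted(os.listdir(entitlement_dir))


def build_fixture(root):
    """Constructed sample tree mirroring the listings in comment 2 (empty files)."""
    dirs = [os.path.join(root, d) for d in ("consumer", "entitlement")]
    names = [IDENTITY_FILES + SPLICE_FILES, ("1234.pem", "1234-key.pem", "notes.txt")]
    for d, files in zip(dirs, names):
        os.mkdir(d)
        for name in files:
            open(os.path.join(d, name), "w").close()
    return dirs


def demo():
    """Run both strategies on fresh fixtures and report what is left behind."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        before = clean_by_rename(build_fixture(a)[0])
        after = clean_selectively(*build_fixture(b))
    return before, after


if __name__ == "__main__":
    print(demo())
```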

Comment 2 Sharath Dwaral 2014-08-15 18:44:52 UTC
Following steps illustrated in https://bugzilla.redhat.com/show_bug.cgi?id=1026501#c10

Version: 

# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.23-1
subscription management rules: 5.11
subscription-manager: 1.12.12-1.el6
python-rhsm: 1.12.5-1.el6

# rpm -q subscription-manager-migration-data
subscription-manager-migration-data-2.0.11-1.el6.noarch

Verification:

1) Consumer deleted at Server

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: ed19664c-b57d-4f4b-b75b-4056de3b3923

# ls -l /etc/pki
total 40
drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA
drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 15 14:15 consumer
drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement
drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java
drwxr-xr-x. 2 root root 4096 Jul 24 23:20 nssdb
drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product
drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg
drwx------. 2 root root 4096 Aug 15  2013 rsyslog
drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls

# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem

Faking the existence of a valid splice cert/key pair..

# cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert

# cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key

# ls -l /etc/pki/consumer/
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

Now let's delete the consumer at the server...

# curl -k -u admin:admin --request DELETE https://f20-candlepin.usersys.redhat.com:8443/candlepin/consumers/ed19664c-b57d-4f4b-b75b-4056de3b3923

# service rhsmcertd restart
Stopping rhsmcertd...                                      [FAILED]
Starting rhsmcertd...                                      [  OK  ]

# sleep 120

# ls -l /etc/pki
total 44
drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA
drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 15 14:22 consumer
drwxr-xr-x. 2 root root 4096 Aug 15 14:18 consumer.old
drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement
drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java
drwxr-xr-x. 2 root root 4096 Aug 15 14:20 nssdb
drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product
drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg
drwx------. 2 root root 4096 Aug 15  2013 rsyslog
drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls

# ls -l /etc/pki/consumer.old/
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

VERIFIED: When consumer is deleted at server, rhsmcertd creates a backup directory for consumer with its old contents and retains only the Splice key and cert.

2) Verifying clean

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 51a9737e-8c67-46f9-ad00-ff32dff09ecb

# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:28 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:28 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# subscription-manager clean
All local data removed

# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

VERIFIED: clean removes everything but Splice cert and key

3) Verifying unregister

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 5c7efd80-fe63-48dd-b166-28c77d69222a 

#  ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:43 cert.pem
-rw-r-----. 1 root root 1679 Aug 15 14:43 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# subscription-manager unregister
System has been unregistered.

#  ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

Verified: After unregister Splice key and cert remain.


Moving to VERIFIED

Comment 3 Bryan Kearney 2017-06-26 20:37:38 UTC
With the release of Satellite 5.8 we are deprecating the support of Subscription Asset Manager. The release notes for 5.8 can be found at https://access.redhat.com/documentation/en-us/red_hat_satellite/5.8/pdf/release_notes/Red_Hat_Satellite-5.8-Release_Notes-en-US.pdf.

I am therefore closing out this bug as WONTFIX. If you believe this to be an error, please feel free to reach out to either Rich Jerrido or Bryan Kearney. Thank you!

