Bug 1028074 - deleting consumer will move splice identity cert
Status: CLOSED WONTFIX
Product: Subscription Asset Manager
Classification: Red Hat
Component: Splice
Nightly
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Splice Developers
Og Maciel
:
Depends On: 1026501
Blocks: sam20-tracker rhsm-rhel66
Reported: 2013-11-07 10:45 EST by Chris Duryee
Modified: 2017-06-26 16:37 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1026501
Environment:
Last Closed: 2017-06-26 16:37:38 EDT
Type: Bug


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 532423 None None None Never

Comment 1 Carter Kozak 2014-08-13 14:26:42 EDT
I believe this was fixed a while ago in master

commit a7ba3ce935b64d6877e4ccbc66635d58d810ab89
Author: Devan Goodwin <dgoodwin@redhat.com>
Date:   Fri Jan 31 15:44:33 2014 -0400

    1026501: Preserve PKI directories and have rpm own them.
    
    Merged duplicated cert directory cleanup code into one method.
    
    /etc/pki/consumer and /etc/pki/entitlement will now be preserved when you
    unregister or clean.
    
    We now remove just the identity cert and key as their filenames are known.
    
    For entitlement directory we remove any files ending with .pem.
    
    subscription-manager rpm will now create and own these directories on
    installation.
    
    File monitoring code needs no modifications as we check mtime, which adjusts on
    any file addition/removal within the directories.
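
The cleanup rule described in the commit message above, as an added sketch that is not part of the bug thread and not subscription-manager's own code: remove only the identity cert and key by their known filenames, remove entitlement files ending in .pem, and leave both directories and any other files (such as the Splice identity pair) untouched. The function names and the scratch-directory layout are assumptions made for this example.

```python
import os
import tempfile

# Filenames as they appear in the listings on this page.
IDENTITY_FILES = ("cert.pem", "key.pem")


def _unlink_entry(path):
    """Unlink a file or symlink by name; never touch or descend into directories."""
    if os.path.islink(path) or os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def clean_pki_dirs(consumer_dir, entitlement_dir):
    """Remove the identity cert/key and entitlement *.pem files only.

    Both directories and any other files in them are left in place.
    Returns the sorted list of paths that were removed.
    """
    removed = []
    for name in IDENTITY_FILES:
        path = os.path.join(consumer_dir, name)
        if _unlink_entry(path):
            removed.append(path)
    if os.path.isdir(entitlement_dir):
        for name in os.listdir(entitlement_dir):
            path = os.path.join(entitlement_dir, name)
            if name.endswith(".pem") and _unlink_entry(path):
                removed.append(path)
    return sorted(removed)


def demo():
    """Clean a constructed scratch layout modelled on the listings in comment 2."""
    root = tempfile.mkdtemp()
    layout = {
        "consumer": IDENTITY_FILES + ("Splice_identity.cert", "Splice_identity.key"),
        "entitlement": ("1001.pem", "1001-key.pem", "notes.txt"),  # constructed names
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")
    consumer, entitlement = (os.path.join(root, s) for s in ("consumer", "entitlement"))
    clean_pki_dirs(consumer, entitlement)
    return sorted(os.listdir(consumer)), sorted(os.listdir(entitlement))
```
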
Comment 2 Sharath Dwaral 2014-08-15 14:44:52 EDT
Following steps illustrated in https://bugzilla.redhat.com/show_bug.cgi?id=1026501#c10

Version: 

# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.23-1
subscription management rules: 5.11
subscription-manager: 1.12.12-1.el6
python-rhsm: 1.12.5-1.el6

# rpm -q subscription-manager-migration-data
subscription-manager-migration-data-2.0.11-1.el6.noarch

Verification:

1) Consumer deleted at Server

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: ed19664c-b57d-4f4b-b75b-4056de3b3923

# ls -l /etc/pki
total 40
drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA
drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 15 14:15 consumer
drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement
drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java
drwxr-xr-x. 2 root root 4096 Jul 24 23:20 nssdb
drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product
drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg
drwx------. 2 root root 4096 Aug 15  2013 rsyslog
drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls

# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem

Faking the existence of a valid splice cert/key pair..

# cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert

# cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key

# ls -l /etc/pki/consumer/
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

Now let's delete the consumer at the server...

# curl -k -u admin:admin --request DELETE https://f20-candlepin.usersys.redhat.com:8443/candlepin/consumers/ed19664c-b57d-4f4b-b75b-4056de3b3923

# service rhsmcertd restart
Stopping rhsmcertd...                                      [FAILED]
Starting rhsmcertd...                                      [  OK  ]

# sleep 120

# ls -l /etc/pki
total 44
drwxr-xr-x. 6 root root 4096 Jun 19 19:09 CA
drwxr-xr-x. 4 root root 4096 Jun 19 19:08 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 15 14:22 consumer
drwxr-xr-x. 2 root root 4096 Aug 15 14:18 consumer.old
drwxr-xr-x. 2 root root 4096 Aug 14 19:33 entitlement
drwxr-xr-x. 2 root root 4096 Jun 19 19:08 java
drwxr-xr-x. 2 root root 4096 Aug 15 14:20 nssdb
drwxr-xr-x. 2 root root 4096 Jun 19 19:49 product
drwxr-xr-x. 2 root root 4096 Jun 19 19:24 rpm-gpg
drwx------. 2 root root 4096 Aug 15  2013 rsyslog
drwxr-xr-x. 5 root root 4096 Jun 19 19:09 tls

# ls -l /etc/pki/consumer.old/
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:15 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:15 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

VERIFIED: When consumer is deleted at server, rhsmcertd creates a backup directory for consumer with its old contents and retains only the Splice key and cert.

2) Verifying clean

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 51a9737e-8c67-46f9-ad00-ff32dff09ecb

# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:28 cert.pem
-rw-r-----. 1 root root 1675 Aug 15 14:28 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# subscription-manager clean
All local data removed

# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

VERIFIED: clean removes everything but Splice cert and key

3) Verifying unregister

# subscription-manager register --serverurl=f20-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: 5c7efd80-fe63-48dd-b166-28c77d69222a 

#  ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1245 Aug 15 14:43 cert.pem
-rw-r-----. 1 root root 1679 Aug 15 14:43 key.pem
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

# subscription-manager unregister
System has been unregistered.

#  ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1245 Aug 15 14:17 Splice_identity.cert
-rw-r-----. 1 root root 1675 Aug 15 14:18 Splice_identity.key

Verified: After unregister Splice key and cert remain.


Moving to VERIFIED
Comment 3 Bryan Kearney 2017-06-26 16:37:38 EDT
With the release of Satellite 5.8, we are deprecating support for Subscription Asset Manager. The release notes for 5.8 can be found at https://access.redhat.com/documentation/en-us/red_hat_satellite/5.8/pdf/release_notes/Red_Hat_Satellite-5.8-Release_Notes-en-US.pdf.

I am therefore closing out this bug as WONTFIX. If you believe this to be an error, please feel free to reach out to either Rich Jerrido or Bryan Kearney. Thank you!
