Bug 1214838 - fixes for null termination needed, and allowing secrets retrieval post-init-phase
Summary: fixes for null termination needed, and allowing secrets retrieval post-init-p...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nuxwdog
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.2
Assignee: Ade Lee
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Duplicates: 1214825 (view as bug list)
Depends On:
Blocks: 1216089
Reported: 2015-04-23 15:59 UTC by Ade Lee
Modified: 2015-11-19 04:49 UTC (History)

Fixed In Version: nuxwdog-1.0.2-1
Doc Type: Bug Fix
Doc Text:
When using the Dogtag Certificate System version 10, retrieving a stored password with the nuxwdog daemon previously caused the password not to be correctly null-terminated. This update fixes the underlying code, and the password is null-terminated as expected in the described scenario. In addition, it is now possible to use nuxwdog to prompt for passwords for programs or daemons started by the systemd service.
Clone Of:
: 1216089 (view as bug list)
Environment:
Last Closed: 2015-11-19 04:49:19 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2187 0 normal SHIPPED_LIVE nuxwdog bug fix update 2015-11-19 08:07:16 UTC

Description Ade Lee 2015-04-23 15:59:14 UTC
Description of problem:

Nuxwdog has a couple of bugs detected while getting it working with dogtag 10.
In particular, if a stored password is retrieved, it is incorrectly null terminated.

We also want to be able to retrieve passwords -- by a child only of course, post-init phase.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
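The null-termination defect described above, illustrated with constructed C code that is not nuxwdog's own: a retrieval routine that copies a stored secret with strncpy() loses the terminator when the secret fills the buffer, beside a variant that always terminates and refuses secrets that do not fit (the refusal policy is an assumption, not the fix shipped in nuxwdog-1.0.2-1).

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; no relation to nuxwdog's layout. */
#define PW_BUF_LEN 16

/* Defective retrieval pattern: strncpy() writes no terminator when the
 * stored secret is outlen bytes or longer, so the caller reads past it. */
static void get_password_unterminated(char *out, size_t outlen, const char *stored)
{
    strncpy(out, stored, outlen);   /* no NUL if strlen(stored) >= outlen */
}

/* Hardened retrieval (assumed policy): always terminate, and signal an
 * error instead of silently truncating. Returns 0 on success, -1 otherwise. */
static int get_password_terminated(char *out, size_t outlen, const char *stored)
{
    size_t n = strlen(stored);
    if (outlen == 0)
        return -1;
    if (n >= outlen) {              /* secret plus NUL would not fit */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, stored, n);
    out[n] = '\0';
    return 0;
}

/* Check used by the demonstration: does the buffer contain any NUL byte? */
static int has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    /* Constructed secret exactly PW_BUF_LEN bytes long: the edge case. */
    const char *stored = "0123456789abcdef";
    char buf[PW_BUF_LEN];

    memset(buf, 'X', sizeof buf);
    get_password_unterminated(buf, sizeof buf, stored);
    printf("strncpy variant terminated: %s\n",
           has_terminator(buf, sizeof buf) ? "yes" : "no");   /* prints "no" */

    memset(buf, 'X', sizeof buf);
    int rc = get_password_terminated(buf, sizeof buf, stored);
    printf("checked variant rc=%d terminated: %s\n", rc,
           has_terminator(buf, sizeof buf) ? "yes" : "no");   /* rc=-1, "yes" */
    return 0;
}
```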

Comment 1 Ade Lee 2015-04-23 16:01:36 UTC
Note this is needed for RHCS 9.0

Comment 2 Matthew Harmsen 2015-04-23 16:13:09 UTC
*** Bug 1214825 has been marked as a duplicate of this bug. ***

Comment 4 Ade Lee 2015-04-23 16:15:08 UTC
See ticket https://fedorahosted.org/pki/ticket/1230 for instructions on how to set up CS9 instance with nuxwdog.

Server should start up and stop correctly.

Comment 8 Roshni 2015-09-04 19:37:42 UTC
[root@qe-blade-08 ~]# rpm -qi nuxwdog
Name        : nuxwdog
Version     : 1.0.3
Release     : 2.el7
Architecture: x86_64
Install Date: Fri 04 Sep 2015 03:26:11 PM EDT
Group       : System Environment/Libraries
Size        : 119114
License     : LGPLv2 and (GPL+ or Artistic)
Signature   : RSA/SHA256, Wed 05 Aug 2015 04:36:27 AM EDT, Key ID 938a80caf21541eb
Source RPM  : nuxwdog-1.0.3-2.el7.src.rpm
Build Date  : Wed 17 Jun 2015 05:02:06 PM EDT
Build Host  : x86-018.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.redhat.com/certificate_system
Summary     : Watchdog server to start and stop processes, and prompt for passwords

[root@qe-blade-08 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.2.6
Release     : 8.el7pki
Architecture: noarch
Install Date: Fri 04 Sep 2015 03:27:25 PM EDT
Group       : System Environment/Daemons
Size        : 2416291
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.2.6-8.el7pki.src.rpm
Build Date  : Tue 25 Aug 2015 01:18:45 AM EDT
Build Host  : x86-025.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

[root@qe-blade-08 ~]# pkispawn 

IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 
Directory Server:
  Hostname [qe-blade-08.idmqe.lab.eng.bos.redhat.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: dc=pki-ca

Security Domain:
  Name [idmqe.lab.eng.bos.redhat.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes

Log file: /var/log/pki/pki-ca-spawn.20150904153049.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://qe-blade-08.idmqe.lab.eng.bos.redhat.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@qe-blade-08 ~]# systemctl stop pki-tomcatd
[root@qe-blade-08 ~]# pki-server instance-nuxwdog-enable pki-tomcat
----------------------------------------
Nuxwdog enabled for instance pki-tomcat.
----------------------------------------
[root@qe-blade-08 ~]# systemctl restart pki-tomcatd-nuxwdog
[pki-tomcat] Please provide the password for internal: ************
[pki-tomcat] Please provide the password for internaldb: *********
[pki-tomcat] Please provide the password for replicationdb: ***********
[root@qe-blade-08 ~]# systemctl status pki-tomcatd-nuxwdog
● pki-tomcatd-nuxwdog - PKI Tomcat Server pki-tomcat Started by Nuxwdog
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-04 15:33:31 EDT; 18s ago
  Process: 31468 ExecStart=/bin/nuxwdog -f /etc/pki/%i/nuxwdog.conf (code=exited, status=0/SUCCESS)
  Process: 31322 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 31469 (nuxwdog)
   CGroup: /system.slice/system-pki\x2dtomcatd\x2dnuxwdog.slice/pki-tomcatd-nuxwdog
           ├─31469 /bin/nuxwdog -f /etc/pki/pki-tomcat/nuxwdog.conf
           └─31470 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.j...

Sep 04 15:32:33 qe-blade-08.idmqe.lab.eng.bos.redhat.com systemd[1]: Starting PKI Tomcat Server pki-tomcat Started by Nuxwdog...
Sep 04 15:32:33 qe-blade-08.idmqe.lab.eng.bos.redhat.com pkidaemon[31322]: SUCCESS:  Successfully archived '/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20150904153233'
Sep 04 15:32:33 qe-blade-08.idmqe.lab.eng.bos.redhat.com pkidaemon[31322]: SUCCESS:  Successfully backed up '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak'
Sep 04 15:33:31 qe-blade-08.idmqe.lab.eng.bos.redhat.com systemd[1]: Started PKI Tomcat Server pki-tomcat Started by Nuxwdog.
[root@qe-blade-08 ~]# systemctl stop pki-tomcatd-nuxwdog
[root@qe-blade-08 ~]# pki-server instance-nuxwdog-disable pki-tomcat
-----------------------------------------
Nuxwdog disabled for instance pki-tomcat.
-----------------------------------------
[root@qe-blade-08 ~]# systemctl start pki-tomcatd
[root@qe-blade-08 ~]# systemctl status pki-tomcatd
● pki-tomcatd - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-04 15:34:28 EDT; 9s ago
  Process: 31619 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 31764 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd
           └─31764 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcat...

Sep 04 15:34:34 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: Sep 04, 2015 3:34:34 PM org.apache.catalina.startup.HostConfig deployDescriptor
Sep 04 15:34:34 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 1,226 ms
Sep 04 15:34:34 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: Sep 04, 2015 3:34:34 PM org.apache.catalina.startup.HostConfig deployDescriptor
Sep 04 15:34:34 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: Sep 04, 2015 3:34:36 PM org.apache.catalina.startup.HostConfig deployDescriptor
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,285 ms
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: Sep 04, 2015 3:34:36 PM org.apache.catalina.startup.HostConfig deployDescriptor
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Sep 04 15:34:36 qe-blade-08.idmqe.lab.eng.bos.redhat.com server[31764]: SSLAuthenticatorWithFallback: Setting container

Comment 10 errata-xmlrpc 2015-11-19 04:49:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2187.html

