Bug 1225589 - unable to create rhel 7.1 replica from rhel 6 replica CA because subsystem user does not exist
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: pre-dev-freeze
Target Release: 6.7
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1225603
Reported: 2015-05-27 18:04 UTC by Ade Lee
Modified: 2017-05-15 21:53 UTC (History)

Fixed In Version: pki-core-9.0.3-43.el6
Doc Type: Bug Fix
Doc Text:
Creating a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 replica running the CA service sometimes failed in IdM deployments where the initial Red Hat Enterprise Linux 6 CA master had been removed. This could cause problems in some situations, such as when migrating from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. The bug occurred due to a problem in a previous version of IdM where the subsystem user, created during the initial CA server installation, was removed together with the initial master. This update adds the restore-subsystem-user.py script that restores the subsystem user in the described situation, thus enabling administrators to create a Red Hat Enterprise Linux 7 replica in this scenario.
Clone Of:
Clones: 1225603
Environment:
Last Closed: 2015-07-22 06:55:47 UTC


Attachments (Terms of Use)
Patch for RHEL 6.6 branch of pki-core (72.84 KB, patch)
2015-05-29 03:40 UTC, Endi Sukma Dewata
Patch for RHEL 6.7 branch of pki-core (73.41 KB, patch)
2015-05-30 02:10 UTC, Endi Sukma Dewata


Links
Red Hat Product Errata RHSA-2015:1347 (priority normal, status SHIPPED_LIVE): Moderate: pki-core security and bug fix update, last updated 2015-07-20 18:07:50 UTC

Description Ade Lee 2015-05-27 18:04:32 UTC
Description of problem:

This is a little complicated.  The scenario is as follows:

1. Create CA-0 on RHEL 6.6 (Dogtag 9)
2. Create CA-1 on RHEL 6.6 as replica of CA-0
3. Remove CA-0 (using pkiremove)
4. Create CA-2 as replica of CA-1 on RHEL 7.1 (Dogtag 10)

Step 4 fails in the UpdateDomainXML step, because the subsystem user no longer exists and therefore cannot be used for authentication.

In more detail:

1. In step 1 above, a user is created:
    uid=CA-<master_host>-<nmaster_port>, ou=People, $suffix
   which uses the CA subsystem cert as its cert.

2. In step 2, no new user is created because a user already exists which uses
   the subsystem cert.  We want to be sure that only one user exists with a 
   given cert. 

3. In step 3, pkiremove contacts CA-0 (itself) calling updateDomainXML to
   remove the server's entry from the security domain.  It also removes the user
   created in step 1.  At this point - because the change is replicated through
   the DB to CA-1, there is no subsystem user available.

4. In step 4, we attempt to make a call to updateDomainXML.  We attempt to do
   this on the admin port using an install token, but this fails because the
   RHEL 6 CA-1 does not serve the newer servlets on the admin port.  We then 
   fall back to the agent port which requires client authentication.  We 
   attempt to use the subsystem cert as auth, but fail because no subsystem 
   user exists.  Thus, the replica creation process fails.

Comment 2 Endi Sukma Dewata 2015-05-29 03:40:25 UTC
Created attachment 1031566 [details]
Patch for RHEL 6.6 branch of pki-core

Scratch build:
https://brewweb.devel.redhat.com/taskinfo?taskID=9277013

To run the script:
$ python /usr/share/pki/scripts/restore-subsystem-user.py

Comment 3 Endi Sukma Dewata 2015-05-30 02:10:12 UTC
Created attachment 1032345 [details]
Patch for RHEL 6.7 branch of pki-core

Comment 4 Endi Sukma Dewata 2015-06-03 00:11:41 UTC
ACKed by alee.

Fixed in rhel-6.7 branch: a681bc9f87368a2f61fdaa5e59b8acbff4a27656

Comment 6 Endi Sukma Dewata 2015-06-05 17:15:28 UTC
It may not be possible to replicate the problem with the current packages, but the following steps should emulate the problem and verify the fix:
1. Install master.
2. Remove the subsystem user (i.e. CA-<hostname>-<port>).
3. Remove the user from the Subsystem Group.
4. Run the restore-subsystem-user.py to restore the user and the group.
5. Install replica.

Comment 7 Roshni 2015-06-05 21:35:34 UTC
Verification steps:

1. Install master CA
2. Remove the subsystem user and the user from the Subsystem group

[root@ipaqa64vme ~]# pki-server ca-group-member-find "Subsystem Group"
  User ID: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Common Name: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Surname: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain
  E-mail: 

[root@ipaqa64vme ~]# pki-server ca-group-member-del "Subsystem Group" CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
[root@ipaqa64vme ~]# pki-server ca-group-member-find "Subsystem Group"
[root@ipaqa64vme ~]# pki-server ca-user-del CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443

3. Run the restore-subsystem-user.py to restore the user and the group.

[root@ipaqa64vme scripts]# ./restore-subsystem-user.py 
Restoring subsystem user
Subsystem certificate: 2;4;CN=Certificate Authority,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain
New subsystem user CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443 added
User added to Subsystem Group
Subsystem user CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443 restored
[root@ipaqa64vme scripts]# pki-server ca-group-member-find "Subsystem Group"
  User ID: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Common Name: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Surname: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain

4. Installed a clone of the above master CA successfully

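A pre-flight check for the condition described in this bug, added here as an illustration and not part of the pki-core fix or the restore-subsystem-user.py script: it parses the `pki-server ca-group-member-find "Subsystem Group"` output in the shape shown in the verification steps above and reports whether the CA-<hostname>-<port> subsystem user is present exactly once and still carries the CA subsystem certificate, so an administrator can tell before attempting a replica install whether the restore script is needed. The sample output is constructed from the transcript above; the `2;4;issuer;subject` description layout is read as `<version>;<serial>;<issuerDN>;<subjectDN>`.

```python
import re

# Constructed sample output of `pki-server ca-group-member-find "Subsystem Group"`,
# shaped like the verification transcript above (same hostname, port and serial).
HEALTHY_OUTPUT = """\
  User ID: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Common Name: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Surname: CA-ipaqa64vme.idmqe.lab.eng.bos.redhat.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain;CN=CA Subsystem Certificate,OU=pki-ca,O=IdmqeLabEngBosRedhat Domain
  E-mail:
"""

def parse_members(output):
    """Split the command output into one dict per group member (keyed by field name)."""
    members, current = [], {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?):\s?(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "User ID" and current:   # each entry starts with its User ID line
            members.append(current)
            current = {}
        current[key] = value
    if current:
        members.append(current)
    return members

def parse_cert_description(desc):
    """Dogtag records a user certificate as '<version>;<serial>;<issuerDN>;<subjectDN>'."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        return None   # not a certificate description (or malformed)
    return {"version": int(parts[0]), "serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}

def check_subsystem_user(output, hostname, port):
    """Exactly one Subsystem Group member named CA-<hostname>-<port> must exist and hold
    the CA subsystem certificate. Returns a list of findings; empty means the check passes."""
    expected_uid = "CA-%s-%s" % (hostname, port)
    matches = [m for m in parse_members(output) if m.get("User ID") == expected_uid]
    if not matches:   # the state this bug leaves behind after the master is removed
        return ["%s missing from Subsystem Group; restore-subsystem-user.py needed" % expected_uid]
    findings = []
    if len(matches) != 1:
        findings.append("%s listed %d times; exactly one entry expected" % (expected_uid, len(matches)))
    cert = parse_cert_description(matches[0].get("Description", ""))
    if cert is None or not cert["subject"].startswith("CN=CA Subsystem Certificate,"):
        findings.append("%s does not carry the CA subsystem certificate" % expected_uid)
    return findings
```

Feed it the real command output (for example via `subprocess`) on the RHEL 6 CA that will serve as the replication source; an empty output, as seen after step 2 above, yields the "missing" finding.
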
Comment 8 errata-xmlrpc 2015-07-22 06:55:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1347.html

