Red Hat Bugzilla – Bug 1325071
add options to enable/disable cert or crl publishing.
Last modified: 2017-08-01 18:46:01 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2275

Dogtag has only one switch -- ca.publish.enable for both CRLs and certs.

If cert publishing is not wanted and not set up (rules etc.), then errors can be found in the system log about publishing errors for each cert.

We need two new config parameters - ca.publishing.cert.enable and ca.publishing.crl.enable which default to True.

The old ca.publishing.enable parameter will still exist. If either is set to false, though, we would expect publishing not to be attempted. In fact, it would be better if the threads for those publishers were not even started.
commit f0551f75618cd30de3efc3154f37a5f53504896c
Author: Ade Lee <alee@redhat.com>
Date:   Wed May 18 15:33:36 2016 -0400

    Add parameters to disable cert or crl publishing

    Right now, if publishing is enabled, both CRLs and Cert publishing
    is enabled. This causes a bunch of spurious error messages on
    IPA servers as cert publishing is not configured.

    As it is impossible to determine if cert publishing is not desired
    or simply misconfigured, we provide options to explicitly disable
    either cert or crl publishing.

    Specifically:

    to enable/disable both cert and crl publishing:
        ca.publish.enable = True/False
    This is the legacy behavior.

    to enable CRL publishing only:
        ca.publish.enable = True
        ca.publish.cert.enable = False

    to enable cert publishing only:
        ca.publish.enable = True
        ca.publish.crl.enable = False

    Ticket 2275
Build used for verification:

[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group       : System Environment/Base
Size        : 2086078
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

Enable crl publishing only:
    ca.publish.enable = True
    ca.publish.cert.enable = False
After setting the above flags crl publishing works as expected.

Enable cert publishing only:
    ca.publish.enable = True
    ca.publish.crl.enable = False
After setting the above flags cert publishing is working as expected as well.

When ca.publish.enable = False both cert and crl publishing is disabled, which is the legacy behaviour.
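
The switch combinations verified above can be checked offline against a copy of the CA configuration. The following is an added example, not Dogtag code and not part of the original bug comments: it uses the key names from the commit message and assumes key=value lines, case-insensitive booleans, and that a missing ca.publish.enable means publishing is off.

```python
# Added example, not Dogtag code. Key names come from the commit message;
# the parsing rules and the default for the master switch are assumptions.
MASTER = "ca.publish.enable"
SUBSWITCHES = {"cert": "ca.publish.cert.enable", "crl": "ca.publish.crl.enable"}


def parse_cfg(text):
    """Parse key=value lines; skip blanks and '#' comments; last value wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def as_bool(cfg, key, default):
    """Assumption: only a case-insensitive 'true' counts as enabled."""
    value = cfg.get(key)
    return default if value is None else value.lower() == "true"


def effective_publishing(cfg):
    """Master switch gates both publishers; sub-switches default to True."""
    master = as_bool(cfg, MASTER, False)  # assumption: absent means disabled
    return {name: master and as_bool(cfg, key, True)
            for name, key in SUBSWITCHES.items()}


def audit(text):
    """Return (effective state, notes about settings that have no effect)."""
    cfg = parse_cfg(text)
    notes = []
    if not as_bool(cfg, MASTER, False):
        notes += [f"{key} = true is ignored while {MASTER} is off"
                  for key in SUBSWITCHES.values() if as_bool(cfg, key, False)]
    return effective_publishing(cfg), notes


# Constructed sample configurations mirroring the three verified cases.
SAMPLES = {
    "crl only": "ca.publish.enable = True\nca.publish.cert.enable = False\n",
    "cert only": "ca.publish.enable = True\nca.publish.crl.enable = False\n",
    "legacy off": "ca.publish.enable = False\nca.publish.cert.enable = True\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, *audit(text))
```
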
Doc text looks good.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110