Bug 1351295 - Dogtag 10.3.4: Miscellaneous Enhancements
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.3
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Duplicates: 1349769 1351096
Reported: 2016-06-29 15:58 UTC by Matthew Harmsen
Modified: 2020-10-04 21:11 UTC (History)

Fixed In Version: pki-core-10.3.3-3.el7
Last Closed: 2016-11-04 05:25:38 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 2510 | 0 | None | None | None | 2020-10-04 21:11:35 UTC
Red Hat Product Errata | RHBA-2016:2396 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-06-29 15:58:10 UTC
This bug was created as a holding place for multiple minor bug fixes and enhancements made to the Dogtag 10.3.4 Milestone which have generally been provided by individuals outside the core development group (e.g., QE).

Comment 1 Matthew Harmsen 2016-06-29 16:01:10 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2390

Comment 2 Matthew Harmsen 2016-06-29 20:36:26 UTC
FROM https://bugzilla.redhat.com/show_bug.cgi?id=1351096 - pki-server db-schema-upgrade fails to verify instance and subsystem:


Abhijeet Kasurde 2016-06-29 04:55:52 EDT

Description of problem:
When an invalid or non-existent instance ID is provided to the pki-server db-schema-upgrade command, the command fails to verify the instance ID and throws a stack trace like:

# pki-server db-schema-upgrade -i nonexistent_instance -D "cn=Directory Manager" -w Secret123 
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 107, in <module>
    cli.execute(sys.argv)
  File "/usr/sbin/pki-server", line 102, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/db.py", line 99, in execute
    self.update_schema(instance, bind_dn, bind_password)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/db.py", line 108, in update_schema
    subsystem = instance.subsystems[0]
IndexError: list index out of range



Version-Release number of selected component (if applicable):
pki-core-debuginfo-10.3.4-0.1.fc24.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install PKI server packages
2. pki-server db-schema-upgrade -i nonexistent_instance -D "cn=Directory Manager" -w Secret123 


Actual results:
Stack trace as above

Expected results:
An error message stating that the instance ID is non-existent or invalid.

Comment 3 Matthew Harmsen 2016-06-29 20:37:01 UTC
*** Bug 1351096 has been marked as a duplicate of this bug. ***

Comment 4 Matthew Harmsen 2016-06-29 20:38:36 UTC
FROM https://bugzilla.redhat.com/show_bug.cgi?id=1349769 -  pki-server db-schema-upgrade shows "upgrade complete" message for wrong parameters.

Amol K 2016-06-24 04:11:49 EDT

Description of problem:

pki-server db-schema-upgrade shows the "Upgrade complete" message when a wrong bind-dn and password are specified.

Version-Release number of selected component (if applicable):
10.3.2-4.el7

How reproducible:
Always

Steps to Reproduce:
1. pki-server db-schema-upgrade -i FoobarCA -D "cn=Directory" -w Secret123 

2. pki-server db-schema-upgrade -i FoobarCA -D "cn=Directory manager" -w Secret123dsdf

3.

Actual results:
1. Wrong bind-dn message.

ldap_bind: No such object (32)
ldapmodify returns 32: 
----------------
Upgrade complete
----------------


2. Wrong password message.

ldap_bind: Invalid credentials (49)
ldapmodify returns 49: 
----------------
Upgrade complete
----------------


Expected results:
1. For wrong dn:
It should throw an error and exit with an error return code.

2. For wrong password:
It should throw an error and exit with an error return code.

Additional info:

It would be good if it throws the LDAP error message in commands.

Comment 5 Matthew Harmsen 2016-06-29 20:39:00 UTC
*** Bug 1349769 has been marked as a duplicate of this bug. ***

Comment 6 Abhijeet Kasurde 2016-06-30 09:36:40 UTC
Description of problem:
The pki-server kra-clone-prepare command throws an exception when provided with an invalid or non-existent instance ID.

# pki-server kra-clone-prepare -i a --pkcs12-file /tmp/a.p12 --pkcs12-password Secret123 -v 
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 107, in <module>
    cli.execute(sys.argv)
  File "/usr/sbin/pki-server", line 102, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/kra.py", line 145, in execute
    subsystem.export_system_cert(
AttributeError: 'NoneType' object has no attribute 'export_system_cert'

Version-Release number of selected component (if applicable):
pki-core-debuginfo-10.3.4-0.1.fc24.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install PKI server packages
2. pki-server kra-clone-prepare -i a --pkcs12-file /tmp/a.p12 --pkcs12-password Secret123 -v 

Actual results:
Stack trace as above

Expected results:
An error message stating that the instance ID is non-existent or invalid.

Comment 7 Abhijeet Kasurde 2016-06-30 10:55:54 UTC
Description of problem:
The pki-server kra-db-vlv-del command throws an exception when no instance ID is provided.

# pki-server kra-db-vlv-del 
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 107, in <module>
    cli.execute(sys.argv)
  File "/usr/sbin/pki-server", line 102, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 203, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/kra.py", line 466, in execute
    self.delete_vlv(instance, bind_dn, bind_password)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/kra.py", line 475, in delete_vlv
    database = subsystem.config['internaldb.database']
AttributeError: 'NoneType' object has no attribute 'config'


Version-Release number of selected component (if applicable):
pki-core-debuginfo-10.3.4-0.1.fc24.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install PKI server packages
2. pki-server kra-db-vlv-del 

Actual results:
Stack trace as above

Expected results:
An error message stating that there is no KRA subsystem.

Additional Info:
If you provide the -v argument, then the stack trace is hidden.

Comment 8 Endi Sukma Dewata 2016-07-01 02:11:15 UTC
Fixed in master:
* 097e116c8557e7bee170bc2764c2e000bd49d4c9
* 1913ff38f04dd27641f23cb76b13cb4806720946
* 99a93af1ca5cce26d625ce7cee07dab4a890f1be
* 8e40b74dc5d314912c65722b4284cab0ffbffbcc
* 943e8231fc77ed0ccb6ed34b71817a6d3927d3e5

Comment 9 Endi Sukma Dewata 2016-07-01 17:23:24 UTC
Additional changes in master:
* e81cf4e11ca86562b27548d469fa606a072da23b
* a646c1b6e67a5c4d105208254fa3288cdbd86c6e
* ab8655ca693ddf5afc0579db42cfbea61e8fee89
* eb0f8d0f1e9d396efb071c6432aa22ff0a39d613
* aef84ae829bf2645937363ee3e61f002c2682869

Comment 11 Sumedh Sidhaye 2016-08-10 09:09:35 UTC
The following scenarios are working as expected, with error messages instead of stack traces:

pki-server db-schema-upgrade

With invalid instance ID

[root@qe-blade-03 ~]# pki-server db-schema-upgrade -i FoobarCA -D "cn=Directory Manager" -w Secret123
ERROR: Invalid instance FoobarCA.
[root@qe-blade-03 ~]# ls /var/lib/pki/
pki-tomcat
[root@qe-blade-03 ~]#

With invalid credentials

[root@qe-blade-03 ~]# pki-server db-schema-upgrade -i pki-tomcat -D "cn=Directory manager" -w Secret123dsdf
ERROR: ldap_bind: Invalid credentials (49)

[root@qe-blade-03 ~]# 

With invalid bindDN

[root@qe-blade-03 ~]# pki-server db-schema-upgrade -i pki-tomcat -D "cn=Directory" -w Secret123
ERROR: ldap_bind: No such object (32)

[root@qe-blade-03 ~]#

With a valid instance ID and credentials, the upgrade completes with the relevant message

[root@qe-blade-03 ~]# pki-server db-schema-upgrade -i pki-tomcat -D "cn=Directory Manager" -w Secret123
----------------
Upgrade complete
----------------

Run kra-db-vlv-del for default tomcat instance when KRA is not installed

[root@qe-blade-03 ~]# pki-server kra-db-vlv-del
ERROR: No KRA subsystem in instance pki-tomcat.
[root@qe-blade-03 ~]# 

With invalid instance ID

[root@qe-blade-03 ~]# pki-server kra-clone-prepare -i a --pkcs12-file /tmp/a.p12 --pkcs12-password Secret123 -v
ERROR: Invalid instance a.
[root@qe-blade-03 ~]#


Tested the above cases with the following packages:

pki-base.noarch          10.3.3-5.el7                                     
pki-base-java.noarch     10.3.3-5.el7                                     
pki-ca.noarch            10.3.3-5.el7                                     
pki-console.noarch       10.3.3-1.el7pki                                  
pki-core-debuginfo.x86_64 10.3.3-5.el7pki
pki-javadoc.noarch       10.3.3-5.el7                                     
pki-kra.noarch           10.3.3-5.el7                                     
pki-ocsp.noarch          10.3.3-5.el7pki                                  
pki-server.noarch        10.3.3-5.el7                                     
pki-symkey.x86_64        10.3.3-5.el7                                     
pki-tks.noarch           10.3.3-5.el7pki                                  
pki-tools.x86_64         10.3.3-5.el7                                     
pki-tps.x86_64           10.3.3-5.el7pki
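
The two failure modes reported in this bug (a missing instance or subsystem dereferenced as None, and a failed ldapmodify followed by "Upgrade complete") and the behaviour verified in comment 11 can be sketched as follows. This is an added example, not code from the bug report or from the Dogtag source: CLIError, find_subsystem, run_checked, upgrade, fake_tool and the INSTANCES data are hypothetical names and constructed values, and a child Python process stands in for ldapmodify.

```python
import subprocess
import sys

class CLIError(Exception):
    """Failure to report as 'ERROR: <message>' with a non-zero exit code."""

def find_subsystem(instances, instance_name, subsystem_name):
    """Resolve a subsystem or raise CLIError; never hand None to the caller."""
    if instance_name not in instances:
        raise CLIError("Invalid instance %s." % instance_name)
    if subsystem_name not in instances[instance_name]:
        raise CLIError("No %s subsystem in instance %s."
                       % (subsystem_name.upper(), instance_name))
    return subsystem_name

def run_checked(cmd):
    """Run an external tool and turn a non-zero exit status into CLIError."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if proc.returncode != 0:
        detail = proc.stderr.strip() or "%s returns %d" % (cmd[0], proc.returncode)
        raise CLIError(detail)
    return proc.stdout

def upgrade(instances, instance_name, subsystem_name, cmd):
    """Return the process exit code: 0 only if every step succeeded."""
    try:
        find_subsystem(instances, instance_name, subsystem_name)
        run_checked(cmd)
    except CLIError as e:
        print("ERROR: %s" % e, file=sys.stderr)
        return 1
    # Success is reported only after the external command exited with 0.
    print("Upgrade complete")
    return 0

# Constructed sample data: one instance that has a CA subsystem only.
INSTANCES = {"pki-tomcat": ["ca"]}

def fake_tool(status, stderr_text=""):
    """Hypothetical stand-in for ldapmodify: a child that exits with `status`."""
    code = "import sys; sys.stderr.write(%r); sys.exit(%d)" % (stderr_text, status)
    return [sys.executable, "-c", code]

if __name__ == "__main__":
    bad = fake_tool(49, "ldap_bind: Invalid credentials (49)\n")
    sys.exit(upgrade(INSTANCES, "pki-tomcat", "ca", bad))
```
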

Comment 13 errata-xmlrpc 2016-11-04 05:25:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

