1367140 – NO_SUCH_USER and entryUSN error messages after CA installation

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1367140 - NO_SUCH_USER and entryUSN error messages after CA installation

Summary: NO_SUCH_USER and entryUSN error messages after CA installation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.3
Assignee:	RHCS Maintainers
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-15 17:02 UTC by Roshni
Modified:	2020-10-04 21:14 UTC (History)
CC List:	4 users (show)
Fixed In Version:	pki-core-10.3.3-9.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:27:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2564	0	None	None	None	2020-10-04 21:14:11 UTC
Red Hat Product Errata	RHBA-2016:2396	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2016-11-03 13:55:03 UTC

Description Roshni 2016-08-15 17:02:16 UTC

Description of problem:
NO_SUCH_USER and entryUSN error messages when CA is restarted with the ca signing cert's trust set to "u,u,u"

Version-Release number of selected component (if applicable):
pki-ca-10.3.3-5.el7.noarch

How reproducible:
always

Steps to Reproduce:

1. Create CA instance.
2. Shutdown the instance.
3. Remove signing cert's trust flags with this command:

  certutil -M -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert cert-pki-tomcat CA" -t "u,u,u"

4. Restart the instance.
[root@auto-hv-02-guest02 ~]# systemctl status pki-tomcatd -l
● pki-tomcatd - PKI Tomcat Server topology-CA
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2016-08-14 17:43:57 EDT; 1min 7s ago
  Process: 29058 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 29106 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 29219 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd
           └─29219 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/topology-CA -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/topology-CA/temp -Djava.util.logging.config.file=/var/lib/pki/topology-CA/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/topology-CA/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

Aug 14 17:44:42 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: testLDAPConnection connecting to auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:389
Aug 14 17:44:42 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com-topology-CA,cn=config does not exist
Aug 14 17:44:43 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..
Aug 14 17:44:45 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: CMS Warning: FAILURE: Authority entry has no entryUSN.  This is likely because the USN plugin is not enabled in the database|FAILURE: Authority entry has no entryUSN.  This is likely because the USN plugin is not enabled in the database|FAILURE: Authority entry has no entryUSN.  This is likely because the USN plugin is not enabled in the database|
Aug 14 17:44:45 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: CA is started.
Aug 14 17:44:45 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: Aug 14, 2016 5:44:45 PM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 14 17:44:45 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: INFO: Deployment of configuration descriptor /etc/pki/topology-CA/Catalina/localhost/ca.xml has finished in 4,528 ms
Aug 14 17:44:46 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: Aug 14, 2016 5:44:46 PM org.apache.tomcat.util.http.Cookies processCookieHeader
Aug 14 17:44:46 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: INFO: Cookies: Invalid cookie. Value not a token or quoted value
Aug 14 17:44:46 auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com server[29219]: Note: further occurrences of Cookie errors will be logged at DEBUG level.
[

Actual results:


Expected results:


Additional info:

Comment 2 Roshni 2016-08-18 18:53:36 UTC

I do see those messages even without changing the trust of CA signing cert. I installed CA and checked journatctl

[root@ipaqavmf ~]# journalctl -xe | grep  NO_SUCH_USER
Aug 18 14:34:37 ipaqavmf.idmqe.lab.eng.bos.redhat.com server[6324]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..
[root@ipaqavmf ~]# journalctl -xe | grep  entryUSN
Aug 18 14:34:40 ipaqavmf.idmqe.lab.eng.bos.redhat.com server[6324]: CMS Warning: FAILURE: Authority entry has no entryUSN.  This is likely because the USN plugin is not enabled in the database|
[root@ipaqav

Comment 3 Fraser Tweedale 2016-08-23 09:49:58 UTC

I've investigated the entryUSN issue - I think if can happen if the USN plugin
gets enabled after the entry in question is created.  As long as the USN
plugin is enabled this is not actually a problem.  The proposed fix is, if
entry is missing entryUSN attribute, to check if the DS USN plugin is enabled.
We will print the warning only if it is not enabled.

I believe alee is investigating the NO_SUCH_USER message.

Comment 4 Ade Lee 2016-08-23 15:24:05 UTC

We probably need the fix that ftweedal suggests above for the case where we have migrated data.  But I'm a little confused ---  based on the code in SystemConfigService.java (line 765), it seems  like one of the first things we do is enable the USN plugin.  So I'm not sure how a CA entry would occur ..

Comment 5 Ade Lee 2016-08-23 20:47:23 UTC

The NO_SUCH_USER error message is benign.  Its been around forever and can be ignored.

Comment 7 Matthew Harmsen 2016-09-07 21:20:34 UTC

Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

From 8e0235adccb11868f0036d48d2b52230c82b3e6b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal>
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 8/9] Perform host authority check before entryUSN check

When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check.  If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.

Move the host authority check before the entryUSN check to avoid
this scenario.

Fixes: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611)
(cherry picked from commit 3a97c5fc0df7015a7e19236778089c67441a1499)

From 06a85c76938211d6ecf2b49ac72b168e9f6e7fdd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase.au>
Date: Tue, 23 Aug 2016 14:50:03 +1000
Subject: [PATCH 7/9] Accept LWCA entry with missing entryUSN if plugin enabled

Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled.  But if the plugin is enabled, it's fine to
proceed.

Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not.  Clarify the log message
accordingly.

Part of: https://fedorahosted.org/pki/ticket/2444

(cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe)
(cherry picked from commit 21e268ae6d5f9c2f93d4d80a6285e453974b5c07)

Comment 8 Roshni 2016-09-15 21:24:56 UTC

[root@cypher ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 10.el7
Architecture: noarch
Install Date: Tue 13 Sep 2016 09:58:32 AM EDT
Group       : System Environment/Daemons
Size        : 2431460
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-10.el7.src.rpm
Build Date  : Sat 10 Sep 2016 02:18:45 AM EDT
Build Host  : ppc-042.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority


Verification steps

1. Install CA with defaults
2. [root@cypher ~]# journalctl | grep entryUSN
[root@cypher ~]# journalctl | grep NO_SUCH_USER
Sep 13 11:22:19 cypher.idmqe.lab.eng.bos.redhat.com server[23189]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..
Sep 13 11:39:42 cypher.idmqe.lab.eng.bos.redhat.com server[24503]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..
Sep 15 11:00:27 cypher.idmqe.lab.eng.bos.redhat.com server[31536]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..

Based on comment 5 marking the bug verified

Comment 10 errata-xmlrpc 2016-11-04 05:27:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Note You need to log in before you can comment on or make changes to this bug.