RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1369640 - Host CA's certificate and key are deleted if LWCA entry deleted
Summary: Host CA's certificate and key are deleted if LWCA entry deleted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 7.3
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-24 04:55 UTC by Fraser Tweedale
Modified: 2020-10-04 21:14 UTC (History)
5 users (show)

Fixed In Version: pki-core-10.3.3-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:27:16 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
console.log (1.27 KB, text/plain)
2016-09-16 13:06 UTC, Abhijeet Kasurde
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2563 0 None None None 2020-10-04 21:14:07 UTC
Red Hat Product Errata RHBA-2016:2396 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2016-11-03 13:55:03 UTC

Description Fraser Tweedale 2016-08-24 04:55:05 UTC
Description of problem:

If authorityMonitor observes the deletion of the host CA's authority entry, it will treat it the same as any other lightweight CA and delete the signing cert AND KEY from the NSSDB. Because the database is replicated, the change would be observed and the deletion effected on all running clones almost simultaneously. Unless the main CA private key is backed up somewhere there is no way to recover from this. 


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. ldapdelete the host authority LDAP entry

Actual results:

Host CA certificate and signing key deleted from
/etc/pki/pki-tomcat/alias NSSDB (on all running clones)


Expected results:

Deletion of host CA signing key should be prevented,
and the event logged.

Additional info:

Comment 3 Matthew Harmsen 2016-09-07 21:15:25 UTC
Cherry-picked into DOGTAG_10_3_RHEL_BRANCH:

commit 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d
Author: Fraser Tweedale <ftweedal>
Date:   Wed Aug 24 14:40:46 2016 +1000

    Prevent deletion of host CA cert and key from NSSDB
    
    If authorityMonitor observes the deletion of the host CA's authority
    entry, it will treat it the same as any other lightweight CA and
    delete the signing cert AND KEY from the NSSDB. Because the database
    is replicated, the change would be observed and deletion immediately
    effected on all running clones.  Unless the main CA private key is
    backed up somewhere there is no way to recover from this.
    
    Although this scenario does not arise in normal operation, the
    impact is severe so add a check that prevents cert and key deletion
    for host authority.
    
    Fixes: https://fedorahosted.org/pki/ticket/2443
    (cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1)
    (cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e)

Comment 5 Fraser Tweedale 2016-09-09 00:14:13 UTC
Steps to verify:

1. Find DN of authority entry for main CA:

    ldapsearch -LLL -D "cn=directory manager" -w4me2Test -b o=ipaca \
        "(&(objectclass=authority)(description=Host authority))" 1.1 \
            | cut -d " " -f 2


2. Delete that entry

    ldapdelete -D "cn=directory manager" -w4me2Test $HOST_AUTHORITY_DN

3. Confirm that CA signing key (nickname "caSigningCert cert-pki-ca")
   HAS NOT deleted from /etc/pki/pki-tomcat/alias NSSDB

Comment 6 Abhijeet Kasurde 2016-09-16 13:05:48 UTC
Verified using IPA version ::
ipa-server-4.4.0-11.el7.x86_64
pki-ca-10.3.3-10.el7.noarch

Marking BZ as verified.

Comment 7 Abhijeet Kasurde 2016-09-16 13:06:05 UTC
Created attachment 1201640 [details]
console.log

Comment 9 errata-xmlrpc 2016-11-04 05:27:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html


Note You need to log in before you can comment on or make changes to this bug.