Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1406505

Summary: KRA ECC installation failed with shared tomcat
Product: Red Hat Enterprise Linux 8 Reporter: Geetika Kapoor <gkapoor>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3CC: aakkiang, ascheel, edewata, mharmsen, rrelyea, skhandel
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.6-8030020200527223446.5ff1562f Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:15:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
debug_logs none

Description Geetika Kapoor 2016-12-20 18:02:42 UTC 
Created attachment 1233992 [details]
debug_logs

Description of problem:

KRA ECC installation with shared tomcat failed.CA installation went fine 
Error :

java.lang.ClassCastException: org.mozilla.jss.pkcs11.PK11ECPublicKey cannot be cast to java.security.interfaces.RSAPublicKey

Version-Release number of selected component (if applicable):

rhel 7.3

Looks to be broken functionality (commit :b834efbaa8c929c10cf00252b71ebc29e2f10456)

How reproducible:

always 
Steps to Reproduce:
1.Configure KRA with ECC on shared tomcat.
2.
3.

Actual results:


java.lang.ClassCastException: org.mozilla.jss.pkcs11.PK11ECPublicKey cannot be cast to java.security.interfaces.RSAPublicKey

Expected results:

KRA installation should work

Additional info:

Configuration file :
-------------------
[DEFAULT]
pki_admin_password=Secret123
#pki_admin_keysize=nistp384
#pki_admin_key_type=ecc
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123
pki_client_database_password=Secret123

[KRA]
pki_import_admin_cert=False
pki_storage_key_type=rsa
pki_storage_key_size=2048
pki_storage_key_algorithm=SHA256withRSA
pki_storage_signing_algorithm=SHA256withRSA
pki_transport_key_type=rsa
pki_transport_key_size=2048
pki_transport_key_algorithm=SHA256withRSA
pki_transport_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp384
pki_ssl_server_key_algorithm=SHA384withEC
pki_ssl_server_signing_algorithm=SHA384withEC
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp384
pki_subsystem_key_algorithm=SHA384withEC
pki_subsystem_signing_algorithm=SHA384withEC
Comment 1 Matthew Harmsen 2017-01-04 20:52:55 UTC 
Upstream ticket:
https://fedorahosted.org/pki/ticket/2574
Comment 5 Matthew Harmsen 2018-07-04 00:13:32 UTC 
Moved to RHEL 7.7.
Comment 6 Endi Sukma Dewata 2020-02-10 04:59:58 UTC 
It's not clear when this problem was fixed, but ECC installation
should be working in PKI 10.8 (RHEL 8.2).
Comment 7 Endi Sukma Dewata 2020-05-05 18:47:34 UTC 
Asha, could you have someone retest this on RHEL 8.2?
If it works we can close it as CURRENT_RELEASE. Thanks.
Comment 8 shalini 2020-05-12 09:35:15 UTC 
Verified on following RHEL8.2.0 bits, using the same KRA cfg mentioned in description:

pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch
pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a.noarch


ECC shared instance installation worked fine. Following are the sub-system installed. 


>>> pkidaemon status
WARNING: pkidaemon status has been deprecated. Use pki-server status instead.
Status for pki-tomcat: pki-tomcat is running ..

    [CA Status Definitions]
    Secure Agent URL    = https://pki1.example.com:8443/ca/agent/ca
    Secure EE URL       = https://pki1.example.com:8443/ca/ee/ca
    Secure Admin URL    = https://pki1.example.com:8443/ca/services
    PKI Console Command = pkiconsole https://pki1.example.com:8443/ca
    Tomcat Port         = 8005 (for shutdown)

    [KRA Status Definitions]
    Secure Admin URL    = https://pki1.example.com:8443/kra/services
    PKI Console Command = pkiconsole https://pki1.example.com:8443/kra
    Tomcat Port         = 8005 (for shutdown)

    [CA Configuration Definitions]
    PKI Instance Name:   pki-tomcat

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  example.com Security Domain
    URL:   https://pki1.example.com:8443
    ==========================================================================

    [KRA Configuration Definitions]
    PKI Instance Name:   pki-tomcat

    PKI Subsystem Type:  KRA

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  example.com Security Domain
    URL:   https://pki1.example.com:8443
    ==========================================================================



>>>> pki-server status
  Instance ID: pki-tomcat
  Active: True
  Unsecure Port: 8080
  Secure Port: 8443
  Tomcat Port: 8005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Registration URL: https://pki1.example.com:8443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:8080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:8443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:8443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:8443/ca/services
    PKI Console URL:     https://pki1.example.com:8443/ca

  KRA Subsystem:
    Type:                KRA
    SD Registration URL: https://pki1.example.com:8443
    Enabled:             True
    Secure Agent URL:    https://pki1.example.com:8443/kra/agent/kra
    Secure Admin URL:    https://pki1.example.com:8443/kra/services
    PKI Console URL:     https://pki1.example.com:8443/kra
Comment 11 shalini 2020-07-22 07:07:24 UTC 
KRA ecc installation worked in ecc on RHEL83, with following packages:

rpm -qa | grep pki
pki-server-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch
pki-kra-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch
pki-base-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch
pki-ca-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Following are the config files used for installation

>>>>>> cat ecc/ca.cfg 
[DEFAULT]
pki_instance_name=pki-tomcat-ecc
pki_server_database_password=SECret.123

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=SECret.123
pki_admin_uid=caadmin

pki_client_database_password=SECret.123
pki_client_database_purge=False
pki_client_pkcs12_password=SECret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
#pki_ds_password=SECret.123

pki_security_domain_name=EXAMPLE

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

pki_ds_ldap_port=3389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=SECret.123
pki_ds_remove_data=True

pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_sslserver_key_type=ecc
pki_sslserver_key_size=nistp256
pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_signing_algorithm=SHA256withEC

pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC



>>>>>>>>>> cat ecc/kra.cfg 
[DEFAULT]
pki_instance_name=pki-tomcat-ecc
pki_server_database_password=SECret.123

[KRA]
#pki_admin_cert_file=ca_admin.cert
pki_admin_email=kraadmin
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=SECret.123
pki_admin_uid=kraadmin

pki_client_database_password=SECret.123
pki_client_database_purge=False
pki_client_pkcs12_password=SECret.123

pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=SECret.123

pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=SECret.123

pki_storage_nickname=kra_storage
pki_transport_nickname=kra_transport
pki_audit_signing_nickname=kra_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

#pki_hostname=qe-blade-01.idmqe.lab.eng.bos.redhat.com
pki_ds_ldap_port=3389
pki_ds_bind_dn=cn=Directory Manager
#pki_ds_password=SECret.123
pki_ds_remove_data=True


# PKI SSL Server
pki_sslserver_key_type=ecc
pki_sslserver_key_size=nistp256
pki_sslserver_key_algorithm=SHA256withEC

# PKI subsystem
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC

#Admin Password
pki_admin_key_type=ecc
pki_admin_key_size=nistp256
pki_admin_key_algorithm=SHA256withEC
#pki_admin_password=SECret.123
pki_admin_signing_algorithm=SHA256withEC

pki_import_admin_cert=False

pki_transport_key_type=ecc
pki_transport_key_size=nistp256
pki_transport_key_algorithm=SHA256withEC
pki_transport_signing_algorithm=SHA256withEC




>>>> pki-server status pki-tomcat-ecc
  Instance ID: pki-tomcat-ecc
  Active: True
  Unsecure Port: 8080
  Secure Port: 8443
  Tomcat Port: 8005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Registration URL: https://pki1.example.com:8443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:8080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:8443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:8443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:8443/ca/services
    PKI Console URL:     https://pki1.example.com:8443/ca

  KRA Subsystem:
    Type:                KRA
    SD Registration URL: https://pki1.example.com:8443
    Enabled:             True
    Secure Agent URL:    https://pki1.example.com:8443/kra/agent/kra
    Secure Admin URL:    https://pki1.example.com:8443/kra/services
    PKI Console URL:     https://pki1.example.com:8443/kra
Comment 14 errata-xmlrpc 2020-11-04 03:15:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847