Bug 1437602 - non-CA cli looks for CA in the instance during a request
Summary: non-CA cli looks for CA in the instance during a request
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Reported: 2017-03-30 15:54 UTC by Roshni
Modified: 2020-10-04 21:24 UTC (History)

Fixed In Version: pki-core-10.4.1-2.el7
Doc Type: No Doc Update
Last Closed: 2017-08-01 22:50:57 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github dogtagpki pki issues | 2746 | 0 | None | None | None | 2020-10-04 21:24:27 UTC
Red Hat Product Errata | RHBA-2017:2110 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2017-08-01 19:36:59 UTC

Description Roshni 2017-03-30 15:54:29 UTC
Description of problem:
non-CA cli looks for CA in the instance during a request

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Install CA and KRA
2. Import the KRA admin cert in the security database
3.

Actual results:
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Server URI: http://pki1.example.com:21080
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=12AF5E29953498554C609F4EFE704FFC; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:24:11 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 991
  Date: Sat, 01 Apr 2017 12:24:11 GMT
com.netscape.certsrv.base.PKIException: Not Found
	at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:417)
	at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:397)
	at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:118)
	at com.netscape.certsrv.group.GroupClient.findGroups(GroupClient.java:45)
	at com.netscape.cmstools.group.GroupFindCLI.execute(GroupFindCLI.java:80)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '21080', '-n', 'PKI KRA Administrator for Example.Org', 'kra-group-find']' returned non-zero exit status 255


Expected results:
The operation should be successful

Additional info:
The workaround is to use -t option with the cli

[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" -t kra kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Server URI: http://pki1.example.com:21080/kra
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:27:06 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/admin/groups
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/admin/groups
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Content-Length: 4664
  Date: Sat, 01 Apr 2017 12:27:06 GMT
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Data+Recovery+Manager+Agents

  Group ID: Subsystem Group
  Description: Subsystem Group
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Subsystem+Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Trusted+Managers

  Group ID: Administrators
  Description: People who manage the Certificate System
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Administrators

  Group ID: Auditors
  Description: People who can read the signed audits
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Auditors

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/ClonedSubsystems

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Security+Domain+Administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Enterprise+KRA+Administrators
----------------------------
Number of entries returned 8
----------------------------
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/logout
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/logout
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 204 No Content
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Date: Sat, 01 Apr 2017 12:27:06 GMT
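
Added example (not part of the original report and not Dogtag code): a regression check over `pki -v` output that flags REST requests sent to a subsystem other than the one named by the command prefix, which is the mismatch shown above (kra-group-find requesting /ca/rest/admin/groups). The two transcripts are constructed excerpts of the output above with headers trimmed, and the function names are hypothetical.

```python
import re

# Constructed excerpts modelled on the verbose output in this report
# (HTTP headers trimmed); not complete captures.
SAMPLE_FAILING = """\
PKI command: pki1.example.com -h pki1.example.com -p 21080 kra-group-find
Command: kra-group-find
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP request: GET /kra/rest/account/login HTTP/1.1
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 404 Not Found
"""
SAMPLE_WORKAROUND = """\
Command: kra-group-find
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP request: GET /kra/rest/account/login HTTP/1.1
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 200 OK
"""

# Dogtag subsystem web applications. /pki/rest/info is not a subsystem
# path, so it is never flagged.
SUBSYSTEMS = {"ca", "kra", "ocsp", "tks", "tps"}

COMMAND_RE = re.compile(r"^Command:\s+(\S+)", re.M)
REQUEST_RE = re.compile(r"^HTTP request:\s+(\S+)\s+/([^/\s]+)/rest/(\S*)", re.M)


def misrouted_requests(verbose_output):
    """Return (method, path, expected_subsystem) for each REST request that
    targets a subsystem other than the one in the command prefix."""
    match = COMMAND_RE.search(verbose_output)
    if match is None:
        raise ValueError("no 'Command:' line; was pki run with -v?")
    expected = match.group(1).split("-", 1)[0]
    if expected not in SUBSYSTEMS:
        # Assumption: a command without a subsystem prefix has no
        # expected target, so there is nothing to compare against.
        return []
    findings = []
    for method, webapp, rest in REQUEST_RE.findall(verbose_output):
        if webapp in SUBSYSTEMS and webapp != expected:
            findings.append((method, f"/{webapp}/rest/{rest}", expected))
    return findings


if __name__ == "__main__":
    for name, text in (("failing", SAMPLE_FAILING), ("workaround", SAMPLE_WORKAROUND)):
        print(name, misrouted_requests(text))
```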

Comment 2 Matthew Harmsen 2017-03-30 21:18:14 UTC
Upstream ticket:
https://pagure.io/dogtagpki/issue/2626

Comment 3 Endi Sukma Dewata 2017-03-31 01:48:10 UTC
Fixed in master:
* 1d3216aece7381cbac7b812dfbb969b466b31abe

Comment 5 Roshni 2017-05-15 18:57:25 UTC
[root@auto-hv-02-guest10 certdb]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Wed 10 May 2017 10:43:30 AM EDT
Group       : System Environment/Daemons
Size        : 2299431
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Tue 09 May 2017 09:23:16 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

[root@auto-hv-02-guest10 certdb]# pki -d . -c redhat -n "PKI KRA Administrator for Example.Org" -h auto-hv-02-guest10.idmqe.lab.eng.bos.redhat.com -p 21080 kra-group-find
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager

  Group ID: Subsystem Group
  Description: Subsystem Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance

  Group ID: Administrators
  Description: People who manage the Certificate System

  Group ID: Auditors
  Description: People who can read the signed audits

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
----------------------------
Number of entries returned 8
----------------------------

Comment 6 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

