Bug 1445088 - profile modification cannot remove existing config parameters
Summary: profile modification cannot remove existing config parameters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-24 21:54 UTC by Matthew Harmsen
Modified: 2020-10-04 21:22 UTC

Fixed In Version: pki-core-10.4.1-3.el7
Doc Type: Bug Fix
Doc Text:
Updating the `LDAPProfileSubsystem` profile now supports removing attributes. Previously, when updating the `LDAPProfileSubsystem` profile on PKI Server, attributes could not be removed. As a result, PKI Server was unable to load the profile or issue certificates after updating the profile in certain situations. A patch has been applied, and PKI Server now clears the existing profile configuration before loading the new configuration. As a result, updates to the `LDAPProfileSubsystem` profile can now remove configuration attributes.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:50:57 UTC
Target Upstream Version:
Embargoed:


Links:
  GitHub dogtagpki/pki issue 2708 (last updated 2020-10-04 21:22:06 UTC)
  Red Hat Product Errata RHBA-2017:2110, priority normal, status SHIPPED_LIVE: pki-core bug fix and enhancement update (last updated 2017-08-01 19:36:59 UTC)

Description Matthew Harmsen 2017-04-24 21:54:56 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2588

When modifying a profile via `PUT /ca/rest/profile/{id}/raw`,
existing config parameters that are not present
in the updated configuration remain after update.

Comment 3 Fraser Tweedale 2017-04-26 07:53:10 UTC
Fixed upstream:

* 62419afd831039e7487ba184c6bf8f876f4d21da ProfileService: clear profile attributes when modifying
* 6562b05a73090c0f7882a9684a8ceac2666e4401 ISourceConfigStore: add clear() method to interface
* 8caedd6723f4885d4aff2348aa3d9fc850627aa1 LDAPProfileSubsystem: avoid duplicating logic in superclass

Comment 5 bhavik 2017-05-12 10:53:36 UTC
Hi Fraser, could you please add verification steps for this bug?

Comment 6 Endi Sukma Dewata 2017-05-18 16:41:19 UTC
Here are the verification steps:

1. Disable a profile. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-disable caServerCert

2. Edit the profile configuration using the pki CLI. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-edit caServerCert

3. Delete some attributes from the configuration. For example, remove policy #8:

  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)

4. Retrieve the profile configuration. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-show caServerCert

The deleted attributes (i.e. policy #8) should no longer exist.
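The following is an added example, not PKI Server or pki CLI code, that models the defect in the description (a `PUT .../raw` that loads the new configuration over the old one), the fix from comment 3 (clear the store, then load), and the check in step 4 above. It assumes only the key=value layout of the `ca-profile-show --raw` dump shown later on this page; the `ProfileStore` class, the cut-down sample profile and its policy numbering are constructed for the example. It also goes one step beyond the verification steps: `orphaned_policy_keys` flags keys whose policy number is missing from `policyset.serverCertSet.list`, which is the leftover state that, per the doc text, kept the server from loading the profile.

```python
"""Model of the stale-parameter defect, its fix, and the step-4 check.

Added example (not PKI Server code).  The raw profile format is the
key=value layout of `pki ca-profile-show --raw`; everything else here
is constructed for illustration.
"""

# Constructed: a cut-down raw profile with three policies in the set.
ORIGINAL_RAW = """\
#Fri May 19 20:35:50 IST 2017
profileId=caServerCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,8
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=.*CN\\=.*
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
"""

# Constructed: the same profile after step 3 (policy #8 deleted, list edited).
EDITED_RAW = """\
profileId=caServerCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=.*CN\\=.*
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
"""


def parse_raw_profile(text: str) -> dict:
    """Parse key=value lines into a dict.

    '#' lines are comments and blank lines are skipped.  Only the first
    '=' splits key from value, so values such as the subject-name pattern
    '.*CN\\=.*' survive intact.
    """
    config = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed profile line: {line!r}")
        config[key.strip()] = value.strip()
    return config


class ProfileStore:
    """Hypothetical stand-in for the server-side profile config store."""

    def __init__(self) -> None:
        self.data: dict = {}

    def load(self, config: dict) -> None:
        self.data.update(config)          # merge: existing keys survive

    def clear(self) -> None:
        self.data.clear()

    def snapshot(self) -> dict:
        return dict(self.data)


def modify_profile_before_fix(store: ProfileStore, new_raw: str) -> dict:
    """Pre-fix behaviour from the description: load over the old config."""
    store.load(parse_raw_profile(new_raw))
    return store.snapshot()


def modify_profile_after_fix(store: ProfileStore, new_raw: str) -> dict:
    """Behaviour after the fix in comment 3: clear first, then load."""
    store.clear()
    store.load(parse_raw_profile(new_raw))
    return store.snapshot()


def orphaned_policy_keys(config: dict, policyset: str = "serverCertSet") -> list:
    """Keys whose policy number is not in policyset.<set>.list.

    This is the inconsistent state a merge-only update leaves behind.
    """
    prefix = f"policyset.{policyset}."
    listed = {p for p in config.get(prefix + "list", "").split(",") if p}
    orphans = []
    for key in config:
        if key.startswith(prefix) and key != prefix + "list":
            policy_id = key[len(prefix):].split(".", 1)[0]
            if policy_id not in listed:
                orphans.append(key)
    return sorted(orphans)


def removed_keys(before: dict, after: dict) -> list:
    """The step-4 check: which keys of the pre-edit dump are now gone."""
    return sorted(k for k in before if k not in after)


if __name__ == "__main__":
    original = parse_raw_profile(ORIGINAL_RAW)
    stale = modify_profile_before_fix(ProfileStore(), EDITED_RAW) if False else None
    buggy = ProfileStore(); buggy.load(original)
    print("before fix, orphans:", orphaned_policy_keys(modify_profile_before_fix(buggy, EDITED_RAW)))
    fixed = ProfileStore(); fixed.load(original)
    print("after fix, removed:", removed_keys(original, modify_profile_after_fix(fixed, EDITED_RAW)))
```

Run against the real dumps, `parse_raw_profile` can take the output of `ca-profile-show --raw` saved before and after the edit, and `removed_keys` then gives the same answer as eyeballing the two files; `orphaned_policy_keys` on the post-edit dump is the quicker signal, since a non-empty result means the update merged instead of replaced.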

Comment 7 bhavik 2017-05-22 09:20:12 UTC
Bug verified on build

root@pki1 ansible # rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Mon 15 May 2017 05:29:53 PM IST
Group       : System Environment/Base
Size        : 2086209
License     : GPLv2
Signature   : RSA/SHA256, Wed 10 May 2017 09:03:58 AM IST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Wed 10 May 2017 06:53:16 AM IST
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

Steps followed:

root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-disable caServerCert
-------------------------------
Disabled profile "caServerCert"
-------------------------------

root@pki1 ansible # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output beforeprofilemodify
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to beforeprofilemodify
-------------------------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Delete some attributes from the configuration. For example, remove policy #8:
 
  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert 
----------------------
Profile "caServerCert"
----------------------
  Profile ID: caServerCert
  Name: Manual Server Certificate Enrollment
  Description: This certificate profile is for enrolling server certificates.

  Name: Certificate Request Input
  Class: certReqInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Certificate Request Type
    Attribute Syntax: cert_request_type

    Attribute Name: cert_request
    Attribute Description: Certificate Request
    Attribute Syntax: cert_request

  Name: Requestor Information
  Class: submitterInfoInputImpl

    Attribute Name: requestor_name
    Attribute Description: Requestor Name
    Attribute Syntax: string

    Attribute Name: requestor_email
    Attribute Description: Requestor Email
    Attribute Syntax: string

    Attribute Name: requestor_phone
    Attribute Description: Requestor Phone
    Attribute Syntax: string

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --raw

#Fri May 19 20:35:50 IST 2017
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
input.i2.class_id=submitterInfoInputImpl
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
output.o1.class_id=certOutputImpl
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=-
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
output.list=o1
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
input.list=i1,i2
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
visible=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
desc=This certificate profile is for enrolling server certificates.
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
profileId=caServerCert
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
auth.class_id=
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
enable=false
policyset.serverCertSet.1.constraint.params.pattern=.*CN\=.*
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
input.i1.class_id=certReqInputImpl
enableBy=admin
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.list=1,2,3,4,5,6,7
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
name=Manual Server Certificate Enrollment
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
/bin/bash=indent\: command not found
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.name=
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.list=serverCertSet
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.name=AIA Extension Default
classId=caEnrollImpl
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.1.constraint.params.accept=true


root@pki1 ~ # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output aftereditingprofile
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to aftereditingprofile
-------------------------------------------------

root@pki1 ~ # diff beforeprofilemodify aftereditingprofile
8c8
<     <enabledBy>admin</enabledBy>
---
>     <enabledBy>caadmin</enabledBy>
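Review bot: the 8c8 hunk (`enabledBy` going from `admin` to `caadmin`) is not part of the attribute-removal check and is not explained by the steps; the `--raw` dump taken after the edit still reports `enableBy=admin`, so this line should be accounted for, or excluded from the comparison, before the diff is cited as verification evidence.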
496,522d495
<                 </constraint>
<             </value>
<             <value id="8">
<                 <def id="Signing Alg" classId="signingAlgDefaultImpl">
<                     <description>This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA512withRSA</description>
<                     <policyAttribute name="signingAlg">
<                         <Descriptor>
<                             <Syntax>choice</Syntax>
<                             <Constraint>SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint>
<                             <Description>Signing Algorithm</Description>
<                         </Descriptor>
<                     </policyAttribute>
<                     <params name="signingAlg">
<                         <value>-</value>
<                     </params>
<                 </def>
<                 <constraint id="No Constraint">
<                     <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</description>
<                     <classId>signingAlgConstraintImpl</classId>
<                     <constraint id="signingAlgsAllowed">
<                         <descriptor>
<                             <Syntax>string</Syntax>
<                             <Description>Allowed Signing Algorithms</Description>
<                             <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue>
<                         </descriptor>
<                         <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</value>
<                     </constraint>
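Review bot: 496,522d495 deletes exactly the `<value id="8">` block (the `signingAlgDefaultImpl` default with its `signingAlgConstraintImpl` constraint) and no other policy, which matches the removal of policy #8 in step 3; together with `policyset.serverCertSet.list=1,2,3,4,5,6,7` in the post-edit raw dump, this confirms the stale-parameter behaviour from the description no longer reproduces on pki-core-10.4.1-4.el7.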

Comment 9 Fraser Tweedale 2017-07-24 01:06:10 UTC
Doc text is perfect.

Comment 10 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
