
Bug 1447762

Summary: pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE
Product: Red Hat Enterprise Linux 7
Reporter: Roshni <rpattath>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent
Version: 7.4
CC: arubin, dsirrine, edewata, mharmsen, msauton, pbokoc
Target Milestone: rc
Keywords: Reopened, ZStream
Hardware: All
OS: Linux
Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates invalid *NSS* database passwords

Prior to this update, "pkispawn" generated a random password for the *NSS* database which in some cases contained a backslash (`\`) character. This caused problems when *NSS* established *SSL* connections, which in turn caused the installation to fail with an `ACCESS_SESSION_ESTABLISH_FAILURE` error. This update ensures that the randomly generated password cannot contain the backslash character and a connection can always be established, allowing the installation to finish successfully.
Clone Of:
: 1462973 1463358
Last Closed: 2017-08-01 22:50:57 UTC
Type: Bug
Bug Blocks: 1463358

Description Roshni 2017-05-03 18:25:20 UTC
Description of problem:
pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE  

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-3.el7.noarch

How reproducible:
inconsistent

Steps to Reproduce:
1. [DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = 
pki_admin_password = 
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = 
pki_backup_keys = True
pki_backup_password = 
pki_ds_password = 
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

Using the above installation file run pkispawn -s CA -f ca.cfg
2.
3.

Actual results:
pkispawn fails

Expected results:
pkispawn should be successful

Additional info:
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup start
[03/May/2017:13:39:58][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[03/May/2017:13:39:58][http-bio-23443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:00][http-bio-23443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:01][http-bio-23443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:02][http-bio-23443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:03][http-bio-23443-exec-5]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:05][http-bio-23443-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:06][http-bio-23443-exec-7]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:07][http-bio-23443-exec-8]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:08][http-bio-23443-exec-9]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:09][http-bio-23443-exec-10]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:10][http-bio-23443-exec-11]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:11][http-bio-23443-exec-12]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:12][http-bio-23443-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:14][http-bio-23443-exec-14]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

Comment 8 Endi Sukma Dewata 2017-06-02 15:29:59 UTC
The problem only happens if the randomly generated NSS database password contains a backslash character. As a workaround, specify a fixed password without backslash, for example:

  [DEFAULT]
  pki_pin=Secret.123

Comment 9 Red Hat Bugzilla Rules Engine 2017-06-02 16:40:22 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 10 Endi Sukma Dewata 2017-06-02 17:14:33 UTC
Fixed in master:

* https://github.com/dogtagpki/pki/commit/29dbed75f1c214a065cd3bcc438d0584fd980d4f

Comment 12 Matthew Harmsen 2017-06-08 23:59:12 UTC
*** Bug 1459337 has been marked as a duplicate of this bug. ***

Comment 13 Roshni 2017-06-14 14:09:16 UTC
[root@cloud-qe-19 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 9.el7
Architecture: noarch
Install Date: Wed 14 Jun 2017 09:37:00 AM EDT
Group       : System Environment/Daemons
Size        : 2308437
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-9.el7.src.rpm
Build Date  : Tue 13 Jun 2017 02:08:27 PM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

pkispawn was successful after trying a couple of times. Do we want to fail pkispawn with an appropriate error message if a pin with \ is provided in the installation file?

Comment 14 Endi Sukma Dewata 2017-06-14 15:39:31 UTC
Yes, we can add some code to check user-provided password validity and generate the proper error message. Feel free to change the ticket to ASSIGNED or open a new ticket.
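
Added example, not part of the bug thread and not the pki-core code: a Python sketch of the two behaviours discussed above, generating a random NSS database password that can never contain a backslash (comment 8 and the Doc Text) and rejecting a user-provided pki_pin that does (comments 13 and 14). The function names, the 12-character length and the sample files are assumptions made for illustration.

```python
import configparser
import secrets
import string

# Characters the password must never contain; the bug report names only "\".
FORBIDDEN = {"\\"}

# Alphabet for generated passwords: ASCII letters, digits and punctuation
# with every forbidden character filtered out up front.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in FORBIDDEN
)


def generate_pin(length=12):
    """Return a random password drawn only from the filtered alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_pin(pin):
    """Raise ValueError if a user-supplied password has a forbidden character."""
    bad = sorted(FORBIDDEN.intersection(pin))
    if bad:
        raise ValueError(
            "pki_pin contains unsupported character(s): " + " ".join(bad)
        )
    return pin


def resolve_pin(cfg_text):
    """Use pki_pin from [DEFAULT] when set and valid, otherwise generate one."""
    # interpolation=None so a "%" in a password is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    pin = parser.defaults().get("pki_pin", "")
    return check_pin(pin) if pin else generate_pin()


# Constructed sample deployment files; Secret.123 is the workaround value
# quoted in comment 8, the others are made up for this example.
GOOD_CFG = "[DEFAULT]\npki_pin = Secret.123\n"
BAD_CFG = "[DEFAULT]\npki_pin = Secret\\123\n"
NO_PIN_CFG = "[DEFAULT]\npki_instance_name = topology-02-CA\n"

if __name__ == "__main__":
    print(resolve_pin(GOOD_CFG))
    print(len(resolve_pin(NO_PIN_CFG)))
    try:
        resolve_pin(BAD_CFG)
    except ValueError as err:
        print("rejected:", err)
```

Filtering the alphabet before sampling removes the intermittent failure entirely, while the explicit check turns a bad user-supplied value into an immediate, readable error instead of repeated ACCESS_SESSION_ESTABLISH_FAILURE events later in the install.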

Comment 15 Roshni 2017-06-19 19:13:49 UTC
Opened a new bug for comment 14 https://bugzilla.redhat.com/show_bug.cgi?id=1462973

Comment 17 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110