Bug 1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Docs Contact: Petr Bokoc
Keywords: Reopened, ZStream
Duplicates: 1459337
Depends On:
Blocks: 1463358
 
Reported: 2017-05-03 14:25 EDT by Roshni
Modified: 2017-08-01 18:50 EDT

See Also:
Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates invalid *NSS* database passwords

Prior to this update, "pkispawn" generated a random password for the *NSS* database which in some cases contained a backslash (`\`) character. This caused problems when *NSS* established *SSL* connections, which in turn caused the installation to fail with an `ACCESS_SESSION_ESTABLISH_FAILURE` error. This update ensures that the randomly generated password cannot contain the backslash character and a connection can always be established, allowing the installation to finish successfully.
Story Points: ---
Clone Of:
: 1462973 1463358
Environment:
Last Closed: 2017-08-01 18:50:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2017:2110
Priority: normal
Status: SHIPPED_LIVE
Summary: pki-core bug fix and enhancement update
Last Updated: 2017-08-01 15:36:59 EDT

Description Roshni 2017-05-03 14:25:20 EDT
Description of problem:
pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE  

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-3.el7.noarch

How reproducible:
inconsistent

Steps to Reproduce:
1. [DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = 
pki_admin_password = 
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = 
pki_backup_keys = True
pki_backup_password = 
pki_ds_password = 
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

Using the above installation file run pkispawn -s CA -f ca.cfg
2.
3.

Actual results:
pkispawn fails

Expected results:
pkispawn should be successful

Additional info:
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup start
[03/May/2017:13:39:58][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[03/May/2017:13:39:58][http-bio-23443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:00][http-bio-23443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:01][http-bio-23443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:02][http-bio-23443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:03][http-bio-23443-exec-5]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:05][http-bio-23443-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:06][http-bio-23443-exec-7]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:07][http-bio-23443-exec-8]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:08][http-bio-23443-exec-9]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:09][http-bio-23443-exec-10]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:10][http-bio-23443-exec-11]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:11][http-bio-23443-exec-12]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:12][http-bio-23443-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:14][http-bio-23443-exec-14]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
Comment 8 Endi Sukma Dewata 2017-06-02 11:29:59 EDT
The problem only happens if the randomly generated NSS database password contains a backslash character. As a workaround, specify a fixed password without backslash, for example:

  [DEFAULT]
  pki_pin=Secret.123
Comment 9 Red Hat Bugzilla Rules Engine 2017-06-02 12:40:22 EDT
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Comment 10 Endi Sukma Dewata 2017-06-02 13:14:33 EDT
Fixed in master:

* https://github.com/dogtagpki/pki/commit/29dbed75f1c214a065cd3bcc438d0584fd980d4f
Comment 12 Matthew Harmsen 2017-06-08 19:59:12 EDT
*** Bug 1459337 has been marked as a duplicate of this bug. ***
Comment 13 Roshni 2017-06-14 10:09:16 EDT
[root@cloud-qe-19 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 9.el7
Architecture: noarch
Install Date: Wed 14 Jun 2017 09:37:00 AM EDT
Group       : System Environment/Daemons
Size        : 2308437
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-9.el7.src.rpm
Build Date  : Tue 13 Jun 2017 02:08:27 PM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

pkispawn was successful after trying a couple of times. Do we want to fail pkispawn with an appropriate error message if a pin with \ is provided in the installation file?
Comment 14 Endi Sukma Dewata 2017-06-14 11:39:31 EDT
Yes, we can add some code to check user-provided password validity and generate the proper error message. Feel free to change the ticket to ASSIGNED or open a new ticket.
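
The check discussed in comments 13 and 14, together with the generation rule from the Doc Text, as an added example that is not part of this bug report and is not the Dogtag PKI fix. The function names, the sample configurations and the treatment of an unset or empty `pki_pin` as "a random one is generated" are assumptions of this sketch.

```python
import configparser
import secrets
import string

# Only the backslash is known from this bug report to break NSS SSL connections.
FORBIDDEN = {"\\"}
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in FORBIDDEN
)

# Constructed sample configurations (not taken from a real deployment).
SAMPLE_OK = "[DEFAULT]\npki_instance_name = topology-02-CA\npki_pin = Secret.123\n"
SAMPLE_BAD = "[DEFAULT]\npki_instance_name = topology-02-CA\npki_pin = Secret\\123\n"
SAMPLE_UNSET = "[DEFAULT]\npki_instance_name = topology-02-CA\n"


def generate_pin(length=12):
    """Return a random password drawn from an alphabet without a backslash."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_pin(pin):
    """Return the forbidden characters found in a user-supplied pin."""
    return sorted(FORBIDDEN.intersection(pin))


def preflight(cfg_text):
    """Check [DEFAULT] pki_pin in a pkispawn-style configuration.

    Returns (status, detail); status is 'ok', 'rejected' or 'generated'.
    Assumption: an unset or empty pki_pin means a random one is generated.
    """
    # interpolation=None keeps '%' in passwords from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    pin = parser.defaults().get("pki_pin", "")
    if not pin:
        return "generated", generate_pin()
    bad = check_pin(pin)
    if bad:
        # Report only the offending character, never the pin itself.
        return "rejected", "pki_pin contains forbidden character: " + " ".join(bad)
    return "ok", ""
```

Calling `preflight()` on the contents of the installation file before running pkispawn turns the intermittent install failure into an immediate, explicit rejection.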
Comment 15 Roshni 2017-06-19 15:13:49 EDT
Opened a new bug for comment 14 https://bugzilla.redhat.com/show_bug.cgi?id=1462973
Comment 17 errata-xmlrpc 2017-08-01 18:50:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
