Bug 1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE
Summary: pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Petr Bokoc
URL:
Whiteboard:
: 1459337 (view as bug list)
Depends On:
Blocks: 1463358
 
Reported: 2017-05-03 18:25 UTC by Roshni
Modified: 2020-10-04 21:28 UTC (History)

Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates invalid *NSS* database passwords

Prior to this update, "pkispawn" generated a random password for the *NSS* database which in some cases contained a backslash (`\`) character. This caused problems when *NSS* established *SSL* connections, which in turn caused the installation to fail with an `ACCESS_SESSION_ESTABLISH_FAILURE` error. This update ensures that the randomly generated password cannot contain the backslash character and a connection can always be established, allowing the installation to finish successfully.
Clone Of:
: 1462973 1463358 (view as bug list)
Environment:
Last Closed: 2017-08-01 22:50:57 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2796 0 None None None 2020-10-04 21:28:33 UTC
Red Hat Product Errata RHBA-2017:2110 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Roshni 2017-05-03 18:25:20 UTC
Description of problem:
pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE  

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-3.el7.noarch

How reproducible:
inconsistent

Steps to Reproduce:
1.
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = 
pki_admin_password = 
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = 
pki_backup_keys = True
pki_backup_password = 
pki_ds_password = 
pki_ds_ldap_port = 3389
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

Using the above installation file run pkispawn -s CA -f ca.cfg
2.
3.

Actual results:
pkispawn fails

Expected results:
pkispawn should be successful

Additional info:
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup start
[03/May/2017:13:39:58][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup done
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[03/May/2017:13:39:58][http-bio-23443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:00][http-bio-23443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:01][http-bio-23443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:02][http-bio-23443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:03][http-bio-23443-exec-5]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:05][http-bio-23443-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:06][http-bio-23443-exec-7]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:07][http-bio-23443-exec-8]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:08][http-bio-23443-exec-9]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:09][http-bio-23443-exec-10]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:10][http-bio-23443-exec-11]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:11][http-bio-23443-exec-12]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:12][http-bio-23443-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[03/May/2017:13:40:14][http-bio-23443-exec-14]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

Comment 8 Endi Sukma Dewata 2017-06-02 15:29:59 UTC
The problem only happens if the randomly generated NSS database password contains a backslash character. As a workaround, specify a fixed password without backslash, for example:

  [DEFAULT]
  pki_pin=Secret.123

Comment 9 Red Hat Bugzilla Rules Engine 2017-06-02 16:40:22 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 10 Endi Sukma Dewata 2017-06-02 17:14:33 UTC
Fixed in master:

* https://github.com/dogtagpki/pki/commit/29dbed75f1c214a065cd3bcc438d0584fd980d4f

Comment 12 Matthew Harmsen 2017-06-08 23:59:12 UTC
*** Bug 1459337 has been marked as a duplicate of this bug. ***

Comment 13 Roshni 2017-06-14 14:09:16 UTC
[root@cloud-qe-19 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.4.1
Release     : 9.el7
Architecture: noarch
Install Date: Wed 14 Jun 2017 09:37:00 AM EDT
Group       : System Environment/Daemons
Size        : 2308437
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-9.el7.src.rpm
Build Date  : Tue 13 Jun 2017 02:08:27 PM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

pkispawn was successful after trying a couple of times. Do we want to fail pkispawn with an appropriate error message if a pin with \ is provided in the installation file?

Comment 14 Endi Sukma Dewata 2017-06-14 15:39:31 UTC
Yes, we can add some code to check user-provided password validity and generate the proper error message. Feel free to change the ticket to ASSIGNED or open a new ticket.
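
The two behaviours discussed in this thread, shown as an added example that is not part of the bug report and is not the pki-core code: a random password generator that can never emit a backslash, and an early check that rejects a user-supplied `pki_pin` containing one. The function names, the alphabet, the default length and the treatment of an empty `pki_pin` as "not supplied" are assumptions made for illustration.

```python
import configparser
import secrets
import string

# The one character this bug report identifies as breaking NSS SSL connections.
FORBIDDEN = "\\"

# Assumed alphabet for this example: ASCII letters, digits and punctuation,
# minus the forbidden character.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in FORBIDDEN
)


def generate_pin(length=12):
    """Return a random password that can never contain a backslash."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_pin(pin):
    """Reject a user-supplied password that contains a forbidden character."""
    bad = sorted(set(pin) & set(FORBIDDEN))
    if bad:
        raise ValueError(
            "pki_pin contains unsupported character(s): "
            + ", ".join(repr(c) for c in bad)
        )
    return pin


def resolve_pin(cfg_text):
    """Use pki_pin from [DEFAULT] if set (after validation), else generate one."""
    parser = configparser.ConfigParser(interpolation=None)  # keep values raw
    parser.read_string(cfg_text)
    pin = parser.defaults().get("pki_pin", "")
    return validate_pin(pin) if pin else generate_pin()


if __name__ == "__main__":
    # Constructed sample configs, not taken from a real deployment.
    good = "[DEFAULT]\npki_pin=Secret.123\n"
    bad = "[DEFAULT]\npki_pin=Secret\\123\n"
    print(resolve_pin(good))
    try:
        resolve_pin(bad)
    except ValueError as err:
        print("rejected:", err)
```

Failing at configuration-parse time with a message that names the offending character avoids the intermittent, hard-to-diagnose install failure described in the original report.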

Comment 15 Roshni 2017-06-19 19:13:49 UTC
Opened a new bug for comment 14 https://bugzilla.redhat.com/show_bug.cgi?id=1462973

Comment 17 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

