Bug 1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.
Summary: Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Petr Bokoc
Duplicates: 1446366
Reported: 2017-05-18 16:28 UTC by Matthew Harmsen
Modified: 2020-10-04 21:29 UTC (History)

Fixed In Version: pki-core-10.4.1-5.el7
Doc Type: Bug Fix
Doc Text:
The audit log no longer records success when a certificate request was rejected or canceled

Previously, when a certificate request was rejected or canceled, the server generated a `CERT_REQUEST_PROCESSED` audit log entry with `Outcome=Success`. This was incorrect because there was no certificate issued for the request. This bug has been fixed, and the `CERT_REQUEST_PROCESSED` audit log entry for a rejected or canceled request now reads `Outcome=Failure`.
Last Closed: 2017-08-01 22:52:53 UTC
Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github dogtagpki pki issues | 2810 | 0 | None | None | None | 2020-10-04 21:29:39 UTC |
| Github dogtagpki pki issues | 2813 | 0 | None | None | None | 2020-10-04 21:29:48 UTC |
| Github dogtagpki pki issues | 2814 | 0 | None | None | None | 2020-10-04 21:29:52 UTC |
| Red Hat Product Errata | RHBA-2017:2110 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2017-08-01 19:36:59 UTC |

Description Matthew Harmsen 2017-05-18 16:28:50 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2690

Normally a successful CERT_REQUEST_PROCESSED event would be accompanied by a cert object, and a failed one would be accompanied by a request object.

However, the following code logs a failure with a cert object:

https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java#L642

    audit(new CertRequestProcessedEvent(
        auditSubjectID,
        ILogger.FAILURE,
        auditRequesterID,
        ILogger.SIGNED_AUDIT_ACCEPTANCE,
        x509cert));

Comment 2 Matthew Harmsen 2017-05-18 16:30:34 UTC
On May 16, 2017, cfu wrote:

If a cert has already been issued (which seems to be the case of the L642 in the above report), then as far as CertRequestProcessedEvent goes, it is supposed to be considered a SUCCESS (the cert has already been issued!!!!!);
The fact that the code is under an Exception catch clause means something else happened, and it should be dealt with outside of the CertRequestProcessedEvent.
I suggest you find out what would cause this to happen and see if it deserves any audit-worthy event to be recorded. If not, a debug message should do, since it has already rethrown the exception a few lines down.

Comment 3 Matthew Harmsen 2017-05-18 16:32:34 UTC
On May 17, 2017, edewata wrote:

The queue.processRequest() in line 618 is quite complex. There could be many things that could generate EBaseException, so I'll leave that to be handled by the caller in line 265.

I think the original intent of the code was to trigger a CERT_REQUEST_PROCESSED event if a new certificate was generated by queue.processRequest() regardless of the exception, so I'm moving the event trigger into a finally-clause.

Please see the following patch:

    https://review.gerrithub.io/#/c/361202/

Comment 4 Matthew Harmsen 2017-05-18 16:36:02 UTC
On May 17, 2017, edewata pushed these changes:

Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.

The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally-clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers.

https://pagure.io/dogtagpki/issue/2690
Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
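
The pattern described in Comments 3 and 4, as an added Java sketch that is not the Dogtag PKI code or the actual patch: the audit outcome is decided in a finally-clause by whether a cert exists, and any exception still reaches the caller. `Request`, `FakeQueue`, the log line format and all sample values are hypothetical stand-ins constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: every type here is a hypothetical stand-in, not a Dogtag PKI class.
public class FinallyAuditDemo {
    static final List<String> auditLog = new ArrayList<>();

    // Stand-in for a request; cert stays null unless one was issued.
    static class Request {
        final String id;
        String cert;
        Request(String id) { this.id = id; }
    }

    // Stand-in for the request queue: may issue a cert, throw, or both.
    interface FakeQueue { void processRequest(Request r) throws Exception; }

    static void processRequest(FakeQueue queue, Request req, String subjectID) throws Exception {
        try {
            queue.processRequest(req); // exceptions are not caught here; the caller handles them
        } finally {
            // Outcome follows the presence of a cert, not whether an exception was thrown.
            if (req.cert != null) {
                auditLog.add("CERT_REQUEST_PROCESSED subject=" + subjectID
                        + " Outcome=Success cert=" + req.cert);
            } else {
                auditLog.add("CERT_REQUEST_PROCESSED subject=" + subjectID
                        + " Outcome=Failure request=" + req.id);
            }
        }
    }

    public static void main(String[] args) {
        FakeQueue[] cases = {
            r -> r.cert = "serial-1 (constructed)",                 // issued
            r -> { /* rejected or canceled: no cert */ },
            r -> { r.cert = "serial-2 (constructed)";               // issued, then a later step fails
                   throw new Exception("post-issuance step failed"); },
            r -> { throw new Exception("validation failed"); }      // fails before issuance
        };
        for (int i = 0; i < cases.length; i++) {
            try {
                processRequest(cases[i], new Request("req-" + i), "caadmin");
            } catch (Exception e) {
                System.out.println("caller saw: " + e.getMessage());
            }
        }
        auditLog.forEach(System.out::println);
    }
}
```

The third case is the one the original report was about: a cert object exists and an exception is thrown, so the event pairs Success with the cert while the caller still sees the exception.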

Comment 7 Amol K 2017-06-19 15:08:39 UTC
I verified this bug on pki 10.4.1-9.el7 build.

Steps I followed to verify this bug:

 1. Created certificate requests.

 2. After rejecting the request, in audit logs, I could see the outcome as a failure and InfoValue as null with certificate request id.

 3. After canceling the request, in audit logs, I could see the outcome as failure and InfoValue as null with certificate request id.

Verifying this bug.

Comment 8 errata-xmlrpc 2017-08-01 22:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

Comment 9 Endi Sukma Dewata 2017-11-02 01:33:03 UTC
*** Bug 1446366 has been marked as a duplicate of this bug. ***
