Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1452250

Summary: Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact: Petr Bokoc <pbokoc>
Priority: unspecified    
Version: 7.4CC: akahat, arubin, pbokoc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.4.1-5.el7 Doc Type: Bug Fix
Doc Text:
The audit log no longer records success when a certificate request was rejected or canceled Previously when a certificate request was rejected or canceled, the server generated a `CERT_REQUEST_PROCESSED` audit log entry with `Outcome=Success`. This was incorrect because there was no certificate issued for the request. This bug has been fixed, and the `CERT_REQUEST_PROCESSED` audit log entry for a rejected or canceled request now reads `Outcome=Failure`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:52:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Harmsen 2017-05-18 16:28:50 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2690

Normally a successful CERT_REQUEST_PROCESSED event would be accompanied by a cert object, and a failed one would be accompanied by a request object.

However, the following code logs a failure with a cert object:

https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java#L642

    audit(new CertRequestProcessedEvent(
        auditSubjectID,
        ILogger.FAILURE,
        auditRequesterID,
        ILogger.SIGNED_AUDIT_ACCEPTANCE,
        x509cert));
Comment 2 Matthew Harmsen 2017-05-18 16:30:34 UTC 
On May 16, 2017, cfu wrote:

If a cert has already been issued (which seems to be the case of the L642 in the above report), then as far as CertRequestProcessedEvent goes, it is supposed to be considered a SUCCESS (the cert has already been issued!!!!!);
The fact that the code is under an Exception catch clause means something else happened, and it should be dealt with outside of the CertRequestProcessedEvent.
I suggest you find out what would cause this to happen and see if it deserves any audit-worthy event to be recorded. If not, a debug message should do, since it already rethrown the exception a few lines down.
Comment 3 Matthew Harmsen 2017-05-18 16:32:34 UTC 
On May 17, 2017, edewata wrote:

The queue.processRequest() in line 618 is quite complex. There could be many things that could generate EBaseException, so I'll leave that to be handled by the caller in line 265.

I think the original intent of the code was to trigger a CERT_REQUEST_PROCESSED event if a new certificate was generated by queue.processRequest() regardless of the exception, so I'm moving the event trigger into a finally-clause.

Please see the following patch:

    https://review.gerrithub.io/#/c/361202/
Comment 4 Matthew Harmsen 2017-05-18 16:36:02 UTC 
On May 17, 2017, edewata pushed these changes:

Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.

The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally- clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers.

https://pagure.io/dogtagpki/issue/2690
Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
Comment 5 Matthew Harmsen 2017-05-18 16:50:37 UTC 
https://pagure.io/dogtagpki/issue/2693:

Fixed in master:

    https://github.com/dogtagpki/pki/commit/dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a



https://pagure.io/dogtagpki/issue/2694:

Fixed in master:

    https://github.com/dogtagpki/pki/commit/e54873d6dbb95e82632f888b90dc6d0d7836ad4d
Comment 7 Amol K 2017-06-19 15:08:39 UTC 
I verified this bug on pki 10.4.1-9.el7 build.

Steps I followed to verify this bug:

 1. Created certificate requests.

 2. After rejecting the request, in audit logs, I could see the outcome as a failure and InfoValue as null with certificate request id.

 3. After the canceling the request, in audit logs, I could see the outcome as failure and InfoValue as null with certificate request id.

Verifying this bug.
Comment 8 errata-xmlrpc 2017-08-01 22:52:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
Comment 9 Endi Sukma Dewata 2017-11-02 01:33:03 UTC 
*** Bug 1446366 has been marked as a duplicate of this bug. ***