Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1455617

Summary: Key recovery on token fails because key record is not marked encrypted
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: pki-coreAssignee: Ade Lee <alee>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: mharmsen
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.4.1-7.el7 Doc Type: No Doc Update
Doc Text:
This is something that would have been encountered in an intermediate build that was never released. So it should not ever be encountered in the wild, so no doc required.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:52:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1458043    
Bug Blocks: 1425972    

Description Roshni 2017-05-25 15:34:15 UTC 
Description of problem:
Key recovery on token fails because key record is not marked encrypted

Version-Release number of selected component (if applicable):
pki-kra-10.4.1-5.el7

How reproducible:
always

Steps to Reproduce:
1. Install CA, KRA, TKS and TPS on an HSM and FIPS enabled server with server-side keygen enabled on TPS
2. Enroll a token using TPS
3. Mark the token physically damaged
4. Issue a new token for the user

Actual results:
Key recovery during new token enrollment fails.

Expected results:
Issuing a new token should be successful and cert/key on the damaged token should be recovered onto the new token

Additional info:
KRA debug log

[25/May/2017:09:34:54][http-bio-31042-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_SUCCESS
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet:service() uri = /kra/agent/kra/TokenKeyRecovery
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet::service() param name='tokencuid' value='40906145C76224192809'
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet::service() param name='userid' value='scuser1'
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet::service() param name='cert' value='MIIC/jCCAeagAwIBAgIEC100DTANBgkqhkiG9w0BAQ0FADBaMSAwHgYDVQQKDBdw
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet::service() param name='drm_trans_desKey' value='(sensitive)'
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: kraTokenKeyRecovery start to service.
[25/May/2017:09:34:54][http-bio-31042-exec-13]: IP: 10.8.60.15
[25/May/2017:09:34:54][http-bio-31042-exec-13]: AuthMgrName: certUserDBAuthMgr
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: retrieving SSL certificate
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: certUID=CN=Subsystem Certificate,OU=pki-tps-May23,O=idm.lab.eng.rdu2.redhat.com Security Domain
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CertUserDBAuth: started
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CertUserDBAuth: Retrieving client certificate
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CertUserDBAuth: Got client certificate
[25/May/2017:09:34:54][http-bio-31042-exec-13]: Authentication: client certificate found
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: Authentication: mapped certificate to user
[25/May/2017:09:34:54][http-bio-31042-exec-13]: authenticated uid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443,ou=people,o=pki-kra-May23-KRA
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: userid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: in auditSubjectID
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: auditSubjectID auditContext {locale=en_US, userid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443, ipAddress=10.8.60.15, authManagerId=certUserDBAuthMgr}
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet auditSubjectID: subjectID: TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443
[25/May/2017:09:34:54][http-bio-31042-exec-13]: SignedAuditEventFactory: create() message created for eventType=AUTH_SUCCESS
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: in auditSubjectID
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: auditSubjectID auditContext {locale=en_US, userid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443, ipAddress=10.8.60.15, authManagerId=certUserDBAuthMgr}
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet auditSubjectID: subjectID: TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: in auditGroupID
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: auditGroupID auditContext {locale=en_US, userid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443, ipAddress=10.8.60.15, authManagerId=certUserDBAuthMgr}
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet auditGroupID: groupID: null
[25/May/2017:09:34:54][http-bio-31042-exec-13]: checkACLS(): ACLEntry expressions= group="Data Recovery Manager Agents"
[25/May/2017:09:34:54][http-bio-31042-exec-13]: evaluating expressions: group="Data Recovery Manager Agents"
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GroupAccessEvaluator: evaluate: uid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443 value="Data Recovery Manager Agents"
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GroupAccessEvaluator: evaluate: no groups in authToken
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: UGSubsystem.isMemberOf() using new lookup code
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][http-bio-31042-exec-13]: authorization search base: cn=Data Recovery Manager Agents,ou=groups,o=pki-kra-May23-KRA
[25/May/2017:09:34:54][http-bio-31042-exec-13]: authorization search filter: (uniquemember=uid=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443,ou=people,o=pki-kra-May23-KRA)
[25/May/2017:09:34:54][http-bio-31042-exec-13]: authorization result: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: evaluated expression: group="Data Recovery Manager Agents" to be true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: DirAclAuthz: authorization passed
[25/May/2017:09:34:54][http-bio-31042-exec-13]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryServlet: processTokenKeyRecovery would be called
[25/May/2017:09:34:54][http-bio-31042-exec-13]: processTokenKeyRecovery begins:
[25/May/2017:09:34:54][http-bio-31042-exec-13]: Repository: in getNextSerialNumber. 
[25/May/2017:09:34:54][http-bio-31042-exec-13]: Repository: checkRange  mLastSerialNo=13
[25/May/2017:09:34:54][http-bio-31042-exec-13]: Repository: getNextSerialNumber: returning retSerial 13
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GenericPolicyProcessor: apply begins
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeyRecovery
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GenericPolicyProcessor: apply begins
[25/May/2017:09:34:54][http-bio-31042-exec-13]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeyRecovery
[25/May/2017:09:34:54][http-bio-31042-exec-13]: KRA services token key recovery request
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getVolatileRequest params null
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: received DRM-trans-wrapped des key
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: wrapped_des_key specialDecoded
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: received des key
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: got token slot:NHSM-RPATTATH-SOFTCARD
[25/May/2017:09:34:54][http-bio-31042-exec-13]: KRA reading key record
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: recover by cert
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][http-bio-31042-exec-13]: filter= (publicKey=x509cert#"MIIC/jCCAeagAwIBAgIEC100DTANBgkqhkiG9w0BAQ0FADBaMSAwHgYDVQQKDBdw
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: read key record
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: owner name on record =40906145C76224192809:scuser1
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: owner name from TPS =40906145C76224192809:scuser1
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: owner name matches
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being false
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: recoverKey() - allowEncDecrypt_archival needs to be false for this call
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryService: Recovery Failed recoverKey, allowEncDecrypt_archival needs to be false for this call
[25/May/2017:09:34:54][http-bio-31042-exec-13]: ARequestNotifier  notify mIsPublishingQueueEnabled=false mMaxThreads=1
[25/May/2017:09:34:54][http-bio-31042-exec-13]: processTokenKeyRecovery finished
[25/May/2017:09:34:54][http-bio-31042-exec-13]: In LdapBoundConnFactory::getConn()
[25/May/2017:09:34:54][http-bio-31042-exec-13]: masterConn is connected: true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: conn is connected true
[25/May/2017:09:34:54][http-bio-31042-exec-13]: getConn: mNumConns now 2
[25/May/2017:09:34:54][Thread-18]: RunListeners:: noQueue  SingleRequest
[25/May/2017:09:34:54][Thread-18]: RunListeners:  noQueue  SingleRequest
[25/May/2017:09:34:54][http-bio-31042-exec-13]: returnConn: mNumConns now 3
[25/May/2017:09:34:54][http-bio-31042-exec-13]: TokenKeyRecoveryServlet:outputString.length 8
[25/May/2017:09:34:54][http-bio-31042-exec-13]: CMSServlet: curDate=Thu May 25 09:34:54 EDT 2017 id=kraTokenKeyRecovery time=83
[25/May/2017:09:34:54][http-bio-31042-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
Comment 3 Ade Lee 2017-05-26 16:05:11 UTC 
Fixed here:

commit 5438e24e022c4c169ff9b5c6325e5ec0023d4caa
Author: Ade Lee <alee>
Date:   Thu May 25 16:31:45 2017 -0400

    Set encryption flag for generated keys
    
    The key record for keys generated in the keygen servlets
    was not updated to reflect whether or not the server was set up
    to do encryption/key wrapping.  This patch corrects this
    oversight.
    
    Bugzilla BZ# 1455617
    
    Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024
Comment 5 Roshni 2017-06-02 14:56:40 UTC 
Can be verified only after https://bugzilla.redhat.com/show_bug.cgi?id=1425972 and https://bugzilla.redhat.com/show_bug.cgi?id=1458043 are verified
Comment 7 Roshni 2017-06-21 20:46:49 UTC 
[root@nocp1 ~]# rpm -qi pki-kra
Name        : pki-kra
Version     : 10.4.1
Release     : 10.el7
Architecture: noarch
Install Date: Wed 21 Jun 2017 11:00:26 AM EDT
Group       : System Environment/Daemons
Size        : 562173
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-10.el7.src.rpm
Build Date  : Tue 20 Jun 2017 01:23:22 AM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Key Recovery Authority

[root@nocp1 ~]# rpm -qi pki-tps
Name        : pki-tps
Version     : 10.4.1
Release     : 10.el7pki
Architecture: x86_64
Install Date: Wed 21 Jun 2017 11:05:25 AM EDT
Group       : System Environment/Daemons
Size        : 1866565
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-10.el7pki.src.rpm
Build Date  : Tue 20 Jun 2017 01:59:47 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Token Processing Service

Verification steps:

1. Verified automatic key recovery

Temporary token issued to a user had the encryption cert/key from lost token. Same behavior was observed when a token was physically damaged.

2. Cert/key recovery works with externalReg, delegateISE, userKey and delegateIE token types.
Comment 8 errata-xmlrpc 2017-08-01 22:52:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110