Bug 1464549 - CC: Installation with CMC
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Assigned To: Endi Sukma Dewata
Asha Akkiangady
Marc Muehlfeld
Reported: 2017-06-23 14:08 EDT by Christina Fu
Modified: 2018-06-05 01:14 EDT (History)
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System supports installing CA, KRA, and OCSP subsystems with CMC This enhancement provides a mechanism to install CA, KRA, or OCSP subsystems with Certificate Management over CMS (CMC). The installation will be done in two steps. The first step of the installation will generate the Certificate Signing Requests (CSR) for the system certificates. The CSRs can be used to issue the system certificates using CMC. The second step of the installation will use these system certificates and complete the subsystem installation.
Last Closed: 2018-04-10 12:58:29 EDT
Type: Bug
External Trackers
Tracker ID: Red Hat Product Errata RHBA-2018:0925
Last Updated: 2018-04-10 12:59 EDT

Description Christina Fu 2017-06-23 14:08:46 EDT
This came out of the PP requirement: FIA_CMC_EXT.1.3

Basically, when a subordinate CA acts as a client to its superior CA, the cert requests and responses should be carried in CMC format and protocol.

Since retrofitting CMC into the existing installation system is not feasible, as installation is a "one-time thing" that doesn't happen often, our plan is to give some manual CC setup steps with the assistance of some code changes:

* for sub-CAs, just give instructions on manual CMC request generation and submission to the superior CA, and then use the "existing CA" feature to install
* for non-CA subsystems, such as KRA, OCSP, TPS, and TKS, we need some (possibly not a lot of) changes to allow pre-existing system certificates to be used. We add instructions on manual CMC request generation and submission to the CA before directing people to use this new "existing all subsystems" feature.

For the above, there is already a ticket:
https://pagure.io/dogtagpki/issue/2280

Another area that needs to be covered is a set of system certificate profiles for CMC requests to complete the above strategy.
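The two-step "existing CA" installation that this plan leans on, written out as pkispawn deployment configs. This is an added illustration, not configuration from the bug or its attachments: the parameter names (pki_external, pki_external_step_two, pki_ca_signing_csr_path, pki_ca_signing_cert_path, pki_cert_chain_path, pki_cert_chain_nickname) are pkispawn's external-CA deployment parameters as used in the Dogtag procedure referenced in comment 8; the instance name, ports, passwords, base DN and file paths are constructed placeholders.

```ini
# ca-step1.cfg  --  run:  pkispawn -s CA -f ca-step1.cfg
# Step one writes the CA signing CSR and stops; the sub-CA is not usable yet.
# Passwords are obvious placeholders, not values from the bug.
[DEFAULT]
pki_instance_name=pki-tomcat
pki_http_port=8080
pki_https_port=8443

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=EXAMPLE-admin-password
pki_admin_uid=caadmin
pki_client_database_password=EXAMPLE-client-db-password
pki_client_database_purge=False
pki_client_pkcs12_password=EXAMPLE-pkcs12-password
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=EXAMPLE-ds-password
pki_security_domain_name=EXAMPLE

# Externally signed CA: stop after the CSR is written to this path.
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=/root/ca_signing.csr

# ca-step2.cfg  --  run:  pkispawn -s CA -f ca-step2.cfg
# Identical to ca-step1.cfg except for the lines below. Between the two
# steps the operator submits /root/ca_signing.csr to the superior CA as a
# CMC request (the manual step described in the plan above) and saves the
# issued certificate and the superior CA's chain to the paths named here.
#   pki_external=True
#   pki_external_step_two=True
#   pki_ca_signing_cert_path=/root/ca_signing.crt
#   pki_cert_chain_path=/root/superior_ca_chain.crt
#   pki_cert_chain_nickname=superior-ca
```

Before running step two it is worth confirming that the certificate the superior CA returned actually belongs to the key pkispawn generated in step one: compare the output of `openssl req -in /root/ca_signing.csr -pubkey -noout` with `openssl x509 -in /root/ca_signing.crt -pubkey -noout`, and check that the file in pki_cert_chain_path contains the superior CA's certificate and nothing unexpected, since step two imports it into the instance's trust store under the given nickname.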
Comment 2 Christina Fu 2017-07-07 20:06:42 EDT
Note that the CMC system cert enrollment profiles have been pushed to Dogtag master.
See usage info here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Comment 6 Geetika Kapoor 2017-12-06 02:35:01 EST
Test Environment:
================

rpm -qa pki-*
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-console-10.5.1-2.el7pki.noarch
pki-server-10.5.1-4.el7.noarch
pki-ca-10.5.1-4.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-base-java-10.5.1-4.el7.noarch
pki-tps-10.5.1-4.el7pki.x86_64
pki-core-debuginfo-10.5.1-4.el7pki.x86_64
pki-javadoc-10.5.1-1.el7.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-symkey-10.5.1-4.el7.x86_64
pki-tks-10.5.1-4.el7pki.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-tools-10.5.1-4.el7.x86_64
pki-ocsp-10.5.1-4.el7pki.noarch
pki-base-10.5.1-4.el7.noarch
pki-kra-10.5.1-4.el7.noarch


While testing http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates,
I ran into https://bugzilla.redhat.com/show_bug.cgi?id=1520526.

Please have a look.
Comment 7 Endi Sukma Dewata 2018-01-18 14:21:44 EST
Bug #1520526 has been fixed. Please retest when the build becomes available. Thanks.
Comment 8 Geetika Kapoor 2018-02-01 02:35:34 EST
Test Bits:
=========

rpm -qa nss* pki-* jss*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
jss-4.4.0-11.el7.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64


Testing:
========
Test case 1: http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate
-------------------------------------------------------------------------------------------------

-- This is tested with the HSM soft-token because the Thales HSM is currently failing because of https://bugzilla.redhat.com/show_bug.cgi?id=1535797.

Testing configs for ExternalCA with CMC are attached along with logs.

After installation, verification is done by signing a caUsercert.

[root@csqa4-guest04 75_cfg_working]# pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
------------------------------
Approved certificate request 6
------------------------------
  Request ID: 6
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6

pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------

Test Case 2: http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
-----------------------------------------------------------------------------------------

Currently it is failing during OCSP installation.
https://bugzilla.redhat.com/show_bug.cgi?id=1540687

If I find some time I will try to debug it more.


Test Case 3: http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates
----------------------------------------------------------------------------------------

Since this part was tested by Akshay I will let him update status on this.
Comment 10 Geetika Kapoor 2018-02-14 03:11:49 EST
Testing is done as mentioned above in comment 8, but there are a few failures for which bugs have been raised. Without testing the below, we can't consider testing complete for this feature.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1540687
2. https://bugzilla.redhat.com/show_bug.cgi?id=1544843

KRA is tested based on CC setup instructions.
Comment 13 errata-xmlrpc 2018-04-10 12:58:29 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
Comment 14 Akshay Adhikari 2018-06-05 01:14:34 EDT
The information has already been provided.