Bug 1487418 - When nuxwdog is enabled pkidaemon status shows instances as stopped.
Summary: When nuxwdog is enabled pkidaemon status shows instances as stopped.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.9
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Florian Delehaye
URL:
Whiteboard:
Depends On:
Blocks: 1732981
Reported: 2017-08-31 20:58 UTC by Asha Akkiangady
Modified: 2020-10-04 21:36 UTC (History)

Fixed In Version: pki-core-10.5.18-1.el7
Doc Type: Bug Fix
Doc Text:
.The `pkidaemon` tool now reports the correct status of PKI instances when `nuxwdog` is enabled

Previously, the `pkidaemon status` command would not report the correct status for PKI server instances that have the `nuxwdog` watchdog enabled. With this update, `pkidaemon` detects whether `nuxwdog` is enabled and reports the correct status of the PKI server.
Clone Of:
: 1732981 (view as bug list)
Environment:
Last Closed: 2020-09-29 20:00:58 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2926 0 None None None 2020-10-04 21:35:59 UTC
Red Hat Product Errata RHBA-2020:3941 0 None None None 2020-09-29 20:01:16 UTC

Description Asha Akkiangady 2017-08-31 20:58:00 UTC
Description of problem:
When nuxwdog is enabled pkidaemon status shows instances as stopped.

Version-Release number of selected component (if applicable):
pki-server-10.4.1-13.el7_4.noarch

How reproducible:


Steps to Reproduce:
1. pkicreate a CA instance.
2. # pkidaemon status
Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is running ..

    [CA Status Definitions]
    Unsecure URL        = http://example.redhat.com:8080/ca/ee/ca
    Secure Agent URL    = https://example.redhat.com:8443/ca/agent/ca
    Secure EE URL       = https://example.redhat.com:8443/ca/ee/ca
    Secure Admin URL    = https://example.redhat.com:8443/ca/services
    PKI Console Command = pkiconsole https://example.redhat.com:8443/ca
    Tomcat Port         = 8005 (for shutdown)

    [CA Configuration Definitions]
    PKI Instance Name:   rhcs92-CA-aakkiang

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  Example-rhcs92-CA
    URL:   https://example.redhat.com:8443
    ==========================================================================

3. systemctl stop pki-tomcatd@rhcs92-CA-aakkiang.service
4. If you have configured CA with HSM add the following parameter to CS.cfg.
cms.tokenList=<TOKEN_NAME> 
5. Move the password file from /var/lib/pki/rhcs92-CA-aakkiang/conf/password.conf to another safe location.
6. # pki-server nuxwdog-enable
---------------------------
Nuxwdog enabled for system.
---------------------------
7. # systemctl start pki-tomcatd-nuxwdog@rhcs92-CA-aakkiang.service
[rhcs92-CA-aakkiang] Please provide the password for internal: ************
[rhcs92-CA-aakkiang] Please provide the password for hardware-<Token-Name>: **********
[rhcs92-CA-aakkiang] Please provide the password for internaldb: **********
[rhcs92-CA-aakkiang] Please provide the password for replicationdb: **********

8. # pkidaemon status
Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is stopped

Actual results:
pkidaemon status shows rhcs92-CA-aakkiang instance as stopped.

Expected results:
pkidaemon status should show rhcs92-CA-aakkiang instance as running with valid urls as in step #2.

Additional info:
pkidaemon may need enhancement to take into account nuxwdog instances.

Comment 2 Matthew Harmsen 2017-10-25 16:23:28 UTC
[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6

Comment 3 Matthew Harmsen 2018-05-02 22:59:16 UTC
alee: didn't we fix something like this?

Comment 4 Asha Akkiangady 2018-05-04 13:53:00 UTC
No. This issue is not fixed.

Comment 5 Matthew Harmsen 2018-07-04 00:30:54 UTC
Moved to RHEL 7.7.

Comment 6 Dinesh Prasanth 2019-07-16 21:23:57 UTC
Possible Solution:
==================

This bug exists simply because `pkidaemon` checks status of `pki-tomcatd` instead of `pki-tomcatd-nuxwdog`.

https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/scripts/pkidaemon#L32

The logic is to check whether the nuxwdog is enabled or not in the system and replace this variable appropriately.

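The logic described in this comment, as an added shell example written for this page rather than code from the pkidaemon script or the Dogtag project: it reads the USE_NUXWDOG flag from /etc/sysconfig/<instance> to choose between the `pki-tomcatd@` and `pki-tomcatd-nuxwdog@` units, and also flags the half-configured state reported later in the thread (flag set, but the instance still running under the non-nuxwdog unit). It assumes the flag is written as USE_NUXWDOG=true or USE_NUXWDOG="true", and takes the sysconfig directory and the active-unit list as parameters so it runs against constructed data.

```shell
#!/bin/sh
# Added example (not the pkidaemon script or any Dogtag code): choose the systemd
# unit for a PKI instance from the USE_NUXWDOG flag in its sysconfig file, and
# flag instances whose flag disagrees with the unit that is actually running.
# Assumption: the flag is a line such as USE_NUXWDOG=true or USE_NUXWDOG="true".

# Print the unit pkidaemon should query for instance $1, given sysconfig dir $2.
pki_unit_for_instance() {
    inst=$1; dir=$2
    flag=$(sed -n 's/^USE_NUXWDOG=["'\'']\{0,1\}\([A-Za-z]*\).*/\1/p' "$dir/$inst" 2>/dev/null | tail -n 1)
    case $(printf '%s' "$flag" | tr 'A-Z' 'a-z') in
        true) echo "pki-tomcatd-nuxwdog@$inst.service" ;;
        *)    echo "pki-tomcatd@$inst.service" ;;
    esac
}

# Compare the expected unit with a file of active unit names (one per line, e.g. the
# first column of `systemctl list-units --type=service --state=active --no-legend`).
# Prints ok, stopped, or mismatch:<unit that is actually running>.
pki_check_instance() {
    inst=$1; dir=$2; active=$3
    expected=$(pki_unit_for_instance "$inst" "$dir")
    if grep -qxF "$expected" "$active"; then
        echo ok
    elif grep -qxF "pki-tomcatd@$inst.service" "$active"; then
        echo "mismatch:pki-tomcatd@$inst.service"
    elif grep -qxF "pki-tomcatd-nuxwdog@$inst.service" "$active"; then
        echo "mismatch:pki-tomcatd-nuxwdog@$inst.service"
    else
        echo stopped
    fi
}

# Constructed sample data modelled on comment 11: CA and KRA are flagged for
# nuxwdog, but only the CA was restarted under the nuxwdog unit; the OCSP has
# the flag cleared and is not running at all. Prints the temp directory path.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/sysconfig"
    printf 'USE_NUXWDOG="true"\n'  > "$d/sysconfig/topology-03-CA"
    printf 'USE_NUXWDOG=true\n'    > "$d/sysconfig/topology-03-KRA"
    printf 'USE_NUXWDOG="false"\n' > "$d/sysconfig/topology-03-OCSP"
    printf '%s\n' 'pki-tomcatd-nuxwdog@topology-03-CA.service' \
                  'pki-tomcatd@topology-03-KRA.service' > "$d/active"
    echo "$d"
}
```

Run `d=$(demo_setup)` and then `pki_check_instance <instance> "$d/sysconfig" "$d/active"` for each instance; on a live host pass /etc/sysconfig and a captured unit list instead.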
Comment 8 Dinesh Prasanth 2020-02-15 01:08:24 UTC
The fix has been merged to DOGTAG_10_5_BRANCH via PR: https://github.com/dogtagpki/pki/pull/319

Commit information
==================
commit 0033bb6900673e099661703332aab17e4fcea6a7 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date:   Fri Feb 14 19:58:32 2020 -0500

    Fix pkidaemon status when nuxwdog is enabled (#319)

    - Target the right systemd file, based on whether the
      nuxwdog is enabled.
    - Add status of nuxwdog configuration to the pkidaemon
      output

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1487418

    Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

Test Case
=========
Follow the steps mentioned by OP in the BZ description

Documentation
=============
pkidaemon correctly reports the status of the running instance when nuxwdog is configured.

Comment 11 shalini 2020-05-13 09:30:37 UTC
The bugzilla has been verified by following the steps mentioned in the description on the following bits on RHEL79:
pki-ca-10.5.18-3.el7.noarch
pki-server-10.5.18-3.el7.noarch

>>> Test steps :
CA, KRA, OCSP in discrete Tomcat installations on a non-HSM machine.
I followed the steps for enabling nuxwdog and restarted the CA instance as mentioned in the description steps.
The following is the output of the `pkidaemon status` command.

[root@pki1 certdb]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):

Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..

    [CA Status Definitions]
    Secure Agent URL    = https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL       = https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL    = https://pki1.example.com:20443/ca/services
    PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
    Tomcat Port         = 20005 (for shutdown)

    [CA Configuration Definitions]
    PKI Instance Name:   topology-03-CA

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  topology-03_Foobarmaster.org
    URL:   https://pki1.example.com:20443
    ==========================================================================

Instance topology-03-KRA is configured to use nuxwdog: true
Status for topology-03-KRA: topology-03-KRA is stopped

Instance topology-03-OCSP is configured to use nuxwdog: true
Status for topology-03-OCSP: topology-03-OCSP is stopped

WARNING:  2 of 3 'tomcat' instances reported status failures!

FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).


>>> The above output shows KRA and OCSP as stopped, whereas both instances are up and running.
>>> I tried running key archival while generating a crmf type certificate and, as visible in the following output, it is up and running. Key archival is successful.


[root@pki1 certdb]# systemctl | grep pki
pki-tomcatd-nuxwdog@topology-03-CA.service                                                                                     loaded active running   PKI Tomcat Server topology-03-CA Started by Nuxwdog
pki-tomcatd@topology-03-KRA.service                                                                                            loaded active running   PKI Tomcat Server topology-03-KRA
pki-tomcatd@topology-03-OCSP.service                                                                                           loaded active running   PKI Tomcat Server topology-03-OCSP




[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
0 key(s) matched
----------------
----------------------------
Number of entries returned 0
----------------------------
[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http client-cert-request 'uid=shal' --transport ~/transport.cert --type crmf
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 20
  Type: enrollment
  Request Status: pending
  Operation Result: success
[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http ca-cert-request-review 20 --action approve
-------------------------------
Approved certificate request 20
-------------------------------
  Request ID: 20
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x14
[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: UID=shal
----------------------------
Number of entries returned 1
----------------------------



>>> Observation: [NeedInfo]

For CA, it shows the correct status in the `pkidaemon status` command. But the command shows wrong output for the other sub-systems.
As it checks USE_NUXWDOG in /etc/sysconfig/topology-03-KRA, which shows 'true', whereas the instances are working without nuxwdog enabled.

Either the command should show the correct status of the other subsystems or the subsystems should not be running after enabling nuxwdog in the system.

Comment 12 Dinesh Prasanth 2020-05-13 16:21:48 UTC
(In reply to shalini from comment #11)
> >>> Observation: [NeedInfo]
> 
> For CA, it shows correct status in `pkidaemon status` command. But the
> command shows wrong output for other sub-systems.
> As it checks the USE_NUXWDOG in /etc/sysconfig/topology-03-KRA which shows
> 'true'. Whereas the instances are working without nuxwdog enabled.
> 

The `pkidaemon status` checks for /etc/sysconfig/<instance_name> to see if
the nuxwdog has been enabled. What you observe seems to be right from the code
logic.


> Either the command should show the correct status of other subsystems or the
> subsystems should not be running after enabling nuxwdog in system.

I assume you ran `pki-server nuxwdog-enable`. This enables nuxwdog for ALL
instances in the system. Have you tried using `pki-server instance-nuxwdog-enable <instance>`?
This allows you to enable nuxwdog only for the intended instance.

As per the documentation [1][2], to enable nuxwdog you need to STOP running instance
and then restart using `pki-tomcatd-nuxwdog` unit file. Note that `pki-tomcatd@<inst>`
and `pki-tomcatd-nuxwdog@<inst>` are 2 different service unit files from OS perspective.
So, since you ENABLED nuxwdog for ALL instances but then performed the config steps only
for CA, the other 2 subsystems (KRA and OCSP) are partially configured to use nuxwdog,
and so you see the incorrect status.


[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/using_the_watchdog_service
[2] https://www.dogtagpki.org/wiki/Nuxwdog#Configuration

Comment 13 shalini 2020-05-14 07:20:24 UTC
After disabling nuxwdog for the KRA and OCSP instances using the commands below:

pki-server instance-nuxwdog-disable topology-03-OCSP
pki-server instance-nuxwdog-disable topology-03-KRA


Output shows:


[root@pki1 ~]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):

Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..

    [CA Status Definitions]
    Secure Agent URL    = https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL       = https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL    = https://pki1.example.com:20443/ca/services
    PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
    Tomcat Port         = 20005 (for shutdown)

    [CA Configuration Definitions]
    PKI Instance Name:   topology-03-CA

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  topology-03_Foobarmaster.org
    URL:   https://pki1.example.com:20443
    ==========================================================================

Instance topology-03-KRA is configured to use nuxwdog: false
Status for topology-03-KRA: topology-03-KRA is running ..

    [KRA Status Definitions]
    Secure Admin URL    = https://pki1.example.com:21443/kra/services
    PKI Console Command = pkiconsole https://pki1.example.com:21443/kra
    Tomcat Port         = 21005 (for shutdown)

    [KRA Configuration Definitions]
    PKI Instance Name:   topology-03-KRA

    PKI Subsystem Type:  KRA

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  topology-03_Foobarmaster.org
    URL:   https://pki1.example.com:20443
    ==========================================================================

Instance topology-03-OCSP is configured to use nuxwdog: false
Status for topology-03-OCSP: topology-03-OCSP is running ..

    [OCSP Status Definitions]
    Secure Agent URL    = https://pki1.example.com:22443/ocsp/agent/ocsp
    Secure EE URL       = https://pki1.example.com:22443/ocsp/ee/ocsp/<ocsp request blob>
    Secure Admin URL    = https://pki1.example.com:22443/ocsp/services
    PKI Console Command = pkiconsole https://pki1.example.com:22443/ocsp
    Tomcat Port         = 22005 (for shutdown)

    [OCSP Configuration Definitions]
    PKI Instance Name:   topology-03-OCSP

    PKI Subsystem Type:  OCSP

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  topology-03_Foobarmaster.org
    URL:   https://pki1.example.com:20443
    ==========================================================================

FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).


Marking this bugzilla verified.

Comment 17 errata-xmlrpc 2020-09-29 20:00:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3941

