Description of problem:
When nuxwdog is enabled, pkidaemon status shows instances as stopped.

Version-Release number of selected component (if applicable):
pki-server-10.4.1-13.el7_4.noarch

How reproducible:

Steps to Reproduce:
1. pkicreate a CA instance.

2. # pkidaemon status
   Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is running ..
   [CA Status Definitions]
   Unsecure URL        = http://example.redhat.com:8080/ca/ee/ca
   Secure Agent URL    = https://example.redhat.com:8443/ca/agent/ca
   Secure EE URL       = https://example.redhat.com:8443/ca/ee/ca
   Secure Admin URL    = https://example.redhat.com:8443/ca/services
   PKI Console Command = pkiconsole https://example.redhat.com:8443/ca
   Tomcat Port         = 8005 (for shutdown)
   [CA Configuration Definitions]
   PKI Instance Name:  rhcs92-CA-aakkiang
   PKI Subsystem Type: Root CA (Security Domain)
   Registered PKI Security Domain Information:
   ==========================================================================
   Name: Example-rhcs92-CA
   URL:  https://example.redhat.com:8443
   ==========================================================================

3. systemctl stop pki-tomcatd@rhcs92-CA-aakkiang.service

4. If you have configured the CA with an HSM, add the following parameter to CS.cfg:
   cms.tokenList=<TOKEN_NAME>

5. Move the password file /var/lib/pki/rhcs92-CA-aakkiang/conf/password.conf to another safe location.

6. # pki-server nuxwdog-enable
   ---------------------------
   Nuxwdog enabled for system.
   ---------------------------

7. # systemctl start pki-tomcatd-nuxwdog@rhcs92-CA-aakkiang.service
   [rhcs92-CA-aakkiang] Please provide the password for internal: ************
   [rhcs92-CA-aakkiang] Please provide the password for hardware-<Token-Name>: **********
   [rhcs92-CA-aakkiang] Please provide the password for internaldb: **********
   [rhcs92-CA-aakkiang] Please provide the password for replicationdb: **********

8. # pkidaemon status
   Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is stopped

Actual results:
pkidaemon status shows the rhcs92-CA-aakkiang instance as stopped.

Expected results:
pkidaemon status should show the rhcs92-CA-aakkiang instance as running, with valid URLs as in step #2.

Additional info:
pkidaemon may need enhancement to take nuxwdog instances into account.
[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6
alee: didn't we fix something like this?
No. This issue is not fixed.
Moved to RHEL 7.7.
Possible Solution:
==================
This bug exists simply because `pkidaemon` checks the status of `pki-tomcatd` instead of `pki-tomcatd-nuxwdog`:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/scripts/pkidaemon#L32

The logic is to check whether nuxwdog is enabled or not in the system and replace this variable appropriately.
The fix has been merged to DOGTAG_10_5_BRANCH via PR: https://github.com/dogtagpki/pki/pull/319

Commit information
==================
commit 0033bb6900673e099661703332aab17e4fcea6a7 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date:   Fri Feb 14 19:58:32 2020 -0500

    Fix pkidaemon status when nuxwdog is enabled (#319)

    - Target the right systemd file, based on whether the nuxwdog is enabled.
    - Add status of nuxwdog configuration to the pkidaemon output

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1487418

    Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

Test Case
=========
Follow the steps mentioned by OP in the BZ description

Documentation
=============
pkidaemon correctly reports the status of the running instance when nuxwdog is configured.
The bugzilla has been verified by following the steps mentioned in the description on the following bits on RHEL79:
pki-ca-10.5.18-3.el7.noarch
pki-server-10.5.18-3.el7.noarch

>>> Test steps:
CA, KRA, OCSP in discrete tomcat installation on a non-HSM machine.
I followed enabling the nuxwdog and restarted the CA instance as mentioned in the description steps. The following is the output of the `pkidaemon status` command.

[root@pki1 certdb]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):
Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..
   [CA Status Definitions]
   Secure Agent URL    = https://pki1.example.com:20443/ca/agent/ca
   Secure EE URL       = https://pki1.example.com:20443/ca/ee/ca
   Secure Admin URL    = https://pki1.example.com:20443/ca/services
   PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
   Tomcat Port         = 20005 (for shutdown)
   [CA Configuration Definitions]
   PKI Instance Name:  topology-03-CA
   PKI Subsystem Type: Root CA (Security Domain)
   Registered PKI Security Domain Information:
   ==========================================================================
   Name: topology-03_Foobarmaster.org
   URL:  https://pki1.example.com:20443
   ==========================================================================
Instance topology-03-KRA is configured to use nuxwdog: true
Status for topology-03-KRA: topology-03-KRA is stopped
Instance topology-03-OCSP is configured to use nuxwdog: true
Status for topology-03-OCSP: topology-03-OCSP is stopped
WARNING: 2 of 3 'tomcat' instances reported status failures!
FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).

>>> The above output shows KRA and OCSP as stopped, whereas both instances are up and running.

>>> I tried running key archival while generating a crmf type certificate and, as visible in the following output, it is up and running. Key archival is successful.

[root@pki1 certdb]# systemctl | grep pki
pki-tomcatd-nuxwdog@topology-03-CA.service   loaded active running   PKI Tomcat Server topology-03-CA Started by Nuxwdog
pki-tomcatd@topology-03-KRA.service          loaded active running   PKI Tomcat Server topology-03-KRA
pki-tomcatd@topology-03-OCSP.service         loaded active running   PKI Tomcat Server topology-03-OCSP

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
0 key(s) matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http client-cert-request 'uid=shal' --transport ~/transport.cert --type crmf
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 20
  Type: enrollment
  Request Status: pending
  Operation Result: success

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http ca-cert-request-review 20 --action approve
-------------------------------
Approved certificate request 20
-------------------------------
  Request ID: 20
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x14

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: UID=shal
----------------------------
Number of entries returned 1
----------------------------

>>> Observation: [NeedInfo]
For CA, it shows the correct status in the `pkidaemon status` command. But the command shows wrong output for other sub-systems, as it checks USE_NUXWDOG in /etc/sysconfig/topology-03-KRA, which shows 'true', whereas the instances are working without nuxwdog enabled.

Either the command should show the correct status of other subsystems, or the subsystems should not be running after enabling nuxwdog in the system.
(In reply to shalini from comment #11)
> >>> Observation: [NeedInfo]
>
> For CA, it shows correct status in `pkidaemon status` command. But the
> command shows wrong output for other sub-systems.
> As it checks the USE_NUXWDOG in /etc/sysconfig/topology-03-KRA which shows
> 'true'. Whereas the instances are working without nuxwdog enabled.
>

`pkidaemon status` checks /etc/sysconfig/<instance_name> to see if nuxwdog has been enabled. What you observe seems to be right from the code logic.

> Either the command should show the correct status of other subsystems or the
> subsystems should not be running after enabling nuxwdog in system.

I assume you ran `pki-server nuxwdog-enable`. This enables nuxwdog for ALL instances in the system. Have you tried using `pki-server instance-nuxwdog-enable <instance>`? This allows you to enable nuxwdog only for the intended instance.

As per the documentation [1][2], to enable nuxwdog you need to STOP the running instance and then restart it using the `pki-tomcatd-nuxwdog` unit file. Note that `pki-tomcatd@<inst>` and `pki-tomcatd-nuxwdog@<inst>` are 2 different service unit files from the OS perspective.

So, since you ENABLED nuxwdog for ALL instances but then performed the config steps only for the CA, the other 2 subsystems (KRA and OCSP) are partially configured to use nuxwdog, and so you see the incorrect status.

[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/using_the_watchdog_service
[2] https://www.dogtagpki.org/wiki/Nuxwdog#Configuration
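The unit-selection logic that the "Possible Solution" comment and the reply above describe (read the instance's /etc/sysconfig file, then query pki-tomcatd-nuxwdog@ instead of pki-tomcatd@ when nuxwdog is on), written out as an added POSIX sh example. This is not the pkidaemon script from the dogtagpki repository or the fix in PR #319; it is illustrative code. It assumes the sysconfig file carries a line of the form USE_NUXWDOG=true (the variable name comment 11 reports), reads the sysconfig directory from SYSCONFIG_DIR so it can be exercised on constructed files, and uses hypothetical function names. It also adds the check a practitioner would want after comment 11: a warning when the flag says nuxwdog but the instance is actually running under the plain pki-tomcatd@ unit.

```shell
#!/bin/sh
# Added example, not the pkidaemon source. SYSCONFIG_DIR is an assumption for
# testing; the real script reads /etc/sysconfig directly.
: "${SYSCONFIG_DIR:=/etc/sysconfig}"

# Print "true" if $SYSCONFIG_DIR/<instance> sets USE_NUXWDOG=true, else "false".
# Accepts USE_NUXWDOG=true or USE_NUXWDOG="true"; ignores comments and trailing text.
pki_nuxwdog_enabled() {
    inst="$1"
    conf="$SYSCONFIG_DIR/$inst"
    [ -r "$conf" ] || { echo false; return 0; }
    val=$(sed -n 's/^[[:space:]]*USE_NUXWDOG[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Tt][Rr][Uu][Ee]) echo true ;;
        *) echo false ;;
    esac
}

# Print the systemd unit that should be queried for the instance.
pki_unit_for_instance() {
    inst="$1"
    if [ "$(pki_nuxwdog_enabled "$inst")" = true ]; then
        echo "pki-tomcatd-nuxwdog@$inst.service"
    else
        echo "pki-tomcatd@$inst.service"
    fi
}

# Wraps systemctl so the rest of the script can be tested without systemd:
# redefine this function to stub the active-unit state.
unit_is_active() {
    systemctl is-active --quiet "$1"
}

# Report status in the pkidaemon style. Exit status: 0 running, 1 stopped,
# 2 when the USE_NUXWDOG flag and the unit that is actually running disagree
# (the KRA/OCSP situation in comment 11).
pki_instance_status() {
    inst="$1"
    nux=$(pki_nuxwdog_enabled "$inst")
    unit=$(pki_unit_for_instance "$inst")
    if [ "$nux" = true ]; then
        other="pki-tomcatd@$inst.service"
    else
        other="pki-tomcatd-nuxwdog@$inst.service"
    fi
    echo "Instance $inst is configured to use nuxwdog: $nux"
    if unit_is_active "$unit"; then
        echo "Status for $inst: $inst is running .."
        return 0
    fi
    if unit_is_active "$other"; then
        echo "WARNING: $inst is running under $other, but USE_NUXWDOG=$nux in $SYSCONFIG_DIR/$inst"
        return 2
    fi
    echo "Status for $inst: $inst is stopped"
    return 1
}

# Demo on constructed sysconfig files and a stubbed systemd state that mirrors
# comment 11: CA under nuxwdog, KRA under plain pki-tomcatd, OCSP unconfigured.
demo() {
    tmp=$(mktemp -d)
    SYSCONFIG_DIR="$tmp"
    printf 'USE_NUXWDOG="true"\n' > "$tmp/topology-03-CA"
    printf '# constructed\nUSE_NUXWDOG=true\n' > "$tmp/topology-03-KRA"
    unit_is_active() {
        case "$1" in
            pki-tomcatd-nuxwdog@topology-03-CA.service|pki-tomcatd@topology-03-KRA.service) return 0 ;;
            *) return 1 ;;
        esac
    }
    for i in topology-03-CA topology-03-KRA topology-03-OCSP; do
        pki_instance_status "$i" || true
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the three cases without touching systemd; on a real host, call `pki_instance_status <instance>` with SYSCONFIG_DIR left at its default. The exit status 2 path is the part worth keeping in any local wrapper: after `pki-server nuxwdog-enable`, every instance's sysconfig flag flips to true, so an instance still running under pki-tomcatd@ will be reported as stopped unless the flag and the live unit are cross-checked.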
By disabling the KRA and OCSP instances for nuxwdog using the commands below:

pki-server instance-nuxwdog-disable topology-03-OCSP
pki-server instance-nuxwdog-disable topology-03-KRA

Output shows:

[root@pki1 ~]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):
Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..
   [CA Status Definitions]
   Secure Agent URL    = https://pki1.example.com:20443/ca/agent/ca
   Secure EE URL       = https://pki1.example.com:20443/ca/ee/ca
   Secure Admin URL    = https://pki1.example.com:20443/ca/services
   PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
   Tomcat Port         = 20005 (for shutdown)
   [CA Configuration Definitions]
   PKI Instance Name:  topology-03-CA
   PKI Subsystem Type: Root CA (Security Domain)
   Registered PKI Security Domain Information:
   ==========================================================================
   Name: topology-03_Foobarmaster.org
   URL:  https://pki1.example.com:20443
   ==========================================================================
Instance topology-03-KRA is configured to use nuxwdog: false
Status for topology-03-KRA: topology-03-KRA is running ..
   [KRA Status Definitions]
   Secure Admin URL    = https://pki1.example.com:21443/kra/services
   PKI Console Command = pkiconsole https://pki1.example.com:21443/kra
   Tomcat Port         = 21005 (for shutdown)
   [KRA Configuration Definitions]
   PKI Instance Name:  topology-03-KRA
   PKI Subsystem Type: KRA
   Registered PKI Security Domain Information:
   ==========================================================================
   Name: topology-03_Foobarmaster.org
   URL:  https://pki1.example.com:20443
   ==========================================================================
Instance topology-03-OCSP is configured to use nuxwdog: false
Status for topology-03-OCSP: topology-03-OCSP is running ..
   [OCSP Status Definitions]
   Secure Agent URL    = https://pki1.example.com:22443/ocsp/agent/ocsp
   Secure EE URL       = https://pki1.example.com:22443/ocsp/ee/ocsp/<ocsp request blob>
   Secure Admin URL    = https://pki1.example.com:22443/ocsp/services
   PKI Console Command = pkiconsole https://pki1.example.com:22443/ocsp
   Tomcat Port         = 22005 (for shutdown)
   [OCSP Configuration Definitions]
   PKI Instance Name:  topology-03-OCSP
   PKI Subsystem Type: OCSP
   Registered PKI Security Domain Information:
   ==========================================================================
   Name: topology-03_Foobarmaster.org
   URL:  https://pki1.example.com:20443
   ==========================================================================
FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).

Marking this bugzilla verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3941