Bug 1487418
| Summary: | When nuxwdog is enabled pkidaemon status shows instances as stopped. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Asha Akkiangady <aakkiang> | |
| Component: | pki-core | Assignee: | Dinesh Prasanth <dmoluguw> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | unspecified | Docs Contact: | Florian Delehaye <fdelehay> | |
| Priority: | unspecified | |||
| Version: | 7.9 | CC: | aakkiang, dmoluguw, fdelehay, mharmsen, msauton, skhandel | |
| Target Milestone: | rc | Keywords: | TestCaseProvided | |
| Target Release: | 7.9 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.5.18-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: | .The `pkidaemon` tool now reports the correct status of PKI instances when `nuxwdog` is enabled. Previously, the `pkidaemon status` command would not report the correct status for PKI server instances that have the `nuxwdog` watchdog enabled. With this update, `pkidaemon` detects whether `nuxwdog` is enabled and reports the correct status of the PKI server. | Story Points: | --- | |
| Clone Of: | ||||
| : | 1732981 (view as bug list) | Environment: | ||
| Last Closed: | 2020-09-29 20:00:58 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1732981 | |||
[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6

alee: didn't we fix something like this?

No. This issue is not fixed.

Moved to RHEL 7.7.

Possible Solution:
==================
This bug exists simply because `pkidaemon` checks status of `pki-tomcatd` instead of `pki-tomcatd-nuxwdog`.
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/scripts/pkidaemon#L32
The logic is to check whether the nuxwdog is enabled or not in the system and replace this variable appropriately.

The fix has been merged to DOGTAG_10_5_BRANCH via PR: https://github.com/dogtagpki/pki/pull/319

Commit information
==================
commit 0033bb6900673e099661703332aab17e4fcea6a7 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Fri Feb 14 19:58:32 2020 -0500

    Fix pkidaemon status when nuxwdog is enabled (#319)

    - Target the right systemd file, based on whether the nuxwdog is enabled.
    - Add status of nuxwdog configuration to the pkidaemon output

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1487418

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

Test Case
=========
Follow the steps mentioned by OP in the BZ description

Documentation
=============
pkidaemon correctly reports the status of the running instance when nuxwdog is configured.

The bugzilla has been verified by following the steps mentioned in the description on the following bits on RHEL79:
pki-ca-10.5.18-3.el7.noarch
pki-server-10.5.18-3.el7.noarch

>>> Test steps:
CA, KRA, OCSP in discrete tomcat installation in Non_HSM machine.
I followed enabling the nuxwdog and restarted the CA instance as mentioned in the description steps. The following is the output of the `pkidaemon status` command.

[root@pki1 certdb]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):
Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..
[CA Status Definitions]
Secure Agent URL = https://pki1.example.com:20443/ca/agent/ca
Secure EE URL = https://pki1.example.com:20443/ca/ee/ca
Secure Admin URL = https://pki1.example.com:20443/ca/services
PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
Tomcat Port = 20005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: topology-03-CA
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: topology-03_Foobarmaster.org
URL: https://pki1.example.com:20443
==========================================================================
Instance topology-03-KRA is configured to use nuxwdog: true
Status for topology-03-KRA: topology-03-KRA is stopped
Instance topology-03-OCSP is configured to use nuxwdog: true
Status for topology-03-OCSP: topology-03-OCSP is stopped
WARNING: 2 of 3 'tomcat' instances reported status failures!
FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).

>>> The above output shows KRA and OCSP as stopped whereas both instances are up and running.
>>> I tried running key archival while generating a crmf type certificate and, as visible in the following output, it is up and running. Key archival is successful.

[root@pki1 certdb]# systemctl | grep pki
pki-tomcatd-nuxwdog loaded active running PKI Tomcat Server topology-03-CA Started by Nuxwdog
pki-tomcatd loaded active running PKI Tomcat Server topology-03-KRA
pki-tomcatd loaded active running PKI Tomcat Server topology-03-OCSP

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
0 key(s) matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http client-cert-request 'uid=shal' --transport ~/transport.cert --type crmf
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 20
Type: enrollment
Request Status: pending
Operation Result: success

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI CA Administrator for Example.Org' -p 20080 -P http ca-cert-request-review 20 --action approve
-------------------------------
Approved certificate request 20
-------------------------------
Request ID: 20
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x14

[root@pki1 certdb]# pki -d . -c SECret.123 -n 'PKI KRA Administrator for Example.Org' -p 21080 -P http kra-key-find
----------------
1 key(s) matched
----------------
Key ID: 0x1
Algorithm: 1.2.840.113549.1.1.1
Size: 1024
Owner: UID=shal
----------------------------
Number of entries returned 1
----------------------------

>>> Observation: [NeedInfo]
For CA, it shows the correct status in the `pkidaemon status` command. But the command shows wrong output for the other sub-systems.
It checks USE_NUXWDOG in /etc/sysconfig/topology-03-KRA, which shows 'true', whereas the instances are working without nuxwdog enabled.
Either the command should show the correct status of the other subsystems, or the subsystems should not be running after enabling nuxwdog in the system.

(In reply to shalini from comment #11)
> >>> Observation: [NeedInfo]
>
> For CA, it shows the correct status in the `pkidaemon status` command. But the
> command shows wrong output for the other sub-systems.
> It checks USE_NUXWDOG in /etc/sysconfig/topology-03-KRA, which shows
> 'true', whereas the instances are working without nuxwdog enabled.
>

The `pkidaemon status` checks for /etc/sysconfig/<instance_name> to see if the nuxwdog has been enabled. What you observe seems to be right from the code logic.

> Either the command should show the correct status of the other subsystems, or the
> subsystems should not be running after enabling nuxwdog in the system.

I assume you ran `pki-server nuxwdog-enable`. This enables nuxwdog for ALL instances in the system. Have you tried using `pki-server instance-nuxwdog-enable <instance>`? This allows you to enable nuxwdog only for the intended instance.

As per the documentation [1][2], to enable nuxwdog you need to STOP the running instance and then restart it using the `pki-tomcatd-nuxwdog` unit file. Note that `pki-tomcatd@<inst>` and `pki-tomcatd-nuxwdog@<inst>` are 2 different service unit files from the OS perspective.

So, since you ENABLED nuxwdog for ALL instances but then performed the config steps only for CA, the other 2 subsystems (KRA and OCSP) are partially configured to use nuxwdog and so you see the incorrect status.

[1] https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/using_the_watchdog_service
[2] https://www.dogtagpki.org/wiki/Nuxwdog#Configuration

By disabling the KRA and OCSP instances for nuxwdog using the commands below:
pki-server instance-nuxwdog-disable topology-03-OCSP
pki-server instance-nuxwdog-disable topology-03-KRA
Output shows:
[root@pki1 ~]# pkidaemon status
REPORT STATUS OF 'tomcat' INSTANCE(S):
Instance topology-03-CA is configured to use nuxwdog: true
Status for topology-03-CA: topology-03-CA is running ..
[CA Status Definitions]
Secure Agent URL = https://pki1.example.com:20443/ca/agent/ca
Secure EE URL = https://pki1.example.com:20443/ca/ee/ca
Secure Admin URL = https://pki1.example.com:20443/ca/services
PKI Console Command = pkiconsole https://pki1.example.com:20443/ca
Tomcat Port = 20005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: topology-03-CA
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: topology-03_Foobarmaster.org
URL: https://pki1.example.com:20443
==========================================================================
Instance topology-03-KRA is configured to use nuxwdog: false
Status for topology-03-KRA: topology-03-KRA is running ..
[KRA Status Definitions]
Secure Admin URL = https://pki1.example.com:21443/kra/services
PKI Console Command = pkiconsole https://pki1.example.com:21443/kra
Tomcat Port = 21005 (for shutdown)
[KRA Configuration Definitions]
PKI Instance Name: topology-03-KRA
PKI Subsystem Type: KRA
Registered PKI Security Domain Information:
==========================================================================
Name: topology-03_Foobarmaster.org
URL: https://pki1.example.com:20443
==========================================================================
Instance topology-03-OCSP is configured to use nuxwdog: false
Status for topology-03-OCSP: topology-03-OCSP is running ..
[OCSP Status Definitions]
Secure Agent URL = https://pki1.example.com:22443/ocsp/agent/ocsp
Secure EE URL = https://pki1.example.com:22443/ocsp/ee/ocsp/<ocsp request blob>
Secure Admin URL = https://pki1.example.com:22443/ocsp/services
PKI Console Command = pkiconsole https://pki1.example.com:22443/ocsp
Tomcat Port = 22005 (for shutdown)
[OCSP Configuration Definitions]
PKI Instance Name: topology-03-OCSP
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: topology-03_Foobarmaster.org
URL: https://pki1.example.com:20443
==========================================================================
FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).
Marking this bugzilla verified.
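The fix in the Possible Solution comment and the reply explaining USE_NUXWDOG come down to one decision: read USE_NUXWDOG from /etc/sysconfig/<instance> and query `pki-tomcatd-nuxwdog@<inst>` rather than `pki-tomcatd@<inst>` when it is true. The shell below is an added example that mirrors that logic; it is not pkidaemon's own code, and the SYSCONFIG_DIR override, the function names and the sample sysconfig files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not pkidaemon's own code): choose the systemd unit to query
# from USE_NUXWDOG in /etc/sysconfig/<instance>, as the fix for this bug does.
# SYSCONFIG_DIR is an assumed override so the example can run on constructed files.
SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig}"

# Print "true" if the instance's sysconfig file sets USE_NUXWDOG to true, else "false".
# A missing or unreadable file counts as "not enabled".
pki_nuxwdog_enabled() {
    inst="$1"
    cfg="$SYSCONFIG_DIR/$inst"
    if [ -r "$cfg" ] && grep -Eq '^[[:space:]]*USE_NUXWDOG="?true"?[[:space:]]*$' "$cfg"; then
        echo true
    else
        echo false
    fi
}

# Print the unit pkidaemon should ask systemd about for this instance.
# pki-tomcatd@<inst> and pki-tomcatd-nuxwdog@<inst> are distinct units, so
# asking the wrong one reports "stopped" for a running nuxwdog instance.
pki_unit_for_instance() {
    inst="$1"
    if [ "$(pki_nuxwdog_enabled "$inst")" = true ]; then
        echo "pki-tomcatd-nuxwdog@$inst"
    else
        echo "pki-tomcatd@$inst"
    fi
}

# Report status the way the fixed pkidaemon does: state the nuxwdog flag,
# then check the matching unit instead of always checking pki-tomcatd@.
pki_report_status() {
    inst="$1"
    unit="$(pki_unit_for_instance "$inst")"
    echo "Instance $inst is configured to use nuxwdog: $(pki_nuxwdog_enabled "$inst")"
    if systemctl is-active --quiet "$unit" 2>/dev/null; then
        echo "Status for $inst: $inst is running .."
    else
        echo "Status for $inst: $inst is stopped"
    fi
}

# Constructed sample sysconfig files (not from a real system) to exercise the logic;
# prints the directory they were written to.
make_sample_sysconfig() {
    dir="$(mktemp -d)"
    printf 'USE_NUXWDOG="true"\nPKI_INSTANCE_NAME="topology-03-CA"\n' > "$dir/topology-03-CA"
    printf 'USE_NUXWDOG="false"\nPKI_INSTANCE_NAME="topology-03-KRA"\n' > "$dir/topology-03-KRA"
    echo "$dir"
}
```

Run `pki_report_status topology-03-CA` on a host with systemd to see the two-line report; on a partially configured instance (USE_NUXWDOG=true but still started under `pki-tomcatd@`) it reports "stopped", which is exactly the mismatch the thread above diagnoses.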
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3941
Description of problem:
When nuxwdog is enabled pkidaemon status shows instances as stopped.

Version-Release number of selected component (if applicable):
pki-server-10.4.1-13.el7_4.noarch

How reproducible:

Steps to Reproduce:
1. pkicreate a CA instance.
2. # pkidaemon status
Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is running ..
[CA Status Definitions]
Unsecure URL = http://example.redhat.com:8080/ca/ee/ca
Secure Agent URL = https://example.redhat.com:8443/ca/agent/ca
Secure EE URL = https://example.redhat.com:8443/ca/ee/ca
Secure Admin URL = https://example.redhat.com:8443/ca/services
PKI Console Command = pkiconsole https://example.redhat.com:8443/ca
Tomcat Port = 8005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: rhcs92-CA-aakkiang
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: Example-rhcs92-CA
URL: https://example.redhat.com:8443
==========================================================================
3. systemctl stop pki-tomcatd
4. If you have configured CA with HSM, add the following parameter to CS.cfg.
cms.tokenList=<TOKEN_NAME>
5. Move the password file from /var/lib/pki/rhcs92-CA-aakkiang/conf/password.conf to another safe location.
6. # pki-server nuxwdog-enable
---------------------------
Nuxwdog enabled for system.
---------------------------
7. # systemctl start pki-tomcatd-nuxwdog
[rhcs92-CA-aakkiang] Please provide the password for internal: ************
[rhcs92-CA-aakkiang] Please provide the password for hardware-<Token-Name>: **********
[rhcs92-CA-aakkiang] Please provide the password for internaldb: **********
[rhcs92-CA-aakkiang] Please provide the password for replicationdb: **********
8. # pkidaemon status
Status for rhcs92-CA-aakkiang: rhcs92-CA-aakkiang is stopped

Actual results:
pkidaemon status shows rhcs92-CA-aakkiang instance as stopped.

Expected results:
pkidaemon status should show rhcs92-CA-aakkiang instance as running with valid urls as in step #2.

Additional info:
pkidaemon may need enhancement to take into account nuxwdog instances.