1498957 – pkidestroy does not work with nuxwdog

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1498957 - pkidestroy does not work with nuxwdog

Summary: pkidestroy does not work with nuxwdog

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jack Magne
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-05 15:56 UTC by Roshni
Modified:	2020-10-04 21:36 UTC (History)
CC List:	5 users (show)
Fixed In Version:	pki-core-10.5.1-6.el7
Doc Type:	Bug Fix
Doc Text:	The pkidestroy utility now fully removes instances that are started by the pki-tomcatd-nuxwdog service Previously, the pkidestroy utility did not remove Certificate System instances that used the pki-tomcatd-nuxwdog service as a starting mechanism. As a consequence, administrators had to migrate pki-tomcatd-nuxwdog to the service without watchdog before using pkidestroy to fully remove an instance. The utility has been updated, and instances are correctly removed in the mentioned scenario. Note that if you manually removed the password file before running pkidestroy, the utility will ask for the password to update the security domain.
Clone Of:
Environment:
Last Closed:	2018-04-10 17:01:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2955	0	None	open	pkidestroy does not work with nuxwdog	2021-02-15 11:31:18 UTC
Red Hat Product Errata	RHBA-2018:0925	0	None	None	None	2018-04-10 17:02:23 UTC

Description Roshni 2017-10-05 15:56:47 UTC

Description of problem:
pkidestroy does not work with nuxwdog

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-15.el7_4.noarch

How reproducible:
always

Steps to Reproduce:
1. pkispawn CA
2. Enable nuxwdog as follows
cms.tokenList=<TOKEN_NAME>

# pki-server nuxwdog-enable
---------------------------
Nuxwdog enabled for system.

systemctl start pki-tomcatd-nuxwdog@<pki-ca>.service

3. pkidestroy -s CA -i <pki-ca>

Actual results:
pkidestroy is successful but seeign the following

[root@nocp1 ~]# ps -aef | grep pki-ca-
root      2689 28144  0 10:51 pts/0    00:00:00 grep --color=auto pki-ca-
dirsrv   17917     1  0 Oct04 ?        00:03:12 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-pki-ca-Oct5-LDAP -i /var/run/dirsrv/slapd-pki-ca-Oct5-LDAP.pid
root     18391     1  0 Oct04 ?        00:00:00 /bin/nuxwdog -f /etc/pki/pki-ca-Oct5/nuxwdog.conf
root     18392 18391  0 Oct04 ?        00:01:31 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-ca-Oct5 -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-ca-Oct5/temp -Djava.util.logging.config.file=/var/lib/pki/pki-ca-Oct5/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-ca-Oct5/conf/catalina.policy org.apache.catalina.startup.Bootstrap start


Expected results:
pkidestroy should kill the related processes and cleanup the security domain

Additional info:

<alee> looks like there are two problems
<alee> 1. pkidestroy has not been modiied to get the password for the hsm in case the password.conf is not present
<alee> and so the entry is not removed from the security doamain
<alee> 2. its trying to stop pki-tomcatd  instead of pki-tomcatd-nuxwdog

<edewata> alee: I think this is also a problem: 3. pkidestroy ignores missing hsm password and just keeps going

Comment 6 Ade Lee 2018-01-03 19:08:19 UTC

commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb
Author: Ade Lee <alee>
Date:   Tue Jan 2 14:52:32 2018 -0500

    Allow prompting for token passwords if not present
    
    Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff

commit c7c907c07599ef1d9b52638c25153f7bd82de999
Author: Ade Lee <alee>
Date:   Tue Jan 2 13:38:40 2018 -0500

    Modified systemd invocations in pkispawn to handle nuxwdog
    
    The systemd invocations in pkispawn/pkidestroy did not account for
    nuxwdog enabled instances.  This patch allows pkispawn/pkidestroy to
    use the right service name if the nuxwdog service unit files exist.
    
    Also modified instance_layout deployment script to delete the right
    systemd link.
    
    Change-Id: I25eac0555aad022784d7728913ae4a335eab3463

commit e9b5fc7ef000abfd2cbdd6be6bfd4b2d015816a2
Author: Ade Lee <alee>
Date:   Tue Jan 2 13:24:23 2018 -0500

    Fix various PEP8 and pylint issues
    
    Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7

Comment 8 Ade Lee 2018-01-26 16:03:29 UTC

Verification Step:

1. Create an instance.
2. Set it to be managed using nuxwdog (pki-server instance-nuxwodg-enable <instance_name>
3. Remove the password.conf file.
3. pkidestroy the instance/subsystem.  Instance should be removed correctly.  You should be prompted for the password of the instance where the subsystem cert is located.

You should try this for CA, KRA etc.

Comment 9 Roshni 2018-02-06 20:03:05 UTC

Using pki-ca-10.5.1-6.1.el7.noarch

The following are a few results I noticed, the password was prompted twice in both these cases:

[root@nocp1 ~]# pkidestroy -s TPS -i pki-tps-rpattath-Jan31
Log file: /var/log/pki/pki-tps-destroy.20180205142457.log
Loading deployment configuration from /var/lib/pki/pki-tps-rpattath-Jan31/tps/registry/tps/deployment.cfg.
Uninstalling TPS from /var/lib/pki/pki-tps-rpattath-Jan31.
Password for token NHSM-RPATTATH-SOFTCARD: 
pkidestroy  : WARNING  ....... Failed to update TPS connector for nocp1.idm.lab.eng.rdu2.redhat.com:23443
pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '['/bin/pki', '-p', '23443', '-h', 'nocp1.idm.lab.eng.rdu2.redhat.com', '-n', 'NHSM-RPATTATH-SOFTCARD:subsystemCert cert-pki-tps-rpattath-Jan31', '-P', 'https', '-d', '/etc/pki/pki-tps-rpattath-Jan31/alias', '-c', 'XXXXX', '-t', 'tks', 'tks-tpsconnector-del', '--host', 'nocp1.idm.lab.eng.rdu2.redhat.com', '--port', '25443']' returned non-zero exit status 255!
Password for token NHSM-RPATTATH-SOFTCARD: 
pkidestroy  : WARNING  ....... this 'TPS' entry will NOT be deleted from security domain 'Example-rhcs92-CA'!
pkidestroy  : WARNING  ....... security domain 'Example-rhcs92-CA' may be offline or unreachable!
pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n', 'NHSM-RPATTATH-SOFTCARD:subsystemCert cert-pki-tps-rpattath-Jan31', '-p', 'XXXXX', '-d', '/etc/pki/pki-tps-rpattath-Jan31/alias', '-e', 'name="/var/lib/pki/pki-tps-rpattath-Jan31"&type=TPS&list=tpsList&host=nocp1.idm.lab.eng.rdu2.redhat.com&sport=25443&ncsport=25443&adminsport=25443&agentsport=25443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'nocp1.idm.lab.eng.rdu2.redhat.com:8443']' returned non-zero exit status 4!
pkidestroy  : WARNING  ....... File '/etc/pki/pki-tps-rpattath-Jan31/password.conf' is either missing or is NOT a regular file!


[root@nocp1 ~]# pkidestroy -s KRA -i pki-kra-rpattath-Jan31
Log file: /var/log/pki/pki-kra-destroy.20180205151038.log
Loading deployment configuration from /var/lib/pki/pki-kra-rpattath-Jan31/kra/registry/kra/deployment.cfg.
WARNING: The 'pki_ssl_server_key_algorithm' in [DEFAULT] has been deprecated. Use 'pki_sslserver_key_algorithm' instead.
WARNING: The 'pki_ssl_server_key_size' in [DEFAULT] has been deprecated. Use 'pki_sslserver_key_size' instead.
WARNING: The 'pki_ssl_server_key_type' in [DEFAULT] has been deprecated. Use 'pki_sslserver_key_type' instead.
WARNING: The 'pki_ssl_server_token' in [DEFAULT] has been deprecated. Use 'pki_sslserver_token' instead.
Uninstalling KRA from /var/lib/pki/pki-kra-rpattath-Jan31.
Password for token NHSM-RPATTATH-SOFTCARD: 
pkidestroy  : WARNING  ....... Failed to deregister KRA connector nocp1.idm.lab.eng.rdu2.redhat.com:31042 from CA nocp1.idm.lab.eng.rdu2.redhat.com:8443
Password for token NHSM-RPATTATH-SOFTCARD: 
pkidestroy  : WARNING  ....... this 'KRA' entry will NOT be deleted from security domain 'Example-rhcs92-CA'!
pkidestroy  : WARNING  ....... security domain 'Example-rhcs92-CA' may be offline or unreachable!
pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n', 'NHSM-RPATTATH-SOFTCARD:subsystemCert cert-pki-kra-rpattath-Jan31', '-p', 'xxxxx', '-d', '/etc/pki/pki-kra-rpattath-Jan31/alias', '-e', 'name="/var/lib/pki/pki-kra-rpattath-Jan31"&type=KRA&list=kraList&host=nocp1.idm.lab.eng.rdu2.redhat.com&sport=31042&ncsport=31042&adminsport=31042&agentsport=31042&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'nocp1.idm.lab.eng.rdu2.redhat.com:8443']' returned non-zero exit status 4!
pkidestroy  : WARNING  ....... File '/etc/pki/pki-kra-rpattath-Jan31/password.conf' is either missing or is NOT a regular file!

Uninstallation complete.


I tried running the connector-del cli manually and noticed the following:

Using HSM password for -c option

[root@auto-hv-01-guest05 ~]# pki -p 8443 -h auto-hv-01-guest05.idmqe.lab.eng.bos.redhat.com -n "NHSM6000-OCS:subsystemCert cert-pki-kra-rpattath-Feb2" -P https -d /etc/pki/pki-kra-rpattath-Feb2/alias -c xxxxx -t ca ca-kraconnector-del --host auto-hv-01-guest05.idmqe.lab.eng.bos.redhat.com --port 31042
WARNING: The -t option has been deprecated. Use pki ca command instead.
Error: Incorrect client security database password.

Using sec db password

[root@auto-hv-01-guest05 ~]# pki -p 8443 -h auto-hv-01-guest05.idmqe.lab.eng.bos.redhat.com -n "NHSM6000-OCS:subsystemCert cert-pki-kra-rpattath-Feb2" -P https -d /etc/pki/pki-kra-rpattath-Feb2/alias -c +ID5c5KdOH~P -t ca ca-kraconnector-del --host auto-hv-01-guest05.idmqe.lab.eng.bos.redhat.com --port 31042
WARNING: The -t option has been deprecated. Use pki ca command instead.
Enter password for NHSM6000-OCS

------------------------------------------------------------------------
Removed KRA host "auto-hv-01-guest05.idmqe.lab.eng.bos.redhat.com:31042"
------------------------------------------------------------------------

So there maybe be some more fixes needed for the instances that involve connectors.

Comment 11 Roshni 2018-02-15 19:44:35 UTC

[root@auto-hv-02-guest01 certdb]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 7.el7
Architecture: noarch
Install Date: Wed 14 Feb 2018 05:50:27 PM EST
Group       : System Environment/Daemons
Size        : 2359899
License     : GPLv2
Signature   : RSA/SHA256, Tue 06 Feb 2018 02:32:49 AM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.1-7.el7.src.rpm
Build Date  : Tue 06 Feb 2018 02:04:51 AM EST
Build Host  : ppc-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

pkidestroy of instances which has nuxwdog enabled are successful except that there is a connector delete issue for TPS and KRA https://bugzilla.redhat.com/show_bug.cgi?id=1545902

Comment 15 errata-xmlrpc 2018-04-10 17:01:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

Note You need to log in before you can comment on or make changes to this bug.