Bug 1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
Summary: ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jack Magne
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1568615
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-22 08:32 UTC by Oneata Mircea Teodor
Modified: 2018-06-30 05:40 UTC (History)
7 users (show)

Fixed In Version: pki-core-10.5.1-12.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fail.
Clone Of: 1568615
Environment:
Last Closed: 2018-06-26 16:47:59 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 16:48:33 UTC

Description Oneata Mircea Teodor 2018-05-22 08:32:40 UTC
This bug has been copied from bug #1568615 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 6 Asha Akkiangady 2018-05-30 17:34:20 UTC
The first step of subordinate CA ECC install is failing with following error:

pkispawn    : INFO     ....... executing 'certutil -N -d /opt/ECC_SubCA/certs_db -f /opt/ECC_SubCA/ca/password.conf'
pkispawn    : INFO     ....... generating ca_signing CSR in ca_signing_ecc_subca_nontms.csr
pki.nssdb   : DEBUG    Command: openssl rand -out /tmp/tmpN78KVo/noise.bin 2048
pki.nssdb   : DEBUG    Command: certutil -R -d /var/lib/pki/rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang/alias -h NHSM6000-OCS -f /tmp/tmpRAKzv5/password.txt -s cn=CA Signing Certificate,ou=rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang,o=Example-ECC-SubCA -o /tmp/tmpN78KVo/request.bin -z /tmp/tmpN78KVo/noise.bin -k ec -q nistp256 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
pkispawn    : DEBUG    ....... Error Type: Exception
pkispawn    : DEBUG    ....... Error Message: Failed to generate certificate request. RC: 255
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1039, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 340, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 164, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 417, in create_request
    'Failed to generate certificate request. RC: %d' % rc)


Installation failed: Failed to generate certificate request. RC: 255

================================================
SubCA's pkispawn config file:
[DEFAULT]
pki_instance_name=rhcs93-ECC-NonTMS-SubCA-aakkiang
pki_https_port=31443
pki_http_port=31080

#NSS DB Token Password
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=XXXXXXXX
pki_token_password=XXXXXXXX

pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA256withEC
pki_audit_signing_token=XXXXXXXX

pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_key_size=nistp256
pki_subsystem_key_type=ecc
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_token=XXXXXXXX
pki_subsystem_nickname=subsystemCert-NonTMS-SubCA-nocp11-aakkiang

pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_signing_algorithm=SHA256withEC
pki_sslserver_token=XXXXXXXX
pki_sslserver_nickname=Server-Cert-NonTMS-SubCA-nocp11-aakkiang

#Admin
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256
pki_admin_key_type=ecc
pki_admin_password=SECret.123

#Security Domain
pki_security_domain_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_security_domain_name=Example-ECC-SubCA
pki_security_domain_password=SECret.123

#client Dir
pki_client_dir=/opt/ECC_SubCA
pki_client_admin_cert_p12=/opt/ECC_SubCA/subca_caadmincert.p12
pki_client_database_dir=/opt/ECC_SubCA/certs_db
pki_client_database_password=SECret.123
pki_client_pkcs12_password=SECret.123

#LDAP
pki_ds_ldap_port=1697
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=SECret.123
pki_ds_secure_connection=True
pki_ds_ldaps_port=7636
pki_ds_secure_connection_ca_pem_file=/tmp/ldap2ca_cert.pem
pki_ds_remove_data=True


[Tomcat]
pki_ajp_port=31009
pki_tomcat_server_port=31005

[CA]
pki_admin_nickname=PKI ECC SUBCA Administrator

pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_token=XXXXXXXX
pki_ca_signing_nickname=caSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang

pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_token=XXXXXXXX
pki_ocsp_signing_nickname=ocspSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang

pki_audit_signing_nickname=auditSigningCert-NonTMS-SubCA-nocp11-aakkiang

pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=example@redhat.com

pki_import_admin_cert=False

pki_ds_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_ds_database=CC-ECC-NonTMS-SECOND-LDAP
pki_ds_base_dn=dc=ECC-NonTMS-SubCA

pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing_ecc_subca_nontms.csr

# Enable random serial numbers
pki_random_serial_numbers_enable=True

Comment 7 Asha Akkiangady 2018-05-30 18:06:32 UTC
A separate bug filed for the above issue, https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Marking this bug ON_QA.

Comment 8 Amol K 2018-06-15 15:51:54 UTC
I'm successfully able to install CA, RKA, OCSP and able to do key archival.

But after TKS installation I'm able to see this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1588411

Becuase of this issue I'm not able to install TPS. 

Currently marking this bug varified for CA, KRA, OCSP.

PKI Version: 10.5.1-13.1.el7_5

Comment 10 errata-xmlrpc 2018-06-26 16:47:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979


Note You need to log in before you can comment on or make changes to this bug.