Bug 1594128 - CMC: Audit Events needed for failures in SharedToken scenarios [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1540440
Blocks:
Reported: 2018-06-22 08:01 UTC by Oneata Mircea Teodor
Modified: 2019-10-23 05:10 UTC (History)

Fixed In Version: pki-core-10.5.1-14.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, Certificate System did not contain audit log entries for failed Certificate Management over CMS (CMC) SharedToken authentication scenarios. As a consequence, these events were not logged in the audit log. This update adds the missing audit events. As a result, failed CMC SharedToken authentication events are now logged in the audit log.
Clone Of: 1540440
Environment:
Last Closed: 2018-08-16 14:20:17 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2306 0 None None None 2018-08-16 14:20:37 UTC

Description Oneata Mircea Teodor 2018-06-22 08:01:32 UTC
This bug has been copied from bug #1540440 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Christina Fu 2018-06-22 16:47:20 UTC
commit 2a228b4a8e1af920e577d007be87291831c635d5 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Wed Jun 20 18:59:28 2018 -0700

    Ticket 2920 Part2 of SharedToken Audit
    
    This patch addresses the issue that the original audit message for failure
    got overwritten for SharedToken.
    
    fixes https://pagure.io/dogtagpki/issue/2920
    
    Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4

Comment 3 Christina Fu 2018-06-22 17:02:11 UTC
test suggestions:
Execute various CMC Shared Token authentication scenarios (for both revocation and enrollment) including:
* bad passphrase
* missing shared token in user entry

for enrollment only:
* wrong profile (say, use caFullCMCUserSignedCert instead of caFullCMCSelfSignedCert)

For revocation, look for CERT_STATUS_CHANGE_REQUEST_PROCESSED.
For enrollment, look for CERT_REQUEST_PROCESSED.

Comment 7 Geetika Kapoor 2018-07-27 14:08:14 UTC
Hi Christina,

There are some revocation scenarios where, if we have some failures, they are not getting captured in audit logs. Do you think such events should be there in audit logs, or is it fine to have them in debug only?

1. In case issuerdn and certificate dn don't match
2. Shared token meta info missing in LDAP.

example 1 : failure because certificate issuer DN and revocation request issuer DN do not match

Revocation CMCResponse:
=======================
Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status String:  certificate issuer DN and revocation request issuer DN do not match
   OtherInfo type: FAIL
     failInfo=bad identity
CMC Full Response.
ERROR: CMC status for [1]: failed


Debug logs:
============
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl:  Client and server shared secret are the same, can go ahead and revoke certificate.
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: In LdapBoundConnFactory::getConn()
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: masterConn is connected: true
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: getConn: conn is connected true
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: getConn: mNumConns now 2
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: returnConn: mNumConns now 3
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl: shared secret revocation: checking issuer DN
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl:  certificate issuer DN and revocation request issuer DN do not match
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED


============================================

Audit logs:

0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.8.60.16][ServerIP=10.8.60.16][SubjectID=UID=test10,CN=test10,O=example.org][Outcome=Success] access session establish success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIGOBgkqhkiG9w0BBwGggYAEfjB8MHQwcgIBAQYIKwYBBQUHBxExYzBhMDoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdDb21wYW55MRkwFwYDVQQDDBBDb21wYW55IFJvb3QgQ0EyAgFOCgEABAx3b25kZXJmdWxkYXkMD3Jldm9jYXRpb24gdGVzdDAAMAAwAA==] CMC request received
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:13 EDT] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=...] CMC response sent
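The test plan in comment 3 ("run the failing SharedToken scenarios, then look for CERT_STATUS_CHANGE_REQUEST_PROCESSED / CERT_REQUEST_PROCESSED") and the logs in comment 7 (the event fires in the debug log but is dropped with "event type not selected") are easy to check mechanically. The following is an added example, not code from the bug report or from pki-core: it parses audit lines in the bracketed key=value layout pasted above, selects failure entries for the expected event, and reads the debug log to tell a genuinely missing event apart from one that simply was not enabled in the audit configuration. All log lines are constructed for the example; the `Outcome=Failure` value follows the usual Dogtag convention, and the `ReqID`, `CertSerialNum` and `RequestType` fields in the constructed failure line are assumed, not taken from the page.

```python
"""Added example (not code from the bug report or from pki-core): check a
Dogtag / RHCS CA audit log for the CMC SharedToken failure events that the
test plan in comment 3 expects, and use the debug log to explain their
absence, as in comment 7.  All log lines below are constructed; the field
layout copies the lines pasted in comment 7."""

import re

# One audit line carries bracketed key=value fields, e.g. [AuditEvent=AUTHZ][Outcome=Success]
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

# Debug-log line written when an event fires but is not in the selected audit event list
NOT_SELECTED_RE = re.compile(r"LogFile: event type not selected: (\w+)")

# Event to look for per operation, as stated in comment 3
EXPECTED_EVENT = {
    "revocation": "CERT_STATUS_CHANGE_REQUEST_PROCESSED",
    "enrollment": "CERT_REQUEST_PROCESSED",
}

# Constructed audit log, modelled on comment 7: the revocation was rejected,
# yet only the session, authz, request-received and response-sent events appear.
SAMPLE_AUDIT = """\
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=10.8.60.16][ServerIP=10.8.60.16][SubjectID=UID=test10,CN=test10,O=example.org][Outcome=Success] access session establish success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIGO...] CMC request received
0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:13 EDT] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIB...] CMC response sent
"""

# Constructed debug-log excerpt: the event fired but was dropped as "not selected".
SAMPLE_DEBUG = """\
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: CMCOutputTemplate: processRevokeRequestControl:  certificate issuer DN and revocation request issuer DN do not match
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: SignedAuditLogger: event CERT_STATUS_CHANGE_REQUEST_PROCESSED
[27/Jul/2018:10:01:12][http-bio-28443-exec-12]: LogFile: event type not selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
"""

# Constructed line showing the entry once the event is selected.  ReqID, CertSerialNum
# and RequestType are assumed field names for the example, not taken from the page.
SAMPLE_FAILURE_LINE = (
    "0.http-bio-28443-exec-12 - [27/Jul/2018:10:01:12 EDT] [14] [6] "
    "[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=$Unidentified$]"
    "[Outcome=Failure][ReqID=78][CertSerialNum=78][RequestType=revoke] "
    "certificate issuer DN and revocation request issuer DN do not match\n"
)


def parse_audit_line(line):
    """Return the bracketed fields of one audit line as a dict, or None for non-audit lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "AuditEvent" in fields else None


def parse_audit_log(text):
    """Parse every audit line in the text; lines without an AuditEvent field are skipped."""
    return [f for f in map(parse_audit_line, text.splitlines()) if f]


def failed_events(events, event_name):
    """Entries for event_name whose Outcome is Failure (the entries this bug is about)."""
    return [e for e in events
            if e.get("AuditEvent") == event_name and e.get("Outcome") == "Failure"]


def unselected_events(debug_text):
    """Event types the CA tried to audit but dropped because the config does not select them."""
    return sorted(set(NOT_SELECTED_RE.findall(debug_text)))


def check_scenario(audit_text, debug_text, operation):
    """Classify one failed SharedToken test run:
    'logged'       - the expected failure event is present in the audit log
    'not_selected' - it fired but is not enabled in the audit config (comment 7 / comment 12)
    'missing'      - it never fired, i.e. the defect this bug tracks
    """
    expected = EXPECTED_EVENT[operation]
    if failed_events(parse_audit_log(audit_text), expected):
        return "logged"
    if expected in unselected_events(debug_text):
        return "not_selected"
    return "missing"


if __name__ == "__main__":
    # Logs as pasted in comment 7: the event fired but audit logging did not select it.
    print(check_scenario(SAMPLE_AUDIT, SAMPLE_DEBUG, "revocation"))
    # Same run after the event is selected in the audit configuration.
    print(check_scenario(SAMPLE_AUDIT + SAMPLE_FAILURE_LINE, SAMPLE_DEBUG, "revocation"))
```

Run against the comment 7 logs the checker reports `not_selected`, which is the point comment 12 makes: the audit entry is absent because the event type was not enabled, not because the fix failed to emit it. Only a `missing` result (no failure entry and no "not selected" line) would indicate the defect this bug tracks.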

Comment 8 Christina Fu 2018-07-31 22:30:01 UTC
Hi Geetika,
Good find.  Just fail QE on this bug and I'll supplement with additional fix.
thanks!

Comment 9 Christina Fu 2018-07-31 22:35:47 UTC
(In reply to Christina Fu from comment #8)
> Hi Geetika,
> Good find.  Just fail QE on this bug and I'll supplement with additional fix.
> thanks!

Wait, looking closely, the debug and audit log are showing "success" not "failure".
Could you show me the actual "failure" case that matched with your "failure" test?

Comment 10 Geetika Kapoor 2018-07-31 23:19:01 UTC
Based on discussion on IRC, we decided to give it another round of review.
Marking it assigned.

Comment 11 Geetika Kapoor 2018-07-31 23:23:43 UTC
We have decided on IRC that we are going to add this issue to another bug https://bugzilla.redhat.com/show_bug.cgi?id=1601071 and marking this bug verified.

Comment 12 Christina Fu 2018-08-01 00:33:25 UTC
Geetika, for the record, I could not reproduce the issue.
Did you by any chance not enable the audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED as instructed in comment #3?

Yes, we could move this conversation to https://bugzilla.redhat.com/show_bug.cgi?id=1601071

Comment 14 errata-xmlrpc 2018-08-16 14:20:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2306

Comment 15 Geetika Kapoor 2019-10-23 05:10:42 UTC
This needinfo is taken care of in https://bugzilla.redhat.com/show_bug.cgi?id=1601071
