Bug 1628410 - CMC: add config to allow non-clientAuth
Summary: CMC: add config to allow non-clientAuth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1633104
Reported: 2018-09-12 23:57 UTC by Christina Fu
Modified: 2023-12-15 16:10 UTC (History)

Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Bug Fix
Doc Text:
Client authentication can now be disabled in Certificate System

A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the `bypassClientAuth` configuration parameter to the `/var/lib/pki/pki-instance_name/ca/conf/CS.cfg` file. As a result, administrators can now set this parameter to `true` to disable client authentication if not supported by certain applications.
Clone Of:
Clones: 1633104
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Target Upstream Version:
Embargoed:




Links:
System: Red Hat Product Errata
ID: RHBA-2019:2228
Last Updated: 2019-08-06 13:07:40 UTC

Description Christina Fu 2018-09-12 23:57:08 UTC
Description of problem:
Currently, the CA requires CMC requests to be submitted via TLS client authentication.
If a site doesn't wish to impose such a requirement, it is not possible.

Version-Release number of selected component (if applicable):

pki-core

How reproducible:
always

Steps to Reproduce:
1. Try any of the CMC enrollment methods.

Actual results:
requires TLS clientAuth

Expected results:
Allow configuring otherwise.

Additional info:
This is a customer request

Comment 6 Christina Fu 2018-09-25 18:11:33 UTC
commit 19120d14941b5964a728ab06b0406be3ddeff5d4 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Tue Sep 18 16:13:29 2018 -0700

    Bug1628410 CMC: add config to allow non-clientAuth
    
    This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
    to allow agents to bypass clientAuth requirement in CMCAuth.
    Default value for cmc.bypassClientAuth is false.
    
    In addition, CMC enrollment profile caCMCUserCert "visible" value is
    set to false.
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410
    
    Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc

Comment 7 Christina Fu 2018-09-25 20:43:47 UTC
cherry-picked to master:
commit f0a2ce6f3a966fd6f301b0f5ca0a7c100ffdd9ad (ladycfu/bug1628410-CMC-non-clientAuth-master, bug1628410-CMC-non-clientAuth-master)
Author: Christina Fu <cfu>
Date:   Tue Sep 18 16:13:29 2018 -0700

    Bug1628410 CMC: add config to allow non-clientAuth
    
    This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
    to allow agents to bypass clientAuth requirement in CMCAuth.
    Default value for cmc.bypassClientAuth is false.

Comment 10 Geetika Kapoor 2019-06-24 09:43:15 UTC
# rpm -qa pki-ca nss jss
jss-4.4.6-1.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
nss-3.44.0-4.el7.x86_64

Test Steps: This is only applicable for Agent Signed Certificates

Test Case 1 : Don't set cmc.bypassClientAuth
============================================

cmc.bypassClientAuth=false (default) ==> It should never bypass

Debug logs:

[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate;
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: No Client Certificate Found
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.

CMCResponse: 


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 0 
   Status String: Invalid Credential.
   OtherInfo type: FAIL
     failInfo=bad request
CMC Full Response.
ERROR: CMC status for [0]: failed



Test Case 2: Set cmc.bypassClientAuth=true in CS.cfg 
====================================================

Try this Test case with both Config 1 and Config 2 and it should work.


Debug logs:

[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate; allowed
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: signing key alg=RSA
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: verifying signature with public key
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: finished checking signature
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: started
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: Retrieving client certificate
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CertUserDBAuth: Got client certificate

CMCResponse:

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS
CMC Full Response.

==============================================
Config 1:
---------
Contents of http.cfg

host=pki1.example.com
port=20080
secure=false

input=cmc.self.req
output=cmc.role_crmf.resp
clientmode=true
#nickname=caadmin
password=SECret.123
#password=SECret.123
dbdir=/root/testing_geetika/nssdb
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert

Config 2:
---------

Contents of http.cfg
host=pki1.example.com
port=20443
secure=true

input=cmc.self.req
output=cmc.role_crmf.resp
clientmode=false
#nickname=caadmin
password=SECret.123
#password=SECret.123
dbdir=/root/testing_geetika/nssdb
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert

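The two test cases above show the operational signal a CA administrator has to work with: the `cmc.bypassClientAuth` key in `CS.cfg` (default `false` when absent, per the commit message) and the `CMCAuth: verifySignerInfo: missing SSL client authentication certificate` debug line, which ends in `; allowed` only when the bypass is in effect. The following audit helper is an added example, not code from Dogtag or pki-core: it parses a `CS.cfg`-style key=value file to report the effective setting, and classifies CA debug log lines so that an operator can count how many CMC requests were accepted without a TLS client certificate. The `CS.cfg` excerpt is constructed; the log lines are the ones quoted in comment 10.

```python
"""Audit helper for the cmc.bypassClientAuth setting discussed in this bug.

Added example, not part of Dogtag/pki-core. It reads a CS.cfg-style
key=value file, reports the effective cmc.bypassClientAuth value (absent
key means false, the default stated in the fix's commit message), and
scans CA debug log lines for CMCAuth verifySignerInfo events so an
operator can see whether a CMC request was accepted without a TLS
client certificate.
"""
import re
from typing import Dict, List, Tuple

# Constructed CS.cfg excerpt in the file's key=value style; a real
# instance's CS.cfg has many more keys. The second key is a placeholder.
SAMPLE_CS_CFG = """\
# constructed excerpt, not a real instance's CS.cfg
cmc.bypassClientAuth=true
example.placeholder.key=value
"""

# Debug log lines as quoted in comment 10 of this bug (one rejected
# request with the default setting, one accepted with the bypass on).
SAMPLE_DEBUG_LOG = """\
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate;
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: CMCAuth: No Client Certificate Found
[24/Jun/2019:05:28:03][http-bio-20080-exec-4]: ProfileSubmitCMCServlet: authenticate: Invalid Credential.
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: verifySignerInfo: missing SSL client authentication certificate; allowed
[24/Jun/2019:05:31:30][http-bio-20080-exec-1]: CMCAuth: signing key alg=RSA
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style 'key=value' lines; '#' lines and blanks are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def bypass_client_auth_enabled(cfg: Dict[str, str]) -> bool:
    """True only when cmc.bypassClientAuth is explicitly 'true'; absent means false."""
    return cfg.get("cmc.bypassClientAuth", "false").lower() == "true"


# Shape of the CA debug line shown in the bug: [timestamp][thread]: message
VERIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: CMCAuth: verifySignerInfo: "
    r"missing SSL client authentication certificate;(?P<rest>.*)$"
)


def classify_cmc_auth_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, thread, outcome) for each verifySignerInfo line.

    outcome is 'bypassed' when the CA logged '; allowed' (bypass in effect)
    and 'rejected' when the missing client certificate ended the request.
    """
    events = []
    for line in lines:
        m = VERIFY_RE.match(line)
        if not m:
            continue
        outcome = "bypassed" if "allowed" in m.group("rest") else "rejected"
        events.append((m.group("ts"), m.group("thread"), outcome))
    return events


def audit(cfg_text: str, log_lines: List[str]) -> Dict[str, object]:
    """Summarize the configured setting and the observed CMCAuth outcomes."""
    events = classify_cmc_auth_events(log_lines)
    bypassed = sum(1 for e in events if e[2] == "bypassed")
    return {
        "bypassClientAuth": bypass_client_auth_enabled(parse_cs_cfg(cfg_text)),
        "bypassed_requests": bypassed,
        "rejected_requests": len(events) - bypassed,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CS_CFG, SAMPLE_DEBUG_LOG.splitlines()))
```

Run against a real instance by reading `/var/lib/pki/pki-instance_name/ca/conf/CS.cfg` and the CA debug log; a non-zero `bypassed_requests` count with `bypassClientAuth` false would indicate the log and the configuration were not captured at the same time, since the CA only logs `; allowed` when the bypass is enabled.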
Comment 11 Geetika Kapoor 2019-06-24 09:44:46 UTC
Hi Christina,

I have tried the above test cases. Do you feel I should try something else?

Thanks
Geetika

Comment 12 Geetika Kapoor 2019-06-25 12:00:31 UTC
Marking this bug verified based on the above test cases. I will check with Christina later for additional test cases if I missed something.

Comment 15 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228

Comment 16 Red Hat Bugzilla 2023-09-14 04:34:46 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

