Bug 1740702 - IdM should call into Dogtag to dynamically update the security domain info
Summary: IdM should call into Dogtag to dynamically update the security domain info
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Duplicates: 2018535 2021880
Depends On: 1740697
Blocks:
Reported: 2019-08-13 14:13 UTC by Thorsten Scherf
Modified: 2024-03-25 15:22 UTC (History)
CC List: 18 users

Fixed In Version: ipa-4.9.8-1.module+el8.6.0+13486+dbe20af2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 14:08:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker FREEIPA-7003 (last updated 2021-10-01 08:29:55 UTC)
Red Hat Product Errata RHEA-2022:1884 (last updated 2022-05-10 14:09:05 UTC)

Description Thorsten Scherf 2019-08-13 14:13:34 UTC
Description of problem:
When an IdM system with CA/KRA role is removed from  IdM topology, IdM should call into Dogtag to also remove this system from the security domain info. 

At the moment there is an inconsistency between the output from 'pki' and 'ipa' tools.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1740697

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Alexander Bokovoy 2019-08-14 12:21:36 UTC
We need to hook this into CA/KRA uninstaller but also a cleanup job could be done in ipa-server-upgrade.

Comment 2 Fraser Tweedale 2019-08-16 02:07:04 UTC
Adding dependency on 1740697.

Comment 8 Petr Čech 2021-01-06 09:18:36 UTC

*** This bug has been marked as a duplicate of bug 1902173 ***

Comment 9 Rob Crittenden 2021-06-04 13:11:23 UTC
Re-opening as the related BZ didn't address the security domain cleanup.

Comment 19 Rob Crittenden 2021-07-20 17:42:16 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8930

Comment 20 Florence Blanc-Renaud 2021-08-16 07:15:16 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/db6985564600fdd7778ab2d16d73cbab4df944db
https://pagure.io/freeipa/c/c0d6c05d00f97d7a46a9e480d4c984eda22ec70c

Test added upstream in test_integration/test_server_del.py::TestLastServices::test_removal_of_server_raises_error_about_last_kra

Comment 21 Rob Crittenden 2021-08-17 18:08:06 UTC
Additional fix that prevented upgrades in a CA-less environment

Fixed upstream
master:
https://pagure.io/freeipa/c/d5e499cd77c01f4737769f40b5fbe690ea4fa52a

Comment 23 Rob Crittenden 2021-08-18 16:04:50 UTC
Additional fix that prevented upgrades in a CA-less environment

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/da1d543c2bfa9e4acb6fde170e66c88e521ac232

Comment 24 Rob Crittenden 2021-10-29 17:22:48 UTC
*** Bug 2018535 has been marked as a duplicate of this bug. ***

Comment 26 Rob Crittenden 2021-11-01 21:28:57 UTC
Sorry about that. The CA has its own authentication system outside of IPA.

This should do the trick:

pki -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -C /var/lib/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA ipa.example.test 443'

These options authenticate using the certificate that the CA uses for its LDAP binds. It has permissions to do this removal.

Take care when executing this as removing the wrong host may require re-installation of that host. I'm not aware of a way to re-create these entries.

Comment 27 Rob Crittenden 2021-11-10 19:53:51 UTC
*** Bug 2021880 has been marked as a duplicate of this bug. ***

Comment 43 Marc Sauton 2022-01-08 01:01:14 UTC
the issue is when a replica with a CA or KRA role is uninstalled, the IPA LDAP backend keeps that replica's role references under cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test so IPA and the ipa-healthcheck's IPADogtagCertsMatchCheck test think there is a configured CA

could be tested with

cat << EOF > ~/test.api
api.Command.ping()
from ipaserver.install import cainstance
ca=cainstance.CAInstance(api.env.realm)
ca.is_configured()
EOF

cat ~/test.api | ipa console



./freeipa-healthcheck/src/ipahealthcheck/ipa/certs.py
@registry
class IPADogtagCertsMatchCheck(IPAPlugin):
...
    @duration
    def check(self):
        if not self.ca.is_configured():  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< finds a CA role from ipaConfigString in cn=CA,cn=some-replica-hostname,cn=masters,cn=ipa,cn=etc,dc=xx
            logger.debug('CA is not configured, skipping connectivity check')
            return

        def match_ldap_nss_cert(plugin, ldap, db, cert_dn, attr, cert_nick):
            try:
                entry = ldap.get_entry(cert_dn)
...
            if not cert_matched:
                yield Result(plugin, constants.ERROR,
                             key=cert_nick,
                             nickname=cert_nick,
                             dbdir=db.secdir,
                             msg=('{nickname} certificate in NSS DB {dbdir} '
                                  'does not match entry in LDAP'))
                return False
            return True



for example on an ipaserver1 where ipaserver was removed/uninstalled:

ipa server-role-find --role="CA server"
----------------------
2 server roles matched
----------------------
  Server name: ipaserver1.idm.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipaserver2.idm.example.test <<<<<<<<<<<<<<<<<<
  Role name: CA server   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 
  Role status: configured  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
----------------------------
Number of entries returned 2
----------------------------
[root@ipaserver1 ~]# 


ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -w password -b cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test cn=CA cn ipaConfigString
dn: cn=CA,cn=ipaserver1.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test
cn: CA
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
ipaConfigString: enabledService

dn: cn=CA,cn=ipaserver2.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test  <<<<<<<<<<<
cn: CA
ipaConfigString: configuredService  <<<<<<<<<<<<<<<<<
ipaConfigString: startOrder 50       <<<<<<<<<<<<<<<<<<<<<



as a workaround, the entry 
cn=CA,cn=ipaserver2.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test
could probably be removed with a ldapdelete if there is really no CA installed


and there are leftovers under o=ipaca for ipaserver2 (either uninstalled or with the CA role removed), especially in the "PKI registry" / "PKI security domain"

ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -w password -b o=ipaca cn=*ipaserver2* dn
dn: uid=CA-ipaserver2.idm.example.test-8443,ou=people,o=ipaca

dn: cn=ipaserver2.idm.example.test:443,cn=CAList,ou=Security Domain,o=ipaca

dn: uid=acme-ipaserver2.idm.example.test,ou=people,o=ipaca

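The inconsistency this bug is about (comment 26's stale Dogtag security domain entry) and the cn=masters leftover Marc describes in comment 43 can both be spotted read-only by comparing the two ldapsearch outputs quoted above. The script below is an added example, not FreeIPA or ipa-healthcheck code: it parses unwrapped LDIF (as produced with `-o ldif-wrap=no`) from constructed sample data modelled on the outputs in comment 43, and reports hosts whose CA role is not `enabledService`, hosts Dogtag still lists in `cn=CAList,ou=Security Domain,o=ipaca` without an enabled IPA CA role, and enabled CAs missing from the security domain. Hostnames and the extra `ipaserver3` entry are constructed; the DN layouts are the ones shown on this page.

```python
"""Read-only consistency check: IPA cn=masters CA roles vs. Dogtag security domain.

Added example (not FreeIPA code). Feed it the output of:
  ldapsearch -o ldif-wrap=no -LLL ... -b cn=masters,cn=ipa,cn=etc,<basedn> cn=CA cn ipaConfigString
  ldapsearch -o ldif-wrap=no -LLL ... -b o=ipaca "(objectclass=*)" dn   (CAList subtree)
"""
import re

# Constructed sample data, modelled on the ldapsearch output in comment 43.
MASTERS_LDIF = """\
dn: cn=CA,cn=ipaserver1.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test
cn: CA
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
ipaConfigString: enabledService

dn: cn=CA,cn=ipaserver2.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test
cn: CA
ipaConfigString: configuredService
ipaConfigString: startOrder 50
"""

# Constructed: ipaserver3 is a hypothetical host that only Dogtag still knows about.
SECDOMAIN_LDIF = """\
dn: cn=ipaserver1.idm.example.test:443,cn=CAList,ou=Security Domain,o=ipaca
cn: ipaserver1.idm.example.test:443

dn: cn=ipaserver2.idm.example.test:443,cn=CAList,ou=Security Domain,o=ipaca
cn: ipaserver2.idm.example.test:443

dn: cn=ipaserver3.idm.example.test:443,cn=CAList,ou=Security Domain,o=ipaca
cn: ipaserver3.idm.example.test:443
"""

MASTERS_CA_DN = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,", re.IGNORECASE)
CALIST_DN = re.compile(
    r"^cn=([^,:]+):(\d+),cn=CAList,ou=Security Domain,o=ipaca$", re.IGNORECASE)


def parse_ldif(text):
    """Minimal parser for unwrapped LDIF: returns a list of (dn, {attr: [values]})."""
    entries = []
    dn, attrs = None, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def ca_roles(masters_entries):
    """hostname -> set of ipaConfigString values for every cn=CA role entry."""
    roles = {}
    for dn, attrs in masters_entries:
        m = MASTERS_CA_DN.match(dn)
        if m:
            roles[m.group(1).lower()] = set(attrs.get("ipaConfigString", []))
    return roles


def security_domain_hosts(secdomain_entries):
    """hostname -> port for every host registered in Dogtag's CAList."""
    hosts = {}
    for dn, _ in secdomain_entries:
        m = CALIST_DN.match(dn)
        if m:
            hosts[m.group(1).lower()] = int(m.group(2))
    return hosts


def find_inconsistencies(masters_ldif, secdomain_ldif):
    """Compare both views and return the three classes of mismatch, sorted."""
    roles = ca_roles(parse_ldif(masters_ldif))
    sd = security_domain_hosts(parse_ldif(secdomain_ldif))
    enabled = {h for h, cfg in roles.items() if "enabledService" in cfg}
    return {
        # role entry left in cn=masters but the CA is not enabled (comment 43's case)
        "stale_role_entries": sorted(h for h in roles if h not in enabled),
        # Dogtag still lists the host as a CA although IPA has no enabled CA there
        "stale_security_domain_hosts": sorted(h for h in sd if h not in enabled),
        # IPA says the CA is enabled but Dogtag's security domain never heard of it
        "missing_from_security_domain": sorted(h for h in enabled if h not in sd),
    }


if __name__ == "__main__":
    for kind, hosts in find_inconsistencies(MASTERS_LDIF, SECDOMAIN_LDIF).items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

The check only reports; it deletes nothing, because, as comment 26 notes, removing the wrong security domain host is not easily reversible. Hosts in `stale_security_domain_hosts` are the ones the fix in this bug now cleans up on uninstall, and which on older versions were removed manually with the `pki ... securitydomain-host-del` command from comment 26.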
Comment 44 Rob Crittenden 2022-01-08 01:33:51 UTC
Marc, this is a completely different issue altogether. I've not reproduced it myself. It could have to do with the way the IPA server is being removed from rotation. `ipa server-del <host>` should clean these up.

This bug is about the dogtag-specific securitydomain capability which is what triggers the healthcheck errors because we weren't cleaning it up on uninstall.

Comment 45 Mohammad Rizwan 2022-01-13 12:12:00 UTC
version:
ipa-server-4.9.8-2.module+el8.6.0+13621+937b8cd9.x86_64

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.11.0, pluggy-1.0.0 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-358.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 16 items

test_integration/test_server_del.py::TestServerDel::test_removal_of_nonexistent_master_raises_error PASSED [  6%]
test_integration/test_server_del.py::TestServerDel::test_forced_removal_of_nonexistent_master PASSED [ 12%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica1_disconnects_domain_topology PASSED [ 18%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica2_disconnects_ca_topology PASSED [ 25%]
test_integration/test_server_del.py::TestServerDel::test_ignore_topology_disconnect_replica1 PASSED [ 31%]
test_integration/test_server_del.py::TestServerDel::test_ignore_topology_disconnect_replica2 PASSED [ 37%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_master_disconnects_both_topologies PASSED [ 43%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica1 PASSED [ 50%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica2 PASSED [ 56%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_last_dns PASSED [ 62%]
test_integration/test_server_del.py::TestLastServices::test_install_dns_on_replica1_and_dnssec_on_master PASSED [ 68%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_dnssec PASSED [ 75%]
test_integration/test_server_del.py::TestLastServices::test_disable_dnssec_on_master PASSED [ 81%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_last_ca PASSED [ 87%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_server_raises_error_about_last_kra PASSED [ 93%]
test_integration/test_server_del.py::TestLastServices::test_forced_removal_of_master PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================= 16 passed in 3896.89 seconds =========================

Automation passed for test_removal_of_server_raises_error_about_last_kra, Hence marking the bug as verified.

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL8.6/job/Nightly/job/tier-2-RHEL8.6-Nightly-upstream-server-del/

Comment 49 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884

