Bug 2006070 - Upgrades incorrectly add secret attribute to connectors
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
Depends On:
Reported: 2021-09-20 19:53 UTC by Rob Crittenden
Modified: 2022-05-10 14:22 UTC (History)

Fixed In Version: pki-core-10.6-8060020211115121442.7e0b02f6
Doc Text:
Clone Of:
Last Closed: 2022-05-10 13:51:03 UTC
Type: Bug
Target Upstream Version:


| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | RHCS-2600 | 0 | None | None | None | 2021-11-11 15:18:20 UTC |
| Red Hat Issue Tracker | RHELPLAN-97678 | 0 | None | None | None | 2021-09-20 19:53:55 UTC |
| Red Hat Product Errata | RHSA-2022:1851 | 0 | None | None | None | 2022-05-10 13:51:29 UTC |

Description Rob Crittenden 2021-09-20 19:53:10 UTC
Description of problem:

Tomcat changed a connector attribute name from requiredSecret to secret. See https://tomcat.apache.org/connectors-doc/reference/workers.html

PKI unconditionally adds a new "secret" attribute to the connectors in server.xml regardless of version. I don't know what is adding it but it appears immediately after IPA installation is complete.

It looks like:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector1" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector2" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>

Some users of CentOS Stream 8 have reported authentication issues with the CA. They reported that after removing the secret value and ensuring that requiredSecret matches the IPA configuration, their CA works again.

For IPA the secret value needs to match with the Apache configuration in /etc/ipa/ipa-pki-proxy.conf.

I haven't been able to reproduce in RHEL. Still, it is probably not valid to have both of these values set at the same time (and they appear to have differing secrets which I don't know is good or bad).

Not sure if this is related but there appears to have been an error in refactoring of commit https://github.com/dogtagpki/pki/commit/e70373ab131aba810f318c1d917896392b49ff4b

The version conditional was lost. The requiredSecret -> secret conversion should not be done in versions lower than

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. ipa-server-install <options>
2. pki-server upgrade
3. grep secret /etc/pki/pki-tomcat/server.xml

Comment 2 Endi Sukma Dewata 2021-10-01 16:42:59 UTC
Does CentOS Stream 8 work like RHEL 8? We only test against RHEL 8, and in RHEL 8 we assume there is only one Tomcat version per PKI version, so the version check was not necessary.

Instead of restoring the version check and having to support multiple Tomcat versions, can we simply require tomcat >= 9.0.31 and drop the requiredSecret?

Also note that the above commit doesn't change the upgrade behavior, i.e. replacing requiredSecret with secret, so I'm not sure how it ends up with both. Does IPA modify any of these attributes in server.xml?

Comment 3 Rob Crittenden 2021-10-01 18:18:12 UTC
I guess as long as that version of tomcat is available it's fine to set it as the minimum.

IPA also upgrades these settings in https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L351 and it needs to keep the secrets in sync with its proxy configuration otherwise most CA requests fail with a 403.

I wasn't able to reproduce the behavior but at least three freeIPA users reported that they had both values set, with different secrets. IPA tries to honor existing secrets so it's very possible it got confused by seeing both values, but like I said, I tried that and it worked for me.
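
A read-only consistency check for the state discussed in the description and in comment 3, added here as an example; it is not part of the bug report and is not PKI or IPA code. The inline server.xml and proxy fragment are constructed samples with placeholder secrets, and the `ProxyPassMatch ajp://... secret=...` line shape is an assumption about /etc/ipa/ipa-pki-proxy.conf.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples with placeholder secrets (not taken from any real host).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" name="Connector1"
             secret="EXAMPLE-NEW" requiredSecret="EXAMPLE-OLD"/>
  <Connector port="8009" protocol="AJP/1.3" address="::1" name="Connector2"
             requiredSecret="EXAMPLE-OLD"/>
</Service></Server>"""

# Assumed shape of the AJP proxy line in /etc/ipa/ipa-pki-proxy.conf.
PROXY_CONF = """<LocationMatch "^/ca/rest/account/login">
    ProxyPassMatch ajp://localhost:8009 secret=EXAMPLE-OLD
</LocationMatch>"""

PROXY_RE = re.compile(r"^[ \t]*ProxyPass\w*[ \t].*\bajp://\S+.*[ \t]secret=(\S+)", re.M)


def proxy_secrets(conf_text):
    """Return the set of secret= values found on ajp:// ProxyPass* lines."""
    return set(PROXY_RE.findall(conf_text))


def audit(server_xml, proxy_conf):
    """Return (connector, finding) tuples; secret values are never echoed."""
    expected = proxy_secrets(proxy_conf)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue  # only AJP connectors carry these attributes
        name = conn.get("name") or conn.get("address") or "?"
        new, old = conn.get("secret"), conn.get("requiredSecret")
        if new is None and old is None:
            findings.append((name, "no AJP secret configured"))
        if new is not None and old is not None:
            findings.append((name, "both secret and requiredSecret are set"))
            if new != old:
                findings.append((name, "secret and requiredSecret differ"))
        for attr, value in (("secret", new), ("requiredSecret", old)):
            if value is not None and value not in expected:
                findings.append((name, f"{attr} does not match the proxy secret"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SERVER_XML, PROXY_CONF):
        print(f"{name}: {finding}")
```

On a host, pass the contents of /etc/pki/pki-tomcat/server.xml and /etc/ipa/ipa-pki-proxy.conf to `audit()` in place of the samples.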

Comment 7 Endi Sukma Dewata 2021-11-04 17:19:58 UTC
Fixed in v10.12 branch (PKI 10.12):

Fixed in master branch (PKI 11.1):

Comment 16 Sudhir Menon 2022-01-17 14:06:23 UTC
Marking the bugzilla verified using 


[root@server yum.repos.d]# pki-server upgrade --verbose
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Upgrading PKI server pki-tomcat
INFO: Setting pki-tomcat instance tracker to version 10.12.0

[root@server yum.repos.d]# grep secret /etc/pki/pki-tomcat/server.xml
[root@server yum.repos.d]# grep requiredSecret /etc/pki/pki-tomcat/server.xml
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector2"/>

[root@server yum.repos.d]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@server yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Comment 18 errata-xmlrpc 2022-05-10 13:51:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

