Bug 2096922 - secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml
Summary: secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is pr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Mohammad Rizwan
URL:
Whiteboard:
Depends On: 2092015
Blocks:
Reported: 2022-06-14 14:57 UTC by Rob Crittenden
Modified: 2022-11-15 10:33 UTC (History)

Fixed In Version: ipa-4.9.10-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2092015
Environment:
Last Closed: 2022-11-15 10:00:08 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   FREEIPA-8359     0        None      None    None     2022-06-14 15:34:54 UTC
Red Hat Issue Tracker   RHELPLAN-125238  0        None      None    None     2022-06-14 15:35:06 UTC
Red Hat Product Errata  RHBA-2022:7988   0        None      None    None     2022-11-15 10:00:33 UTC

Description Rob Crittenden 2022-06-14 14:57:50 UTC
+++ This bug was initially created as a clone of Bug #2092015 +++

Description of problem:
<Continuation of the issue>
https://bugzilla.redhat.com/show_bug.cgi?id=2029023 - this bug tracks the issue with attribute name for pki-tomcat (secret changed to sharedSecret),

https://bugzilla.redhat.com/show_bug.cgi?id=2061458 - this bug fixes the config if old secret is present in  /etc/pki/pki-tomcat/server.xml

Now, as we can see in 
https://github.com/dogtagpki/pki/commit/bbdb82268026821cd6a00edae09cc30079effd30#diff-d448de858fda07d3c3395089190c9259e97541e42204ef3bce21945e4d7d5e61R880

if the correct attributes are in place, their value is not checked. But since it's a new attribute on the PKI side, it usually has a different value.

We discussed this issue with Endi Dewata, and, as ipa-pki-proxy.conf is in IPA's responsibility, it's probably a good idea to keep track of modifying it on IPA's team's side.

Version-Release number of selected component (if applicable):
Verified on 8.5,
ipa-server-4.9.6-12.module+el8.5.0+14525+2137cc8f.x86_64
pki-server-10.11.2-5.module+el8.5.0+14437+bc030dcc.noarch

How reproducible:
Should happen every time sharedSecret is added to /etc/pki/pki-tomcat/server.xml

Steps to Reproduce:
1.
2.
3.

Actual results:
 [wsgi:error] [pid 1884012:tid 139838145005312] [remote 172.22.154.43:34178] ipa: ERROR: ra.find(): Unable to communicate with CMS (403)


Expected results:
httpd can communicate with CA correctly

Additional info:

--- Additional comment from Rob Crittenden on 2022-05-31 14:51:10 UTC ---

Why would PKI change a secret value? Changing the attribute ok, but changing the value? This will affect any AJP user so is not IPA-specific.

--- Additional comment from Aleksandr Sharov on 2022-05-31 15:19:44 UTC ---

Hi Rob!

Thanks, I don't know. I've got two cases with similar symptoms attached - both configs have correct parameter names, but don't have matching secrets. Happened after update to 8.5 and pki-server-10.11.2-5.

Best regards,
Aleksandr Sharov
Red Hat EMEA

--- Additional comment from Rob Crittenden on 2022-05-31 15:41:27 UTC ---

Endi, same question from comment 1

--- Additional comment from Endi Sukma Dewata on 2022-06-08 15:44:49 UTC ---

Rob, to my understanding this is how it works:

During installation pkispawn generates a random value for AJP
connector's secret:
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/pkiparser.py#L290

Then pkispawn stores the value in the "secret" attribute in server.xml:
https://github.com/dogtagpki/pki/blob/master/base/server/etc/default.cfg#L266
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/pkiparser.py#L717-L718
https://github.com/dogtagpki/pki/blob/master/base/server/config/pkislots.cfg#L10
https://github.com/dogtagpki/pki/blob/master/base/tomcat-9.0/conf/server.xml#L149
https://github.com/dogtagpki/pki/blob/master/base/tomcat-9.0/conf/server.xml#L154

Every time the server is started, the startup script will update the
connector according to the Tomcat version:
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/instance.py#L962-L965

If it's an older Tomcat, the "secret" will be removed and the
"requiredSecret" will be added with the same value. However,
if the connector already has a "requiredSecret", its existing
value will not be overwritten:
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/instance.py#L932-L953

Similarly, if it's a newer Tomcat, the "requiredSecret" will be
removed and the "secret" will be added with the same value. However,
if the connector already has a "secret", its existing value will not
be overwritten:
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/instance.py#L878-L899

So if for some reason the connector has both attributes with different
secrets, one of the attributes will be dropped and it will look like
the secret has changed but as explained above PKI doesn't actually
change it.

Since ipa-pki-proxy.conf is owned by IPA, PKI cannot read that file
to determine which secret to use and then update the server.xml, nor
can it update ipa-pki-proxy.conf with the secret from server.xml.

I think there are 2 ways to handle this:

1. Let PKI generate the secret in server.xml, then every time IPA
restarts HTTPD it needs to read the secret from server.xml and update
ipa-pki-proxy.conf. IPA should not assume that the secret will be
constant, and IPA should not modify the connector in server.xml.

2. Let IPA generate the secret for both server.xml and ipa-pki-proxy.conf.
PKI should not change the secret in server.xml, but PKI still can make
other modifications to server.xml (e.g. for upgrades).

I prefer option #1, but either way the changes need to be made on IPA side.

--- Additional comment from Rob Crittenden on 2022-06-08 17:36:08 UTC ---

IPA has similar detection https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L366

Pre 9.0.31.0 uses requiredSecret. After uses secret.

The code loops through the connectors looking for existing secrets and if found, it maintains them, otherwise a new one is generated. So maybe there is some conflict here because PKI just does a string replace.

If it determines that something has changed then server.xml and ipa-pki-proxy.conf are updated.

I haven't been able to duplicate the problem purely using the IPA upgrade methods but I also don't have a clear view of what server.xml looks like prior to the updates (and sosreport does not capture this file).

How can I trigger the pki upgrade script that would do the replacement?

--- Additional comment from Endi Sukma Dewata on 2022-06-08 18:19:48 UTC ---

You just need to restart PKI server, it will execute some commands
to update the configuration before actually running the server:
https://github.com/dogtagpki/pki/blob/master/base/server/share/lib/systemd/system/pki-tomcatd%40.service

--- Additional comment from Rob Crittenden on 2022-06-09 02:01:14 UTC ---

What we lack are reproducible steps. It has certainly affected a number of people but I've yet to discover how.

A vanilla 8.5.0 server results in a server.xml with both secret and requiredSecret values:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secret="1HxvHuR5XAJ6Yjp33IpBqG2ZAKIdXcUEzLJOMZlPBbPu" name="Connector1" requiredSecret="0FqBtwc1hL6T6dxiIlQSW1JLY25A93Dt61BQIOfXB1Cp"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" secret="1HxvHuR5XAJ6Yjp33IpBqG2ZAKIdXcUEzLJOMZlPBbPu" name="Connector2" requiredSecret="0FqBtwc1hL6T6dxiIlQSW1JLY25A93Dt61BQIOfXB1Cp"/>

ipa-pki-proxy.conf is using the requiredSecret value.

This incorrect adding of secret was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=2006070 but older installs may still have both.

IPA and the CA work fine in this scenario because the AJP secrets match. What makes them not match I don't know.

IPA will only do the secret swap if tomcat is > 9.0.30.0. RHEL 8 only has 9.0.30.0 AFAIK. The only way I've been able to reproduce the failure is to trick IPA into thinking that tomcat is newer. But that drops the requiredSecret value and it isn't what we've seen, which is both values but they both differ from the IPA proxy.

Unfortunately server.xml is not included in sosreports so I only know that the secrets are different but not when they were generated or by what.

The most sensible fix is to try to catch this condition in the IPA upgrade code and just fix it. This is just additional fallout from 2006070.
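
The following is an added example, not code from FreeIPA or Dogtag, illustrating the precedence Endi describes above (on startup PKI keeps the attribute this Tomcat version understands, with its existing value, and drops the other) and the check Rob proposes for the upgrade code: read the AJP connectors in server.xml, work out which secret Tomcat will actually enforce, compare it with the secret= values on the ajp:// lines of ipa-pki-proxy.conf, and rewrite them if they differ. It treats server.xml as the source of truth, i.e. Endi's option #1. The server.xml and proxy excerpts, the secret strings and all function names are constructed for the example; the 9.0.31.0 rename threshold is the one named in the thread.

```python
"""Added example: find and repair a mismatch between the AJP secret Tomcat
enforces (server.xml) and the one mod_proxy_ajp sends (ipa-pki-proxy.conf).
Not FreeIPA or Dogtag code; samples and names are constructed."""
import re
import xml.etree.ElementTree as ET

# Tomcat renamed the AJP attribute from requiredSecret to secret in 9.0.31.0.
AJP_SECRET_RENAME = (9, 0, 31, 0)

# Constructed secrets (not real values).
SECRET_ATTR_VALUE = "secretAttrValue11111111111111111111111111111"
REQUIRED_SECRET_VALUE = "requiredSecretValue2222222222222222222222222"
STALE_PROXY_VALUE = "staleProxyValue333333333333333333333333333333"

# Constructed server.xml excerpt in the state the bug describes: both
# attributes present, with different values.
SAMPLE_SERVER_XML = f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
               secret="{SECRET_ATTR_VALUE}" name="Connector1"
               requiredSecret="{REQUIRED_SECRET_VALUE}"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1"
               secret="{SECRET_ATTR_VALUE}" name="Connector2"
               requiredSecret="{REQUIRED_SECRET_VALUE}"/>
  </Service>
</Server>
"""

# Constructed ipa-pki-proxy.conf excerpt whose secret matches neither attribute.
SAMPLE_PROXY_CONF = f"""# constructed excerpt
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009 secret={STALE_PROXY_VALUE}
ProxyPassMatch ^/ca/agent/ca/ ajp://localhost:8009 secret={STALE_PROXY_VALUE}
"""

# Matches the secret= parameter on any ajp:// ProxyPass/ProxyPassMatch line.
PROXY_SECRET_RE = re.compile(r"(ajp://\S+\s+secret=)(\S+)")


def parse_version(version):
    """'9.0.30.0' -> (9, 0, 30, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def ajp_connectors(server_xml):
    """Return (name, secret, requiredSecret) for every AJP connector."""
    root = ET.fromstring(server_xml)
    return [
        (c.get("name"), c.get("secret"), c.get("requiredSecret"))
        for c in root.iter("Connector")
        if c.get("protocol", "").startswith("AJP/")
    ]


def effective_secret(secret, required_secret, tomcat_version):
    """Which value Tomcat will enforce. On startup PKI keeps the attribute
    this Tomcat understands (and its existing value) and drops the other,
    so the surviving attribute is authoritative."""
    if parse_version(tomcat_version) >= AJP_SECRET_RENAME:
        return secret if secret is not None else required_secret
    return required_secret if required_secret is not None else secret


def proxy_secrets(proxy_conf):
    """All secret= values on ajp:// lines of the proxy config."""
    return {m.group(2) for m in PROXY_SECRET_RE.finditer(proxy_conf)}


def reconcile(server_xml, proxy_conf, tomcat_version):
    """Return (enforced_secret, mismatch, repaired_proxy_conf)."""
    enforced = {
        effective_secret(s, r, tomcat_version) for _, s, r in ajp_connectors(server_xml)
    }
    if len(enforced) != 1 or None in enforced:
        raise ValueError(f"AJP connectors do not agree on one secret: {enforced}")
    expected = enforced.pop()
    mismatch = proxy_secrets(proxy_conf) != {expected}
    repaired = PROXY_SECRET_RE.sub(lambda m: m.group(1) + expected, proxy_conf)
    return expected, mismatch, repaired


if __name__ == "__main__":
    secret, bad, fixed = reconcile(SAMPLE_SERVER_XML, SAMPLE_PROXY_CONF, "9.0.30.0")
    print("tomcat enforces:", secret)
    print("proxy mismatch:", bad)
    print(fixed)
```

On the 9.0.30.0 Tomcat of the vanilla 8.5.0 case above, the check resolves to the requiredSecret value, which is the one ipa-pki-proxy.conf was already using; the same server.xml on a Tomcat at or past 9.0.31.0 resolves to the secret value instead, which is the flip that leaves httpd sending a stale secret and the CA answering 403. Running the repaired config back through the check confirms that the two sides agree before httpd is restarted.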

--- Additional comment from Rob Crittenden on 2022-06-09 13:34:55 UTC ---

Cloned to https://pagure.io/freeipa/issue/9176

--- Additional comment from Florence Blanc-Renaud on 2022-06-14 14:53:16 UTC ---

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/deaaaaf1492410269c1f66f8d4bb57e41b99d87c

master:
https://pagure.io/freeipa/c/7572174175415a113a95c1094503bb1102257610

Comment 6 Mohammad Rizwan 2022-07-12 07:17:48 UTC
version:
ipa-server-4.10.0-2.el9.x86_64
ipa-server-common-4.10.0-2.el9.noarch
ipa-server-dns-4.10.0-2.el9.noarch

uname: posix.uname_result(sysname='Linux', nodename='runner.testrelm.test', release='5.14.0-127.el9.x86_64', version='#1 SMP PREEMPT_DYNAMIC Sat Jul 9 08:20:22 EDT 2022', machine='x86_64')
euid: 0, egid: 0
working dir: /usr/lib/python3.9/site-packages/ipatests
sys.version: 3.9.13 (main, Jun  9 2022, 00:00:00) 
[GCC 11.3.1 20220421 (Red Hat 11.3.1-2)]
============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-127.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 7 items

test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data0] PASSED [ 14%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data1] PASSED [ 28%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data2] PASSED [ 42%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data3] PASSED [ 57%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data4] PASSED [ 71%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data5] PASSED [ 85%]
test_ipaserver/test_secure_ajp_connector.py::TestAJPSecretUpgrade::test_connecter[test_data6] PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
============================== 7 passed in 0.13s ===============================

Automation passed, Hence marking the bug as verified

Comment 9 errata-xmlrpc 2022-11-15 10:00:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988

