Bug 2375332 - Missing registry entries for EST on upgraded server
Summary: Missing registry entries for EST on upgraded server
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: dogtag-pki
Version: 42
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Endi Sukma Dewata
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-06-28 15:32 UTC by Pritam Singh
Modified: 2025-06-28 15:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Description Pritam Singh 2025-06-28 15:32:48 UTC
I've upgraded to the latest PKI version 11.7 from PKI-11.2 to reproduce https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6. At the time of EST deployment on the upgraded PKI version, adding the estServiceCert profile to the CA was not working and failed with the error "Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null".

Builds:

# uname -r
6.15.3-200.fc42.x86_64

# rpm -qa | grep -e pki -e jss -e jackson -e resteasy | sort
dogtag-jss-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-jss-tomcat-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-acme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-base-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ca-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-est-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-java-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-javadoc-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-kra-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ocsp-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-server-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tests-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-theme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tks-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tools-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-tps-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
python3-dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch

Reproducible: Always

Steps to Reproduce:
1. Follow test procedure: https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6
2. Deploy EST on the upgraded PKI 11.7 version, refer to: https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/installation_and_configuration#installing-est-pki-server
3. Add the EST profile using the following command:
$ pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg

Actual Results:
[root@pki1 fedora]# pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg 
BadRequestException: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null

CA debug log:

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: Creating profile from raw data
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - profileId: estServiceCert
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - classId: caEnrollImpl
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - name: EST Service Certificate Enrollment
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - description: EST service certificate profile
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] SEVERE: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
java.lang.NullPointerException: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
    at com.netscape.cms.profile.common.Profile.init(Profile.java:269)
    at org.dogtagpki.server.ca.rest.v1.ProfileService.createProfileRaw(ProfileService.java:646)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
...
...
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:1583)

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: Returning BadRequestException
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: XML exception:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PKIException>
  <ClassName>com.netscape.certsrv.base.BadRequestException</ClassName>
  <Attributes/>
  <Code>400</Code>
  <Message>Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null</Message>
</PKIException>

Expected Results:
EST profile add should work as expected.

Additional Information:
Missing parameters in upgraded PKI's registry.cfg file:

constraintPolicy.raClientAuthSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.RAClientAuthSubjectNameContraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.desc=RA Client Subject Name Constraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.name=RA Client Subject Name Constraint

raClientAuthInfoInputImpl from profileInput.ids=
raClientAuthSubjectNameConstraintImpl from constraintPolicy.ids=

profileInput.raClientAuthInfoInputImpl.class=com.netscape.cms.profile.input.RAClientAuthInfoInput
profileInput.raClientAuthInfoInputImpl.desc=RA Client Authentication Information Input
profileInput.raClientAuthInfoInputImpl.name=RA Client Authentication Information Input


As a workaround: when I replaced registry.cfg with the latest one or added the above parameters to the upgraded PKI's registry.cfg file, EST profile add worked.
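
A pre-flight check for the condition described in this report, as an added example that is not part of the original report or of the dogtag-pki code base: it parses a registry.cfg and lists which of the entries named above are absent, so the gap can be found before `ca-profile-add` fails with the null `inputInfo` error. It assumes the `.ids` values are comma-separated lists; the sample input and its `example*` ids are constructed, and the path to registry.cfg is passed on the command line.

```python
import sys

# Plugin ids the report lists as missing from the upgraded registry.cfg.
REQUIRED_PLUGINS = {
    "profileInput": "raClientAuthInfoInputImpl",
    "constraintPolicy": "raClientAuthSubjectNameConstraintImpl",
}
REQUIRED_ATTRS = ("class", "desc", "name")


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def missing_registry_entries(text):
    """Return a description of each required id or key absent from text."""
    props = parse_properties(text)
    missing = []
    for plugin_type, plugin_id in REQUIRED_PLUGINS.items():
        # Assumption: <type>.ids holds a comma-separated list of plugin ids.
        ids = [i.strip() for i in props.get(f"{plugin_type}.ids", "").split(",")]
        if plugin_id not in ids:
            missing.append(f"{plugin_id} not listed in {plugin_type}.ids")
        for attr in REQUIRED_ATTRS:
            key = f"{plugin_type}.{plugin_id}.{attr}"
            if not props.get(key):
                missing.append(f"{key} not set")
    return missing


# Constructed sample of a registry.cfg that predates the EST plugins.
UPGRADED_SAMPLE = """\
profileInput.ids=exampleInputImpl
profileInput.exampleInputImpl.class=org.example.ExampleInput
constraintPolicy.ids=exampleConstraintImpl
constraintPolicy.exampleConstraintImpl.class=org.example.ExampleConstraint
"""

if __name__ == "__main__":
    # Usage: python3 check_registry.py <path to the CA's registry.cfg>
    with open(sys.argv[1], encoding="utf-8") as cfg:
        problems = missing_registry_entries(cfg.read())
    print("\n".join(problems) or "all EST registry entries present")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any entry is missing, so it can gate an EST deployment step after an upgrade.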

