Bug 245661 - Clone DRM, with HSM, does NOT function correctly after install
Status: CLOSED ERRATA
Product: Red Hat Certificate System
Classification: Red Hat
Component: Cloning
7.2
All Linux
high Severity high
: rc
: ---
Assigned To: Bob Lord
Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2007-06-25 18:36 EDT by Issue Tracker
Modified: 2017-04-10 10 EDT
2 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:25:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Issue Tracker 2007-06-25 18:36:42 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2007-06-25 18:36:46 EDT
Description of problem:
After finishing the clone DRM Setup Wizard, a couple of configurations were missing:

01) cs.state was set to 0
02) missing kraTransportCert cert-drm-da cert
03) missing kraStorageCert cert-drm-da cert
04) missing subsystemCert cert-rhpki-drm-da cert
05) access DRM agent page, I got "Error Message:
java.lang.NullPointerException:"

How reproducible:

01) Manually set cs.state to 1
02) import kraTransportCert cert-drm-da cert from master DRM
03) import kraStorageCert cert-drm-da from master DRM
04) import subsystemCert cert-rhpki-drm-da from master DRM
05) go to the DRM Agent page, click "Search for Keys"
07) check "Key Identifiers" and click "show key"
08) Got this message,
The Certificate System has encountered an unrecoverable error.

Error Message:
java.lang.NullPointerException:

Please contact your local administrator for assistance. 

This event sent from IssueTracker by mrhodes  [Support Engineering Group]
 issue 123812
Comment 2 Issue Tracker 2007-06-25 18:36:50 EDT
File uploaded: drm-db-CS.cfg
it_file 93667
Comment 3 Issue Tracker 2007-06-25 18:36:52 EDT
File uploaded: drm-db-debug
it_file 93668
Comment 4 Issue Tracker 2007-06-25 18:36:55 EDT
hi,

I am able to overcome the java.lang.NullPointerException issue. The
problem was:
01) authz.instance.DirAclAuthz.ldap.database=CertificateServer
02) internaldb.database=CertificateServer

I changed those 2 parameters to userRoot1
01) authz.instance.DirAclAuthz.ldap.database=userRoot1
02) internaldb.database=userRoot1

After fixing the previous issue, I am able to browse the existing keys from the clone
DRM agent page. However, when I try to recover an existing key, I get another
error message.


    Failed to recover key for recovery id 1.
    Exception: All serial numbers are used. The max serial number is
0x20000001

Attaching the drm-db.cfg and drm-db-debug files.
Comment 5 Issue Tracker 2007-06-25 18:36:59 EDT
hi Kent,

I copied the following parameters from the Master DRM to the Clone DRM's CS.cfg. Then
I did a Key Recovery. That was successful. Somehow the Clone DRM's request
# and serial # are NOT working correctly.

dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.endRequestNumber=10000000
dbs.endSerialNumber=10000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.requestNumber.increment=10000000
dbs.requestNumber.previncrement=1
dbs.serialNumber.increment=10000000
dbs.serialNumber.previncrement=1

Following are the original clone DRM's parameters.
dbs.beginRequestNumber=10000001
dbs.beginSerialNumber=10000001
dbs.endRequestNumber=20000001
dbs.endSerialNumber=20000001
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.requestNumber.increment=10000000
dbs.requestNumber.previncrement=10000000
dbs.serialNumber.increment=10000000
dbs.serialNumber.previncrement=10000000

Let me know, if you need more information.

Thanks,
Fu
Comment 6 Issue Tracker 2007-06-25 18:37:02 EDT
Kent,

I got good news on the clone DRM. After I changed some parameters (see previous
update), I am able to do token operations with the clone DRM. The enrollment
was successful against Master-CA, Master-TKS, and Clone DRM. Here is a small
section of the Clone DRM's log. The hostname of the clone DRM is
drm-db.hmca.ops.aol.com

[2007-06-19 09:25:55] b2b7298 RA::ServerSideKeyGen - finding DRM servlet info, configname=conn.drm1.servlet.GenerateKeyPair
[2007-06-19 09:25:55] b2b7298 HttpConnection::getResponse - Send request to host drm-db.hmca.ops.aol.com:8100 servlet /kra/agent/kra/GenerateKeyPair
[2007-06-19 09:25:59] b2b7298 RA::ServerSideKeyGen - response from DRM (drm-db.hmca.ops.aol.com:8100) is not NULL.
[2007-06-19 09:25:59] b2b7298  RA:: ServerSideKeyGen - in ServerSideKeyGen - got response
[2007-06-19 09:25:59] b2b7298 RA::ServerSideKeyGen - response from DRM status ok
Comment 8 Marco Rhodes 2007-07-20 17:14:50 EDT
Per Thomas (from Issue Tracker #123812):

I just checked the code and the server should use the following parameters to
control the serial numbers of the DRM clone.

I think AOL needs to do the following:

1) Find our current ranges for all 4 DRM (1 Master, 3 Clones)

2) Check the database to see if the issued requests and keys fell into the ranges

3) Then, adjust the following range for requests:
dbs.beginRequestNumber=1000
dbs.endRequestNumber=10000000

4) adjust the following range for the key records:
dbs.beginSerialNumber=1000
dbs.endSerialNumber=10000000


I did the following test.

a) Install CA, DRM

b) Perform a key archival, and a request #1 is created, and a key #1 is created

c) Then, I changed the following parameters

dbs.beginRequestNumber=1000
dbs.endRequestNumber=10000000
dbs.beginSerialNumber=1000
dbs.endSerialNumber=10000000

d) Do another archival, now I have a request #1000, and a key record #1000.

This demonstrates that the server is using beginRequestNumber and
beginSerialNumber to determine the next serial number to use for request and key.
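The two range layouts quoted in Comment 5 and the range-adjustment procedure in Comment 8 (find each instance's ranges, check whether issued numbers fall inside them, then adjust) lend themselves to a small checker. The following Python script is an added example, not code from this bug or from Red Hat Certificate System. It treats CS.cfg as plain key=value text, takes the constructed sample configs from the values quoted in Comment 5, and models the numbering the way the thread describes it: the begin parameter picks the next number (Comment 8's test) and the end parameter is the maximum (the "All serial numbers are used" error in Comment 4). Whether a master and its clones may legitimately share a range is not stated on the page; the overlap check assumes they must not.

```python
# Added example (not part of this bug or of Red Hat Certificate System):
# sanity-check dbs.* request/serial ranges across a master DRM and its clones.
# Range semantics are modelled on the thread: dbs.begin* selects the next
# number to assign, dbs.end* is the maximum. CS.cfg is parsed as key=value.

# Constructed sample configs, built from the values quoted in comment 5.
MASTER_CFG = """\
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.endRequestNumber=10000000
dbs.endSerialNumber=10000000
dbs.ldap=internaldb
"""

CLONE_CFG = """\
dbs.beginRequestNumber=10000001
dbs.beginSerialNumber=10000001
dbs.endRequestNumber=20000001
dbs.endSerialNumber=20000001
dbs.ldap=internaldb
"""

# (kind -> (begin key, end key)) for the two ranges the thread adjusts.
RANGE_KEYS = {
    "request": ("dbs.beginRequestNumber", "dbs.endRequestNumber"),
    "serial": ("dbs.beginSerialNumber", "dbs.endSerialNumber"),
}


def parse_cs_cfg(text):
    """Parse key=value lines; blank lines, '#' comments and bare words are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def dbs_ranges(cfg):
    """Return {'request': (begin, end), 'serial': (begin, end)} as ints."""
    return {kind: (int(cfg[lo]), int(cfg[hi])) for kind, (lo, hi) in RANGE_KEYS.items()}


def overlaps(a, b):
    """True if the closed integer ranges a and b share at least one number."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_instances(instances):
    """instances: {name: CS.cfg text}. Returns a list of findings (empty means OK).

    Flags inverted ranges and any request/serial range shared by two instances
    (assumption: instances replicating one directory must not hand out the
    same request or key record numbers)."""
    findings = []
    ranges = {name: dbs_ranges(parse_cs_cfg(text)) for name, text in instances.items()}
    for name, r in ranges.items():
        for kind, (lo, hi) in r.items():
            if lo > hi:
                findings.append(f"{name}: {kind} range begin {lo} is above end {hi}")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for kind in RANGE_KEYS:
                if overlaps(ranges[a][kind], ranges[b][kind]):
                    findings.append(f"{a}/{b}: {kind} ranges overlap: "
                                    f"{ranges[a][kind]} vs {ranges[b][kind]}")
    return findings


def next_number(cfg_text, kind, last_issued):
    """Next request/serial number the instance would assign, or None when the
    range is exhausted (the condition behind "All serial numbers are used").
    last_issued is the highest number already present in the database."""
    lo, hi = dbs_ranges(parse_cs_cfg(cfg_text))[kind]
    candidate = max(lo, last_issued + 1)
    return candidate if candidate <= hi else None


if __name__ == "__main__":
    for line in check_instances({"master": MASTER_CFG, "clone": CLONE_CFG}) or ["ranges OK"]:
        print(line)
    # The workaround in comment 5 copied the master's range into the clone:
    for line in check_instances({"master": MASTER_CFG, "clone": MASTER_CFG}):
        print("after workaround:", line)
```

Run against the original master and clone configs the checker reports nothing, while the Comment 5 workaround (clone given the master's values) is reported as two overlapping ranges, which is why that workaround trades one failure for a future collision rather than fixing the numbering. `next_number` reproduces Comment 8's test: with begin set to 1000 and one request already issued, the next request is #1000.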
Comment 10 Red Hat Bugzilla 2007-10-27 11:32:31 EDT
User nkwan@redhat.com's account has been closed
Comment 11 Chandrasekar Kannan 2008-08-26 20:06:12 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+
