Bug 492189 - Security Officer: a security officer token that is in temp lost status can be used to login to the so work station UI.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: ESC
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Jack Magne
QA Contact: Chandrasekar Kannan
Blocks: 443788 505685
Reported: 2009-03-25 15:51 EDT by Asha Akkiangady
Modified: 2015-01-04 18:37 EST
CC: 3 users
Doc Type: Bug Fix
Clones: 505685
Last Closed: 2009-07-22 19:33:43 EDT

Attachments
Config changes to make this feature configurable. (1.81 KB, patch) - 2009-06-11 19:54 EDT, Jack Magne
Fixed patch to address this problem. (1.78 KB, patch) - 2009-06-12 13:04 EDT, Jack Magne
Sample documentation text to explain this feature. (4.18 KB, text/plain) - 2009-06-12 14:36 EDT, Jack Magne

Description Asha Akkiangady 2009-03-25 15:51:54 EDT
Description of problem:
A security officer token that is in temp lost status can be used to log in to the SO work-station UI.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:


Steps to Reproduce:
1. Set the phone home URL and enroll Security Officer SOfficer#1 with a token#1.
2. From the TPS agent page select SOfficer#1's token and put it to the status "This token has been temporarily lost".
3. From the agent page select the token again and make sure the token status is 'lost' and the Reason is 'onHold'.
4. Set esc-prefs.js to have esc.security.url be the SO workstation UI.
5. Restart the Smart Card Manager app.
6. Insert token#1.

Actual results:
The token is recognized and SOfficer#1's password is requested; by providing the right password one can perform work-station functions such as enrollment and format.

Expected results:
ESC should throw an error message that it's an invalid security officer token.

Additional info:
Comment 1 Asha Akkiangady 2009-03-25 16:02:47 EDT
A permanently lost security officer token is also able to log in to the work-station UI and perform operations.
Comment 2 Jack Magne 2009-06-10 14:01:10 EDT
Will give this a try with the ocsp feature turned on.
Comment 3 Jack Magne 2009-06-11 19:53:39 EDT
I've gotten this to basically work with the following test version of nss installed:

nss-3.12.3.99.3-1

This whole issue is talked about in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=499052

Once a working nss is installed, the tps server can be configured by adding the following lines to the nss.conf file:


# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on


#URL of the ocsp service
#Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://localhost:9180/ca/ocsp

#Nickname of ocsp signing cert
#Below is sufficient if using built in CS CA ocsp service
#If using outboard ocsp, make sure the cert listed below
#is imported into the local cert database.

NSSOCSPDefaultName caCert 


Set the URL to your actual CA.
The NSSOCSPDefaultName might have to change if using an outboard OCSP server.


I thought it would be reasonable to put these items in the nss.conf for both tps and ra, but have them all commented out, so the user can configure it as desired.


The following patch describes the changes to the nss.conf files.
Comment 4 Jack Magne 2009-06-11 19:54:35 EDT
Created attachment 347499 [details]
Config changes to make this feature configurable.
Comment 5 Jack Magne 2009-06-11 19:57:55 EDT
If OCSP is successfully configured on the TPS, this bug will be addressed to the following extent:

1. If the Security Officer's certificate has been revoked, TPS will consult the OCSP responder and deny entry into this UI. The following is the current downside of this approach:

The current NSS uses a caching mechanism for requests it has made to the OCSP server. The first time NSS has to consult the OCSP on behalf of a certificate, it puts that cert's information into a cache. If the cert is then unrevoked, there is a wait of about one hour, as far as I can tell, before the OCSP is actually consulted again. For now, this may be the best we can do.
Comment 6 Jack Magne 2009-06-12 13:04:51 EDT
Created attachment 347615 [details]
Fixed patch to address this problem.
Comment 7 Jack Magne 2009-06-12 14:36:26 EDT
Created attachment 347644 [details]
Sample documentation text to explain this feature.

Here is some sample text designed to document to the user how to operate this feature.
Comment 8 Matthew Harmsen 2009-06-12 15:23:51 EDT
attachment (id=347615) +mharmsen

CAVEAT:

I would suggest the following format for clarity in both the RA and TPS nss.conf:

# Configure OCSP checking of client certs

#NSSOCSP on
#NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#     Example of the built in ocsp service of the  CS CA

#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#     Below is sufficient if using built in CS CA ocsp service
#
#     If using outboard ocsp, make sure the cert listed below
#     is imported into the local cert database.

#NSSOCSPDefaultName caCert
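As an added example that is not part of this bug's patches or of mod_nss itself, here is a small Python check that parses an nss.conf and reports whether OCSP checking of client certificates is actually in effect, i.e. whether the four directives discussed in Comment 3 and Comment 8 are present and not commented out. It covers both shapes shown in this bug: the shipped form with every directive commented out (no revocation checking, so an on-hold or revoked security officer certificate is still accepted) and the enabled form. The three sample configurations are constructed for this example, the responder host in the enabled sample is a placeholder, and requiring all four directives follows the configuration used in this bug rather than every way mod_nss can be set up.

```python
import re

# Constructed sample: the shipped form suggested in Comment 8, with every
# OCSP directive commented out, so no revocation checking takes place.
DISABLED_CONF = """\
# Configure OCSP checking of client certs

#NSSOCSP on
#NSSOCSPDefaultResponder on

# URL of the ocsp service
#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp

# Nickname of ocsp signing cert
#NSSOCSPDefaultName caCert
"""

# Constructed sample: the enabled form; the responder host is a placeholder.
ENABLED_CONF = """\
# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on

NSSOCSPDefaultURL http://ca.example.test:9180/ca/ocsp

NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"
"""

# Constructed sample: checking switched on but no responder or signing cert
# nickname uncommented, the kind of half-edit the commented block invites.
PARTIAL_CONF = """\
NSSOCSP on
NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
#NSSOCSPDefaultName caCert
"""


def parse_nss_conf(text):
    """Return {directive: value} for the directives that are in effect.

    Blank lines and '#' comments are skipped, so a directive that is only
    present in commented-out form does not count. Surrounding double quotes
    are removed from values such as "ocspSigningCert cert-pki-ca". A later
    occurrence overrides an earlier one (assumption: the directives checked
    here are simple scalars, so last-one-wins is the relevant behaviour).
    """
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        active[name] = value
    return active


def ocsp_findings(text):
    """Return a list of problems; an empty list means client-cert OCSP
    checking is configured the way this bug's fix expects."""
    conf = parse_nss_conf(text)
    findings = []
    if conf.get("NSSOCSP", "").lower() != "on":
        findings.append("NSSOCSP is not on: revoked or on-hold client certs are still accepted")
    if conf.get("NSSOCSPDefaultResponder", "").lower() != "on":
        findings.append("NSSOCSPDefaultResponder is not on: no default responder is consulted")
    if not re.fullmatch(r"https?://\S+", conf.get("NSSOCSPDefaultURL", "")):
        findings.append("NSSOCSPDefaultURL is missing or is not an http(s) URL")
    if not conf.get("NSSOCSPDefaultName"):
        findings.append("NSSOCSPDefaultName (nickname of the OCSP signing cert) is not set")
    return findings


def ocsp_enabled(text):
    """True when the configuration raises no findings."""
    return not ocsp_findings(text)


if __name__ == "__main__":
    samples = (("disabled", DISABLED_CONF), ("partial", PARTIAL_CONF), ("enabled", ENABLED_CONF))
    for label, conf in samples:
        problems = ocsp_findings(conf)
        print(f"{label}: {'enforcing' if not problems else 'NOT enforcing'}")
        for p in problems:
            print("  -", p)
```

Passing this check only says the directives are active in the file that was read; it cannot tell whether the responder is reachable, whether the signing cert named by NSSOCSPDefaultName is actually in the server's cert database, or how long NSS will keep serving a cached OCSP answer after a cert is unrevoked, so it complements rather than replaces the end-to-end login test described in this bug.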
Comment 9 Jack Magne 2009-06-12 15:32:35 EDT
svn commit -m "Bugzilla Bug# 492189, Security Officer: a security officer token that is in temp lost status can be used to login to the so work station UI."
Sending        base/ra/apache/conf/nss.conf
Sending        base/tps/apache/conf/nss.conf
Transmitting file data ..
Committed revision 585.
Comment 10 Asha Akkiangady 2009-07-09 19:59:29 EDT
Verified.

Trying to log in to the SO workstation with a temporarily lost security officer token shows a dialog with "SSL Peer rejected your certificate as revoked".

Did the following changes and restarted the TPS server:

Imported the OCSP signing cert from the CA's alias directory to the TPS's alias directory, and the TPS nss.conf has the following settings:

# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#   Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://dhcp-108.sjc.redhat.com:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#    Below is sufficient if using built in CS CA ocsp service
#    If using outboard ocsp, make sure the cert listed below
#    is imported into the local cert database.

NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"
Comment 11 Asha Akkiangady 2009-07-12 17:01:26 EDT
Unable to log in to the ESC security officer station on Vista after these steps. Operation timed out when attempting to contact the TPS server host.
Putting this bug to assigned status.

1. Set the phone home URL and enroll Security Officer SOfficer#1 with a token#1.

2. Imported the OCSP signing cert from the CA's alias directory to the TPS's alias directory.

3. The TPS nss.conf has the following settings:

# Configure OCSP checking of client certs

NSSOCSP on
NSSOCSPDefaultResponder on

# URL of the ocsp service
#
#   Example of the built in ocsp service of the  CS CA

NSSOCSPDefaultURL http://dhcp-108.sjc.redhat.com:9180/ca/ocsp

# Nickname of ocsp signing cert
#
#    Below is sufficient if using built in CS CA ocsp service
#    If using outboard ocsp, make sure the cert listed below
#    is imported into the local cert database.

NSSOCSPDefaultName "ocspSigningCert cert-pki-ca"

4. Restart tps.

5. From the TPS agent page select SOfficer#1's token token#1 and put it to the status "This token has been temporarily lost".

6. Set esc-prefs.js to have esc.security.url be the SO workstation UI.

7. Start ESC and log in to the SO workstation with token#1; error message "SSL Peer rejected your certificate as revoked".

8. From the TPS agent page select SOfficer#1's token token#1 and put it to the status "This temporarily lost token has been found".

9. Restart TPS.

10. Start ESC and log in to the SO workstation with token#1; able to log in.

11. Reboot the machine on which the CS subsystems are installed.

12. Start the directory server and all the CS subsystems.

13. From ESC log in to the SO workstation with token#1.

Actual Result:
Operation timed out when attempting to contact tps host.

Expected:
Successfully log in to the SO workstation with token#1 and perform user enrollments.


Additional info:
Enrolling a user in the regular ESC mode after step #13 gives the error message "Enrollment of smart card failed. Smart card manager has lost the connection to the Smart card server".
Comment 12 Jack Magne 2009-07-13 12:51:03 EDT
So, the problem here is the following:

1. Revoke the user and see that the OCSP server rejects the cert.
2. Bring back the user and see that the OCSP server lets the cert in.
3. For some reason, reboot the machine and restart all servers and try again, which results in a timed out connection.

If so, will take a look.
Comment 13 Asha Akkiangady 2009-07-13 14:41:59 EDT
The firewall was turned on on the host; we turned off the firewall, and the security officer token worked fine.
