Bug 502267 - Allow CA, DRM, OCSP, and TKS to be started using the Security Manager
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
1.1
All Linux
high Severity medium
Assigned To: Matthew Harmsen
Chandrasekar Kannan
: FutureFeature
Depends On:
Blocks: 636613 445047
Reported: 2009-05-22 17:05 EDT by Matthew Harmsen
Modified: 2015-01-05 20:18 EST (History)
Doc Type: Enhancement
Clone Of:
: 636613 (view as bug list)
Last Closed: 2012-06-04 16:12:10 EDT


Attachments
Updated PKI Catalina.policy file . . . (16.80 KB, text/plain)
2009-05-26 15:13 EDT, Matthew Harmsen
Updated PKI Catalina.policy file . . . (spec files) (3.84 KB, patch)
2009-05-26 15:15 EDT, Matthew Harmsen
Updated PKI Catalina.policy file . . . (16.80 KB, patch)
2009-05-26 15:16 EDT, Matthew Harmsen

Description Matthew Harmsen 2009-05-22 17:05:48 EDT
Description of problem:

Although CA, DRM, OCSP, and TKS do NOT start up with Security Manager out of the box, they do include their own "catalina.policy" file, and if a start script is manually altered to start up using the security manager, each PKI instance will crash prior to starting up.


Version-Release number of selected component (if applicable):

Dogtag 1.1 CA, DRM, OCSP, and TKS


How reproducible:

Always


Steps to Reproduce:

1.  As root, change the /etc/init.d/<pki_instance> start/stop script from:

    ...
    # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
    if [ ${OS} = "SunOS" ] ; then
        su  $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
    else
        runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
    fi
    ...

to:

    ...
    # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
    if [ ${OS} = "SunOS" ] ; then
        su  $TOMCAT_USER -c "$TOMCAT_SCRIPT start -security" > /dev/null
    else
        runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start -security" > /dev/null
    fi
    ...

2.  Invoke "/sbin/service <pki_instance> start"

3.  Although the system says that it "started", invoking "/sbin/service <pki_instance> status" will show that the system is no longer running, but did produce an empty pid file.


Actual results:

The selected instance will "start", but immediately die producing an empty pid file.


Expected results:

The selected instance should "start", and continue to run producing a valid pid file.


Additional info:
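
An added example, not part of the original report or of the Dogtag scripts: a shell check that tells the failure described above (an instance that reports "started" but leaves an empty pid file) apart from a running instance. The function names and the pid file path in the comment are assumptions; the report does not give the pid file location.

```shell
#!/bin/sh
# Added example. Classify a pid file after "<pki_instance> start -security".
# Prints one of: no-pidfile | empty-pidfile | invalid-pidfile | stale-pidfile | running
pidfile_state() {
    pidfile=$1
    if [ ! -e "$pidfile" ]; then
        echo "no-pidfile"; return 0
    fi
    # Strip whitespace so a file that holds only a newline counts as empty.
    pid=$(tr -d '[:space:]' < "$pidfile")
    if [ -z "$pid" ]; then
        echo "empty-pidfile"; return 0   # the state described in this report
    fi
    case $pid in
        *[!0-9]*) echo "invalid-pidfile"; return 0 ;;
    esac
    # kill -0 sends no signal, it only tests for the process; /proc covers
    # the case where the process exists but belongs to another user.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo "running"
    else
        echo "stale-pidfile"
    fi
}

# Poll once per second for $2 seconds (default 5). Succeed only if the process
# is alive on every poll, because the reported failure is an instance that
# says it started and then dies. On failure, print the state that was seen.
verify_started() {
    remaining=${2:-5}
    while [ "$remaining" -gt 0 ]; do
        state=$(pidfile_state "$1")
        [ "$state" = "running" ] || { echo "$state"; return 1; }
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "running"
}

# Usage (hypothetical path): verify_started /var/run/<pki_instance>.pid 5
```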
Comment 4 Matthew Harmsen 2009-05-26 15:13:37 EDT
Created attachment 345501
Updated PKI Catalina.policy file . . .
Comment 5 Matthew Harmsen 2009-05-26 15:15:24 EDT
Created attachment 345502
Updated PKI Catalina.policy file . . . (spec files)
Comment 6 Matthew Harmsen 2009-05-26 15:16:26 EDT
Created attachment 345503
Updated PKI Catalina.policy file . . .
Comment 7 Andrew Wnuk 2009-05-26 15:43:43 EDT
attachment (id=345502)
attachment (id=345503)
+awnuk
Comment 8 Matthew Harmsen 2009-05-26 15:55:36 EDT
cd pki/base

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/shared/conf/catalina.policy
M      tks/shared/conf/catalina.policy
M      ocsp/shared/conf/catalina.policy
M      kra/shared/conf/catalina.policy

% svn commit
Sending        base/ca/shared/conf/catalina.policy
Sending        base/kra/shared/conf/catalina.policy
Sending        base/ocsp/shared/conf/catalina.policy
Sending        base/tks/shared/conf/catalina.policy
Transmitting file data ....
Committed revision 496.



cd pki/dogtag

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/pki-ca.spec
M      tks/pki-tks.spec
M      ocsp/pki-ocsp.spec
M      kra/pki-kra.spec

% svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ....
Committed revision 497.
