Bug 504697 - certificates always issued by admin
Status: CLOSED NOTABUG
Product: Dogtag Certificate System
Classification: Community
Component: CA
Version: unspecified
Hardware: All Linux
Priority: urgent, Severity: high
Assigned To: Andrew Wnuk
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-06-08 16:15 EDT by Chandrasekar Kannan
Modified: 2015-01-04 18:38 EST
Doc Type: Bug Fix
Last Closed: 2009-06-10 00:21:34 EDT
Description Chandrasekar Kannan 2009-06-08 16:15:56 EDT
Steps that I used to reproduce:

 - yum install pki-ca
 - configure the ca instance. Get the default admin/agent cert.
 - this user is called 'admin'
 - request/issue a couple of certs. ProfileReview page when approving the
   cert says "Approved By: admin" which is correct.
 - go to pkiconsole, add a new user: ckannan. Add user to group "Certificate
   Manager Agents"
 - go to the ca ee page and request a cert for ckannan. Approve it.
 - Import certificate via pkiconsole for 'ckannan'.
 - open another tab and request a new test cert.
 - relaunch browser and authenticate to the CA agent page with 'ckannan' cert.
 - try to approve this cert. Profile Review page shows "approved by: admin".

Seems like admin is hard-coded, which is not the expected behaviour. It should show the other agent's name, such as "Approved by: ckannan".
Comment 1 Chandrasekar Kannan 2009-06-08 17:07:03 EDT
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: caListRequests start to service.
[08/Jun/2009:13:05:38][http-9443-Processor16]: DisplayHtmlServlet about to service 
[08/Jun/2009:13:05:38][http-9443-Processor16]: IP: 10.14.52.236
[08/Jun/2009:13:05:38][http-9443-Processor16]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: certUID=UID=ckannan,E=ckannan@redhat.com,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: started
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: client certificate found
[08/Jun/2009:13:05:38][http-9443-Processor16]: getConn: mNumConns now 14
[08/Jun/2009:13:05:38][http-9443-Processor16]: returnConn: mNumConns now 15
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: mapped certificate to user
[08/Jun/2009:13:05:38][http-9443-Processor16]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:05:38][http-9443-Processor16]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success

[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: curDate=Mon Jun 08 13:05:38 PDT 2009 id=caListRequests time=2

-------------

[08/Jun/2009:13:06:48][http-9443-Processor8]: CMSServlet: curDate=Mon Jun 08 13:06:48 PDT 2009 id=caqueryReq time=22
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet::service() param name='requestId' value='79980'
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: caProfileReview start to service.
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: start serving
[08/Jun/2009:13:06:50][http-9443-Processor14]: IP: 10.14.52.236
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: certUID=UID=ckannan,E=ckannan@redhat.com,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: started
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: client certificate found
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: mapped certificate to user
[08/Jun/2009:13:06:50][http-9443-Processor14]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success

[08/Jun/2009:13:06:50][http-9443-Processor14]: checkACLS(): ACLEntry expressions= group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluating expressions: group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: UGSubsystem.isMemberOf() using new lookup code
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search base: cn=Certificate Manager Agents,ou=groups,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search filter: (uniquemember=uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca)
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization result: true
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluated expression: group="Certificate Manager Agents" to be true
[08/Jun/2009:13:06:50][http-9443-Processor14]: DirAclAuthz: authorization passed
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=ckannan][Outcome=Success][aclResource=certServer.ca.request.profile][Op=read] authorization success

[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role

[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: SubId=profile
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980 profileId=caUserCert
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: profileSetId=userCertSet
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthInfoAccess num=5
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension.  get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension.  get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: curDate=Mon Jun 08 13:06:50 PDT 2009 id=caProfileReview time=11
-----------------

Certificate Profile Information
Certificate Profile Id:         caUserCert
Approved By:    admin
Certificate Profile Name:       Manual User Dual-Use Certificate Enrollment
Certificate Profile Description:        This certificate profile is for enrolling user certificates.

----------------
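
An added example, not part of the original bug report and not Dogtag code: it groups the SignedAuditEventFactory lines of a debug log like the one in Comment 1 by servlet request and lists requests whose audited SubjectID differs from a name shown in the UI. The sample lines are copied from Comment 1; the function names are hypothetical.

```python
import re

# Lines copied (abridged) from the debug log in Comment 1.
SAMPLE_LOG = """\
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet::service() param name='requestId' value='79980'
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=ckannan][Outcome=Success][aclResource=certServer.ca.request.profile][Op=read] authorization success
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
URI_RE = re.compile(r"CMSServlet:service\(\) uri = (\S+)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")  # one [Key=Value] pair of an audit message


def audit_trail(log_text):
    """Return one record per servlet request: thread, time, uri and audit events."""
    open_req = {}  # thread name -> record of the request it is currently serving
    requests = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and separators
        thread, msg = m["thread"], m["msg"]
        uri = URI_RE.search(msg)
        if uri:
            # A "uri =" line starts a new request on this worker thread.
            rec = {"thread": thread, "ts": m["ts"], "uri": uri.group(1), "events": []}
            open_req[thread] = rec
            requests.append(rec)
        elif "SignedAuditEventFactory" in msg and thread in open_req:
            open_req[thread]["events"].append(dict(FIELD_RE.findall(msg)))
    return requests


def subject_mismatches(requests, displayed_name):
    """List (uri, subjects) for requests audited under a subject other than displayed_name."""
    out = []
    for rec in requests:
        subjects = {e["SubjectID"] for e in rec["events"]
                    if e.get("Outcome") == "Success" and "SubjectID" in e}
        if subjects and displayed_name not in subjects:
            out.append((rec["uri"], sorted(subjects)))
    return out
```

In the excerpt the profileReview request is authorized with Op=read, so these events identify who loaded the review page, not who approved a request.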
Comment 2 Andrew Wnuk 2009-06-08 19:15:00 EDT
0x0000006a issued for 'agent2' by 'admin'  with caUserCert
0x0000006b issued for 'aaa'    by 'agent2' with caUserCert
0x0000006c issued for 'xxx'    by 'system' with caDirUserCert

I do not see all certificates being issued by admin only.


Here is a corresponding certificate list:

Serial number: 0x0000006a
Subject name: UID=agent2
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 2048-bit key
Not valid before: 6/8/2009 15:09:37
Not valid after: 12/5/2009 14:09:37
Issued on: 6/8/2009 15:09:50
Issued by: admin

Serial number: 0x0000006b
Subject name: UID=aaa
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:11:37
Not valid after: 12/5/2009 14:11:37
Issued on: 6/8/2009 15:11:54
Issued by: agent2

Serial number: 0x0000006c
Subject name: UID=xxx, OU=People, DC=sjc, DC=redhat, DC=com
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:13:41
Not valid after: 12/5/2009 14:13:41
Issued on: 6/8/2009 15:13:41
Issued by: system
Comment 3 Chandrasekar Kannan 2009-06-10 00:21:34 EDT
Haven't been able to reproduce this myself. Closing bug.
