Bug 705107 - rhcs80 cannot do client auth with pkiconsole (ok with 7.3)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: tomcatjss
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Assignee: Jack Magne
Depends On: 636597 702716
Blocks: 445047
Reported: 2011-05-16 16:30 UTC by Jack Magne
Modified: 2011-12-06 16:51 UTC (History)

Fixed In Version: tomcatjss-2.1.0-2.el6
Doc Type: Bug Fix
Clone Of: 702716
Last Closed: 2011-12-06 16:51:58 UTC


Attachments
  Patch to address this issue. (862 bytes, patch) - 2011-08-06 00:53 UTC, Jack Magne - no flags
  Patch to address this issue. (1.69 KB, patch) - 2011-08-06 01:10 UTC, Jack Magne - alee: review+


Links
  Red Hat Product Errata RHBA-2011:1674 (priority normal, status SHIPPED_LIVE): tomcatjss bug fix update, last updated 2011-12-06 00:50:13 UTC

Comment 2 Jack Magne 2011-08-06 00:53:38 UTC
Created attachment 516968 [details]
Patch to address this issue.

Comment 3 Jack Magne 2011-08-06 01:07:59 UTC
Tested patch on 6.1 system with the CA and tomcat 6. Configured the admin port to be set to "clientAuth=want".

Proceeding to this URL with firefox: https://host.com:9445/ca/admin/ca/getDomainXML. The servlet gave results for the case of presenting a valid client auth certificate and the case of not presenting a client auth certificate.

Caveat:

Ade: We had to fix an issue with respect to "sslget" that allowed it to only optionally provide a client cert. This fix was needed to pair up with this fix when doing the TPS and RA wizards. Do you recall that bug number?

Comment 4 Jack Magne 2011-08-06 01:10:49 UTC
Created attachment 516969 [details]
Patch to address this issue.

This is the actual patch, the previous one was entered in error.

Comment 5 Jack Magne 2011-08-08 19:29:55 UTC
Checkins:

rhel 6.2 branch:

svn commit -m "Fix Bug# 705107 -- rhcs80 cannot do client auth with pkiconsole (ok with 7.3)"
Enter passphrase for key '/home/jmagne/.ssh/id_rsa': 
Sending        jss/JSSSocketFactory.java
Transmitting file data .
Committed revision 164.

Comment 6 Jack Magne 2011-08-08 21:26:42 UTC
How To Test:

Perform the testing procedure for the original bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=702716

Note that the console is not supported in this context so the web browser based portion of the test should be done.

Comment 8 Matthew Harmsen 2011-08-10 22:28:01 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd tomcatjss

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tomcatjss.spec
A       patches
A       patches/tomcatjss-client-auth.patch

# svn commit
Adding         patches
Adding         patches/tomcatjss-client-auth.patch
Sending        tomcatjss.spec
Transmitting file data ..
Committed revision 168.

Comment 9 Kashyap Chamarthy 2011-10-11 11:52:25 UTC
To verify this bz on RHEL6.2 , I'm trying to get 'getDomianXML' page for a CA.

So, I've got pki-ca configured on a RHEL 6.2
#############################################################
[root@dhcp201-176 ~]# service pki-cad status
pki-ca (pid 32108) is running...                           [  OK  ]
    Unsecure Port       = http://dhcp201-176.englab.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://dhcp201-176.englab.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://dhcp201-176.englab.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://dhcp201-176.englab.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://dhcp201-176.englab.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp201-176.englab.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://dhcp201-176.englab.pnq.redhat.com:9445
    ==========================================================================
[root@dhcp201-176 ~]# 
#############################################################

Then I tried to traverse
https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomianXML

Result: All I see is a blank page.


Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release 
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-176 ~]# 
#############################################################

Any hints here?

Comment 10 Marc Sauton 2011-10-11 12:53:36 UTC
typo?...
getDomainXML

Comment 11 Kashyap Chamarthy 2011-10-11 13:11:56 UTC
Whoops. That's right, thanks Marc.

Correct URL -- https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomainXML

#####################
<XMLResponse>
  <DomainInfo>
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <DomainInfo>
      <Name>silentdom</Name>
      <CAList>
        <CA>
          <Host>dhcp201-176.englab.pnq.redhat.com</Host>
          <SecurePort>9444</SecurePort>
          <SecureAgentPort>9443</SecureAgentPort>
          <SecureAdminPort>9445</SecureAdminPort>
          <SecureEEClientAuthPort>9446</SecureEEClientAuthPort>
          <UnSecurePort>9180</UnSecurePort>
          <Clone>FALSE</Clone>
          <SubsystemName>Certificate Authority-ca</SubsystemName>
          <DomainManager>TRUE</DomainManager>
        </CA>
        <SubsystemCount>1</SubsystemCount>
      </CAList>
      <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
      <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
      <RAList><SubsystemCount>0</SubsystemCount></RAList>
      <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
      <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
    </DomainInfo>
  </DomainInfo>
  <Status>0</Status>
</XMLResponse>
#####################
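
The browser-based portion of the test (Comments 3, 6 and 11) as a script, an added example that is not code from this bug, from tomcatjss or from pki-ca. It probes the admin port once without and once with a client certificate, as Comment 3 did, reads the pair of results the way that comment does, and parses the getDomainXML body. The host name, port 9445 and the URL path come from the comments above; the Comment 11 response is embedded as constructed sample input so the parser runs offline; the certificate file arguments and every function name are assumptions.

```python
# Added example, not code from this bug, tomcatjss or pki-ca: the browser-based
# client-auth test from Comments 3, 6 and 11, scripted with the standard library.
import http.client
import re
import ssl
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample input: the body pasted in Comment 11, embedded so that
# parse_domain_xml() runs without a live CA.
SAMPLE_DOMAIN_XML = (
    '<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<DomainInfo><Name>silentdom</Name><CAList><CA>'
    '<Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444</SecurePort>'
    '<SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>9445</SecureAdminPort>'
    '<SecureEEClientAuthPort>9446</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort>'
    '<Clone>FALSE</Clone><SubsystemName>Certificate Authority-ca</SubsystemName>'
    '<DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList>'
    '<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>'
    '<KRAList><SubsystemCount>0</SubsystemCount></KRAList>'
    '<RAList><SubsystemCount>0</SubsystemCount></RAList>'
    '<TKSList><SubsystemCount>0</SubsystemCount></TKSList>'
    '<TPSList><SubsystemCount>0</SubsystemCount></TPSList>'
    '</DomainInfo></DomainInfo><Status>0</Status></XMLResponse>'
)

@dataclass
class ProbeResult:
    ok: bool          # TLS handshake and HTTP exchange completed
    status: int = -1  # HTTP status when ok
    body: str = ""
    error: str = ""

def probe(host, port, path, cafile=None, client_cert=None, client_key=None):
    """GET path over HTTPS, presenting a client certificate only if one is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return ProbeResult(True, resp.status, resp.read().decode("utf-8", "replace"))
    except (ssl.SSLError, OSError) as exc:
        # clientAuth="true" lands here: a handshake alert on TLS 1.2, or an
        # error on the first read on TLS 1.3, so both calls sit inside the try.
        return ProbeResult(False, error=str(exc))
    finally:
        conn.close()

def connector_mode(without_cert, with_cert):
    """Read the pair of probes from Comment 3. A client cannot tell "want" from no
    client auth at all: both answer the no-certificate request, so the servlet's
    own checks are the only gate. Only clientAuth="true" fails that probe."""
    if with_cert.ok and without_cert.ok:
        return "want-or-none"
    if with_cert.ok and not without_cert.ok:
        return "required"
    if without_cert.ok and not with_cert.ok:
        return "client-cert-rejected"
    return "unreachable"

def _convert(tag, text):
    text = (text or "").strip()
    if tag.endswith("Port"):
        return int(text)
    return text == "TRUE" if text in ("TRUE", "FALSE") else text

def parse_domain_xml(body):
    """Turn a getDomainXML response into {"status", "name", "subsystems"}."""
    # pki-ca nests a second <?xml ...?> declaration inside <DomainInfo>; expat
    # rejects a declaration that is not at the very start, so strip them all.
    root = ET.fromstring(re.sub(r"<\?xml[^>]*\?>", "", body))
    status = int(root.findtext("Status", default="-1"))
    info = root.find("DomainInfo/DomainInfo")
    if info is None:  # error responses carry only <Status>
        return {"status": status, "name": None, "subsystems": {}}
    subsystems = {}
    for lst in info:
        if not lst.tag.endswith("List"):
            continue
        kind = lst.tag[:-len("List")]  # CAList -> CA; assumed for every list
        members = [{c.tag: _convert(c.tag, c.text) for c in el}
                   for el in lst.findall(kind)]
        declared = int(lst.findtext("SubsystemCount", default="0"))
        if declared != len(members):
            raise ValueError("%s: SubsystemCount %d, %d entries"
                             % (lst.tag, declared, len(members)))
        subsystems[kind] = members
    return {"status": status, "name": info.findtext("Name"), "subsystems": subsystems}

if __name__ == "__main__":
    import sys  # assumed CLI: host ca.pem client.pem client.key (PEM, not NSS db)
    host, ca_pem, cert_pem, key_pem = sys.argv[1:5]
    no_cert = probe(host, 9445, "/ca/admin/ca/getDomainXML", cafile=ca_pem)
    with_cert = probe(host, 9445, "/ca/admin/ca/getDomainXML", ca_pem, cert_pem, key_pem)
    print("connector mode:", connector_mode(no_cert, with_cert))
    if with_cert.ok and with_cert.status == 200:
        print(parse_domain_xml(with_cert.body))
```

Run it with the CA host name and PEM copies of the CA certificate and of the admin's certificate and key (the file names are whatever you exported; the script does not read the NSS database). "want-or-none" is the result Comment 3 reports for clientAuth=want: from the client side that connector is indistinguishable from one with no client auth, so a successful no-certificate fetch means the servlet, not the connector, decides what an unauthenticated caller may see. The parser also checks each SubsystemCount against the entries actually listed, which catches a truncated or edited response.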

Comment 12 Kashyap Chamarthy 2011-10-11 13:18:08 UTC
Turned to VERIFIED per Comment #11 

Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release ; arch
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
x86_64
[root@dhcp201-176 ~]# 
#############################################################

Comment 13 errata-xmlrpc 2011-12-06 16:51:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1674.html

