Created attachment 516968: Patch to address this issue.
Tested patch on 6.1 system with the CA and tomcat 6. Configured the admin port to be set to "clientAuth=want". Proceeding to this URL with firefox: https://host.com:9445/ca/admin/ca/getDomainXML. The servlet gave results for the case of presenting a valid client auth certificate and the case of not presenting a client auth certificate.
Caveat:
Ade: We had to fix an issue with respect to "sslget" that allowed it to only optionally provide a client cert. This fix was needed to pair up with this fix when doing the TPS and RA wizards. Do you recall that bug number?
Created attachment 516969: Patch to address this issue.
This is the actual patch, the previous one was entered in error.
Checkins:
rhel 6.2 branch:
svn commit -m "Fix Bug# 705107 -- rhcs80 cannot do client auth with pkiconsole (ok with 7.3)"
Enter passphrase for key '/home/jmagne/.ssh/id_rsa':
Sending jss/JSSSocketFactory.java
Transmitting file data .
Committed revision 164.
How To Test:
Perform the testing procedure for the original bug here: https://bugzilla.redhat.com/show_bug.cgi?id=702716
Note that the console is not supported in this context so the web browser based portion of the test should be done.
IPA_v2_RHEL_6_ERRATA_BRANCH:
# cd tomcatjss
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M tomcatjss.spec
A patches
A patches/tomcatjss-client-auth.patch
# svn commit
Adding patches
Adding patches/tomcatjss-client-auth.patch
Sending tomcatjss.spec
Transmitting file data ..
Committed revision 168.
To verify this bz on RHEL6.2, I'm trying to get 'getDomianXML' page for a CA. So, I've got pki-ca configured on a RHEL 6.2
#############################################################
[root@dhcp201-176 ~]# service pki-cad status
pki-ca (pid 32108) is running... [ OK ]
Unsecure Port = http://dhcp201-176.englab.pnq.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://dhcp201-176.englab.pnq.redhat.com:9443/ca/agent/ca
Secure EE Port = https://dhcp201-176.englab.pnq.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://dhcp201-176.englab.pnq.redhat.com:9445/ca/services
EE Client Auth Port = https://dhcp201-176.englab.pnq.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://dhcp201-176.englab.pnq.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: silentdom
URL: https://dhcp201-176.englab.pnq.redhat.com:9445
==========================================================================
[root@dhcp201-176 ~]#
#############################################################
Then I tried to traverse https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomianXML
Result: All I see is a blank page.
Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-176 ~]#
#############################################################
Any hints here?
typo?... getDomainXML
Whoops. That's right, thanks Marc.
Correct URL -- https://dhcp201-176.englab.pnq.redhat.com:9445/ca/admin/ca/getDomainXML
#####################
<XMLResponse><DomainInfo><?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>silentdom</Name><CAList><CA><Host>dhcp201-176.englab.pnq.redhat.com</Host><SecurePort>9444</SecurePort><SecureAgentPort>9443</SecureAgentPort><SecureAdminPort>9445</SecureAdminPort><SecureEEClientAuthPort>9446</SecureEEClientAuthPort><UnSecurePort>9180</UnSecurePort><Clone>FALSE</Clone><SubsystemName>Certificate Authority-ca</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo></DomainInfo><Status>0</Status></XMLResponse>
#####################
Turned to VERIFIED per Comment #11
Version info:
#############################################################
[root@dhcp201-176 ~]# rpm -q pki-ca ; cat /etc/redhat-release ; arch
pki-ca-9.0.3-20.el6.noarch
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
x86_64
[root@dhcp201-176 ~]#
#############################################################
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1674.html