Description of problem:
The parameters <type>.cert.<tag>.nickname are supposed to look like:
token_name: nickname
After cloning, though, they do not have the token_name attached. This is OK for the internal token but not for an HSM. These parameters are used for system cert verification on instance startup, so these tests will fail if not fixed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Created attachment 518911: patch to fix
8.1:
[vakwetu@goofy-vm4 base]$ svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2157.

8.2:
svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2158.

tip:
vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)" base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2159.
Verified.

RHEL Version:
[root@nocp5 kaleem]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

RHCS Version:
[root@nocp5 ~]# rpm -qa *pki*|sort
pki-ca-8.1.0-8.el5pki
pki-common-8.1.0-16.el5pki
pki-console-8.1.0-4.el5pki
pki-java-tools-8.1.0-6.el5pki
pki-kra-8.1.0-8.el5pki
pki-native-tools-8.1.0-6.el5pki
pkinit-nss-0.7.6-1.el5
pki-ocsp-8.1.0-7.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-4.el5pki
pki-silent-8.1.0-2.el5pki
pki-util-8.1.0-5.el5pki
redhat-pki-ca-ui-8.1.0-6.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-6.el5pki
redhat-pki-ocsp-ui-8.1.0-5.el5pki
[root@nocp5 ~]#

Steps used to verify:
(1) Create and configure a master CA instance with HSM.
(2) Create a clone CA instance with a new DS instance with HSM.
(3) Export the certificates with keys of the master CA into the clone CA's directory /var/lib/<instance-name>/alias:
[root@nocp5 kaleem]# PKCS12Export -d /var/lib/pki-ca-sep20/alias/ -p /tmp/internal.pwd -w /tmp/master-ca-crts.pwd -o master-ca-crts.p12
(4) Change permission of the exported p12 file to pkiuser:pkiuser:
[root@nocp5 kaleem]# cp master-ca-crts.p12 /var/lib/pki-cloneca-sep20/alias/.
[root@nocp5 kaleem]# cd /var/lib/pki-cloneca-sep20/alias/
[root@nocp5 alias]# chown pkiuser:pkiuser master-ca-crts.p12
[root@nocp5 alias]# ls -la
total 140
drwxrwxr-x 2 pkiuser pkiuser  4096 Sep 20 01:34 .
drwxrwxr-x 9 pkiuser pkiuser  4096 Sep 20 01:15 ..
-rw------- 1 pkiuser pkiuser 65536 Sep 20 01:32 cert8.db
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 key3.db
-rw-r--r-- 1 pkiuser pkiuser  5278 Sep 20 01:34 master-ca-crts.p12
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 secmod.db
[root@nocp5 alias]#
(5) Configure the clone CA instance.
(6) Now search the certificate nicknames in the clone CA's CS.cfg for the HSM name prefix.

Result:
(1) Master CA's CS.cfg
[root@nocp5 conf]# pwd
/var/lib/pki-ca-sep20/conf
[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-ca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20

(2) Clone CA's CS.cfg
[root@nocp5 conf]# pwd
/var/lib/pki-cloneca-sep20/conf
[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-cloneca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
[root@nocp5 conf]#

Here in the clone CA's CS.cfg the certificate nicknames are prefixed with the HSM name.
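A scripted form of the check behind the description and verification step (6), added here as an example (it is not code from the bug report or from the pki project): it parses a CS.cfg and reports every <type>.cert.<tag>.nickname whose token, taken from the matching <type>.<tag>.tokenname, is an HSM rather than the internal softoken but whose nickname lacks the token_name: prefix that startup verification expects. The internal-token spellings and the sample CS.cfg fragment are assumptions constructed for the example.

```python
import re

# Token names assumed to denote the NSS internal softoken; a bare nickname
# is correct there (assumed spellings, not taken from the bug report).
INTERNAL_TOKENS = {"", "internal", "Internal Key Storage Token"}

# Matches <type>.cert.<tag>.nickname, e.g. ca.cert.signing.nickname
NICKNAME_KEY = re.compile(r"^(?P<sub>[a-z]+)\.cert\.(?P<tag>[A-Za-z_]+)\.nickname$")


def parse_cs_cfg(text):
    """Parse CS.cfg 'key=value' lines; values may contain spaces and colons."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def find_unprefixed_nicknames(cfg):
    """Return (key, tokenname, nickname) for every HSM-backed system cert whose
    nickname lacks the 'tokenname:' prefix required for startup cert verification."""
    problems = []
    for key, nickname in cfg.items():
        m = NICKNAME_KEY.match(key)
        if not m:
            continue
        token = cfg.get(f"{m['sub']}.{m['tag']}.tokenname", "")
        if token in INTERNAL_TOKENS:
            continue  # internal token: no prefix expected
        if not nickname.startswith(token + ":"):
            problems.append((key, token, nickname))
    return problems


# Constructed clone-CA fragment modelled on the bug: ocsp_signing lost its prefix,
# while the sslserver cert (on the internal token here) is correctly bare.
SAMPLE_CS_CFG = """
ca.signing.tokenname=NHSM6000-OCS
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.cert.ocsp_signing.nickname=ocspSigningCert cert-pki-ca-sep20
ca.sslserver.tokenname=Internal Key Storage Token
ca.cert.sslserver.nickname=Server-Cert cert-pki-cloneca-sep20
"""

if __name__ == "__main__":
    for key, token, nick in find_unprefixed_nicknames(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(f"{key}: expected '{token}:' prefix, found '{nick}'")
```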