Bug 731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Retired
Component: Cloning
Version: 9.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 445047
Reported: 2011-08-18 14:15 UTC by Ade Lee
Modified: 2015-01-04 23:50 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-06-04 20:05:41 UTC


Attachments
patch to fix (1.48 KB, patch)
2011-08-18 18:04 UTC, Ade Lee
cfu: review+

Description Ade Lee 2011-08-18 14:15:58 UTC
Description of problem:

The parameters <type>.cert.<tag>.nickname are supposed to look like: 
token_name: nickname

After cloning, though, they do not have the token_name attached. This is OK for the internal token but not for an HSM. These parameters are used for system cert verification on instance startup, so these tests will fail if not fixed.


Comment 1 Ade Lee 2011-08-18 18:04:31 UTC
Created attachment 518911 [details]
patch to fix

Comment 2 Ade Lee 2011-08-23 02:45:56 UTC
8.1:

[vakwetu@goofy-vm4 base]$ svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2157.

8.2:

svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2158.

tip:

vakwetu@dhcp231-121 pki]$  svn ci -m "Resolves #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm)" base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Transmitting file data .
Committed revision 2159.

Comment 5 Kaleem 2011-09-20 08:36:18 UTC
Verified.

RHEL Version:
[root@nocp5 kaleem]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

RHCS Version:
[root@nocp5 ~]# rpm -qa *pki*|sort
pki-ca-8.1.0-8.el5pki
pki-common-8.1.0-16.el5pki
pki-console-8.1.0-4.el5pki
pki-java-tools-8.1.0-6.el5pki
pki-kra-8.1.0-8.el5pki
pki-native-tools-8.1.0-6.el5pki
pkinit-nss-0.7.6-1.el5
pki-ocsp-8.1.0-7.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-4.el5pki
pki-silent-8.1.0-2.el5pki
pki-util-8.1.0-5.el5pki
redhat-pki-ca-ui-8.1.0-6.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-6.el5pki
redhat-pki-ocsp-ui-8.1.0-5.el5pki
[root@nocp5 ~]#

Steps used to verify:
(1) Create and configure a master CA instance with HSM
(2) Create a clone CA instance with a new DS instance with HSM
(3) Export the certificates with keys of the master CA into the clone CA's directory /var/lib/<instance-name>/alias
  [root@nocp5 kaleem]# PKCS12Export -d /var/lib/pki-ca-sep20/alias/ -p /tmp/internal.pwd -w /tmp/master-ca-crts.pwd -o master-ca-crts.p12


(4) Change the permission of the exported p12 file to pkiuser:pkiuser

[root@nocp5 kaleem]# cp master-ca-crts.p12 /var/lib/pki-cloneca-sep20/alias/.
[root@nocp5 kaleem]# cd /var/lib/pki-cloneca-sep20/alias/
[root@nocp5 alias]# chown pkiuser:pkiuser master-ca-crts.p12 
[root@nocp5 alias]# ls -la
total 140
drwxrwxr-x 2 pkiuser pkiuser  4096 Sep 20 01:34 .
drwxrwxr-x 9 pkiuser pkiuser  4096 Sep 20 01:15 ..
-rw------- 1 pkiuser pkiuser 65536 Sep 20 01:32 cert8.db
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 key3.db
-rw-r--r-- 1 pkiuser pkiuser  5278 Sep 20 01:34 master-ca-crts.p12
-rw------- 1 pkiuser pkiuser 16384 Sep 20 01:14 secmod.db
[root@nocp5 alias]#
(5) Configure the clone CA instance.
(6) Now search the certificate nicknames in the clone CA's CS.cfg for ones prefixed with the HSM name.

Result:
(1) Master CA's CS.cfg

[root@nocp5 conf]# pwd
/var/lib/pki-ca-sep20/conf

[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-ca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20

(2) Clone CA's CS.cfg

[root@nocp5 conf]# pwd
/var/lib/pki-cloneca-sep20/conf

[root@nocp5 conf]# cat CS.cfg |grep NHSM6000-OCS
ca.audit_signing.tokenname=NHSM6000-OCS
ca.cert.audit_signing.nickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
ca.cert.ocsp_signing.nickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-cloneca-sep20
ca.cert.subsystem.nickname=NHSM6000-OCS:subsystemCert cert-pki-ca-sep20
ca.ocsp_signing.newNickname=NHSM6000-OCS:ocspSigningCert cert-pki-ca-sep20
ca.ocsp_signing.tokenname=NHSM6000-OCS
ca.signing.newNickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.signing.tokenname=NHSM6000-OCS
ca.sslserver.tokenname=NHSM6000-OCS
ca.subsystem.tokenname=NHSM6000-OCS
cloning.module.token=NHSM6000-OCS
cms.tokenPasswordList=NHSM6000-OCS
log.instance.SignedAudit.signedAuditCertNickname=NHSM6000-OCS:auditSigningCert cert-pki-ca-sep20
[root@nocp5 conf]#

Here, in the clone CA's CS.cfg, the certificate nicknames are prefixed with the HSM name.
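The check that the description and the verification output above describe, as an added Python example that is not part of this bug's patch or of Dogtag: it parses a CS.cfg fragment and reports every <type>.cert.<tag>.nickname whose value lacks the "tokenname:" prefix declared by the matching <type>.<tag>.tokenname. The two sample configs are constructed, modeled on the NHSM6000-OCS lines above; the set of internal-token names that need no prefix is an assumption.

```python
"""Startup-style check for token-prefixed certificate nicknames in a Dogtag
CS.cfg (added example, not Dogtag code)."""
import re

# Assumption: nicknames on the NSS internal softoken carry no "token:" prefix,
# so these token names are exempt from the check.
INTERNAL_TOKENS = {"", "internal", "Internal Key Storage Token"}

# Matches keys of the form <type>.cert.<tag>.nickname
NICK_RE = re.compile(r"^(?P<type>\w+)\.cert\.(?P<tag>\w+)\.nickname$")


def parse_cs_cfg(text):
    """Parse CS.cfg 'key=value' lines into a dict; blank and '#' lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_nicknames(cfg):
    """Return sorted (param, expected_token, actual_value) tuples for every
    <type>.cert.<tag>.nickname that is not prefixed with the token named by
    <type>.<tag>.tokenname. Internal-token entries are skipped."""
    problems = []
    for key, value in cfg.items():
        m = NICK_RE.match(key)
        if not m:
            continue
        token = cfg.get(f"{m['type']}.{m['tag']}.tokenname", "")
        if token in INTERNAL_TOKENS:
            continue
        if not value.startswith(token + ":"):
            problems.append((key, token, value))
    return sorted(problems)


# Constructed sample: a clone CS.cfg as fixed (prefix present on HSM certs).
GOOD_CLONE_CFG = """
ca.signing.tokenname=NHSM6000-OCS
ca.cert.signing.nickname=NHSM6000-OCS:caSigningCert cert-pki-ca-sep20
ca.sslserver.tokenname=NHSM6000-OCS
ca.cert.sslserver.nickname=NHSM6000-OCS:Server-Cert cert-pki-cloneca-sep20
"""

# Constructed sample: the pre-fix symptom (HSM nickname copied without token),
# plus an internal-token cert that legitimately has no prefix.
BAD_CLONE_CFG = """
ca.signing.tokenname=NHSM6000-OCS
ca.cert.signing.nickname=caSigningCert cert-pki-ca-sep20
ca.subsystem.tokenname=internal
ca.cert.subsystem.nickname=subsystemCert cert-pki-ca-sep20
"""

if __name__ == "__main__":
    for name, cfg_text in (("good", GOOD_CLONE_CFG), ("bad", BAD_CLONE_CFG)):
        for param, token, value in check_nicknames(parse_cs_cfg(cfg_text)):
            print(f"{name}: {param} should start with '{token}:' but is '{value}'")
```

Running this against a real clone's /var/lib/<instance-name>/conf/CS.cfg before the first start would flag exactly the parameters whose missing prefix makes the startup system-cert verification fail.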

