pkispawn CA with HSM - if the config file has pki_client related params the dir is not created and the admin cert p12 file is stored nowhere
Steps to Reproduce:
The inf file used for pkispawn has the following params:
pki_client_dir=/opt/rhqa_pki
pki_client_admin_cert_p12=/opt/rhqa_pki/caadmincert.p12
pki_client_database_dir=/opt/rhqa_pki/rootca/certs_db
pki_client_database_password=Secret123
pki_client_database_purge=True
Actual results:
the client directory is not created and admin cert p12 file is stored nowhere
Expected results:
the client directory should be created and the admin cert p12 file should be stored under it.
Additional info:
I tried removing these params from the inf file. pkispawn stored the admin cert p12 file under the default location /root/.dogtag/<pki-tomcat-inst>. With this configuration the CA ee/admin/agent requests were successful.
The following configuration works fine with soft token:
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_dir=/opt/rhqa_pki
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123
The /opt/rhqa_pki folder is created properly:
$ ls -la /opt/rhqa_pki/
total 24
drwxrwxr-x. 3 root root 4096 Jun 18 20:46 .
drwxr-xr-x. 5 root root 4096 Jun 18 20:45 ..
drwxr-xr-x. 3 root root 4096 Jun 18 20:45 ca
-rw-rw----. 1 root root 1288 Jun 18 20:46 ca_admin.cert
-rw-rw----. 1 root root  935 Jun 18 20:46 ca_admin.cert.der
-rw-------. 1 root root 2634 Jun 18 20:46 ca_admin_cert.p12
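Added example, not code from the ticket or from the Dogtag project: a post-install check that reads a pkispawn .inf, works out where the client directory and the admin PKCS#12 should have landed (the explicit pki_client_* values when set, otherwise the defaults), and reports anything missing or readable beyond the owner. It covers both configurations shown in this report: the HSM case, where the ticket says nothing is created, and the soft-token case, where /opt/rhqa_pki/ca_admin_cert.p12 appears with mode 0600. The fallback paths (/root/.dogtag/<instance>/ca_admin_cert.p12, instance name pki-tomcat) are assumptions taken from the comment and the listing above, not read from pkispawn's own defaults; the mode_of hook exists so the check can be run against a recorded listing instead of the live filesystem.

```python
"""Post-pkispawn check: is the admin PKCS#12 where the .inf says it should be, and is it owner-only?

Added example for this ticket, not Dogtag code. Assumptions are marked below.
"""
import configparser
import os
import stat
import sys
from typing import Callable, Dict, List, Optional

# ASSUMPTION: defaults taken from the comment ("/root/.dogtag/<pki-tomcat-inst>") and the
# soft-token listing (ca_admin_cert.p12) in this ticket, not from pkispawn's default.cfg.
DEFAULT_INSTANCE = "pki-tomcat"
DEFAULT_CLIENT_DIR = "/root/.dogtag/{instance}"
DEFAULT_P12_NAME = "{subsystem}_admin_cert.p12"

ModeOf = Callable[[str], Optional[int]]  # path -> st_mode, or None if the path does not exist


def parse_inf(text: str) -> Dict[str, str]:
    """Flatten the .inf ([DEFAULT] plus every section) into one dict.

    Interpolation is disabled so a '%' inside a password cannot break parsing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    params: Dict[str, str] = dict(cp.defaults())
    for section in cp.sections():
        params.update(cp.items(section))
    return params


def expected_paths(params: Dict[str, str], subsystem: str = "ca") -> Dict[str, str]:
    """Where pkispawn should have put the client dir and admin PKCS#12 for this .inf."""
    instance = params.get("pki_instance_name") or DEFAULT_INSTANCE
    client_dir = params.get("pki_client_dir") or DEFAULT_CLIENT_DIR.format(instance=instance)
    admin_p12 = params.get("pki_client_admin_cert_p12") or os.path.join(
        client_dir, DEFAULT_P12_NAME.format(subsystem=subsystem))
    paths = {"client_dir": client_dir, "admin_p12": admin_p12}
    if params.get("pki_client_database_dir"):
        paths["client_db_dir"] = params["pki_client_database_dir"]
    return paths


def clear_text_secrets(params: Dict[str, str]) -> List[str]:
    """Every *_password key the .inf carries in clear text (the file itself needs protecting)."""
    return sorted(k for k, v in params.items() if k.endswith("_password") and v)


def _os_mode(path: str) -> Optional[int]:
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None


def audit(params: Dict[str, str], subsystem: str = "ca", mode_of: ModeOf = _os_mode) -> List[str]:
    """Return findings about the client artifacts; an empty list means all present and owner-only."""
    findings: List[str] = []
    paths = expected_paths(params, subsystem)

    for key in ("client_dir", "client_db_dir"):
        if key not in paths:
            continue
        mode = mode_of(paths[key])
        if mode is None:
            findings.append(f"{key} missing: {paths[key]}")
        elif not stat.S_ISDIR(mode):
            findings.append(f"{key} is not a directory: {paths[key]}")

    mode = mode_of(paths["admin_p12"])
    if mode is None:
        findings.append(f"admin PKCS#12 missing: {paths['admin_p12']}")
    elif stat.S_IMODE(mode) & 0o077:
        # The .p12 holds the CA admin private key; any group/other access is a finding.
        findings.append(f"admin PKCS#12 readable by group/other "
                        f"({oct(stat.S_IMODE(mode))}): {paths['admin_p12']}")
    return findings


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        cfg = parse_inf(fh.read())
    for line in audit(cfg) or ["OK: client dir and admin PKCS#12 present, owner-only"]:
        print(line)
    if clear_text_secrets(cfg):
        print("note: clear-text secrets in .inf: " + ", ".join(clear_text_secrets(cfg)))
```

Run it as `python3 check_client.py ca.inf` right after pkispawn finishes; on the HSM configuration from this report it prints the two "missing" lines, on the soft-token configuration it prints OK. The trailing note is there because the .inf necessarily carries the token, DS and client database passwords in clear text and should be restricted or removed once the install is done.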
It needs to be retested using HSM. Moving to 10.2.6 per discussion with mharmsen.
Checked into master:
NOTE: This change will need to be removed once the actual problem is fixed.
Downgrading ticket to 'major' 10.2.6.
As I feel that this is not urgent (it has already been noted in the 'pkispawn' man page), and is not as critical as man page/documentation in the 10.2.X lifecycle, I am moving this ticket to 10.3.
This ticket has been marked a duplicate of PKI TRAC Ticket #2313 - Deletion and again creation of client directory by subsystems.
Metadata Update from @mharmsen:
- Issue assigned to mharmsen
- Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1985
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.