#1507 [RFE] Enable ocsp checking on KRA with CA's secure port shows self test failure
Closed: Fixed. Opened 8 years ago by aakkiang.

I'm trying to enable OCSP checking from the KRA using the CA's secure port when
the subsystems are installed on separate Tomcats. I followed the instructions given
in http://pki.fedoraproject.org/wiki/Certificate_Revocation_Checking , but the
selftests fail during KRA restart.

Steps to Reproduce:

1. Imported "caocspsigningcert" certificate (no private key) from CA's
certificate db to KRA's certificate db and trusted with "C,,".
# certutil -L -d /var/lib/pki/rootkra/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI ROOTCA Signing Cert - redhat                             CT,c,
kra3transportcert                                            u,u,u
Server-Cert cert-pki-RootCA                                  u,u,u
kra3auditsigningcert                                         u,u,Pu
kra3storagecert                                              u,u,u
kra3subsystemcert                                            u,u,u
caocspsigningcert                                            C,,


2. Global OCSP configuration of the KRA instance's server.xml has the following:

<Connector name="Secure" port="30544" protocol="HTTP/1.1" SSLEnabled="true"
           sslProtocol="SSL" scheme="https" secure="true"
           maxHttpHeaderSize="8192"
           acceptCount="100" maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="true"
           ocspResponderURL="https://vm-idm-002.xxx.xxx.xxx.xxx.com:30042/ca/ocsp"
           ocspResponderCertNickname="caocspsigningcert"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10" />

Actual results:

3. Re-starting KRA instance shows selftest failures:
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3transportcert] CIMC certificate verification
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3storagecert] CIMC certificate verification
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-RootCA] CIMC certificate verification
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: wRc5e9z4hn0/5vdvmYhZob3nNC1wUe4pHh7D4jDAuawfVdy1y8g/0F4sSVQr2whJFrLNm9PyBtep7JKQIh2/VzHlhCF6m8cSgdUNGKJQoa+wsGCn6Nu9K/F6Xg6uTqndPx7rBnSIWyOtYa1O/VHvuxajeMj8LS2Ijb8Hzf9rv5VpTX2nxvhQD8JlGsbo2mDydkq3lklAnD15oZObgBLkh/Nmu2+ISPlQbQk0o3bF9jPX5yIuJ674MgMOrGtg7UpbXIACCEKhf8Mpn/hl7YJy7cup+CH23kOrquG6/It1jtWCDhOI4cBDgQvemqmVANkWzztu50hGg6oNJrj+dTogqA==
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3subsystemcert] CIMC certificate verification
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=kra3auditsigningcert] CIMC certificate verification
0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)

Expected results:

Revocation checking should be enabled and kra should start successfully.

Additional info:

When I use ocspResponderURL with CA's unsecure port, KRA restarts successfully
and revocation checking is successful.

Per CS/DS Meeting of 07/27/2015: 10.3 plus release note

Per Bug Triage of 05/05/2016: 10.3.2

NOTE: 10.3.2, cfu - just add a comment in server.xml to state http:// only URLs

Checked in 92cb1fc3271f5928e9ad0db798b67a5761aefdb1, as a trivial one-line fix, which is a comment anyway.
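The resolution above was a comment in server.xml saying that only http:// responder URLs work with the JSS connector. As an added example (not Dogtag's own tooling, and not the checked-in fix), here is a small Python lint that parses a Tomcat server.xml, finds every connector with enableOCSP="true", and flags an ocspResponderURL that is not plain http://, a missing ocspResponderCertNickname, and inconsistent cache or timeout values. The embedded server.xml is constructed from the ticket's connector; the hostname, the unsecure port used in corrected_responder_url, and the function names are assumptions, not values from the ticket.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the ticket's KRA connector; the hostname and
# ports are placeholders, not values from a real deployment.
SAMPLE_SERVER_XML = """<Server port="30545" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Secure" port="30544" protocol="HTTP/1.1" SSLEnabled="true"
               sslProtocol="SSL" scheme="https" secure="true"
               sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
               enableOCSP="true"
               ocspResponderURL="https://ca.example.test:30042/ca/ocsp"
               ocspResponderCertNickname="caocspsigningcert"
               ocspCacheSize="1000"
               ocspMinCacheEntryDuration="60"
               ocspMaxCacheEntryDuration="120"
               ocspTimeout="10" />
  </Service>
</Server>
"""


def check_ocsp_connectors(server_xml):
    """Return a list of (connector name, finding) for every OCSP-enabled connector.

    An empty list means every OCSP-enabled connector passed all checks.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("enableOCSP", "false").lower() != "true":
            continue  # OCSP checking is off on this connector; nothing to lint
        name = conn.get("name") or conn.get("port") or "?"

        url = conn.get("ocspResponderURL", "")
        scheme = urlsplit(url).scheme.lower()
        if not url:
            findings.append((name, "enableOCSP is true but ocspResponderURL is missing"))
        elif scheme != "http":
            # The ticket's resolution: the JSS connector only talks plain HTTP to the responder.
            findings.append((name, f"ocspResponderURL scheme is '{scheme}'; "
                                   "only http:// responder URLs are supported"))

        if not conn.get("ocspResponderCertNickname"):
            # Without the responder's cert in the NSS db the signed OCSP responses cannot be verified.
            findings.append((name, "ocspResponderCertNickname is missing"))

        # Cache bounds and timeout should be integers, with min <= max and timeout > 0.
        try:
            lo = int(conn.get("ocspMinCacheEntryDuration", "0"))
            hi = int(conn.get("ocspMaxCacheEntryDuration", "0"))
            timeout_s = conn.get("ocspTimeout")
            timeout = int(timeout_s) if timeout_s is not None else None
        except ValueError:
            findings.append((name, "ocsp cache durations and ocspTimeout must be integers"))
            continue
        if hi and lo > hi:
            findings.append((name, f"ocspMinCacheEntryDuration ({lo}) exceeds "
                                   f"ocspMaxCacheEntryDuration ({hi})"))
        if timeout is not None and timeout <= 0:
            findings.append((name, "ocspTimeout must be a positive number of seconds"))
    return findings


def corrected_responder_url(url, http_port):
    """Rewrite an https responder URL to the CA's plain-HTTP port, keeping host and path.

    http_port is the CA's unsecure port; the ticket does not give it, so it is a parameter.
    """
    parts = urlsplit(url)
    return f"http://{parts.hostname or ''}:{http_port}{parts.path}"


if __name__ == "__main__":
    for connector, finding in check_ocsp_connectors(SAMPLE_SERVER_XML):
        print(f"connector {connector}: {finding}")
```

Run it against a copy of /var/lib/pki/&lt;instance&gt;/conf/server.xml before restarting the subsystem, so a misconfigured responder URL is caught by the lint rather than by the CIMC_CERT_VERIFICATION selftest failures shown above. Using plain http:// for the responder does not weaken the check: OCSP responses are signed with the responder certificate (the one imported as caocspsigningcert in step 1), and fetching them over TLS would require validating the responder's own server certificate, including its revocation status, before the first query could complete.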

Metadata Update from @aakkiang:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.3

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2066

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
