I'm trying to enable OCSP checking from the KRA using the CA's secure port when the subsystems are installed on separate Tomcat instances. I followed the instructions given in http://pki.fedoraproject.org/wiki/Certificate_Revocation_Checking , but the selftests fail during the KRA restart.
Steps to Reproduce:
1. Imported the "caocspsigningcert" certificate (no private key) from the CA's certificate db into the KRA's certificate db and trusted it with "C,,":

   # certutil -L -d /var/lib/pki/rootkra/alias

   Certificate Nickname                          Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

   PKI ROOTCA Signing Cert - redhat              CT,c,
   kra3transportcert                             u,u,u
   Server-Cert cert-pki-RootCA                   u,u,u
   kra3auditsigningcert                          u,u,Pu
   kra3storagecert                               u,u,u
   kra3subsystemcert                             u,u,u
   caocspsigningcert                             C,,

2. The global OCSP configuration in the KRA instance's server.xml has the following:

   <Connector name="Secure" port="30544" protocol="HTTP/1.1" SSLEnabled="true"
       sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192"
       acceptCount="100" maxThreads="150" minSpareThreads="25"
       enableLookups="false" disableUploadTimeout="true"
       sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
       enableOCSP="true"
       ocspResponderURL="https://vm-idm-002.xxx.xxx.xxx.xxx.com:30042/ca/ocsp"
       ocspResponderCertNickname="caocspsigningcert"
       ocspCacheSize="1000" ocspMinCacheEntryDuration="60"
       ocspMaxCacheEntryDuration="120" ocspTimeout="10"
Actual results:
3. Restarting the KRA instance shows selftest failures:

   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3transportcert] CIMC certificate verification
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3storagecert] CIMC certificate verification
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-RootCA] CIMC certificate verification
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=AUDIT_LOG_SIGNING][SubjectID=$System$][Outcome=Success] signature of audit buffer just flushed: sig: wRc5e9z4hn0/5vdvmYhZob3nNC1wUe4pHh7D4jDAuawfVdy1y8g/0F4sSVQr2whJFrLNm9PyBtep7JKQIh2/VzHlhCF6m8cSgdUNGKJQoa+wsGCn6Nu9K/F6Xg6uTqndPx7rBnSIWyOtYa1O/VHvuxajeMj8LS2Ijb8Hzf9rv5VpTX2nxvhQD8JlGsbo2mDydkq3lklAnD15oZObgBLkh/Nmu2+ISPlQbQk0o3bF9jPX5yIuJ674MgMOrGtg7UpbXIACCEKhf8Mpn/hl7YJy7cup+CH23kOrquG6/It1jtWCDhOI4cBDgQvemqmVANkWzztu50hGg6oNJrj+dTogqA==
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=kra3subsystemcert] CIMC certificate verification
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=kra3auditsigningcert] CIMC certificate verification
   0.localhost-startStop-1 - [21/Jul/2015:19:57:31 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
Expected results:
Revocation checking should be enabled and the KRA should start successfully.
Additional info:
When I use an ocspResponderURL with the CA's unsecure port, the KRA restarts successfully and revocation checking is successful.
Per CS/DS Meeting of 07/27/2015: 10.3 plus release note
Per Bug Triage of 05/05/2016: 10.3.2
NOTE: 10.3.2, cfu - just add a comment in server.xml to state http:// only URLs
Checked in 92cb1fc3271f5928e9ad0db798b67a5761aefdb1, as a trivial one-line fix, which is a comment anyway.
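A configuration check for the settings discussed in this ticket, written here as an added example and not taken from the Dogtag project or its tooling. It parses the OCSP-enabled connectors in a PKI server.xml, flags an ocspResponderURL whose scheme is not http:// (the resolution note above documents http:// only URLs), checks that the ocspResponderCertNickname actually exists in the instance's NSS database by reading certutil -L output, and sanity-checks the cache and timeout values. The server.xml fragment and certutil listing embedded below are constructed samples modelled on the ones in the report; the hostname ca.example.test and the port numbers are placeholders.

```python
"""Lint the OCSP settings of JSS connectors in a PKI server.xml.

Added example, not Dogtag's own code. Assumes the connector attribute names
shown in the ticket and the standard `certutil -L` listing format.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed server.xml fragment mirroring the connector in the report
# (hostname and ports are placeholders).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector name="Secure" port="30544" protocol="HTTP/1.1" SSLEnabled="true"
      sslProtocol="SSL" scheme="https" secure="true"
      sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
      enableOCSP="true"
      ocspResponderURL="https://ca.example.test:30042/ca/ocsp"
      ocspResponderCertNickname="caocspsigningcert"
      ocspCacheSize="1000" ocspMinCacheEntryDuration="60"
      ocspMaxCacheEntryDuration="120" ocspTimeout="10"/>
  </Service>
</Server>
"""

# Constructed `certutil -L -d /var/lib/pki/<instance>/alias` output.
CERTUTIL_L = """
Certificate Nickname                               Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

PKI ROOTCA Signing Cert - redhat                   CT,c,
kra3transportcert                                  u,u,u
Server-Cert cert-pki-RootCA                        u,u,u
caocspsigningcert                                  C,,
"""


def parse_certutil_list(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output.

    Nicknames may contain single spaces; the trust column is separated from
    the nickname by two or more spaces, which is what the regex keys on.
    """
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S+)\s*$", line)
        if not m or m.group(1) == "Certificate Nickname":
            continue
        certs[m.group(1)] = m.group(2)
    return certs


def _int_attr(conn, attr, default):
    """Parse an integer connector attribute; None if it is not numeric."""
    try:
        return int(conn.get(attr, default))
    except ValueError:
        return None


def lint_connectors(server_xml, certs):
    """Return (connector name, finding) tuples for OCSP-enabled connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        name = conn.get("name", conn.get("port", "?"))
        if conn.get("enableOCSP", "false").lower() != "true":
            continue  # revocation checking not enabled on this connector

        url = conn.get("ocspResponderURL")
        if not url:
            findings.append((name, "enableOCSP is true but ocspResponderURL is missing"))
        else:
            scheme = urlparse(url).scheme.lower()
            if scheme != "http":
                findings.append((name, f"ocspResponderURL uses {scheme}://; "
                                       "only http:// responder URLs are supported"))

        nick = conn.get("ocspResponderCertNickname")
        if not nick:
            findings.append((name, "ocspResponderCertNickname is missing"))
        elif nick not in certs:
            findings.append((name, f"ocspResponderCertNickname {nick!r} is not in the NSS db"))

        lo = _int_attr(conn, "ocspMinCacheEntryDuration", 0)
        hi = _int_attr(conn, "ocspMaxCacheEntryDuration", 0)
        timeout = _int_attr(conn, "ocspTimeout", 0)
        if lo is None or hi is None or timeout is None:
            findings.append((name, "non-numeric OCSP cache or timeout attribute"))
        else:
            if lo > hi:
                findings.append((name, "ocspMinCacheEntryDuration exceeds ocspMaxCacheEntryDuration"))
            if timeout <= 0:
                findings.append((name, "ocspTimeout must be a positive number of seconds"))
    return findings


if __name__ == "__main__":
    nss_certs = parse_certutil_list(CERTUTIL_L)
    for connector, finding in lint_connectors(SERVER_XML, nss_certs):
        print(f"{connector}: {finding}")
```

Run against the sample, the only finding is the https:// responder URL; rewriting it to the CA's unsecure port, as the reporter did, clears the lint. To check a live instance, read the real server.xml and pipe `certutil -L -d /var/lib/pki/<instance>/alias` into parse_certutil_list instead of the constructed strings.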
Metadata Update from @aakkiang:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.3
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2066
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.