TPS Revocation routing fails
Steps to Reproduce:
1. Create a root CA "pki-ca" on host1.
2. Create a subca "pki-subca1" on host2, joining the security domain, with certificates issued by "pki-ca".
3. Create a subca "pki-subca2" on host3, joining the security domain, with certificates issued by "pki-ca".
4. Create "pki-kra1", "pki-ocsp1", "pki-tks1" and "pki-tps" on host2, whose certs are issued by "pki-subca1".
5. tpsclient enrollment is successful and certs are issued by pki-subca1.
6. Import the CA signing cert of pki-subca2 under the TPS alias directory.
7. Add the TPS user that exists under pki-subca1 to pki-subca2.
8. Make the following changes to TPS CS.cfg:

target.Subsystem_Connections.list=ca1,tks1,kra1,ca2
tps.connector.ca1.enable=true
tps.connector.ca1.host=ipaqavmd.idmqe.lab.eng.bos.redhat.com
tps.connector.ca1.maxHttpConns=15
tps.connector.ca1.minHttpConns=1
tps.connector.ca1.nickName=tps1subsystemcert
tps.connector.ca1.port=31000
tps.connector.ca1.timeout=30
tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.ca2.enable=true
tps.connector.ca2.host=ibm-hs23-02.rhts.eng.bos.redhat.com
tps.connector.ca2.maxHttpConns=15
tps.connector.ca2.minHttpConns=1
tps.connector.ca2.nickName=tps1subsystemcert
tps.connector.ca2.port=31020
tps.connector.ca2.timeout=30
tps.connector.ca2.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca2.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca2.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca2.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca2.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.ca1.caNickname="PKI SUBCA1 Signing Certificate - redhat"
tps.connector.ca2.caNickname="PKI SUBCA2 Signing Certificate - redhat"
op.enroll.userKey.keyGen.encryption.ca.conn=ca2
op.enroll.userKey.keyGen.signing.ca.conn=ca2

9. Enroll a token using tpsclient.
Actual results:
certs are still issued by pki-subca1
Expected results:
certs must be issued by pki-subca2
Additional info:
I also tried tps.connector.ca1.enable=false but then enrollment is not successful.
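The routing problem in this ticket comes down to which CS.cfg key the TPS consults to pick a CA connector. The following is an added illustration, not Dogtag TPS code: it parses the connector properties quoted above and resolves an operation key (such as op.enroll.userKey.keyGen.encryption.ca.conn, or the op.format.userKey.ca.conn key named in the fix commit) to an enabled connector's host, port and URI, returning None when the key or connector is absent or disabled. The resolver's fallback behaviour (none) is an assumption of this example, not a statement about how TPS behaves.

```python
"""Resolve a TPS operation to a CA connector from flat CS.cfg properties.

Added example, not Dogtag TPS code. The CS.cfg excerpt below is the one
quoted in this ticket, trimmed to the keys the lookup needs.
"""
from typing import Dict, Optional

TPS_CS_CFG = """
target.Subsystem_Connections.list=ca1,tks1,kra1,ca2
tps.connector.ca1.enable=true
tps.connector.ca1.host=ipaqavmd.idmqe.lab.eng.bos.redhat.com
tps.connector.ca1.port=31000
tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca2.enable=true
tps.connector.ca2.host=ibm-hs23-02.rhts.eng.bos.redhat.com
tps.connector.ca2.port=31020
tps.connector.ca2.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca2.uri.revoke=/ca/ee/subsystem/ca/doRevoke
op.enroll.userKey.keyGen.encryption.ca.conn=ca2
op.enroll.userKey.keyGen.signing.ca.conn=ca2
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_ca_connector(props: Dict[str, str], op_key: str,
                         uri_name: str) -> Optional[dict]:
    """Return host/port/URI for the connector named by op_key, or None.

    None means: op_key is not set, the connector is not in
    target.Subsystem_Connections.list, or it is not enabled. Hypothetical
    resolver for illustration; no fallback to a default CA is modelled.
    """
    conn_id = props.get(op_key)
    if conn_id is None:
        return None
    listed = props.get("target.Subsystem_Connections.list", "").split(",")
    prefix = f"tps.connector.{conn_id}."
    if conn_id not in listed or props.get(prefix + "enable") != "true":
        return None
    return {"id": conn_id, "host": props[prefix + "host"],
            "port": int(props[prefix + "port"]),
            "uri": props[prefix + "uri." + uri_name]}
```

With the excerpt above, the enrollment keys resolve to ca2 on port 31020, while op.format.userKey.ca.conn is not set and resolves to None, which is the lookup the second fix commit had to correct.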
Per CS/DS Meeting of 08/03/2015: 10.3
pushed to master: commit 74197061be89f650f6bc10f0887ab1c87470272e
commit dc13bd1a2366c71880a59586ebe70f40683afa3c
Author: Christina Fu cfu@redhat.com
Date: Tue May 17 17:57:11 2016 -0700

Ticket #1527 reopened: retrieved wrong ca connector config parameter

This ticket was reopened due to retrieving the wrong ca connector config param for the case when format is done within an enrollment. The following is attempted: op.enroll.userKey.ca.conn while the following is intended: op.format.userKey.ca.conn

In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves to tokenKey, while enroll resolves to userKey. -> now changed to userKey
d. if revocation fails during format, it was forgiving. -> now changed so that the error is logged in the activity log and an exception is thrown and we bail out
commit 3b93a22c4ffa6e5e16cfd5c8ec02348c58b78422
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Mon Oct 3 17:02:10 2016 -0700

Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)

This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrolled with. This causes a problem when the revocation ca is a different ca.
Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.7
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2086
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.