#1527 TPS Enrollment always goes to "ca1"
Closed: Fixed. Opened 8 years ago by rpattath.

TPS Revocation routing fails

Steps to Reproduce:

Create a root CA "pki-ca" on host1
Create a subca "pki-subca1" joining the security domain and certificates issued
by "pki-ca" on host2
Create a subca "pki-subca2" joining the security domain and certificates issued
by "pki-ca" on host3
Create "pki-kra1", "pki-ocsp1", "pki-tks1" and "pki-tps" on host2 whose certs
are issued by "pki-subca1".

tpsclient enrollment is successful and certs are issued by pki-subca1

Import the ca signing cert of pki-subca2 under TPS alias directory. Add the TPS
user that exists under pki-subca1 to pki-subca2

Make the following changes to TPS CS.cfg

target.Subsystem_Connections.list=ca1,tks1,kra1,ca2
tps.connector.ca1.enable=true
tps.connector.ca1.host=ipaqavmd.idmqe.lab.eng.bos.redhat.com
tps.connector.ca1.maxHttpConns=15
tps.connector.ca1.minHttpConns=1
tps.connector.ca1.nickName=tps1subsystemcert
tps.connector.ca1.port=31000
tps.connector.ca1.timeout=30
tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.ca2.enable=true
tps.connector.ca2.host=ibm-hs23-02.rhts.eng.bos.redhat.com
tps.connector.ca2.maxHttpConns=15
tps.connector.ca2.minHttpConns=1
tps.connector.ca2.nickName=tps1subsystemcert
tps.connector.ca2.port=31020
tps.connector.ca2.timeout=30
tps.connector.ca2.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca2.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca2.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca2.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca2.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.ca1.caNickname="PKI SUBCA1 Signing Certificate - redhat"
tps.connector.ca2.caNickname="PKI SUBCA2 Signing Certificate - redhat"

op.enroll.userKey.keyGen.encryption.ca.conn=ca2
op.enroll.userKey.keyGen.signing.ca.conn=ca2

Enroll a token using tpsclient

Actual results:

certs are still issued by pki-subca1

Expected results:

certs must be issued by pki-subca2

Additional info:

I also tried tps.connector.ca1.enable=false but then enrollment is not
successful.

Per CS/DS Meeting of 08/03/2015: 10.3

pushed to master:
commit 74197061be89f650f6bc10f0887ab1c87470272e

commit dc13bd1a2366c71880a59586ebe70f40683afa3c
Author: Christina Fu cfu@redhat.com
Date: Tue May 17 17:57:11 2016 -0700

Ticket #1527 reopened: retrieved wrong ca connector config parameter
This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
   to tokenKey, while enroll resolves to userKey.
   -> now changed to userKey
d. if revocation fails during format, it was forgiving.
   -> now changed so that error is logged in activity log and exception
      thrown and bail out

commit 3b93a22c4ffa6e5e16cfd5c8ec02348c58b78422
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Mon Oct 3 17:02:10 2016 -0700

Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)
This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be enrolled with. This causes a problem when the revocation ca is a different ca.
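As an added example, not Dogtag code and not taken from the ticket, the following Python models the connector selection the configuration in the report and the two commits above are about: per-operation `ca.conn` keys pick the CA connector for enroll and for format, and a revocation is routed to the connector whose `caNickname` matches the certificate's issuer instead of silently going back to the default connector. The CS.cfg excerpt is constructed from the report (hostnames replaced with placeholders, `op.format.userKey.ca.conn` added so that format and the default differ); the "first enabled CA connector is the default" rule, the quote stripping on values and the `wrong_key` switch that reproduces the reopened-ticket symptom are assumptions of this model, not documented TPS behaviour.

```python
"""Illustrative model (added example, not Dogtag/TPS code) of CA-connector
selection for a TPS-style CS.cfg: per-operation ``ca.conn`` keys for enroll
and format, and issuer-based routing for revocation."""
from __future__ import annotations

# Constructed CS.cfg excerpt based on the report. Hostnames are placeholders and
# op.format.userKey.ca.conn is added here so that format and the default differ.
SAMPLE_CFG = """
target.Subsystem_Connections.list=ca1,tks1,kra1,ca2
tps.connector.ca1.enable=true
tps.connector.ca1.host=host2.example.test
tps.connector.ca1.port=31000
tps.connector.ca1.caNickname="PKI SUBCA1 Signing Certificate - redhat"
tps.connector.ca2.enable=true
tps.connector.ca2.host=host3.example.test
tps.connector.ca2.port=31020
tps.connector.ca2.caNickname="PKI SUBCA2 Signing Certificate - redhat"
op.enroll.userKey.keyGen.encryption.ca.conn=ca2
op.enroll.userKey.keyGen.signing.ca.conn=ca2
op.format.userKey.ca.conn=ca2
"""


def parse_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Surrounding double quotes on values are stripped (assumption of this model)."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def ca_connectors(cfg: dict[str, str]) -> list[str]:
    """Enabled connectors from target.Subsystem_Connections.list that carry a
    caNickname, i.e. the CA connectors, in list order."""
    ids = [c.strip() for c in cfg.get("target.Subsystem_Connections.list", "").split(",")]
    return [
        c for c in ids
        if cfg.get(f"tps.connector.{c}.enable") == "true"
        and f"tps.connector.{c}.caNickname" in cfg
    ]


def default_ca(cfg: dict[str, str]) -> str:
    """First enabled CA connector (assumed default; in the report this is ca1)."""
    cas = ca_connectors(cfg)
    if not cas:
        raise LookupError("no enabled CA connector configured")
    return cas[0]


def enroll_ca(cfg: dict[str, str], profile: str, key_type: str) -> str:
    """op.enroll.<profile>.keyGen.<key_type>.ca.conn, else the default CA."""
    return cfg.get(f"op.enroll.{profile}.keyGen.{key_type}.ca.conn", default_ca(cfg))


def format_ca(cfg: dict[str, str], profile: str, *, wrong_key: bool = False) -> str:
    """op.format.<profile>.ca.conn, else the default CA.

    wrong_key=True reproduces the symptom the reopened ticket describes: the
    enroll-style key op.enroll.<profile>.ca.conn is read instead, which is not
    set, so the lookup silently falls back to the default connector."""
    op = "enroll" if wrong_key else "format"
    return cfg.get(f"op.{op}.{profile}.ca.conn", default_ca(cfg))


def revocation_ca(cfg: dict[str, str], issuer_nickname: str) -> str:
    """Route a revocation to the connector whose caNickname matches the
    certificate's issuer. No fallback to the default: a certificate whose issuer
    TPS cannot reach must fail loudly rather than be 'revoked' at the wrong CA."""
    for conn in ca_connectors(cfg):
        if cfg[f"tps.connector.{conn}.caNickname"] == issuer_nickname:
            return conn
    raise LookupError(f"no CA connector configured for issuer {issuer_nickname!r}")


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print("CA connectors:", ca_connectors(cfg))
    print("enroll signing       ->", enroll_ca(cfg, "userKey", "signing"))
    print("format (correct key) ->", format_ca(cfg, "userKey"))
    print("format (wrong key)   ->", format_ca(cfg, "userKey", wrong_key=True))
    print("revoke SUBCA2 cert   ->", revocation_ca(cfg, "PKI SUBCA2 Signing Certificate - redhat"))
```

Running the block shows the two failure modes side by side: with the wrong lookup key, format lands on ca1 even though ca2 is configured, and a revocation for an issuer with no matching `caNickname` raises instead of being sent to the default connector.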

Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.7

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2086

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

