#1595 CA fails to authenticate to KRA for archival
Closed: Fixed None Opened 8 years ago by vakwetu.

We created a user (pkidbuser) to be
able to connect to the database using client certificate
authentication.

The problem is that we chose to use the subsystem certificate for this
user, rather than creating a new system cert for db interactions.
There is, however, another user that has been created for the CA-DS
interaction which has the same certificate. This user is in the
trusted manager's group.

So, in this case, when the CA connects to the KRA and presents the
subsystem cert, we retrieve the wrong user (pkidbuser, which is not in
the Trusted Users group) - and the KRA-CA connector fails.

The simplest solution is to add the pkidbuser to the Trusted Managers
group.

Steps to Reproduce:

Install CA/KRA, and attempt archival through an archival-enabled CA profile.
If the database returns the pkidbuser rather than the subsystem user, this
archival will fail.  May be intermittent as it depends on the behavior of the
database.

I'm not able to reproduce the problem. Here is the test procedure:

  • Install CA and KRA in a shared instance
  • Using Firefox 34 submit an enrollment request with caDualCert profile
  • Approve the two new requests with the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin \
  ca-cert-request-review <request ID> --action approve

The enrollment and approval operations generate the following LDAP operations:

[08/Sep/2015:21:34:48 +0200] conn=252 op=122 ADD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=122 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=123 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=123 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=124 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=124 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=125 ADD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=125 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=126 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=126 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=127 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=127 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=129 SRCH base="cn=6,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=129 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=47 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=47 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:46 +0200] conn=254 op=48 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=48 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=49 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com))" attrs="cn description"
[08/Sep/2015:21:35:46 +0200] conn=254 op=49 RESULT err=0 tag=101 nentries=9 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=50 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=50 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=51 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=51 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=130 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=130 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=52 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=52 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=53 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=53 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=131 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=131 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=54 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=54 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:46 +0200] conn=254 op=55 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=55 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=56 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=56 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=57 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=57 RESULT err=0 tag=101 nentries=14 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:47 +0200] conn=242 op=7 SRCH base="uid=CA-vm-182.abc.idm.lab.eng.brq.redhat.com-8443,ou=People,dc=kra,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 SRCH base="cn=Trusted Managers,ou=groups,dc=kra,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=CA-vm-182.abc.idm.lab.eng.brq.redhat.com-8443,ou=people,dc=kra,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=9 SRCH base="ou=Groups,dc=kra,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=9 RESULT err=0 tag=101 nentries=8 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=13 SRCH base="ou=kra,ou=requests,dc=kra,dc=example,dc=com" scope=1 filter="(requestSourceId=CN=Subsystem Certificate,O=EXAMPLE:12)" attrs=ALL
[08/Sep/2015:21:35:48 +0200] conn=240 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[08/Sep/2015:21:35:48 +0200] conn=240 op=14 ADD dn="cn=2,ou=keyRepository,ou=kra,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=14 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=15 ADD dn="cn=2,ou=kra,ou=requests,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=15 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=16 MOD dn="cn=2,ou=kra,ou=requests,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=16 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=252 op=133 ADD dn="cn=12,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=252 op=133 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:49 +0200] conn=252 op=134 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:35:49 +0200] conn=252 op=134 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:49 +0200] conn=252 op=135 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:49 +0200] conn=252 op=135 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:05 +0200] conn=254 op=59 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:36:05 +0200] conn=254 op=59 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:36:05 +0200] conn=254 op=60 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:05 +0200] conn=254 op=60 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:05 +0200] conn=254 op=61 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com))" attrs="cn description"
[08/Sep/2015:21:36:05 +0200] conn=254 op=61 RESULT err=0 tag=101 nentries=9 etime=0
[08/Sep/2015:21:36:06 +0200] conn=254 op=62 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:06 +0200] conn=254 op=62 RESULT err=0 tag=101 nentries=1 etime=1
[08/Sep/2015:21:36:06 +0200] conn=254 op=63 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:06 +0200] conn=254 op=63 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:07 +0200] conn=252 op=136 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:07 +0200] conn=252 op=136 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=65 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=65 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=66 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:08 +0200] conn=254 op=66 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=138 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=252 op=138 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=67 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=67 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:36:08 +0200] conn=254 op=68 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=68 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=69 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:08 +0200] conn=254 op=69 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=70 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=70 RESULT err=0 tag=101 nentries=14 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=139 ADD dn="cn=13,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:36:08 +0200] conn=252 op=139 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=140 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:36:08 +0200] conn=252 op=140 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=141 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=252 op=141 RESULT err=0 tag=101 nentries=1 etime=0

As shown in the logs, the search for the Subsystem Certificate is done correctly within KRA's ou=People subtree:

[08/Sep/2015:21:35:47 +0200] conn=242 op=6 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL

So it's unclear how the certificate could have been incorrectly mapped to the pkidbuser that only exists in CA's ou=People subtree.

After further investigation, the issue can be reproduced with the following steps:

  • Install CA and KRA on separate databases by adding the following deployment parameter:
pki_share_db=False
  • Request a certificate with key archival:
$ pki -c Secret123 client-init
$ pki ca-cert-find --name "DRM Transport Certificate"
$ pki ca-cert-show <serial number> --output transport.pem
$ pki -c Secret123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
  • Approve the request:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review <request ID> --action approve

Actual result: the approval fails (quite consistently) with the following error:

PKIException: Internal Server Error

Expected result: the approval should complete successfully.

See also: http://pki.fedoraproject.org/wiki/PKI_Ticket_1595

Fixed in master: 2c9121efc84c80c60e018911593406fc2e631bc9.

Workaround for existing instances: http://pki.fedoraproject.org/wiki/PKI_Ticket_1595#Short_Term_Solution
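Detection logic for the failure described in this ticket, added here as an example and not part of the ticket or of Dogtag's own code: it walks 389-DS access-log lines in the format quoted above, pairs each client-certificate-to-user mapping search (the filter on the description attribute under ou=People) with the Trusted Managers membership check that follows on the same connection, and reports mappings whose resolved uid was not in the group. The embedded sample is constructed: it reuses the successful KRA lookup from the log (conn=242) and adds a made-up failing sequence (conn=243) in which the same subsystem certificate resolves to pkidbuser.

```python
import re

# Regexes for the 389-DS access-log format quoted in the ticket.
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (.*)$')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'RESULT err=\d+ tag=\d+ nentries=(\d+)')
MEMBER_RE = re.compile(r'\(uniqueMember=uid=([^,]+),', re.IGNORECASE)

def audit_cert_auth(lines, group_cn="Trusted Managers"):
    """Pair each cert-to-user mapping search (filter on 'description' under
    ou=People) with the next group check on the same connection; record the
    cert, the uid it resolved to and whether that uid was in group_cn."""
    pending, state, findings = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        s = SRCH_RE.match(rest)
        if s:
            pending[(conn, op)] = s.groups()   # answered by a later RESULT line
            continue
        r = RESULT_RE.match(rest)
        if not r or (conn, op) not in pending:
            continue
        base, flt = pending.pop((conn, op))
        if flt.startswith('(description=') and base.lower().startswith('ou=people,'):
            state[conn] = flt[len('(description='):-1]   # cert description searched
        elif conn in state and base.lower().startswith(f'cn={group_cn.lower()},'):
            member = MEMBER_RE.search(flt)
            findings.append({'conn': conn, 'cert': state.pop(conn),
                             'user': member.group(1) if member else None,
                             'group_ok': int(r.group(1)) > 0})   # nentries=0 means not a member
    return findings

# Constructed sample: conn=242 is the successful KRA lookup from the ticket; conn=243 is made up.
SAMPLE_LOG = """\
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 SRCH base="cn=Trusted Managers,ou=groups,dc=kra,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=CA-vm-182.abc.idm.lab.eng.brq.redhat.com-8443,ou=people,dc=kra,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:40:00 +0200] conn=243 op=3 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:40:00 +0200] conn=243 op=3 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:40:00 +0200] conn=243 op=5 SRCH base="cn=Trusted Managers,ou=groups,dc=kra,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=pkidbuser,ou=people,dc=kra,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:40:00 +0200] conn=243 op=5 RESULT err=0 tag=101 nentries=0 etime=0
"""

def rejected_mappings(log_text=SAMPLE_LOG):
    """Return the cert mappings whose resolved uid failed the group check."""
    return [f for f in audit_cert_auth(log_text.splitlines()) if not f['group_ok']]
```

Run against a live access log, a non-empty result from rejected_mappings() is the signature of this ticket: the connector's certificate was accepted by TLS but mapped to a uid outside Trusted Managers.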

Metadata Update from @vakwetu:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2154

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
