We created a user (pkidbuser) to be able to connect to the database using client certificate authentication.
The problem is that we chose to use the subsystem certificate for this user, rather than creating a new system cert for db interactions. There is, however, another user that has been created for the CA-DS interaction which has the same certificate. This user is in the Trusted Managers group.
So, in this case, when the CA connects to the KRA and presents the subsystem cert, we retrieve the wrong user (pkidbuser, which is not in the Trusted Users group) - and the KRA-CA connector fails.
The simplest solution is to add the pkidbuser to the Trusted Managers group.
Steps to Reproduce:
Install CA/KRA, and attempt archival through an archival-enabled CA profile. If the database returns the pkidbuser rather than the subsystem user, this archival will fail. This may be intermittent, as it depends on the behavior of the database.
I'm not able to reproduce the problem. Here is the test procedure:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin \
    ca-cert-request-review <request ID> --action approve
The enrollment and approval operations generate the following LDAP operations:
[08/Sep/2015:21:34:48 +0200] conn=252 op=122 ADD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=122 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=123 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=123 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=124 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=124 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=125 ADD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=125 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=126 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=126 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:34:48 +0200] conn=252 op=127 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:34:48 +0200] conn=252 op=127 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=129 SRCH base="cn=6,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=129 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=47 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=47 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:46 +0200] conn=254 op=48 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=48 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=49 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com))" attrs="cn description"
[08/Sep/2015:21:35:46 +0200] conn=254 op=49 RESULT err=0 tag=101 nentries=9 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=50 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=50 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=51 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=51 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=130 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=130 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=52 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=52 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=53 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=53 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=252 op=131 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=252 op=131 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=54 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=54 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:46 +0200] conn=254 op=55 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=55 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=56 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:46 +0200] conn=254 op=56 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:46 +0200] conn=254 op=57 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:35:46 +0200] conn=254 op=57 RESULT err=0 tag=101 nentries=14 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:35:47 +0200] conn=242 op=7 SRCH base="uid=CA-vm-182.abc.idm.lab.eng.brq.redhat.com-8443,ou=People,dc=kra,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 SRCH base="cn=Trusted Managers,ou=groups,dc=kra,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=CA-vm-182.abc.idm.lab.eng.brq.redhat.com-8443,ou=people,dc=kra,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:35:47 +0200] conn=242 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:35:47 +0200] conn=242 op=9 SRCH base="ou=Groups,dc=kra,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:35:47 +0200] conn=242 op=9 RESULT err=0 tag=101 nentries=8 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=13 SRCH base="ou=kra,ou=requests,dc=kra,dc=example,dc=com" scope=1 filter="(requestSourceId=CN=Subsystem Certificate,O=EXAMPLE:12)" attrs=ALL
[08/Sep/2015:21:35:48 +0200] conn=240 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[08/Sep/2015:21:35:48 +0200] conn=240 op=14 ADD dn="cn=2,ou=keyRepository,ou=kra,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=14 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=15 ADD dn="cn=2,ou=kra,ou=requests,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=15 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=240 op=16 MOD dn="cn=2,ou=kra,ou=requests,dc=kra,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=240 op=16 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:48 +0200] conn=252 op=133 ADD dn="cn=12,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:35:48 +0200] conn=252 op=133 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:35:49 +0200] conn=252 op=134 MOD dn="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:35:49 +0200] conn=252 op=134 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:35:49 +0200] conn=252 op=135 SRCH base="cn=12,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:35:49 +0200] conn=252 op=135 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:05 +0200] conn=254 op=59 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:36:05 +0200] conn=254 op=59 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:36:05 +0200] conn=254 op=60 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:05 +0200] conn=254 op=60 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:05 +0200] conn=254 op=61 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com))" attrs="cn description"
[08/Sep/2015:21:36:05 +0200] conn=254 op=61 RESULT err=0 tag=101 nentries=9 etime=0
[08/Sep/2015:21:36:06 +0200] conn=254 op=62 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:06 +0200] conn=254 op=62 RESULT err=0 tag=101 nentries=1 etime=1
[08/Sep/2015:21:36:06 +0200] conn=254 op=63 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:06 +0200] conn=254 op=63 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:07 +0200] conn=252 op=136 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:07 +0200] conn=252 op=136 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=65 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=65 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=66 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:08 +0200] conn=254 op=66 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=138 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=252 op=138 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=67 SRCH base="ou=People,dc=ca,dc=example,dc=com" scope=2 filter="(description=2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=67 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[08/Sep/2015:21:36:08 +0200] conn=254 op=68 SRCH base="uid=caadmin,ou=People,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=68 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=69 SRCH base="cn=Certificate Manager Agents,ou=groups,dc=ca,dc=example,dc=com" scope=0 filter="(uniqueMember=uid=caadmin,ou=people,dc=ca,dc=example,dc=com)" attrs="cn"
[08/Sep/2015:21:36:08 +0200] conn=254 op=69 RESULT err=0 tag=101 nentries=1 etime=0
[08/Sep/2015:21:36:08 +0200] conn=254 op=70 SRCH base="ou=Groups,dc=ca,dc=example,dc=com" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=254 op=70 RESULT err=0 tag=101 nentries=14 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=139 ADD dn="cn=13,ou=certificateRepository,ou=ca,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:36:08 +0200] conn=252 op=139 RESULT err=0 tag=105 nentries=0 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=140 MOD dn="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com"
[08/Sep/2015:21:36:08 +0200] conn=252 op=140 RESULT err=0 tag=103 nentries=0 etime=0
[08/Sep/2015:21:36:08 +0200] conn=252 op=141 SRCH base="cn=13,ou=ca,ou=requests,dc=ca,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[08/Sep/2015:21:36:08 +0200] conn=252 op=141 RESULT err=0 tag=101 nentries=1 etime=0
As shown in the logs, the search for the Subsystem Certificate is done correctly within KRA's ou=People subtree:
[08/Sep/2015:21:35:47 +0200] conn=242 op=6 SRCH base="ou=People,dc=kra,dc=example,dc=com" scope=2 filter="(description=2;4;CN=CA Signing Certificate,O=EXAMPLE;CN=Subsystem Certificate,O=EXAMPLE)" attrs=ALL
So it's unclear how the certificate could have been incorrectly mapped to the pkidbuser that only exists in CA's ou=People subtree.
After further investigation, the issue can be reproduced with the following steps:
pki_share_db=False
$ pki -c Secret123 client-init
$ pki ca-cert-find --name "DRM Transport Certificate"
$ pki ca-cert-show <serial number> --output transport.pem
$ pki -c Secret123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review <request ID> --action approve
Actual result: the approval fails (quite consistently) with the following error:
PKIException: Internal Server Error
Expected result: the approval should complete successfully.
See also: http://pki.fedoraproject.org/wiki/PKI_Ticket_1595
Fixed in master: 2c9121efc84c80c60e018911593406fc2e631bc9.
Workaround for existing instances: http://pki.fedoraproject.org/wiki/PKI_Ticket_1595#Short_Term_Solution
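To make the failure mode concrete, here is an added example (not Dogtag's code) that models the description-attribute lookup visible in the LDAP log above and flags the ambiguous cert-to-user mapping behind this ticket; the uids, serial numbers and group contents are constructed for illustration.

```python
# Added example, not Dogtag code: model the cert-to-user lookup seen in the
# LDAP log above. Dogtag stores a user's certificate in the "description"
# attribute as "2;<serial>;<issuer DN>;<subject DN>" and resolves a client
# certificate with an equality search on that value. The uids, serials and
# group membership below are constructed.

def cert_description(serial, issuer_dn, subject_dn):
    """Build the description value that the (description=...) search looks for."""
    return "2;%d;%s;%s" % (serial, issuer_dn, subject_dn)

ISSUER = "CN=CA Signing Certificate,O=EXAMPLE"
SUBSYSTEM = cert_description(4, ISSUER, "CN=Subsystem Certificate,O=EXAMPLE")

# Constructed ou=People entries: the CA's subsystem user and pkidbuser were
# both created with the same subsystem certificate.
USERS = [
    {"uid": "CA-ca.example.com-8443", "description": SUBSYSTEM},
    {"uid": "pkidbuser", "description": SUBSYSTEM},
    {"uid": "caadmin", "description": cert_description(
        6, ISSUER, "CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE")},
]

# Constructed uniqueMember sets, keyed by group cn.
GROUPS = {"Trusted Managers": {"CA-ca.example.com-8443"}}

def find_users_by_cert(users, description):
    """Equivalent of the subtree search: every uid carrying that cert."""
    return [u["uid"] for u in users if u["description"] == description]

def resolve_connector_user(users, groups, description,
                           required_group="Trusted Managers"):
    """Return (status, uids).

    'ambiguous' is this ticket: more than one entry matches, so whichever uid
    the directory returns first decides whether the KRA-CA connector is
    authorized. The second element lists the matching uids that are NOT in
    the required group; an empty list means the workaround (adding every
    matching user to the group) is in place and the mapping is safe.
    """
    members = groups.get(required_group, set())
    matches = find_users_by_cert(users, description)
    if not matches:
        return ("unknown", [])
    if len(matches) > 1:
        return ("ambiguous", [u for u in matches if u not in members])
    uid = matches[0]
    return ("ok" if uid in members else "denied", [uid])
```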
Metadata Update from @vakwetu:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2154
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.