CA/KRA failover during TPS Key recovery with externalReg enabled fails
Steps to Reproduce:
1. TPS connector and externalReg configuration:

tps.connector.ca1.enable=true
tps.connector.ca1.host=qe-blade-08.idmqe.lab.eng.bos.redhat.com
tps.connector.ca1.maxHttpConns=15
tps.connector.ca1.minHttpConns=1
tps.connector.ca1.nickName=subsystemCert cert-pki-tps
tps.connector.ca1.port=8443
tps.connector.ca1.timeout=30
tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.ca3.enable=true
tps.connector.ca3.host=cloud-qe-15.idmqe.lab.eng.bos.redhat.com
tps.connector.ca3.maxHttpConns=15
tps.connector.ca3.minHttpConns=1
tps.connector.ca3.nickName=subsystemCert cert-pki-tps
tps.connector.ca3.port=8443
tps.connector.ca3.timeout=30
tps.connector.ca3.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca3.uri.getcert=/ca/ee/ca/displayBySerial
tps.connector.ca3.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca3.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca3.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
tps.connector.kra1.enable=true
tps.connector.kra1.host=qe-blade-08.idmqe.lab.eng.bos.redhat.com
tps.connector.kra1.maxHttpConns=15
tps.connector.kra1.minHttpConns=1
tps.connector.kra1.nickName=subsystemCert cert-pki-tps
tps.connector.kra1.port=21443
tps.connector.kra1.timeout=30
tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
tps.connector.kra2.enable=true
tps.connector.kra2.host=cloud-qe-15.idmqe.lab.eng.bos.redhat.com
tps.connector.kra2.maxHttpConns=15
tps.connector.kra2.minHttpConns=1
tps.connector.kra2.nickName=subsystemCert cert-pki-tps
tps.connector.kra2.port=21443
tps.connector.kra2.timeout=30
tps.connector.kra2.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
tps.connector.kra2.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
op.enroll.externalRegAddToToken.keyGen.encryption.ca.conn=ca3
op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra2
externalReg.allowRecoverInvalidCert.enable=true
externalReg.authId=ldap1
externalReg.default.tokenType=externalRegAddToToken
externalReg.delegation.enable=false
externalReg.enable=true
externalReg.format.loginRequest.enable=true
externalReg.mappingResolver=keySetMappingResolver

2. Shut down ca1 and kra1.
3. ca3 and kra2 are clones of ca1 and kra1 respectively.
4. Enroll a token with a user with the externalReg token type.
Actual results:
Key recovery fails
Expected results:
Key recovery operation should failover to the clone CA/KRA
Additional info:
userKey enrollment is successful in the same environment. Log messages are attached to the associated bug.
Per PKI Bug Council of 10/18/2016: 10.3
cfu to investigate
Christina Fu 2016-10-20 14:21:38 EDT
I just realized something. In case of externalReg, it goes to the ca specified in the user record, and kra too. Make sure those are set up correctly.
Roshni 2016-10-20 15:03:01 EDT
After I made changes specified above, I do not see this issue.
Closing ticket as WORKSFORME.
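As the comments above explain, with externalReg enabled the TPS talks to the CA and KRA named in the user's record rather than the connector set on the profile, so a user record that still points at ca1/kra1 gets no failover to the clones. The following is an added example, not code from the Dogtag PKI project, that parses the connector properties from this ticket and resolves and checks the effective connectors; the 'ca'/'kra' keys of the user record are this example's own assumption.

```python
# Added example, not Dogtag PKI code: parse TPS connector properties and
# work out which CA/KRA an externalReg enrollment will use, then check it.

# Constructed sample, reduced from the connector lines in this ticket.
SAMPLE_CFG = """
tps.connector.ca1.enable=true
tps.connector.ca1.nickName=subsystemCert cert-pki-tps
tps.connector.ca3.enable=true
tps.connector.ca3.host=cloud-qe-15.idmqe.lab.eng.bos.redhat.com
tps.connector.kra1.enable=true
tps.connector.kra2.enable=true
op.enroll.externalRegAddToToken.keyGen.encryption.ca.conn=ca3
op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra2
externalReg.enable=true
"""

def parse_cfg(text):
    """key=value per line; the value itself may contain spaces (nickName)."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def connectors(props):
    """Group tps.connector.<id>.<attr> into {id: {attr: value}}."""
    conns = {}
    for key, value in props.items():
        parts = key.split(".")
        if parts[:2] == ["tps", "connector"] and len(parts) > 3:
            conns.setdefault(parts[2], {})[".".join(parts[3:])] = value
    return conns

def resolve_connectors(props, user_record, profile="externalRegAddToToken"):
    """Effective (ca, kra) ids: with externalReg enabled the CA/KRA named in
    the user record win; the 'ca'/'kra' keys here are an assumption."""
    base = f"op.enroll.{profile}.keyGen.encryption"
    ca = props.get(f"{base}.ca.conn")
    kra = props.get(f"{base}.serverKeygen.drm.conn")
    if props.get("externalReg.enable") == "true":
        ca, kra = user_record.get("ca") or ca, user_record.get("kra") or kra
    return ca, kra

def check_connectors(props, ids, down=()):
    """Problems for connector ids that are undefined, disabled or known down."""
    conns, problems = connectors(props), []
    for cid in ids:
        if cid not in conns:
            problems.append(f"{cid}: not defined in TPS config")
        elif conns[cid].get("enable") != "true":
            problems.append(f"{cid}: enable is not true")
        elif cid in down:
            problems.append(f"{cid}: instance is down; externalReg does not fail over")
    return problems
```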
Metadata Update from @rpattath: - Issue set to the milestone: 10.3.6
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: worksforme (was: Invalid)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2637
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.