Pki ocsp server generates following error messages in debug log when 2 step installation is followed for FIPS mode.
Steps to Reproduce:
1.Install CA subsystem in FIPS mode using Thales hsm. 2 Install ocsp following the 2 step install process using Thales hsm. 3. pkispwn reports success for both installation steps. 4. # certutil -L -d /var/lib/pki/pki-rootOCSP-aakkiang/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Directory Server CA certificate CT,C,C auditSigningCert cert-pki-rootOCSP-aakkiang OCSP ,,P # certutil -L -d /var/lib/pki/pki-rootOCSP-aakkiang/alias/ -h NHSM6000-OCS | grep pki-rootOCSP-aakkiang Enter Password or Pin for "NHSM6000-OCS": NHSM6000-OCS:ocspSigningCert cert-pki-rootOCSP-aakkiang OCSP u,u,u NHSM6000-OCS:Server-Cert cert-pki-rootOCSP-aakkiang u,u,u NHSM6000-OCS:subsystemCert cert-pki-rootOCSP-aakkiang u,u,u NHSM6000-OCS:auditSigningCert cert-pki-rootOCSP-aakkiang OCSP u,u,Pu
Actual results:
pkidaemon status for ocsp process is shown like this (notice <ocsp request blob>): Status for pki-rootOCSP-aakkiang: pki-rootOCSP-aakkiang is running .. [OCSP Status Definitions] Unsecure URL = http://csqa1.idm.lab.eng.rdu.redhat.com:32044/ocsp/ee/ocsp/<ocsp request blob> Secure Agent URL = https://csqa1.idm.lab.eng.rdu.redhat.com:32042/ocsp/agent/ocsp Secure EE URL = https://csqa1.idm.lab.eng.rdu.redhat.com:32042/ocsp/ee/ocsp/<ocsp request blob> Secure Admin URL = https://csqa1.idm.lab.eng.rdu.redhat.com:32042/ocsp/services PKI Console Command = pkiconsole https://csqa1.idm.lab.eng.rdu.redhat.com:32042/ocsp Tomcat Port = 32005 (for shutdown) [OCSP Configuration Definitions] PKI Instance Name: pki-rootOCSP-aakkiang PKI Subsystem Type: OCSP Registered PKI Security Domain Information: ========================================================================== Name: Example-Test-aakkiang URL: https://csqa1.idm.lab.eng.rdu.redhat.com:18443 ========================================================================== Debug log shows these messages: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-rootOCSP-aakkiang CMSEngine: cert not found:auditSigningCert cert-pki-rootOCSP-aakkiang
Expected results:
auditSigningCert should be detected.
Per PKI Bug Council of 11/10/2016: 10.4 - major
Metadata Update from @aakkiang: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None - Issue set to the milestone: 10.4 (was: UNTRIAGED)
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Issue set to the milestone: FUTURE (was: 10.4)
Metadata Update from @mharmsen: - Issue priority set to: minor (was: major)
Per 10.5.x/10.6 Triage: FUTURE
RHBZ: CLOSED UPSTREAM
alee: debug log cleanup
Metadata Update from @mharmsen: - Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1392636)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2659
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.