#2626 non-CA cli looks for CA in the instance during a request
Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

non-CA cli looks for CA in the instance during a request

Steps to Reproduce:

1. Install CA and KRA
2. Import the KRA admin cert in the security database
3.

Actual results:

[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n
"PKI KRA Administrator for Example.Org" kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA
Administrator for Example.Org kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-Djava.ext.dirs=/usr/share/pki/lib
-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties
com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h
pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org
kra-group-find
Server URI: http://pki1.example.com:21080
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:21080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9; Path=/pki/; HttpOnly
Content-Type: application/xml
Content-Length: 106
Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:21080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9
Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 106
Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:21080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: https://pki1.example.com:21443/kra/rest/account/login
Content-Length: 0
Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:21443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate:
CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 19:00:00 EST
Set-Cookie: JSESSIONID=12AF5E29953498554C609F4EFE704FFC; Path=/kra/; Secure;
HttpOnly
Content-Type: application/xml
Content-Length: 248
Date: Sat, 01 Apr 2017 12:24:11 GMT
Account:
- User ID: kraadmin
- Full Name: kraadmin
- Email: kraadmin@example.com
- Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:21080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 991
Date: Sat, 01 Apr 2017 12:24:11 GMT
com.netscape.certsrv.base.PKIException: Not Found
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:417)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:397)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:118)
    at com.netscape.certsrv.group.GroupClient.findGroups(GroupClient.java:45)
    at com.netscape.cmstools.group.GroupFindCLI.execute(GroupFindCLI.java:80)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java',
'-Djava.ext.dirs=/usr/share/pki/lib',
'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties',
'com.netscape.cmstools.cli.MainCLI', '-d', '.', '-c', 'Secret123', '--verbose',
'-h', 'pki1.example.com', '-p', '21080', '-n', 'PKI KRA Administrator for
Example.Org', 'kra-group-find']' returned non-zero exit status 255

Expected results:

The operation should be successful

Additional info:

The workaround is to use the -t option with the CLI:

[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n
"PKI KRA Administrator for Example.Org" -t kra kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA
Administrator for Example.Org -t kra kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-Djava.ext.dirs=/usr/share/pki/lib
-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties
com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h
pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra
kra-group-find
Server URI: http://pki1.example.com:21080/kra
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate:
CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209; Path=/kra/; Secure;
HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:27:06 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin@example.com
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/admin/groups
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/admin/groups
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Content-Length: 4664
  Date: Sat, 01 Apr 2017 12:27:06 GMT
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Data+Recovery+Manager+Agents

  Group ID: Subsystem Group
  Description: Subsystem Group
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Subsystem+Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Trusted+Managers

  Group ID: Administrators
  Description: People who manage the Certificate System
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Administrators

  Group ID: Auditors
  Description: People who can read the signed audits
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Auditors

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/ClonedSubsystems

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Security+Domain+Administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Enterprise+KRA+Administrators
----------------------------
Number of entries returned 8
----------------------------
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/logout
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/logout
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 204 No Content
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Date: Sat, 01 Apr 2017 12:27:06 GMT
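
A trace check for the failure shown above, as an added example (not part of the original report and not Dogtag code): it reads `pki -v` output and lists every request sent to a web application other than the subsystem named by the command prefix. The sample trace is condensed from the report; the subsystem list and the treatment of `/pki` as subsystem-neutral are assumptions.

```python
import re

# Constructed sample, condensed from the verbose trace in the report.
SAMPLE_TRACE = """\
Command: kra-group-find
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP response: HTTP/1.1 200 OK
HTTP request: GET /kra/rest/account/login HTTP/1.1
HTTP response: HTTP/1.1 302 Found
HTTP request: GET /kra/rest/account/login HTTP/1.1
HTTP response: HTTP/1.1 200 OK
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 404 Not Found
"""

SUBSYSTEMS = {"ca", "kra", "ocsp", "tks", "tps"}  # assumption: prefixes to recognise
SHARED_APPS = {"pki"}  # assumption: /pki/rest/info is subsystem-neutral

CMD = re.compile(r"^Command: ([a-z]+)-")
REQ = re.compile(r"^HTTP request: \S+ /([^/\s]+)(/\S*)? HTTP/")
RESP = re.compile(r"^HTTP response: HTTP/\S+ (\d{3})")


def find_subsystem_mismatches(trace):
    """Return (expected_subsystem, request_path, status) for each request
    that went to a web app other than the one the command names."""
    expected = None   # subsystem taken from the "Command:" line
    pending = None    # (app, path) of the request awaiting its response
    findings = []
    for raw in trace.splitlines():
        line = raw.strip()  # header lines may or may not be indented
        if m := CMD.match(line):
            prefix = m.group(1)
            expected = prefix if prefix in SUBSYSTEMS else None
        elif m := REQ.match(line):
            app = m.group(1)
            pending = (app, "/" + app + (m.group(2) or ""))
        elif (m := RESP.match(line)) and pending:
            app, path = pending
            if expected and app != expected and app not in SHARED_APPS:
                findings.append((expected, path, int(m.group(1))))
            pending = None
    return findings


if __name__ == "__main__":
    for expected, path, status in find_subsystem_mismatches(SAMPLE_TRACE):
        print(f"{expected} command sent request to {path} (HTTP {status})")
```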

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1437602

6 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to QE
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: critical

6 years ago

Fixed in master:
* 1d3216aece7381cbac7b812dfbb969b466b31abe

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.2 (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2746

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
