non-CA cli looks for CA in the instance during a request
Steps to Reproduce:
1. Install CA and KRA
2. Import the KRA admin cert in the security database
3.
Actual results:
```
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" kra-group-find
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" kra-group-find
pki-desktop.usersys.redhat.com:/mnt/home/mharmsen[18] cat x
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org kra-group-find
Server URI: http://pki1.example.com:21080
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=8B8FC58EB2540BB6939D2DF41620CDF9
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:24:11 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=12AF5E29953498554C609F4EFE704FFC; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:24:11 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin@example.com
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 991
  Date: Sat, 01 Apr 2017 12:24:11 GMT
com.netscape.certsrv.base.PKIException: Not Found
    at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:417)
    at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:397)
    at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:118)
    at com.netscape.certsrv.group.GroupClient.findGroups(GroupClient.java:45)
    at com.netscape.cmstools.group.GroupFindCLI.execute(GroupFindCLI.java:80)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '21080', '-n', 'PKI KRA Administrator for Example.Org', 'kra-group-find']' returned non-zero exit status 255
```
Expected results:
The operation should be successful
Additional info:
The workaround is to use the -t option with the cli:

```
[root@pki1 certdb]# pki -v -d . -c Secret123 -h pki1.example.com -p 21080 -n "PKI KRA Administrator for Example.Org" -t kra kra-group-find
PKI options: -v -d . -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . -c Secret123 --verbose -h pki1.example.com -p 21080 -n PKI KRA Administrator for Example.Org -t kra kra-group-find
Server URI: http://pki1.example.com:21080/kra
Client security database: /root/multihost_tests/certdb/.
Message format: null
Command: kra-group-find
Initializing security database
Logging into security token
Module: kra
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405; Path=/pki/; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=06D409FFE031D937DF8CBA96A51AD405
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 106
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/login
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/login
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Set-Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209; Path=/kra/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 248
  Date: Sat, 01 Apr 2017 12:27:06 GMT
Account:
 - User ID: kraadmin
 - Full Name: kraadmin
 - Email: kraadmin@example.com
 - Roles: [Administrators, Data Recovery Manager Agents]
Module: group
Module: find
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/admin/groups
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/admin/groups
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Content-Length: 4664
  Date: Sat, 01 Apr 2017 12:27:06 GMT
-----------------
8 entries matched
-----------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Data+Recovery+Manager+Agents

  Group ID: Subsystem Group
  Description: Subsystem Group
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Subsystem+Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Trusted+Managers

  Group ID: Administrators
  Description: People who manage the Certificate System
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Administrators

  Group ID: Auditors
  Description: People who can read the signed audits
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Auditors

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/ClonedSubsystems

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Security+Domain+Administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
  Link: https://pki1.example.com:21443/kra/rest/admin/groups/Enterprise+KRA+Administrators
----------------------------
Number of entries returned 8
----------------------------
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Location: https://pki1.example.com:21443/kra/rest/account/logout
  Content-Length: 0
  Date: Sat, 01 Apr 2017 12:27:06 GMT
HTTP redirect: https://pki1.example.com:21443/kra/rest/account/logout
Client certificate: PKI KRA Administrator for Example.Org
HTTP request: GET /kra/rest/account/logout HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:21443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=4179BB56F153E38B4BF2B7AD5CD17209
  Cookie2: $Version=1
HTTP response: HTTP/1.1 204 No Content
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 19:00:00 EST
  Content-Type: application/xml
  Date: Sat, 01 Apr 2017 12:27:06 GMT
```
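A triage check for the failure shown in this report, as an added example that is not part of the original issue or of Dogtag PKI's own code: it reads `pki -v` output and reports every request whose first path segment names a different subsystem than the command prefix. The sample traces are condensed from the two runs above; the function name `find_misrouted` and the `/pki` exemption are assumptions of this example.

```python
import re

REQUEST_RE = re.compile(r"^HTTP request: ([A-Z]+) (/\S*) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP response: HTTP/\d\.\d (\d{3})")
COMMAND_RE = re.compile(r"^Command: (\S+)")
SUBSYSTEMS = {"ca", "kra", "ocsp", "tks", "tps"}  # Dogtag subsystem names
SHARED = {"pki"}  # assumption: /pki/rest/info is queried for any subsystem

def find_misrouted(trace):
    """Return (method, path, status) for requests sent to the wrong subsystem."""
    expected, pending, findings = None, None, []
    for raw in trace.splitlines():
        line = raw.strip()
        if m := COMMAND_RE.match(line):
            prefix = m.group(1).split("-", 1)[0]
            # Only judge commands that name a subsystem, e.g. kra-group-find.
            expected = prefix if prefix in SUBSYSTEMS else None
        elif m := REQUEST_RE.match(line):
            pending = m.groups()
        elif (m := STATUS_RE.match(line)) and pending:
            method, path = pending
            pending = None
            target = path.split("/")[1]  # "/ca/rest/..." -> "ca"
            if expected and target not in SHARED and target != expected:
                findings.append((method, path, int(m.group(1))))
    return findings

# Constructed samples: request and status lines condensed from the report.
FAILING_TRACE = """\
Command: kra-group-find
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP response: HTTP/1.1 200 OK
HTTP request: GET /kra/rest/account/login HTTP/1.1
HTTP response: HTTP/1.1 302 Found
HTTP request: GET /ca/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 404 Not Found
"""
WORKAROUND_TRACE = """\
Command: kra-group-find
HTTP request: GET /pki/rest/info HTTP/1.1
HTTP response: HTTP/1.1 200 OK
HTTP request: GET /kra/rest/admin/groups HTTP/1.1
HTTP response: HTTP/1.1 302 Found
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("-t kra", WORKAROUND_TRACE)):
        print(name, find_misrouted(trace))
```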
Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1437602

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to QE
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: critical

Fixed in master:
* 1d3216aece7381cbac7b812dfbb969b466b31abe

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.2 (was: 10.4)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2746
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.