pkidestroy does not work with nuxwdog
Steps to Reproduce:
1. pkispawn CA
2. Enable nuxwdog as follows
   cms.tokenList=<TOKEN_NAME>
   # pki-server nuxwdog-enable
   ---------------------------
   Nuxwdog enabled for system.
   systemctl start pki-tomcatd-nuxwdog@<pki-ca>.service
3. pkidestroy -s CA -i <pki-ca>
Actual results:
pkidestroy is successful but seeing the following
[root@nocp1 ~]# ps -aef | grep pki-ca-
root 2689 28144 0 10:51 pts/0 00:00:00 grep --color=auto pki-ca-
dirsrv 17917 1 0 Oct04 ? 00:03:12 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-pki-ca-Oct5-LDAP -i /var/run/dirsrv/slapd-pki-ca-Oct5-LDAP.pid
root 18391 1 0 Oct04 ? 00:00:00 /bin/nuxwdog -f /etc/pki/pki-ca-Oct5/nuxwdog.conf
root 18392 18391 0 Oct04 ? 00:01:31 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-ca-Oct5 -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-ca-Oct5/temp -Djava.util.logging.config.file=/var/lib/pki/pki-ca-Oct5/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-ca-Oct5/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
Expected results:
pkidestroy should kill the related processes and clean up the security domain
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1498957
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mharmsen: - Issue priority set to: blocker - Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mharmsen: - Issue assigned to mharmsen
https://review.gerrithub.io/393423 Fix various PEP8 and pylint issues
https://review.gerrithub.io/393424 Modified systemd invocations in pkispawn to handle nuxwdog
https://review.gerrithub.io/393425 Allow prompting for token passwords if not present
master:
commit 7ef597aae0a78bc2542f9cb8c5f4b1ba0e9a5cfb
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 14:52:32 2018 -0500

    Allow prompting for token passwords if not present

    Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff

commit 6e4a1050879df712f93a8103e3f4a25fc9450765
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 13:38:40 2018 -0500

    Modified systemd invocations in pkispawn to handle nuxwdog

    The systemd invocations in pkispawn/pkidestroy did not account for
    nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to
    use the right service name if the nuxwdog service unit files exist.

    Also modified instance_layout deployment script to delete the right
    systemd link.

    Change-Id: I25eac0555aad022784d7728913ae4a335eab3463

commit d7269edbe3ec8dbe344343d74f1003a0207eb85a
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 13:24:23 2018 -0500

    Fix various PEP8 and pylint issues

    Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7
10.5 branch (upstream):100:
commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 14:52:32 2018 -0500

commit c7c907c07599ef1d9b52638c25153f7bd82de999
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 13:38:40 2018 -0500

commit e9b5fc7ef000abfd2cbdd6be6bfd4b2d015816a2
Author: Ade Lee <alee@redhat.com>
Date: Tue Jan 2 13:24:23 2018 -0500
Metadata Update from @vakwetu: - Issue assigned to vakwetu (was: mharmsen)
Metadata Update from @vakwetu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
As a note here, here are the expected results:
pkidestroy will attempt to read the password for the token containing the subsystem cert from the password.conf file. If that file is not present, or the password is not present in that file, it will prompt for the password.
pkidestroy will then use the subsystem cert as a credential to remove the entry from the security domain.
pkidestroy may then restart the service. This will result in nuxwdog prompting for the required passwords.
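The lookup order in the comment above (password.conf first, prompt as fallback) and the unit-name choice from the commit message, as an added example that is not Dogtag's own code. The function names, the key=value layout read from password.conf, the `pki-tomcatd@` unit name and the directory checked for the nuxwdog unit link are assumptions.

```python
import getpass
import os
import tempfile


def service_unit(instance, wants_dir):
    """Use the nuxwdog unit name when its unit link exists for this instance."""
    nuxwdog = "pki-tomcatd-nuxwdog@%s.service" % instance
    if os.path.lexists(os.path.join(wants_dir, nuxwdog)):
        return nuxwdog
    return "pki-tomcatd@%s.service" % instance  # assumed non-nuxwdog unit name


def token_password(password_conf, token, prompt=getpass.getpass):
    """Read the token's password from password.conf; prompt if it is absent."""
    try:
        with open(password_conf) as conf:
            for line in conf:
                key, sep, value = line.strip().partition("=")
                if sep and key.strip() == token and value:
                    return value
    except FileNotFoundError:
        pass  # file not present: fall through to the prompt
    return prompt("Password for token %s: " % token)


def demo():
    """Constructed instance layout in a temp dir; nothing on the host is touched."""
    with tempfile.TemporaryDirectory() as root:
        wants = os.path.join(root, "wants")
        os.mkdir(wants)
        plain = service_unit("pki-ca", wants)
        # Constructed stand-in for the unit link present on a nuxwdog instance.
        open(os.path.join(wants, "pki-tomcatd-nuxwdog@pki-ca.service"), "w").close()
        watched = service_unit("pki-ca", wants)

        conf = os.path.join(root, "password.conf")
        asked = []

        def fake_prompt(text):  # stands in for an interactive getpass prompt
            asked.append(text)
            return "typed-secret"

        missing = token_password(conf, "internal", fake_prompt)
        with open(conf, "w") as f:  # constructed sample entries
            f.write("internaldb=constructed-ds-pw\ninternal=constructed-nss-pw\n")
        found = token_password(conf, "internal", fake_prompt)
        return plain, watched, missing, found, len(asked)


if __name__ == "__main__":
    print(demo())
```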
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.4 (was: 10.5)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.4-1.fc27
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.5.4) - Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen: - Issue assigned to jmagne (was: vakwetu)
Metadata Update from @mharmsen: - Issue priority set to: critical (was: blocker)
This issue is highly confusing --- the associated bug has been closed, and there are no notes on why this ticket was re-opened?
Marking Per 10.5.x/10.6 Triage: 10.5.x for now
Metadata Update from @mharmsen: - Issue priority set to: major (was: critical)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2955
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)