Ticket was cloned from Red Hat Bugzilla (product Red Hat Certificate System): Bug 961552
Description of problem:
When using pkisilent or the web based configuration wizard, any string can be provided for the SSL server cert subject DNs, like in the ca_server_cert-subject option of a CA instance. A CA instance can be configured and started successfully with what seems like a possibly invalid subject DN. Incorrect example that is accepted by the CA:

Subject: "CN=example root ca8 ca1.example.com,OU=pki,DC=example,DC=com"

And this becomes a problem when it comes to creating other subsystems, like a TKS. The configuration wizard of a TKS instance will use the CA's SSL server certificate, and fail with an SSL error like this:

[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

This configuration failure of a TKS is not obvious at all if that small TKS debug log entry is missed in the large log file.

Using a "correct" SSL server cert subject DN works fine, like for example with:

Subject: "CN=ca1.example.com,OU=pki-ca8,O=Example Domain ca8"

If subsystem configuration can fail on an SSL server cert subject DN, then the pkisilent configuration tool and the web wizard should make sure the subject DN of the SSL server certificates for the subsystems is valid, with a fully qualified domain name of a server hostname as the value of the cn attribute, like in http://www.ietf.org/rfc/rfc2377.txt 5.2.5 Server and Server Application Schema, where it says:

" ...some context snipped... the server's subject DN for the SSL server certificate should be cn=host.acme.com, dc=host, dc=acme, dc=com and the server's certificate should be stored in a directory entry with this name. "

Version-Release number of selected component (if applicable):
8.1

How reproducible:
always

Steps to Reproduce:
1. pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ca8 -subsystem_type=ca -agent_secure_port=8443 -ee_secure_port=8444 -ee_secure_client_auth_port=8446 -admin_secure_port=8445 -unsecure_port=8180 -tomcat_server_port=8701 -redirect conf=/etc/pki-ca8 -redirect logs=/var/log/pki-ca8
2. configure the CA with an incorrect SSL server cert subject DN like CN=example root ca8 ca1.example.com,OU=pki,DC=example,DC=com
3. create a TKS:
pkicreate -pki_instance_root=/var/lib \
 -pki_instance_name=pki-tks8 \
 -subsystem_type=tks \
 -agent_secure_port=13843 \
 -ee_secure_port=13844 \
 -admin_secure_port=13845 \
 -unsecure_port=13880 \
 -tomcat_server_port=13801 \
 -user=pkiuser \
 -group=pkiuser \
 -redirect conf=/etc/pki-tks8 \
 -redirect logs=/var/log/pki-tks8 \
 -verbose
4. configure the TKS; it will fail in the "Requests and Certificates" panel

Actual results:
Requests and Certificates
No Certificate Generated. Please import.
View Certificate Request (CSR)
View Certificate in Base64-Encoding
VelocityServlet: Error processing the template
Invocation of method 'getEscapedCertpp' in class com.netscape.cms.servlet.csadmin.Cert threw exception class java.lang.NullPointerException : null
org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEscapedCertpp' in class com.netscape.cms.servlet.csadmin.Cert threw exception class java.lang.NullPointerException : null
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:246)
at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:175)
...snip...

CA debug log trace, see the "TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate." entry:

[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication: start
[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication: content=sessionID=-4514535760947022742&hostname=10.14.5.14
[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication authenticate Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$ : Unidentified][Outcome=Success][AuthMgr=TokenAuth] authentication success
[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet authToken not null
[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet: authz using acl: group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: in auditSubjectID
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@40b890dc, profileContext=com.netscape.cms.profile.common.EnrollProfileContext@152e7cb6, authManagerId=TokenAuth}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet auditSubjectID: subjectID: null
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: in auditGroupID
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: auditGroupID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@40b890dc, profileContext=com.netscape.cms.profile.common.EnrollProfileContext@152e7cb6, authManagerId=TokenAuth}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet auditGroupID: groupID: null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluating expressions: group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise OCSP Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise RA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise CA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise KRA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise TKS Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate: uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression: group="Enterprise TPS Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=caInternalAuthAuditSigningCert.authz.acl][Op=enroll] authorization failure
[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Failure][Role=$NonRoleUser$] assume privileged role
[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet authorize: Authorization failed on resource: group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators", operation: {1}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: curDate=Mon May 06 21:16:38 PDT 2013 id=caProfileSubmit time=22

Expected results:

Additional info:
workaround: use a valid subject DN in the CA SSL server cert
CN=ca1.example.com,OU=pki-ca8,O=Example Domain ca8

I haven't tested with Dogtag 10 newer tools.
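As an added example (not code from this ticket, pkisilent or Dogtag), here is the kind of pre-flight check the reporter asks for: parse a proposed SSL server cert subject DN, require exactly one CN, and require that CN to be a fully qualified domain name that matches the server's hostname, so the bad DN above is rejected before the CA is configured. The DN parser, the FQDN rule and the expected hostname are assumptions made for the example.

```python
import re

# Minimal RFC 2253-style DN parser: split on unescaped commas, then on the
# first "=" of each RDN. Returns [(attr_lowercase, value), ...].
def parse_dn(dn):
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)          # keep the escaped character literally
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), val.strip()))
    return out

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)

def is_fqdn(name):
    # Require at least one dot so a bare hostname is not accepted as "fully qualified".
    if not (1 <= len(name) <= 253) or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))

def check_server_cert_subject(dn, expected_host):
    """Return (ok, reason) for a candidate SSL server cert subject DN."""
    try:
        rdns = parse_dn(dn)
    except ValueError as e:
        return False, str(e)
    cns = [v for a, v in rdns if a == "cn"]
    if len(cns) != 1:
        return False, f"expected exactly one CN, found {len(cns)}"
    cn = cns[0]
    if not is_fqdn(cn):
        return False, f"CN {cn!r} is not a fully qualified domain name"
    if cn.lower().rstrip(".") != expected_host.lower().rstrip("."):
        return False, f"CN {cn!r} does not match server hostname {expected_host!r}"
    return True, "ok"
```

Run against the two DNs from the ticket, the first is rejected because its CN contains spaces and is not a hostname, while the second passes for host ca1.example.com.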
[06/04/2014] - Moving to Milestone 10.3 due to schedule restrictions.
Metadata Update from @nkinder:
- Issue assigned to mharmsen
- Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1232
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)