Created users for the KRA subsystem using the "-t kra" option and the CA admin certificate, but was unable to add a user to a group. Note: KRA and CA are in the same instance.
The following shows the steps in the CLI:
List of users:

pki -d /tmp/tmp.N0YVPa7edJ/nssdb -n "PKI Administrator for rhts.eng.bos.redhat.com" -c Password -t kra user-find
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-nec-em19.rhts.eng.bos.redhat.com-8443
  Full name: CA-nec-em19.rhts.eng.bos.redhat.com-8443

  User ID: pkidbuser
  Full name: pkidbuser

  User ID: KRA_adminV
  Full name: KRA_Admin_ValidCert
Number of entries returned 4
Add user "KRA_adminV" to the "Administrators" group using the -t option and the CA admin cert:

pki -d /tmp/tmp.N0YVPa7edJ/nssdb -n "PKI Administrator for rhts.eng.bos.redhat.com" -c Password -t kra group-add-member Administrators KRA_adminV
PKIException: CertProcessor: authority is null
I basically tested this on an x86_64 Fedora 20 machine (e.g. fedora20.example.com) using a CA and KRA installed to the same default '/var/lib/pki/pki-tomcat' directory. I copied the client databases from my Firefox browser to the '/tmp/client_db' directory; the databases contained the following data:
# certutil -d /tmp/client_db -L
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

fedora20.example.com                                   ,,
CA Signing Certificate - example.com Security Domain   CT,C,C
VeriSign Class 3 Secure Server CA - G3                 ,,
DigiCert High Assurance EV CA-1                        ,,
Google Internet Authority G2                           ,,
PKI Administrator for example.com                      u,u,u
I then ran the following commands:
# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra user-find
-----------------
3 user(s) matched
-----------------
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-fedora20.example.com-8443
  Full name: CA-fedora20.example.com-8443

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------
# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra user-add foobar --fullName "Foo Bar"
-------------------
Added user "foobar"
-------------------
  User ID: foobar
  Full name: Foo Bar

-----------------
4 user(s) matched
-----------------
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-fedora20.example.com-8443
  Full name: CA-fedora20.example.com-8443

  User ID: pkidbuser
  Full name: pkidbuser

  User ID: foobar
  Full name: Foo Bar
----------------------------
Number of entries returned 4
----------------------------
# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-find
------------------
8 group(s) matched
------------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager

  Group ID: Subsystem Group
  Description: Subsystem Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance

  Group ID: Administrators
  Description: People who manage the Certificate System

  Group ID: Auditors
  Description: People who can read the signed audits

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
----------------------------
Number of entries returned 8
----------------------------
# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-member-find Administrators
-------------------------
1 group member(s) matched
-------------------------
  User: kraadmin
----------------------------
Number of entries returned 1
----------------------------
# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-member-add Administrators foobar
---------------------------
Added group member "foobar"
---------------------------
  User: foobar

-------------------------
2 group member(s) matched
-------------------------
  User: kraadmin
  User: foobar
----------------------------
Number of entries returned 2
----------------------------
As can be seen, no exception was thrown.
NOTE: I used the 'group-member-add' command, not the invalid 'group-add-member' command originally documented in the ticket. Using the invalid command no longer throws an exception, but currently displays the following error:

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-add-member Administrators foobar
Error: Missing required option: description
usage: group-add <Group ID> [OPTIONS...]
    --description <description>   Description
While I suspect that this ticket may have been fixed by other changes, I am closing this ticket as WORKSFORME.
Please retest this issue, and feel free to re-open this ticket if your issue is still not fixed.
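The reproduction above ends with a group-member-find listing, which is also the output an operator would audit to confirm that only the expected accounts hold KRA Administrators membership. The following is an added example, not code from the ticket or the Dogtag project: it parses that output format and flags members missing from an allowlist. The sample output is constructed from the format shown above; the audit_group wrapper assumes the pki CLI is installed and that the NSS database path, certificate nickname and group name are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the ticket or Dogtag PKI): audit the membership of
# a KRA group from the text output of
#   pki -d <nssdb> -n "<admin nickname>" -t kra group-member-find <group>
# and report any member that is not on an expected allowlist.

# Constructed sample in the group-member-find output format shown in the ticket.
SAMPLE_OUTPUT='-------------------------
2 group member(s) matched
-------------------------
  User: kraadmin
  User: foobar
----------------------------
Number of entries returned 2
----------------------------'

# Read group-member-find output on stdin and print one user ID per line.
# Only "User:" lines match; "User ID:" lines from user-find would not.
parse_members() {
    sed -n 's/^[[:space:]]*User:[[:space:]]*//p'
}

# Read member IDs on stdin (one per line); $1 is a space-separated allowlist.
# Prints each member not on the allowlist and returns 1 if any were found.
unexpected_members() {
    allowed="$1"; rc=0
    while IFS= read -r m; do
        case " $allowed " in
            *" $m "*) ;;
            *) printf '%s\n' "$m"; rc=1 ;;
        esac
    done
    return $rc
}

# Live wrapper (assumes the pki CLI is available): $1 nssdb, $2 nickname,
# $3 group, $4 allowlist. Exit status 1 means the group needs review.
audit_group() {
    pki -d "$1" -n "$2" -t kra group-member-find "$3" \
        | parse_members | unexpected_members "$4"
}

# Offline demonstration over the constructed sample: kraadmin is expected,
# foobar is reported.
printf '%s\n' "$SAMPLE_OUTPUT" | parse_members | unexpected_members "kraadmin" \
    || echo "unexpected member(s) in KRA Administrators, review the group"
```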
Metadata Update from @lsunkara:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.1 - 10/13 (October)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1258
If you want to receive further updates on the issue, please navigate to the GitHub issue and click the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.