#689 Unable to add KRA users to a group using CA admin cert
Closed: Invalid. Opened 9 years ago by lsunkara.

Created users for the KRA subsystem using the "-t kra" option and the CA admin certificate, but was unable to add a user to a group.
Note: KRA and CA are in the same instance.

The following shows the steps in the CLI:

List of users:
pki -d /tmp/tmp.N0YVPa7edJ/nssdb -n "PKI Administrator for rhts.eng.bos.redhat.com" -c Password -t kra user-find


4 user(s) matched

User ID: kraadmin
Full name: kraadmin

User ID: CA-nec-em19.rhts.eng.bos.redhat.com-8443
Full name: CA-nec-em19.rhts.eng.bos.redhat.com-8443

User ID: pkidbuser
Full name: pkidbuser

User ID: KRA_adminV
Full name: KRA_Admin_ValidCert


Number of entries returned 4

Add user "KRA_adminV" to the "Administrators" group using the -t option and the CA admin cert:

pki -d /tmp/tmp.N0YVPa7edJ/nssdb -n "PKI Administrator for rhts.eng.bos.redhat.com" -c Password -t kra group-add-member Administrators KRA_adminV
PKIException: CertProcessor: authority is null


I basically tested this on an x86_64 Fedora 20 machine (e.g. fedora20.example.com) using a CA and KRA installed to the same default '/var/lib/pki/pki-tomcat' directory. I copied the client databases from my Firefox browser to the '/tmp/client_db' directory; the databases contained the following data:

# certutil -d /tmp/client_db -L

Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

fedora20.example.com                                  ,,   
CA Signing Certificate - example.com Security Domain  CT,C,C
VeriSign Class 3 Secure Server CA - G3                ,,   
DigiCert High Assurance EV CA-1                       ,,   
Google Internet Authority G2                          ,,   
PKI Administrator for example.com                     u,u,u

I then ran the following commands:

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra user-find

-----------------
3 user(s) matched
-----------------
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-fedora20.example.com-8443
  Full name: CA-fedora20.example.com-8443

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra user-add foobar --fullName "Foo Bar"

-------------------
Added user "foobar"
-------------------
  User ID: foobar
  Full name: Foo Bar

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra user-find

-----------------
4 user(s) matched
-----------------
  User ID: kraadmin
  Full name: kraadmin

  User ID: CA-fedora20.example.com-8443
  Full name: CA-fedora20.example.com-8443

  User ID: pkidbuser
  Full name: pkidbuser

  User ID: foobar
  Full name: Foo Bar
----------------------------
Number of entries returned 4
----------------------------

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-find

------------------
8 group(s) matched
------------------
  Group ID: Data Recovery Manager Agents
  Description: Agents for Data Recovery Manager

  Group ID: Subsystem Group
  Description: Subsystem Group

  Group ID: Trusted Managers
  Description: Managers trusted by this PKI instance

  Group ID: Administrators
  Description: People who manage the Certificate System

  Group ID: Auditors
  Description: People who can read the signed audits

  Group ID: ClonedSubsystems
  Description: People who can clone the master subsystem

  Group ID: Security Domain Administrators
  Description: People who are the Security Domain administrators

  Group ID: Enterprise KRA Administrators
  Description: People who are the administrators for the security domain for KRA
----------------------------
Number of entries returned 8
----------------------------

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-member-find Administrators

-------------------------
1 group member(s) matched
-------------------------
  User: kraadmin
----------------------------
Number of entries returned 1
----------------------------

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-member-add Administrators foobar

---------------------------
Added group member "foobar"
---------------------------
  User: foobar

# pki -d /tmp/client_db -n "PKI Administrator for example.com" -t kra group-member-find Administrators

-------------------------
2 group member(s) matched
-------------------------
  User: kraadmin

  User: foobar
----------------------------
Number of entries returned 2
----------------------------

As can be seen, no exception was thrown.

NOTE:  I used the 'group-member-add' command, and not the invalid
       'group-add-member' command originally documented in the ticket,
       although using the invalid command no longer throws an exception
       but instead displays the following error:

           # pki -d /tmp/client_db -n "PKI Administrator for example.com"
           -t kra group-add-member Administrators foobar 
           Error: Missing required option: description
           usage: group-add <Group ID> [OPTIONS...]
               --description <description>   Description

While I suspect that this ticket may have been fixed by other changes, I am closing this ticket as WORKSFORME.

Please retest this issue, and feel free to re-open this ticket if your issue is still not fixed.
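A retest helper for the steps above, added here and not part of the ticket or of the pki project: it wraps the same "pki -t kra" commands, parses the 'group-member-find' output, and confirms that a 'group-member-add' actually took effect instead of trusting the success banner. PKI_DB and PKI_NICK are placeholders for the client NSS database and the admin cert nickname.

```shell
#!/bin/sh
# Added retest helper (not from the ticket). Assumes the pki CLI is installed
# and that PKI_DB / PKI_NICK point at the client NSS database and the admin
# cert nickname used in the ticket (both defaults below are placeholders).
PKI_DB="${PKI_DB:-/tmp/client_db}"
PKI_NICK="${PKI_NICK:-PKI Administrator for example.com}"

# Print the member IDs contained in 'group-member-find' output given as $1,
# one per line (the CLI prints each as "  User: <id>").
members_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*User:[[:space:]]*//p'
}

# Print the count from the CLI's "Number of entries returned N" footer.
count_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Number of entries returned[[:space:]]*//p'
}

# Succeed if user $2 is listed in the 'group-member-find' output $1.
# -F: literal match (user IDs contain dots), -x: whole-line match only.
has_member() {
    members_from_output "$1" | grep -Fqx -- "$2"
}

# List members of KRA group $1, authenticating with the CA admin cert.
kra_group_members() {
    pki -d "$PKI_DB" -n "$PKI_NICK" -t kra group-member-find "$1"
}

# Add user $2 to KRA group $1 unless already present, then verify that the
# membership really took effect. Returns 1 if the add did not stick.
ensure_kra_group_member() {
    before=$(kra_group_members "$1") || return 1
    if has_member "$before" "$2"; then
        echo "$2 is already a member of $1"
        return 0
    fi
    pki -d "$PKI_DB" -n "$PKI_NICK" -t kra group-member-add "$1" "$2" || return 1
    after=$(kra_group_members "$1") || return 1
    if ! has_member "$after" "$2"; then
        echo "group-member-add succeeded but $2 is not listed in $1" >&2
        return 1
    fi
    echo "$2 added to $1 (members now: $(count_from_output "$after"))"
}

# Only exercise the live commands when asked to and the CLI is present.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v pki >/dev/null 2>&1; then
    ensure_kra_group_member Administrators foobar
fi
```

Run with RUN_LIVE=1 against a CA+KRA instance to repeat the ticket's scenario; the parsing functions can be checked offline against captured output.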

Metadata Update from @lsunkara:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.1 - 10/13 (October)

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1258

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
