
Bug 577949

Summary: clone from a clone requires contacting original security domain master
Product: [Retired] Dogtag Certificate System
Reporter: Rob Crittenden <rcritten>
Component: Cloning
Assignee: Ade Lee <alee>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: high
Version: 1.3
CC: awnuk, benl, jgalipea, smohan
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-04 20:22:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 445047, 541012

Attachments (description, flags):
  patch to fix (flags: none)
  Screen Shots (flags: none)
  patch to fix part 2 (flags: none)
  patch to fix part 3 (flags: none)

Description Rob Crittenden 2010-03-29 20:01:08 UTC
Description of problem:

When creating a clone from a clone the pkisilent argument -sd_hostname needs to point to the server that was installed first.

This is in the context of IPA.

I started by installing IPA on lion which in turn set up a dogtag instance.

I created a clone on tiger, pointing to lion as the master.

I created a clone on panther, pointing to tiger as the master. This installation failed. When I otherwise left everything else alone and just set -sd_hostname to lion, the clone installed as expected.

The working pkisilent invocation was:

/usr/bin/pkisilent ConfigureCA -cs_hostname panther.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WVSbNZ -client_certdb_pwd XXXXXXXX -preop_pin 3edlfUfAPL1kaVvCYV2W -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host panther.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=panther.example.com,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname lion.example.com -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX

Version-Release number of selected component (if applicable):

pki-native-tools-1.3.0-5.fc12.x86_64
pki-selinux-1.3.4-1.fc12.noarch
pki-util-1.3.0-5.fc12.noarch
pki-java-tools-1.3.1-1.fc12.noarch
pki-ca-1.3.3-1.fc12.noarch
pki-common-1.3.3-1.fc12.noarch
pki-silent-1.3.2-1.fc12.noarch
pki-setup-1.3.4-1.fc12.noarch
pki-symkey-1.3.2-3.fc12.x86_64
pki-console-1.3.1-1.fc12.noarch

Comment 2 Ade Lee 2010-04-26 14:35:13 UTC
Created attachment 409191 [details]
patch to fix

patch contains changes needed to allow clone to be a domain master as well.
With these changes, clone of a clone need not contact the original master.

awnuk, please review.

Comment 3 Andrew Wnuk 2010-04-26 19:51:15 UTC
attachment (id=409191) +awnuk

Comment 4 Ade Lee 2010-04-26 20:36:41 UTC
checked into 8.1

[builder@goofy-vm4 base]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master" 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Transmitting file data ....
Committed revision 1079.

checked into tip:

[builder@dhcp231-70 base]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Transmitting file data ....
Committed revision 1080.

Comment 5 Ade Lee 2010-04-26 21:04:45 UTC
On tip:

[builder@dhcp231-70 dogtag]$ svn ci -m "update release numbers for 584917 and 577949"
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/selinux/pki-selinux.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ......
Committed revision 1081.

Comment 6 Bhaskar Y Reddy 2010-05-07 05:29:58 UTC
Able to select the clone CA security domain URL while providing Subsystem Type details for the clone of the clone CA. But in the subject names of the clone of the clone CA, it is pointing to the Master CA security domain URL.

Please find the screen shots attached.

Comment 7 Bhaskar Y Reddy 2010-05-07 05:31:01 UTC
Created attachment 412234 [details]
Screen Shots

Comment 8 Ade Lee 2010-05-18 20:20:48 UTC
Created attachment 414955 [details]
patch to fix part 2

Fixes a problem in dogtag (due to the fix for the latest 389 package)
as well as hard-coded values in pkisilent.

tested by Rob.

awnuk, please review

Comment 9 Andrew Wnuk 2010-05-18 21:02:16 UTC
attachment (id=414955) +awnuk

Comment 10 Ade Lee 2010-05-19 08:08:29 UTC
Created attachment 415045 [details]
patch to fix part 3

Just fixed the small UI issue reported by bhaskar.

Simple fix added to WizardPanelBase.java.

awnuk, please review

Comment 11 Ade Lee 2010-05-19 17:15:27 UTC
checked into dogtag:

[builder@dhcp231-70 pki]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master - additional fixes"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending        base/silent/src/ca/ConfigureCA.java
Sending        base/silent/templates/pki_silent.template
Transmitting file data ...
Committed revision 1103.

checked into 8.1
[builder@goofy-vm4 pki]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master - additional fixes"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending        base/silent/src/ca/ConfigureCA.java
Sending        base/silent/templates/pki_silent.template
Transmitting file data ...
Committed revision 1104.

Comment 12 Ade Lee 2010-05-19 17:17:14 UTC
Note to QE/ Docs:

when creating a clone using pkisilent, the following parameter is now required:

-clone_uri https://<hostname of ca to be cloned>:<EE port of ca to be cloned>

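A pre-flight check for the new requirement above, added here as an example and not part of Dogtag or pkisilent: it parses a pkisilent ConfigureCA argument list, reports a -clone true invocation that lacks a well-formed -clone_uri, and masks the password-carrying flags before the command line is logged. The only flags it knows are the ones in the working invocation quoted in the description; treating them as the required set for a clone install (CLONE_FLAGS) is an assumption drawn from that command line, not from pkisilent's documentation, and the EE port 9444 used in the sample is a constructed placeholder.

```python
"""Pre-flight lint for a pkisilent ConfigureCA clone invocation.

Added example for this bug, not Dogtag or pkisilent code. It knows only the
flags that appear in the invocation quoted in the description and the
-clone_uri requirement from comment 12; CLONE_FLAGS is an assumption drawn
from that working command line, not from pkisilent's own documentation.
"""
import shlex
from urllib.parse import urlparse

# Flags that carry secrets in the quoted invocation; values are masked before logging.
SECRET_FLAGS = {
    "-client_certdb_pwd", "-admin_password", "-bind_password",
    "-backup_pwd", "-clone_p12_password", "-sd_admin_password",
}

# Flags present in the working clone command quoted in this bug (assumed required).
CLONE_FLAGS = ("-clone_p12_file", "-clone_p12_password", "-sd_hostname",
               "-sd_admin_port", "-sd_admin_name", "-sd_admin_password")


def parse_args(argv):
    """Map each '-flag value' pair to a dict entry; a bare flag maps to True."""
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            i += 1          # positional token such as the 'ConfigureCA' subcommand
            continue
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def check_clone_uri(uri):
    """Return a problem string if uri is not https://<host>:<port>, else None."""
    if not isinstance(uri, str):
        return "-clone true requires -clone_uri https://<host>:<EE port> (see comment 12)"
    try:
        u = urlparse(uri)
        ok = u.scheme == "https" and bool(u.hostname) and u.port is not None
    except ValueError:      # urlparse raises on a malformed port such as ':abc'
        ok = False
    return None if ok else f"-clone_uri must be https://<host>:<port>, got {uri!r}"


def check_clone_args(argv):
    """Return a list of problems; an empty list means the clone arguments look complete."""
    opts = parse_args(argv)
    problems = []
    if opts.get("-clone") != "true":
        return problems     # not a clone install; nothing clone-specific to check
    uri_problem = check_clone_uri(opts.get("-clone_uri"))
    if uri_problem:
        problems.append(uri_problem)
    for flag in CLONE_FLAGS:
        if flag not in opts:
            problems.append(f"clone install is missing {flag}")
    return problems


def redact(argv):
    """Copy of argv with every secret flag's value replaced, safe to write to a log."""
    out = list(argv)
    for i in range(len(out) - 1):
        if out[i] in SECRET_FLAGS:
            out[i + 1] = "********"
    return out


# Constructed sample: the clone-related tail of the command quoted in this bug,
# with the remaining flags omitted for brevity.
SAMPLE = shlex.split(
    'pkisilent ConfigureCA -cs_hostname panther.example.com -cs_port 9445 '
    '-admin_password XXXXXXXX -clone true -clone_p12_file ca.p12 '
    '-clone_p12_password XXXXXXXX -sd_hostname lion.example.com -sd_admin_port 9445 '
    '-sd_admin_name admin -sd_admin_password XXXXXXXX'
)

if __name__ == "__main__":
    for p in check_clone_args(SAMPLE):
        print("problem:", p)
    # 9444 is a constructed placeholder for the EE port of the CA being cloned.
    fixed = SAMPLE + ["-clone_uri", "https://tiger.example.com:9444"]
    print("problems after adding -clone_uri:", check_clone_args(fixed))
    print(" ".join(redact(fixed)))
```

Run against the quoted command line it reports exactly the missing -clone_uri; once the URI is appended it reports nothing, and the redacted form is what belongs in an install log rather than the raw argv.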
Comment 13 Andrew Wnuk 2010-05-19 19:12:25 UTC
attachment (id=415045) +awnuk

Comment 14 Bhaskar Y Reddy 2010-05-24 15:24:18 UTC
Tested on RHEL5.4 and it is working fine.

Version :

pki-ca-8.1.0-1.el5pki
redhat-pki-ca-ui-8.1.0-1.el5pki

*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
   2           /usr/lib/jvm/jre1-4.2-gcj/bin/java


Verification:

Create a clone of a clone CA.

Actual results:

Able to select clone CA security domain url.


Expected Results:

Should be able to select Clone CA security domain url.