Closed pki-bot closed 3 years ago
Comment from saipandi at 2014-07-24 17:23:52
CLONECA config file cloneca_instance.inf
Comment from mharmsen (@mharmsen) at 2014-08-04 23:58:16
Per CS/DS meeting of 08/04/2014: moving to Milestone 10.2 (August)
IMPORTANT: Investigate whether this is a regression, or if cloned CAs always created their own security domain rather than referencing that of the Master CA. Consider pushing this to 10.2.1.
Comment from saipandi at 2014-08-07 18:28:53
I am doing a quickinstall where on one machine I install Master CA, KRA, OCSP and TKS on one instance and Clone CA, KRA and TKS on another instance and a SUBCA on a third tomcat instance.
The pki cli for security domain shows the clone CA as part of the security domain of master
The command I used was: pki -U https://nu5.idm.lab.eng.rdu2.redhat.com:30042 -d /opt/rhqa_pki/certs_db -c Secret123 securitydomain-show
In this command I am checking the security domain info of master CA and which subsystems have joined the domain.
The output was:
Domain: idm.lab.eng.rdu2.redhat.com
CA Subsystem:
Host ID: CA nu5.idm.lab.eng.rdu2.redhat.com 30042
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30044
Secure Port: 30042
Domain Manager: TRUE
Host ID: CA nu5.idm.lab.eng.rdu2.redhat.com 30002
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30009
Secure Port: 30002
Domain Manager: TRUE
OCSP Subsystem:
Host ID: OCSP nu5.idm.lab.eng.rdu2.redhat.com 30042
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30044
Secure Port: 30042
Domain Manager: FALSE
KRA Subsystem:
Host ID: KRA nu5.idm.lab.eng.rdu2.redhat.com 30042
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30044
Secure Port: 30042
Domain Manager: FALSE
Host ID: KRA nu5.idm.lab.eng.rdu2.redhat.com 30002
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30009
Secure Port: 30002
Domain Manager: FALSE
TKS Subsystem:
Host ID: TKS nu5.idm.lab.eng.rdu2.redhat.com 30042
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30044
Secure Port: 30042
Domain Manager: FALSE
Host ID: TKS nu5.idm.lab.eng.rdu2.redhat.com 30002
Hostname: nu5.idm.lab.eng.rdu2.redhat.com
Port: 30009
Secure Port: 30002
Domain Manager: FALSE
The output for pkidaemon status tomcat was:
Status for pki-clone: pki-clone is running ..
[CA Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30009/ca/ee/ca
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/ca/agent/ca
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/ca/ee/ca
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/ca/services
EE Client Auth URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/ca/eeca/ca
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30002/ca
Tomcat Port = 30005 (for shutdown)
[DRM Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30009/kra/ee/kra
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/kra/agent/kra
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/kra/ee/kra
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/kra/services
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30002/kra
Tomcat Port = 30005 (for shutdown)
[TKS Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30009/tks/ee/tks
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/tks/agent/tks
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/tks/ee/tks
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30002/tks/services
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30002/tks
Tomcat Port = 30005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: pki-clone
PKI Subsystem Type: CA Clone (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30002
==========================================================================
[DRM Configuration Definitions]
PKI Instance Name: pki-clone
PKI Subsystem Type: DRM Clone
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
[TKS Configuration Definitions]
PKI Instance Name: pki-clone
PKI Subsystem Type: TKS Clone
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
Status for pki-master: pki-master is running ..
[CA Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30044/ca/ee/ca
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ca/agent/ca
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ca/ee/ca
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ca/services
EE Client Auth URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ca/eeca/ca
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ca
Tomcat Port = 30045 (for shutdown)
[DRM Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30044/kra/ee/kra
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/kra/agent/kra
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/kra/ee/kra
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/kra/services
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30042/kra
Tomcat Port = 30045 (for shutdown)
[OCSP Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30044/ocsp/ee/ocsp
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ocsp/agent/ocsp
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ocsp/ee/ocsp
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ocsp/services
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30042/ocsp
Tomcat Port = 30045 (for shutdown)
[TKS Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:30044/tks/ee/tks
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/tks/agent/tks
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/tks/ee/tks
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:30042/tks/services
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:30042/tks
Tomcat Port = 30045 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: pki-master
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
[DRM Configuration Definitions]
PKI Instance Name: pki-master
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
[OCSP Configuration Definitions]
PKI Instance Name: pki-master
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
[TKS Configuration Definitions]
PKI Instance Name: pki-master
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:30042
==========================================================================
Status for pki-subca1: pki-subca1 is running ..
[CA Status Definitions]
Unsecure URL = http://nu5.idm.lab.eng.rdu2.redhat.com:31001/ca/ee/ca
Secure Agent URL = https://nu5.idm.lab.eng.rdu2.redhat.com:31000/ca/agent/ca
Secure EE URL = https://nu5.idm.lab.eng.rdu2.redhat.com:31000/ca/ee/ca
Secure Admin URL = https://nu5.idm.lab.eng.rdu2.redhat.com:31000/ca/services
EE Client Auth URL = https://nu5.idm.lab.eng.rdu2.redhat.com:31000/ca/eeca/ca
PKI Console Command = pkiconsole https://nu5.idm.lab.eng.rdu2.redhat.com:31000/ca
Tomcat Port = 31003 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: pki-subca1
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: idm.lab.eng.rdu2.redhat.com
URL: https://nu5.idm.lab.eng.rdu2.redhat.com:31000
==========================================================================
Comment from saipandi at 2014-08-07 19:10:14
The subca config file is below; 30042 is the master's port and the master is on the same machine:
[DEFAULT]
pki_instance_name=pki-subca1
pki_https_port=31000
pki_http_port=31001
pki_ajp_port=31002
pki_tomcat_server_port=31003
pki_user=pkiuser
pki_group=pkiuser
pki_audit_group=pkiaudit
pki_token_name=Internal
pki_token_password=Secret123
pki_client_pkcs12_password=Secret123
pki_admin_password=Secret123
pki_ds_password=Secret123
pki_subordinate=True
pki_ds_password=Secret123
pki_client_dir=/tmp/subca
pki_issuing_ca=https://nu5.idm.lab.eng.rdu2.redhat.com:30042
[CA]
pki_admin_name=subcaadmin
pki_admin_uid=subcaadmin
pki_admin_email=example@redhat.com
pki_admin_dualkey=True
pki_admin_key_size=2048
pki_admin_key_type=rsa
pki_admin_subject_dn=cn=PKI SUBCA1 ADMIN Certificate,O = redhat
pki_admin_nickname=subcaadmincert
pki_import_admin_cert=False
pki_client_admin_cert_p12=/tmp/subca/subcaadmincert.p12
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_token=Internal
pki_subsystem_nickname=subcasubsystemcert
pki_subsystem_subject_dn=cn=PKI SUBSYTEM CA Certificate,O=redhat
pki_ds_database=pki-subca1
pki_ca_signing_key_type=rsa
pki_ca_signing_key_size=2048
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ca_signing_token=Internal
pki_ca_signing_nickname=subcasigningcert
pki_ca_signing_subject_dn=cn=PKI SUBCA1 Signing Certificate,O=redhat
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_token=Internal
pki_ocsp_signing_nickname=caocspsigningcert
pki_ocsp_signing_subject_dn=cn=PKI CA OCSP Signing Certificate, O=redhat
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_audit_signing_token=Internal
pki_audit_signing_nickname=subcaauditsigningcert
pki_audit_signing_subject_dn=cn=PKI SUBCA1 Audit Signing Certificate, O=redhat
pki_security_domain_hostname=nu5.idm.lab.eng.rdu2.redhat.com
pki_security_domain_https_port=30042
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
pki_security_domain_name=idm.lab.eng.rdu2.redhat.com
pki_ds_hostname=localhost
pki_ds_ldap_port=2100
pki_ds_bind_dn=cn=DS Manager
pki_ds_password=Secret123
pki_ds_secure_connection=False
pki_ds_remove_data=True
pki_ds_base_dn=dc=pki-subca
pki_ds_database=pki-subca1
pki_backup_keys=True
pki_backup_password=Secret123
pki_backup_fname=/opt/rhqa_pki/ca_backup.p12
pki_client_database_dir=/tmp/subca/db
pki_client_database_password=Secret123
pki_client_database_purge=True
pki_restart_configured_instance=True
pki_skip_configuration=False
pki_skip_installation=False
pki_enable_access_log=True
pki_enable_java_debugger=False
pki_security_manager=True
Comment from saipandi at 2014-08-07 20:32:36
ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=newdomain, securityDomainUri=null, securityDomainName=idm.lab.eng.rdu2.redhat.com, securityDomainUser=null, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=CA nu5.idm.lab.eng.rdu2.redhat.com 31000, p12File=null, p12Password=XXXX, hierarchy=root, dsHost=localhost, dsPort=2100, baseDN=dc=pki-subca, bindDN=cn=DS Manager, bindpwd=XXXX, database=pki-subca1, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCerts=[com.netscape.certsrv.system.SystemCertData@5f785b22, com.netscape.certsrv.system.SystemCertData@56a74625, com.netscape.certsrv.system.SystemCertData@7fee5394, com.netscape.certsrv.system.SystemCertData@77b15b29, com.netscape.certsrv.system.SystemCertData@1cd81e23], issuingCA=null, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-subca1/alias/ca_backup_keys.p12, adminUID=subcaadmin, adminPassword=XXXX, adminEmail=example@redhat.com, adminCertRequest=MIICfTCCAWUCAQAwODEPMA0GA1UEChMGcmVkaGF0MSUwIwYDVQQDExxQS0kgU1VC^MQ0ExIEFETUlOIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB^MCgKCAQEA0jFDZ28ES7pj5/MSpjtTxQlIdKFMllhNxF9fWxVFhD9PdBmNXdH5mhpn^MO9ale3jObtjC3Fw9CtIDjDJJlLfjf0ndurQcVQ9icA2n3kMFiuXYSabRwjWSXWd6^MwSkdMNLh1VJC+M7YG7U2DC2wHvZ0x0MRqqo89FCTq5sgyo5LWwgjw3m0Tla+ru6O^MT3M1WZ7T/7XI6tJ3bBFrPqXiyV+n3MsAWjBolCCldufvI+MgXPYlPw11CRx8vIEP^MgsV3zrTZiupXATIqmHIGH0BEXCrucCBbnxGA8jhxCK8x1P5F9SECehZ8jbC7e5qZ^M6HrV7qt4O1c9fxESMHfcfWkfl7Id2wIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEB^MAHM8WyT0tNysPrTaTB3hicLSUHMpNxgMLhsRyzpYLLZk5Xfg2dAGkICS+dvftz+h^M8KHZoHsKtMXSLl5+dSES/qylsLwvIF2bAcJy+ie0y41BrmK2ELw5ETIiedL1mQpo^MKAtOCAzHshsZtnZr1RQJrmunBfNdBKpoWwcVk6xcJwhuQLm1u3NUe7zLkEQwDCUZ^Mw5Wq5SMrjKEfmWYl9o5kGYT/zZ067ZYuBiSg19PziVhRhhNz0/U4OHb6kv7z4doQ^MbravAG2J+lzwU3jlKFsz/3/FCuf8qKXOfw9kTRtnqvVOiiinrNBZtZXRWwCLoeDl^MmNLblfNvSck0KqEKZe+/xu8=^M, 
adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI SUBCA1 ADMIN Certificate,O = redhat, adminName=subcaadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=false, sharedDBUserDN=null]
Comment from saipandi at 2014-08-07 20:51:17
spawn log:
'pki_security_domain_hostname': 'nu5.idm.lab.eng.rdu2.redhat.com',
'pki_security_domain_https_port': '30042',
'pki_security_domain_name': 'idm.lab.eng.rdu2.redhat.com',
'pki_security_domain_password': 'XXXXXXXX',
'pki_security_domain_type': 'new',
'pki_security_domain_user': 'caadmin',
'pki_security_manager': 'True',
Comment from saipandi at 2014-08-07 21:45:05
The subca config file parameter pki_subordinate was mentioned in the [DEFAULT] section when it should be mentioned in the [CA] section, because of which that parameter was getting assigned the value False (the default value of the CA section, pki_subordinate=false). Due to this the CA was being considered a root-level CA. After the change the subca is able to join the security domain of the master as expected.
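The resolution order behind this comment is worth seeing in code, because the failure is silent: a CA that was meant to be a subordinate in an existing security domain instead installs as a root with a domain of its own, and nothing in pkispawn's exit status says so. The script below is an added example, not code from the ticket or from the pki project. It models pkispawn's layering (a built-in defaults file read first, the user's deployment file read on top) with Python's configparser, whose rule is that a key present in a named section always beats the same key in [DEFAULT]. BUILTIN_DEFAULTS is a constructed, hypothetical stand-in for the real default.cfg, keeping only the per-subsystem [CA] pki_subordinate=False entry that matters here; the two user configs are constructed in the shape of the subca file above. shadowed_default_keys() is a pre-deployment check that flags any key a user put under [DEFAULT] that a built-in per-section value will override.

```python
import configparser

# Constructed stand-in for pkispawn's built-in layered defaults (hypothetical;
# the real default.cfg carries many more keys). The per-subsystem [CA] value
# of pki_subordinate is the one this ticket turns on.
BUILTIN_DEFAULTS = """
[DEFAULT]
pki_security_domain_type=new
[CA]
pki_subordinate=False
"""

# Constructed user config in the shape of the subca file from the ticket:
# pki_subordinate sits in [DEFAULT], where the built-in [CA] value wins.
SUBCA_CFG_BROKEN = """
[DEFAULT]
pki_instance_name=pki-subca1
pki_subordinate=True
pki_security_domain_https_port=30042
[CA]
pki_admin_name=subcaadmin
"""

# Same config with pki_subordinate moved into [CA], as the fix describes.
SUBCA_CFG_FIXED = """
[DEFAULT]
pki_instance_name=pki-subca1
pki_security_domain_https_port=30042
[CA]
pki_admin_name=subcaadmin
pki_subordinate=True
"""


def _parse(text, default_section="DEFAULT"):
    """Parse one config text with pkispawn-like settings (no % interpolation,
    keys kept verbatim rather than lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section=default_section)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def load_deployment_config(user_text):
    """Layer the user's file on top of the built-in defaults, as successive
    configparser reads do: the user's [DEFAULT] replaces built-in [DEFAULT]
    values, but a key that also exists in a named section is always resolved
    from that section, so a built-in [CA] entry shadows a user [DEFAULT] one."""
    cfg = _parse(BUILTIN_DEFAULTS)
    cfg.read_string(user_text)
    return cfg


def is_subordinate(user_text):
    """The value the CA subsystem would actually see for pki_subordinate."""
    cfg = load_deployment_config(user_text)
    return cfg.getboolean("CA", "pki_subordinate")


def shadowed_default_keys(user_text, section="CA"):
    """Keys the user set under [DEFAULT] that a built-in per-section value
    silently overrides. Run this before pkispawn to catch the misplacement."""
    # Parse the built-in file with a dummy default-section name so that its
    # [DEFAULT] block is treated as an ordinary section and has_option() does
    # not fall back to it; only a genuine [CA] entry then counts as shadowing.
    builtin = _parse(BUILTIN_DEFAULTS, default_section="__none__")
    user = _parse(user_text)
    return sorted(k for k in user.defaults() if builtin.has_option(section, k))


if __name__ == "__main__":
    for label, text in (("broken", SUBCA_CFG_BROKEN), ("fixed", SUBCA_CFG_FIXED)):
        print(label, "subordinate:", is_subordinate(text),
              "shadowed keys:", shadowed_default_keys(text))
```

With the broken file the CA resolves pki_subordinate to False and is installed as a root CA with a fresh security domain; the check reports pki_subordinate as shadowed. With the key under [CA] the user value wins and the check reports nothing. The same pattern applies to any other key that the built-in defaults define per subsystem, which is why the man page's advice to put security-domain parameters in [DEFAULT] is only safe for keys that have no per-section default.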
Comment from saipandi at 2017-02-27 14:10:13
Metadata Update from @saipandi:
This issue was migrated from Pagure Issue #1080. Originally filed by saipandi on 2014-07-24 17:23:30:
On a single host, the setup is Master CA, KRA, OCSP and TKS under one instance and the Clone CA, KRA and TKS on another instance; there is also a SubCA configured on a third tomcat instance.
So, according to the man page of pkispawn, the security domain parameters are listed in the default section of the config file, but the Clone CA still does not join the security domain of the master CA and instead creates a security domain of its own, as seen from the URL given for the Clone CA after execution of the command pkispawn.
Also, although the SubCA need not join the security domain of the master, we tried making the SubCA join the security domain of the master, but it created a security domain of its own.
I am attaching the clone CA config file for reference.