CRL to file publishing on Clone CA
by Aleksey Chudov
Hi,
I have configured the same rules for CRL publishing on the Master CA and two
Clone CAs:
+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl
But only the Master CA publishes CRLs to the /var/lib/pki/pki-tomcat/webapps/crl
directory.
According to the documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...,
only one replicated CA can generate, cache, and publish CRLs.
What are the best practices for publishing CRLs on a Clone CA? Should I just
sync the CRL directory on both clones from the master, or is there a better
approach?
Aleksey
Possible PKI LDAP connections leak?
by Aleksey Chudov
Hi,
I have found a possible PKI LDAP connection leak on access to the
/ca/rest/securityDomain/domainInfo URL.
To reproduce:
# ss -ant state established sport = :636
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 10.172.3.13:636 10.172.3.13:57696
0 0 10.172.3.13:636 10.172.3.13:57692
0 0 10.172.3.13:636 10.172.3.13:57695
0 0 10.172.3.13:636 10.172.3.13:57690
0 0 10.172.3.13:636 10.172.3.13:57689
0 0 10.172.3.13:636 10.172.3.13:57693
0 0 10.172.3.13:636 10.172.3.13:57688
0 0 10.172.3.13:636 10.172.3.13:57691
0 0 10.172.3.13:636 10.172.3.13:57687
# ss -ant state established sport = :636 | wc -l
10
# for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
# ss -ant state established sport = :636 | wc -l
266
Every request to the /ca/rest/securityDomain/domainInfo URL increases the number
of LDAP connections and produces the same messages in the debug log:
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv333.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv333.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv333.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: FALSE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv333.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv334.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv334.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv334.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv334.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv335.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv335.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv335.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv335.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3
At the same time, requests to other URLs do not increase the number of
established LDAP connections.
Is it a bug or expected behavior?
Aleksey
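An added example, not code from the original post: a small shell check that turns the reproduction above into a repeatable regression test, counting established sockets on the LDAP port before and after a burst of requests and reporting a leak when the count grows by at least one socket per request (the post saw 10 -> 266 for 256 calls). The URL, port and request count are taken from the post as defaults and are overridable through environment variables; the embedded `ss` output is a constructed sample so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): regression check for the
# per-request LDAP connection growth reported above.
# Assumptions: `ss` and `curl` are available; URL and LDAP port default to the
# values in the post and can be overridden via environment variables.
LDAP_PORT="${LDAP_PORT:-636}"
URL="${URL:-http://localhost/ca/rest/securityDomain/domainInfo}"
REQUESTS="${REQUESTS:-32}"

# count_established PORT: reads `ss -ant state established` output on stdin
# and counts rows whose local port is PORT. The header row is skipped (its
# first field is not numeric); the port is the last colon-separated field of
# "Local Address:Port", which also works for IPv6 forms such as [::1]:636.
count_established() {
    awk -v port="$1" '
        $1 ~ /^[0-9]+$/ { n = split($3, f, ":"); if (f[n] == port) c++ }
        END { print c + 0 }'
}

# leak_verdict BEFORE AFTER REQUESTS: "leak" when the socket count grew by at
# least one per request; smaller growth (pool warm-up) is reported as "ok".
leak_verdict() {
    if [ $(( $2 - $1 )) -ge "$3" ]; then echo leak; else echo ok; fi
}

# Constructed sample of `ss -ant state established` output for an offline run.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 10.172.3.13:636 10.172.3.13:57696
0 0 10.172.3.13:636 10.172.3.13:57692
0 0 10.172.3.13:8443 10.172.3.13:40001
0 0 [::1]:636 [::1]:50000'

# run_check: live measurement against the CA, same sequence as in the post.
run_check() {
    before=$(ss -ant state established sport = ":$LDAP_PORT" | count_established "$LDAP_PORT")
    i=0
    while [ "$i" -lt "$REQUESTS" ]; do
        curl -s -o /dev/null "$URL"
        i=$((i + 1))
    done
    after=$(ss -ant state established sport = ":$LDAP_PORT" | count_established "$LDAP_PORT")
    echo "ldap_conns before=$before after=$after requests=$REQUESTS verdict=$(leak_verdict "$before" "$after" "$REQUESTS")"
}

# Offline demo on the constructed sample; set LEAK_CHECK_LIVE=1 to measure a real CA.
printf '%s\n' "$SAMPLE_SS" | count_established "$LDAP_PORT"   # prints 3
if [ "${LEAK_CHECK_LIVE:-0}" = 1 ]; then run_check; fi
```

Run it periodically (or after a deployment) and alert on a "leak" verdict; the before/after numbers are the same ones the post compares by hand.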
Dogtag 10.1 API
by Lan Chen
Hi All,
Is there good documentation on Dogtag 10.1 API somewhere?
Lan
----- Original Message -----
From: "Ryan Murray" <rmurray(a)stonedoorgroup.com>
To: "Lan Chen" <lachen(a)redhat.com>
Sent: Wednesday, September 2, 2015 9:53:09 AM
Subject: Re: Dogtag 10.1
There is a massive difference between the APIs, I checked before raising the concern. By massive I mean they are all different.
Example:
10.1
Noun=certs
10.2
Noun=certificates
None of the other nouns are working as documented by 10.2.
On Sep 2, 2015 9:50 AM, "Lan Chen" <lachen(a)redhat.com> wrote:
Ryan, I just checked with Paul, we need it installed on RHEL. Could you see if the APIs documented for 10.2 also work for 10.1? There shouldn't be too big of a difference between the versions.
From: "Ryan Murray" <rmurray(a)stonedoorgroup.com>
To: "Lan Chen" <lachen(a)redhat.com>
Sent: Wednesday, September 2, 2015 9:38:25 AM
Subject: Re: Dogtag 10.1
The packages are not available in the RHEL 7 channels or EPEL channels. From a technical standpoint I would need to spend time getting the exact limitations, but as it stands I would have to install tons of Fedora packages or compile from source to get 10.2 running on RHEL.
On Wednesday, September 2, 2015, Lan Chen <lachen(a)redhat.com> wrote:
I meant why can't 10.2 be on RHEL, and need to be on Fedora?
From: "Ryan Murray" <rmurray(a)stonedoorgroup.com>
To: "Lan Chen" <lachen(a)redhat.com>
Sent: Wednesday, September 2, 2015 9:33:08 AM
Subject: Re: Dogtag 10.1
There is no issue with the install, that was done Monday night. The issue is with the API not being documented. The client had to use Fedora in all of their tests due to the newer 10.2 version and better API.
On Wednesday, September 2, 2015, Lan Chen <lachen(a)redhat.com> wrote:
What's the issue on installing Dogtag 10.2 on RHEL?
From: "Ryan Murray" <rmurray(a)stonedoorgroup.com>
To: "Lan Chen" <lachen(a)redhat.com>
Sent: Wednesday, September 2, 2015 8:02:27 AM
Subject: Dogtag 10.1
Hi Lan,
Could you please see if there is anyone at Red Hat technical that would have any documentation on the Dogtag 10.1 API? It is not documented online that I can find. Hunting through source code to find undocumented API calls is a stretch on the SOW, and installing Fedora is a change that needs Red Hat's OK.
Thanks