From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Mon, 9 Oct 2017 16:26:21 +1100

Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception

renderFinalError is a "last resort" error handler that writes an

error message back to the client.  If the exception was not already

logged, the call stack will be discarded after renderFinalError is

finished with the exception.

Log the exception so that the call stack information is not lost.

Part of: https://pagure.io/dogtagpki/issue/2557

Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f

(cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492)

(cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7)

---

 base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java

index 65dc06a..fe18ee1 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java

@@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet {

     public void renderFinalError(CMSRequest cmsReq, Exception ex)

             throws IOException {

+        CMS.debug("Caught exception in renderFinalError:");

+        CMS.debug(ex);

         // this template is the last resort for all other unexpected

         // errors in other templates so we can only output text.

         HttpServletResponse httpResp = cmsReq.getHttpResp();

-- 

1.8.3.1

From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Mon, 9 Oct 2017 16:45:51 +1100

Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table

If the security domain session table is null for some reason, detect

this condition, log it, and return cleanly instead of throwing a

NullPointerException.

Part of: https://pagure.io/dogtagpki/issue/2557

Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb

(cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d)

(cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6)

---

 .../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java

index 27f4782..1d98693 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java

@@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet {

         String uid = "";

         String gid = "";

         CMS.debug("TokenAuthentication: checking session in the session table");

-        if (table.sessionExists(sessionId)) {

+        if (table == null) {

+            CMS.debug("TokenAuthentication: session table is null");

+            outputError(httpResp, "Error: session table is null");

+            return;

+        } else if (table.sessionExists(sessionId)) {

             CMS.debug("TokenAuthentication: found session");

             if (checkIP) {

                 String hostname = table.getIP(sessionId);

-- 

1.8.3.1

From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Tue, 10 Oct 2017 00:21:57 +1100

Subject: [PATCH 3/5] TokenAuthentication: log error message on error

If a TokenAuthenticate response indicates failure (state != 0), log

the error string in addition to the status code.

Part of: https://pagure.io/dogtagpki/issue/2557

Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2

(cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26)

(cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143)

---

 .../cms/src/com/netscape/cms/authentication/TokenAuthentication.java     | 1 +

 1 file changed, 1 insertion(+)

diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java

index ebda0b6..2aa32d4 100644

--- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java

+++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java

@@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager,

                 CMS.debug("TokenAuthentication: status=" + status);

                 if (!status.equals("0")) {

                     String error = parser.getValue("Error");

+                    CMS.debug("TokenAuthentication: error: " + error);

                     throw new EBaseException(error);

                 }

-- 

1.8.3.1

From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Wed, 11 Oct 2017 15:41:15 +1100

Subject: [PATCH 4/5] Sleep after security domain login during configuration

Clone installation can fail due to security domain token

authentication failure that arises because:

1. The security domain session gets created on the replica's CA

   instance.

2. The "updateNumberRange" is performed against the subsystem being

   cloned, and results in a token authentication request to the CA

   subsystem on the same host.

3. LDAP replication lag means that the master does not yet see

   the security domain session that was created on the replica.

To avoid this problem, introduce a small delay after logging into

the security domain, to allow for replication to occur.  The delay

is configurable and defaults to 5 seconds.

Fixes: https://pagure.io/dogtagpki/issue/2557

Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913

(cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3)

(cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b)

---

 .../netscape/certsrv/system/ConfigurationRequest.java   | 14 ++++++++++++++

 .../org/dogtagpki/server/rest/SystemConfigService.java  | 17 ++++++++++++++++-

 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java

index 26f45f0..03dbfa6 100644

--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java

+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java

@@ -244,6 +244,11 @@ public class ConfigurationRequest {

     @XmlElement

     protected String signingCertSerialNumber;

+    /** Seconds to sleep after logging into the Security Domain,

+     * so that replication of the session data may complete. */

+    @XmlElement

+    protected Long securityDomainPostLoginSleepSeconds;

+

     public ConfigurationRequest() {

         // required for JAXB

     }

@@ -974,6 +979,14 @@ public class ConfigurationRequest {

         this.signingCertSerialNumber = signingCertSerialNumber;

     }

+    public Long getSecurityDomainPostLoginSleepSeconds() {

+        return securityDomainPostLoginSleepSeconds;

+    }

+

+    public void setSecurityDomainPostLoginSleepSeconds(Long d) {

+        securityDomainPostLoginSleepSeconds = d;

+    }

+

     @Override

     public String toString() {

         return "ConfigurationRequest [pin=XXXX" +

@@ -983,6 +996,7 @@ public class ConfigurationRequest {

                ", securityDomainName=" + securityDomainName +

                ", securityDomainUser=" + securityDomainUser +

                ", securityDomainPassword=XXXX" +

+               ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds +

                ", isClone=" + isClone +

                ", cloneUri=" + cloneUri +

                ", subsystemName=" + subsystemName +

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java

index afbb24a..9ffb6e3 100644

--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java

+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java

@@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou

         getInstallToken(data, host, port);

-        return getDomainXML(host, port);

+        String domainXML = getDomainXML(host, port);

+

+        /* Sleep for a bit to allow security domain session to replicate

+         * to other clones.  In the future we can use signed tokens

+         * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to

+         * be mindful of working with older versions, too.

+         *

+         * The default sleep time is 5s.

+         */

+        Long d = data.getSecurityDomainPostLoginSleepSeconds();

+        if (null == d || d <= 0)

+            d = new Long(5);

+        CMS.debug("Logged into security domain; sleeping for " + d + "s");

+        Thread.sleep(d * 1000);

+

+        return domainXML;

     }

     private String getDomainXML(String host, int port) {

-- 

1.8.3.1

From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Wed, 11 Oct 2017 18:12:04 +1100

Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration

 configurable

Add the pki_security_domain_post_login_sleep_seconds pkispawn

config, so that the administrator may set a duration other than the

default.

Part of: https://pagure.io/dogtagpki/issue/2557

Change-Id: I74f16ea15621773e0742f709adc87df559cb530a

(cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b)

(cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910)

---

 base/server/man/man8/pkispawn.8                       | 7 +++++++

 base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++

 2 files changed, 14 insertions(+)

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8

index 002520a..1d4ae24 100644

--- a/base/server/man/man8/pkispawn.8

+++ b/base/server/man/man8/pkispawn.8

@@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP

 pki_security_domain_hostname=<master_ca_hostname>

 pki_security_domain_https_port=<master_ca_https_port>

 pki_security_domain_user=caadmin

+pki_security_domain_post_login_sleep_seconds=\fI5\fP

 [Tomcat]

 pki_clone=True

@@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set.  The PKCS#12 file is then found under

 be generated at any time post-installation using \fBPKCS12Export\fP.

 .PP

+The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep

+duration after logging into a security domain, to allow the security domain

+session data to be replicated to subsystems on other hosts.  It is optional and

+defaults to 5 seconds.

+

+.PP

 An example invocation showing the export of the system certificates and keys,

 copying the keys to the replica subsystem, and setting the relevant SELinux and

 file permissions is shown below.  \fBpwfile\fP is a text file containing the

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py

index cf2a748..9bb0dfc 100644

--- a/base/server/python/pki/server/deployment/pkihelper.py

+++ b/base/server/python/pki/server/deployment/pkihelper.py

@@ -4045,6 +4045,13 @@ class ConfigClient:

         if self.subordinate:

             self.set_subca_security_domain(data)

+        try:

+            d = int(self.mdict['pki_security_domain_post_login_sleep_seconds'])

+            if d > 0:

+                data.securityDomainPostLoginSleepSeconds = d

+        except (KeyError, ValueError):

+            pass

+

         # database

         if self.subsystem != "RA":

             self.set_database_parameters(data)

-- 

1.8.3.1