From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 9 Oct 2017 16:26:21 +1100
Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception
renderFinalError is a "last resort" error handler that writes an
error message back to the client. If the exception was not already
logged, the call stack will be discarded after renderFinalError is
finished with the exception.
Log the exception so that the call stack information is not lost.
Part of: https://pagure.io/dogtagpki/issue/2557
Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f
(cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492)
(cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7)
---
base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index 65dc06a..fe18ee1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet {
public void renderFinalError(CMSRequest cmsReq, Exception ex)
throws IOException {
+ CMS.debug("Caught exception in renderFinalError:");
+ CMS.debug(ex);
// this template is the last resort for all other unexpected
// errors in other templates so we can only output text.
HttpServletResponse httpResp = cmsReq.getHttpResp();
--
1.8.3.1
From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 9 Oct 2017 16:45:51 +1100
Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table
If the security domain session table is null for some reason, detect
this condition, log it, and return cleanly instead of throwing a
NullPointerException.
Part of: https://pagure.io/dogtagpki/issue/2557
Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb
(cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d)
(cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6)
---
.../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java
index 27f4782..1d98693 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java
@@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet {
String uid = "";
String gid = "";
CMS.debug("TokenAuthentication: checking session in the session table");
- if (table.sessionExists(sessionId)) {
+ if (table == null) {
+ CMS.debug("TokenAuthentication: session table is null");
+ outputError(httpResp, "Error: session table is null");
+ return;
+ } else if (table.sessionExists(sessionId)) {
CMS.debug("TokenAuthentication: found session");
if (checkIP) {
String hostname = table.getIP(sessionId);
--
1.8.3.1
From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 10 Oct 2017 00:21:57 +1100
Subject: [PATCH 3/5] TokenAuthentication: log error message on error
If a TokenAuthenticate response indicates failure (state != 0), log
the error string in addition to the status code.
Part of: https://pagure.io/dogtagpki/issue/2557
Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2
(cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26)
(cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143)
---
.../cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java
index ebda0b6..2aa32d4 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java
@@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager,
CMS.debug("TokenAuthentication: status=" + status);
if (!status.equals("0")) {
String error = parser.getValue("Error");
+ CMS.debug("TokenAuthentication: error: " + error);
throw new EBaseException(error);
}
--
1.8.3.1
From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 11 Oct 2017 15:41:15 +1100
Subject: [PATCH 4/5] Sleep after security domain login during configuration
Clone installation can fail due to security domain token
authentication failure that arises because:
1. The security domain session gets created on the replica's CA
instance.
2. The "updateNumberRange" is performed against the subsystem being
cloned, and results in a token authentication request to the CA
subsystem on the same host.
3. LDAP replication lag means that the master does not yet see
the security domain session that was created on the replica.
To avoid this problem, introduce a small delay after logging into
the security domain, to allow for replication to occur. The delay
is configurable and defaults to 5 seconds.
Fixes: https://pagure.io/dogtagpki/issue/2557
Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913
(cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3)
(cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b)
---
.../netscape/certsrv/system/ConfigurationRequest.java | 14 ++++++++++++++
.../org/dogtagpki/server/rest/SystemConfigService.java | 17 ++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 26f45f0..03dbfa6 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -244,6 +244,11 @@ public class ConfigurationRequest {
@XmlElement
protected String signingCertSerialNumber;
+ /** Seconds to sleep after logging into the Security Domain,
+ * so that replication of the session data may complete. */
+ @XmlElement
+ protected Long securityDomainPostLoginSleepSeconds;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -974,6 +979,14 @@ public class ConfigurationRequest {
this.signingCertSerialNumber = signingCertSerialNumber;
}
+ public Long getSecurityDomainPostLoginSleepSeconds() {
+ return securityDomainPostLoginSleepSeconds;
+ }
+
+ public void setSecurityDomainPostLoginSleepSeconds(Long d) {
+ securityDomainPostLoginSleepSeconds = d;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
@@ -983,6 +996,7 @@ public class ConfigurationRequest {
", securityDomainName=" + securityDomainName +
", securityDomainUser=" + securityDomainUser +
", securityDomainPassword=XXXX" +
+ ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds +
", isClone=" + isClone +
", cloneUri=" + cloneUri +
", subsystemName=" + subsystemName +
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index afbb24a..9ffb6e3 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
getInstallToken(data, host, port);
- return getDomainXML(host, port);
+ String domainXML = getDomainXML(host, port);
+
+ /* Sleep for a bit to allow security domain session to replicate
+ * to other clones. In the future we can use signed tokens
+ * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to
+ * be mindful of working with older versions, too.
+ *
+ * The default sleep time is 5s.
+ */
+ Long d = data.getSecurityDomainPostLoginSleepSeconds();
+ if (null == d || d <= 0)
+ d = new Long(5);
+ CMS.debug("Logged into security domain; sleeping for " + d + "s");
+ Thread.sleep(d * 1000);
+
+ return domainXML;
}
private String getDomainXML(String host, int port) {
--
1.8.3.1
From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 11 Oct 2017 18:12:04 +1100
Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration
configurable
Add the pki_security_domain_post_login_sleep_seconds pkispawn
config, so that the administrator may set a duration other than the
default.
Part of: https://pagure.io/dogtagpki/issue/2557
Change-Id: I74f16ea15621773e0742f709adc87df559cb530a
(cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b)
(cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910)
---
base/server/man/man8/pkispawn.8 | 7 +++++++
base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 002520a..1d4ae24 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP
pki_security_domain_hostname=<master_ca_hostname>
pki_security_domain_https_port=<master_ca_https_port>
pki_security_domain_user=caadmin
+pki_security_domain_post_login_sleep_seconds=\fI5\fP
[Tomcat]
pki_clone=True
@@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set. The PKCS#12 file is then found under
be generated at any time post-installation using \fBPKCS12Export\fP.
.PP
+The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep
+duration after logging into a security domain, to allow the security domain
+session data to be replicated to subsystems on other hosts. It is optional and
+defaults to 5 seconds.
+
+.PP
An example invocation showing the export of the system certificates and keys,
copying the keys to the replica subsystem, and setting the relevant SELinux and
file permissions is shown below. \fBpwfile\fP is a text file containing the
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index cf2a748..9bb0dfc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4045,6 +4045,13 @@ class ConfigClient:
if self.subordinate:
self.set_subca_security_domain(data)
+ try:
+ d = int(self.mdict['pki_security_domain_post_login_sleep_seconds'])
+ if d > 0:
+ data.securityDomainPostLoginSleepSeconds = d
+ except (KeyError, ValueError):
+ pass
+
# database
if self.subsystem != "RA":
self.set_database_parameters(data)
--
1.8.3.1