From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 9 Oct 2017 16:26:21 +1100 Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception renderFinalError is a "last resort" error handler that writes an error message back to the client. If the exception was not already logged, the call stack will be discarded after renderFinalError is finished with the exception. Log the exception so that the call stack information is not lost. Part of: https://pagure.io/dogtagpki/issue/2557 Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f (cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492) (cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7) --- base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java index 65dc06a..fe18ee1 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java @@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet { public void renderFinalError(CMSRequest cmsReq, Exception ex) throws IOException { + CMS.debug("Caught exception in renderFinalError:"); + CMS.debug(ex); // this template is the last resort for all other unexpected // errors in other templates so we can only output text. HttpServletResponse httpResp = cmsReq.getHttpResp(); -- 1.8.3.1 From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 9 Oct 2017 16:45:51 +1100 Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table If the security domain session table is null for some reason, detect this condition, log it, and return cleanly instead of throwing a NullPointerException. Part of: https://pagure.io/dogtagpki/issue/2557 Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb (cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d) (cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6) --- .../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java index 27f4782..1d98693 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java @@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet { String uid = ""; String gid = ""; CMS.debug("TokenAuthentication: checking session in the session table"); - if (table.sessionExists(sessionId)) { + if (table == null) { + CMS.debug("TokenAuthentication: session table is null"); + outputError(httpResp, "Error: session table is null"); + return; + } else if (table.sessionExists(sessionId)) { CMS.debug("TokenAuthentication: found session"); if (checkIP) { String hostname = table.getIP(sessionId); -- 1.8.3.1 From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 10 Oct 2017 00:21:57 +1100 Subject: [PATCH 3/5] TokenAuthentication: log error message on error If a TokenAuthenticate response indicates failure (state != 0), log the error string in addition to the status code. Part of: https://pagure.io/dogtagpki/issue/2557 Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2 (cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26) (cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143) --- .../cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 1 + 1 file changed, 1 insertion(+) diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java index ebda0b6..2aa32d4 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java @@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager, CMS.debug("TokenAuthentication: status=" + status); if (!status.equals("0")) { String error = parser.getValue("Error"); + CMS.debug("TokenAuthentication: error: " + error); throw new EBaseException(error); } -- 1.8.3.1 From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 11 Oct 2017 15:41:15 +1100 Subject: [PATCH 4/5] Sleep after security domain login during configuration Clone installation can fail due to security domain token authentication failure that arises because: 1. The security domain session gets created on the replica's CA instance. 2. The "updateNumberRange" is performed against the subsystem being cloned, and results in a token authentication request to the CA subsystem on the same host. 3. LDAP replication lag means that the master does not yet see the security domain session that was created on the replica. To avoid this problem, introduce a small delay after logging into the security domain, to allow for replication to occur. The delay is configurable and defaults to 5 seconds. Fixes: https://pagure.io/dogtagpki/issue/2557 Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913 (cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3) (cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b) --- .../netscape/certsrv/system/ConfigurationRequest.java | 14 ++++++++++++++ .../org/dogtagpki/server/rest/SystemConfigService.java | 17 ++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 26f45f0..03dbfa6 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -244,6 +244,11 @@ public class ConfigurationRequest { @XmlElement protected String signingCertSerialNumber; + /** Seconds to sleep after logging into the Security Domain, + * so that replication of the session data may complete. */ + @XmlElement + protected Long securityDomainPostLoginSleepSeconds; + public ConfigurationRequest() { // required for JAXB } @@ -974,6 +979,14 @@ public class ConfigurationRequest { this.signingCertSerialNumber = signingCertSerialNumber; } + public Long getSecurityDomainPostLoginSleepSeconds() { + return securityDomainPostLoginSleepSeconds; + } + + public void setSecurityDomainPostLoginSleepSeconds(Long d) { + securityDomainPostLoginSleepSeconds = d; + } + @Override public String toString() { return "ConfigurationRequest [pin=XXXX" + @@ -983,6 +996,7 @@ public class ConfigurationRequest { ", securityDomainName=" + securityDomainName + ", securityDomainUser=" + securityDomainUser + ", securityDomainPassword=XXXX" + + ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds + ", isClone=" + isClone + ", cloneUri=" + cloneUri + ", subsystemName=" + subsystemName + diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index afbb24a..9ffb6e3 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou getInstallToken(data, host, port); - return getDomainXML(host, port); + String domainXML = getDomainXML(host, port); + + /* Sleep for a bit to allow security domain session to replicate + * to other clones. In the future we can use signed tokens + * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to + * be mindful of working with older versions, too. + * + * The default sleep time is 5s. + */ + Long d = data.getSecurityDomainPostLoginSleepSeconds(); + if (null == d || d <= 0) + d = new Long(5); + CMS.debug("Logged into security domain; sleeping for " + d + "s"); + Thread.sleep(d * 1000); + + return domainXML; } private String getDomainXML(String host, int port) { -- 1.8.3.1 From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 11 Oct 2017 18:12:04 +1100 Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration configurable Add the pki_security_domain_post_login_sleep_seconds pkispawn config, so that the administrator may set a duration other than the default. Part of: https://pagure.io/dogtagpki/issue/2557 Change-Id: I74f16ea15621773e0742f709adc87df559cb530a (cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b) (cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910) --- base/server/man/man8/pkispawn.8 | 7 +++++++ base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 index 002520a..1d4ae24 100644 --- a/base/server/man/man8/pkispawn.8 +++ b/base/server/man/man8/pkispawn.8 @@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP pki_security_domain_hostname= pki_security_domain_https_port= pki_security_domain_user=caadmin +pki_security_domain_post_login_sleep_seconds=\fI5\fP [Tomcat] pki_clone=True @@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set. The PKCS#12 file is then found under be generated at any time post-installation using \fBPKCS12Export\fP. .PP +The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep +duration after logging into a security domain, to allow the security domain +session data to be replicated to subsystems on other hosts. It is optional and +defaults to 5 seconds. + +.PP An example invocation showing the export of the system certificates and keys, copying the keys to the replica subsystem, and setting the relevant SELinux and file permissions is shown below. \fBpwfile\fP is a text file containing the diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index cf2a748..9bb0dfc 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -4045,6 +4045,13 @@ class ConfigClient: if self.subordinate: self.set_subca_security_domain(data) + try: + d = int(self.mdict['pki_security_domain_post_login_sleep_seconds']) + if d > 0: + data.securityDomainPostLoginSleepSeconds = d + except (KeyError, ValueError): + pass + # database if self.subsystem != "RA": self.set_database_parameters(data) -- 1.8.3.1