It was recently re-discovered that we need to add the 'pkiuser' to the 'nfast' group.
The following code was a part of 'pkicreate':
# At this point in time, ALWAYS attempt to add $pki_user as a # valid member of $default_nfast_group (presuming one exists) if (group_exists($default_nfast_group)) { # Ignore failures as this should be considered a 'benign' error if (add_user_as_a_member_of_group($pki_user, $default_nfast_group)) { emit("User '$pki_user' is a member of group " . "'$default_nfast_group'.\n"); } }
It needs to be added to 'pkispawn'.
Additionally, it was necessary to restart 'nCipher' so that it was aware of this information; although 'pkicreate'/Configuration Wizard did not attempt to restart the 'nCipher' instance, I will propose a patch which adds this user and restarts the 'nCipher' process.
Work-around BEFORE installing an instance that requires the 'nCipher' HSM:
(1) Add 'pkiuser' to 'nfast' group: # usermod -a -G nfast pkiuser (2) Restart 'nCipher': # /opt/nfast/sbin/init.d-ncipher restart (3) Verify 'nCipher' has been restarted: # /opt/nfast/bin/enquiry
Checked into 'master':
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1232020 (Red Hat Certificate System)
Metadata Update from @mharmsen: - Issue assigned to mharmsen - Issue set to the milestone: 10.2.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1976
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.