This issue is discovered while working on https://fedorahosted.org/pki/ticket/862 TPS rewrite: provide connector service for JAVA-based TPS subsystem .
It only occurs in situation when the subsystems share the same tomcat instance. It seems whenever a connection is made, the ssl client auth cert ("subsystem cert") used for the connection gets inherited by the next connection, even if it's made by another subsystem.
To illustrate: I have all 4 subsystems sharing one Tomcat instance. Now with my new connector code in TPS (#862), when I run a cli (for testing purpose) that would trigger a "renewal" op sent from TPS to CA, it works fine. The cert used for client-auth is TPS's subsystem cert. However, immediately after, if I try to issue a cert from CA agent page, which is a crmf request with key archival, itwould trigger a request sent directly form CA to KRA. The funny thing is, it would fail, and upon investigation, I found the ssl client cert used between ca and kra was the TPS's subsystem cert (trust me, all config are absolutely correct). And, if I started out issuing a crmf key archival that triggers CA to KRA first, then if I run cli to tps, it would trigger TPS to CA using the ca's subsystem cert.
I supposed we can make up the rule and say all of them have to share the same subsystem cert, but I think an investigation that provides an explanation would help us understand this shared model better.
my suggestion for handling this case would be to make it so that there are no individual subsystem certs created, but just sharing one single subsystem cert within the same tomcat instance.
I am seeing this exact same problem when connecting to the database using client auth in IPA. In this case, there are two users: uid=dbuser, o=ipadrm and uid=dbuser,o=ipaca - each of which uses the subsystem cert for their respective subsystem.
In this case, I can see that the server is only presenting one of the certs for authentication. Need to resolve this sooner rather than later as its holding me up.
Ok, so I think the correct way to move forward on this is to use the same subsystem certificate in each subsystem in a shared instance.
Before explaining how this will work, let me explain how we currently use subsystem certs. Subsystem certs are currently used in two ways:
The exact details of what happens during configuration is as follows:
The ticket describes the problems that occur when tomcat instances/databases are shared.
The basic outline of the proposed solution is as follows:
The details are in the cases below:
This is what we decided would be the default case. For sake of illustration, I will consider the installation of a CA and KRA, although this is extensible to the TPS interactions as well.
In this case, we expect the existing code to work just fine. Because the tomcat instance is not shared, there is no problem with SSL caching, and we do not share subsystem certs.
It is worth also discussing how this will work with the TPS. Things are a little different than the CA->KRA setup because the CA initiates contact with the KRA.
In the TPS case, because the TPS initiates connections with the CA, KRA and TKS, the TPS configuration code must call a servlet (registerUser) on each of those subsystems to create a user.
The TPS communicates with the CA, KRA and TKS in essentially the same way. I will describe the setup of the TPS->CA connection.
Just an update on the above.
Found that a new query parameters is not needed in the registerUser() call because we already check for the existence of a user with the provided cert. I probably added this code awhile back.
Pushed changes to master:
commit b834efbaa8c929c10cf00252b71ebc29e2f10456
Metadata Update from @cfu: - Issue assigned to vakwetu - Issue set to the milestone: 10.2 - 03/14 (March)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1460
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.