Please review the attached patch which addresses:

  * PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template succeeds but fails on import into browser
    <https://fedorahosted.org/pki/ticket/1669>

This was tested on Fedora 23 by doing the following:

  * installed and configured a CA
  * Successfully tested enrollment in a browser after importing the original Admin certificate
  * systemctl stop [email protected]
  * edited /etc/pki/pki-tomcat/ca/CS.cfg to set:
      o ca.Policy.enable=true
      o cmsgateway.enableAdminEnroll=true
  * systemctl start [email protected]
  * created a new Firefox profile
  * traversed to the EE page, went to the Retrieval tab, imported the CA cert, and trusted it
  * within this new profile, traversed to https://pki.example.com:8443/ca/admin/ca/adminEnroll.html, and filled out the form
  * with this patch installed, it should generate a new admin certificate and import it successfully into this new profile -- to check, attempt to use the imported admin certificate to traverse to the Agents page

From 25ef766acc6f7040c3f25396345eb796cac66fdb Mon Sep 17 00:00:00 2001 From: Matthew Harmsen <[email protected]> Date: Tue, 3 May 2016 11:45:36 -0600 Subject: [PATCH] Fixed adminEnroll servlet browser import issue - PKI TRAC Ticket #1669 - adminEnroll servlet EnrollSuccess.template succeeds but fails on import into browser --- base/ca/shared/conf/CS.cfg.in | 4 ++-- base/ca/shared/webapps/ca/WEB-INF/web.xml | 12 +++++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in index 3f25d0e..1a1f653 100644 --- a/base/ca/shared/conf/CS.cfg.in +++ b/base/ca/shared/conf/CS.cfg.in @@ -745,14 +745,14 @@ cmsgateway._002=## for a given instance, perform the following steps to cmsgateway._003=## re-enroll for a new Admin Certificate: cmsgateway._004=## cmsgateway._005=## (1) Become 'root' -cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_NAME] stop' +cmsgateway._006=## (2) Type: 'systemctl stop pki-tomcatd@[PKI_INSTANCE_NAME].service' cmsgateway._007=## (3) Edit '[PKI_CFG_PATH_NAME]' cmsgateway._008=## and set the following name-value pairs (if necessary): cmsgateway._009=## cmsgateway._010=## ca.Policy.enable=true cmsgateway._011=## cmsgateway.enableAdminEnroll=true cmsgateway._012=## -cmsgateway._013=## (4) Type: 'service [PKI_INSTANCE_NAME] start' +cmsgateway._013=## (4) Type: 'systemctl start pki-tomcatd@[PKI_INSTANCE_NAME].service' cmsgateway._014=## (5) Launch a browser and re-enroll for cmsgateway._015=## a new Admin Certificate by typing: cmsgateway._016=## diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index 628eea2..eae6ef9 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml 
@@ -70,10 +70,16 @@ <servlet-class> com.netscape.cms.servlet.cert.GetBySerial </servlet-class> <init-param><param-name> GetClientCert </param-name> <param-value> false </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /admin/ca/ImportCert.template </param-value> </init-param> + <init-param><param-name> importCertTemplate </param-name> + <param-value> /admin/ca/ImportAdminCert.template </param-value> </init-param> <init-param><param-name> AuthzMgr </param-name> <param-value> BasicAclAuthz </param-value> </init-param> <init-param><param-name> authority </param-name> <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> <init-param><param-name> ID </param-name> <param-value> caGetAdminCertBySerial </param-value> </init-param> <init-param><param-name> resourceID </param-name> @@ -451,7 +457,7 @@ <init-param><param-name> GetClientCert </param-name> <param-value> true </param-value> </init-param> <init-param><param-name> successTemplate </param-name> - <param-value> /ca/ImportCert.template </param-value> </init-param> + <param-value> /agent/ca/ImportCert.template </param-value> </init-param> <init-param><param-name> AuthzMgr </param-name> <param-value> BasicAclAuthz </param-value> </init-param> <init-param><param-name> authority </param-name> @@ -1868,7 +1874,7 @@ <servlet-mapping> <servlet-name> caGetAdminCertBySerial </servlet-name> - <url-pattern> /ca/getAdminCertBySerial </url-pattern> + <url-pattern> /getAdminCertBySerial </url-pattern> </servlet-mapping> <servlet-mapping> @@ -1988,7 +1994,7 @@ <servlet-mapping> <servlet-name> caGetBySerial-agent </servlet-name> - <url-pattern> /ca/getBySerial </url-pattern> + <url-pattern> /agent/ca/getBySerial </url-pattern> </servlet-mapping> <servlet-mapping> -- 2.5.5
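Review bot: In base/ca/shared/conf/CS.cfg.in (@@ -745,14 +745,14 @@), the cmsgateway._006 and cmsgateway._013 edits replace 'service [PKI_INSTANCE_NAME] stop/start' with the systemctl form, which is a documentation change unrelated to the browser import failure in the subject line, and the commit message does not mention it. Add a line to the commit message or split it out. Since these steps tell the administrator to set cmsgateway.enableAdminEnroll=true, also confirm that the steps after (5), which fall outside this hunk's context, say to turn it back off once the new certificate is imported.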
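Review bot: In web.xml at @@ -70,10 +70,16 @@, the new successTemplate (/admin/ca/ImportCert.template) and importCertTemplate (/admin/ca/ImportAdminCert.template) values point at files this patch does not add; the diffstat lists only CS.cfg.in and web.xml. Please confirm both templates already ship under /admin/ca/, otherwise the servlet will fail when it renders the result. This servlet keeps GetClientCert set to false while gaining interface=admin, so a short comment in web.xml or in the commit message explaining why the admin interface is served here without a client certificate would help the next reader.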
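Review bot: In web.xml at @@ -451,7 +457,7 @@, the successTemplate of a servlet with GetClientCert=true changes from /ca/ImportCert.template to /agent/ca/ImportCert.template, but neither the commit message nor the test steps in the cover mail cover anything except adminEnroll. State in the commit message why the agent-side template path had to change, and add a test step that retrieves a certificate by serial number through the agent interface to show the new path resolves.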
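Review bot: In web.xml at @@ -1868,7 +1874,7 @@, the url-pattern for caGetAdminCertBySerial becomes /getAdminCertBySerial at the webapp root, while the same servlet is now given interface=admin and templates under /admin/ca/, and the agent mapping later in this patch moves under /agent/ca/. If the root-level path is intentional, say so in the commit message; otherwise a path under /admin/ca/ would be consistent with the rest of the change. Either way, check that any security-constraint or filter keyed on URL prefix still covers the new path, since this servlet runs with GetClientCert=false.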
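Review bot: In web.xml at @@ -1988,7 +1994,7 @@, moving caGetBySerial-agent from /ca/getBySerial to /agent/ca/getBySerial means any template, link or client still using the old path will no longer reach this servlet. Please grep the templates and documentation for the old URL and update them in the same patch, and note in the commit message whether another servlet-mapping is expected to own /ca/getBySerial after this change.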
_______________________________________________ Pki-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-devel
