EJBCA / ECA-9285

Warn about incorrect peer role configuration that breaks RA nodes

    Details

    • Issue discovered during:
      Customer

      Description

      An incorrect peer role configuration on the VA can make the CA stop processing requests from the RAs.

      To reproduce
      On a system with a CA, RA and VA connected with peers:
      1. On the VA, add /ra_master/invoke_api and /ra_slave/manage to the peer connector role
      2. Make sure there is no active CA on the VA.
      3. Clear/reset the peer connection on the CA and VA, and then ping from the CA, to make sure the changes take effect.
      4. Try to enroll a certificate from the RA web on the RA.

      Expected result
      Certificate is issued and sent to browser.

      Actual result
      "Check server log" error on RA, and a stack trace on the CA:
      (or one of several other errors, see comment below)

      08:59:00,234 DEBUG [org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff] (EJB default - 19) Request to invoke method 'createCertificate' on master over peers.
      08:59:00,235 DEBUG [org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff] (EJB default - 19) Request to invoke method 'createCertificate' on master over peers resulted in 9654 bytes.
      08:59:00,278 DEBUG [org.ejbca.peerconnector.ra.PeerRaSerialization] (EJB default - 19) Exception has been purged of everything except its error code. Original exception:: org.ejbca.core.EjbcaException
              at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_141-BLFS]
              at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_141-BLFS]
              at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_141-BLFS]
              at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [rt.jar:1.8.0_141-BLFS]
              at org.ejbca.peerconnector.ra.PeerRaSerialization.deserialize(PeerRaSerialization.java:158) [peerconnector-ra.jar:]
              at org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff.invokeMasterFunctionOverPeers(PeerRaMasterMessageHandoff.java:285) [peerconnector-ra.jar:]
              at org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff.invokeRaMasterApiMethod(PeerRaMasterMessageHandoff.java:230) [peerconnector-ra.jar:]
              at org.ejbca.peerconnector.ra.RaMasterApiPeerImpl.createCertificate(RaMasterApiPeerImpl.java:649) [peerconnector-ra.jar:]
              at org.ejbca.core.model.era.RaMasterApiProxyBean.createCertificate(RaMasterApiProxyBean.java:1283) [ejbca-ejb.jar:]
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_141-BLFS]
      [...]
              at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
              at org.ejbca.core.model.era.RaMasterApiProxyBeanLocal$$$view162.createCertificate(Unknown Source)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_141-BLFS]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_141-BLFS]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_141-BLFS]
              at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_141-BLFS]
              at org.ejbca.peerconnector.ra.RaMasterApiReflectionInvoker.invoke(RaMasterApiReflectionInvoker.java:92) [peerconnector-ra.jar:]
              at org.ejbca.peerconnector.ra.PeerRaConnection.processNextMessageFromSlave(PeerRaConnection.java:61) [peerconnector-ra.jar:]
              at org.ejbca.peerconnector.ra.PeerRaMasterServiceThreadBean.keepServingRaPeer(PeerRaMasterServiceThreadBean.java:82) [peerconnector-ejb.jar:]
              at sun.reflect.GeneratedMethodAccessor419.invoke(Unknown Source) [:1.8.0_141-BLFS]
      [...]
              at org.jboss.threads.JBossThread.run(JBossThread.java:485)
      

      Problem Analysis
      This seems to happen because EJBCA checks the access rules it has on the remote system, and if it has /ra_master/invoke_api, EJBCA will assume that it is an RA and that the remote system is a CA.

      In this case, the remote system is actually a VA, but with misconfigured access rules.
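
An added example (not EJBCA code and not part of the original issue): the failure can be recognised in a CA's server log because a single stack trace contains both the frame that serves an RA peer and the frame that forwards the call to another peer. The sketch assumes DEBUG logging in the format shown in this issue; the function names and the sample log are constructed for illustration.

```python
import re

# Frame names copied from the stack trace in this issue.
SERVING = "PeerRaConnection.processNextMessageFromSlave"  # node is serving an RA peer
FORWARDING = "PeerRaMasterMessageHandoff.invokeMasterFunctionOverPeers"  # node passes the call on
ENTRY = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3}) \w+\s+\[[^\]]+\] \(([^)]*)\) (.*)$")
METHOD = re.compile(r"Request to invoke method '(\w+)' on master over peers\.$")

# Constructed sample: two entries shortened from the issue, plus a third entry
# (thread 7) whose trace only forwards and must not be flagged.
SAMPLE = """\
08:59:00,234 DEBUG [org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff] (EJB default - 19) Request to invoke method 'createCertificate' on master over peers.
08:59:00,278 DEBUG [org.ejbca.peerconnector.ra.PeerRaSerialization] (EJB default - 19) Exception has been purged of everything except its error code. Original exception:: org.ejbca.core.EjbcaException
        at org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff.invokeMasterFunctionOverPeers(PeerRaMasterMessageHandoff.java:285) [peerconnector-ra.jar:]
        at org.ejbca.peerconnector.ra.PeerRaConnection.processNextMessageFromSlave(PeerRaConnection.java:61) [peerconnector-ra.jar:]
09:14:31,002 DEBUG [org.ejbca.peerconnector.ra.PeerRaSerialization] (EJB default - 7) Exception has been purged of everything except its error code. Original exception:: org.ejbca.core.EjbcaException
        at org.ejbca.peerconnector.ra.PeerRaMasterMessageHandoff.invokeMasterFunctionOverPeers(PeerRaMasterMessageHandoff.java:285) [peerconnector-ra.jar:]
"""

def split_entries(text):
    """Group lines into log entries; 'at ...' lines attach to the entry above them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m.group(1), "thread": m.group(2), "msg": m.group(3), "frames": []})
        elif entries and line.strip().startswith("at "):
            entries[-1]["frames"].append(line.strip())
    return entries

def find_misrouted_calls(text):
    """Return (time, thread, method) for each trace that both serves an RA peer and forwards the call."""
    last_method = {}  # thread name -> last method it forwarded "on master over peers"
    hits = []
    for e in split_entries(text):
        m = METHOD.search(e["msg"])
        if m:
            last_method[e["thread"]] = m.group(1)
        trace = "\n".join(e["frames"])
        if SERVING in trace and FORWARDING in trace:
            hits.append((e["time"], e["thread"], last_method.get(e["thread"], "unknown")))
    return hits

if __name__ == "__main__":
    for hit in find_misrouted_calls(SAMPLE):
        print("RA request forwarded to another peer:", hit)
```

A hit on a node that is meant to be the CA is the cue to review which peer connector roles on other systems grant it /ra_master/invoke_api.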

      Suggested solution
      I suggest that we add these safety checks before considering a remote system to be a CA:

      • Check that there is a matching role (there will always be a matching "CA role" on the RA)
      • Check the matching role has /ra_slave/manage

      If not, do not consider the remote system a CA, and do not forward requests to it.

      The configuration above does not appear to work in current EJBCA versions. We should double check, to make sure we do not break any existing installations.

      The above did not work; instead, I added warning icons on the Peer Systems page and a warning in the server log on the CA.

              People

              Assignee:
              samuel Samuel Lidén Borell
              Reporter:
              samuel Samuel Lidén Borell
              Verified by:
              Ulf Undmark

                  Time Tracking

                  Estimated: 1w
                  Remaining: 3d 1h 15m
                  Logged: 1d 6h 45m