[RHEL-32172] Allow configuration of ca.crl.MasterCRL.nextUpdateGracePeriod

Type: Story
Resolution: Won't Do
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: ipa
Labels:
None

Severity:
Medium

Pool Team:

rhel-sst-idm-ipa
Sub-System Group:

ssg_idm

Story Points:
None
Target Version:

rhel-9.5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Goal

To be able to change the ca.crl.MasterCRL.nextUpdateGracePeriod setting with IPA tools

- For example: We have a freeradius server that for various reason we must use CRLs with instead of OCSP. Currently the CRL is generated on the CA at the exact time of expiration. This forces a time window where the CRL is expired on the freeradius server until the new CRL can be fetch. Adding a grace period resolves this.

Acceptance Criteria

A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

curl -s --location http://ipa-mry01.mry.nwra.com/ipa/c
rl/MasterCRL.bin | openssl crl -inform der -text | grep Next

Verify that the time is incremented by the grace period.

Francisco Trivino Garcia added a comment - 2024/05/08 9:25 AM

based on comment: https://issues.redhat.com/browse/RHEL-32172?focusedId=24534986&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24534986

Francisco Trivino Garcia added a comment - 2024/05/08 9:25 AM based on comment: https://issues.redhat.com/browse/RHEL-32172?focusedId=24534986&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24534986

Rob Crittenden added a comment - 2024/04/15 12:48 PM

This would be relatively straightforward to implement in ipa-crlgen-manage by doing a direct CS.cfg update wrapped with a PKI start/stop. The problem is that if the server this is configured on is removed or demoted from being the CRL generator this value would be lost and there would be no way to identify that it has or will be lost.

To retain the information the schema would need to be extended with a new attribute stored somewhere along with code to manage the reads/writes. This represents a fair bit additional work for a feature of limited value.

I'm inclined to close this as WONTFIX. We can alternatively convert this to a documentation bug so this CS.cfg value is more discoverable.

Rob Crittenden added a comment - 2024/04/15 12:48 PM This would be relatively straightforward to implement in ipa-crlgen-manage by doing a direct CS.cfg update wrapped with a PKI start/stop. The problem is that if the server this is configured on is removed or demoted from being the CRL generator this value would be lost and there would be no way to identify that it has or will be lost. To retain the information the schema would need to be extended with a new attribute stored somewhere along with code to manage the reads/writes. This represents a fair bit additional work for a feature of limited value. I'm inclined to close this as WONTFIX. We can alternatively convert this to a documentation bug so this CS.cfg value is more discoverable.

Assignee:: Florence Renaud

Reporter:: Orion Poplawski

Developer:: Florence Renaud

QA Contact:: IPA QE Bot

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/04/08 9:53 PM

Updated:: 2024/09/06 12:36 PM

Resolved:: 2024/05/08 9:25 AM

Details

Description

Goal

Acceptance Criteria

Attachments

Easy Agile Planning Poker

Activity

Collapse comment: Francisco Trivino Garcia added a comment - 2024/05/08 9:25 AM

Expand comment: Francisco Trivino Garcia added a comment - 2024/05/08 9:25 AM

Collapse comment: Rob Crittenden added a comment - 2024/04/15 12:48 PM

Expand comment: Rob Crittenden added a comment - 2024/04/15 12:48 PM

People

Dates