Test report for Trustmanager patch #2624
Setup
This was tested on a 32-bit SLC4. The original versions of the packages were glite-security-trustmanager-1.8.16-3 and glite-security-util-java-1.4.0-1. The new patch versions are glite-security-util-java-2.0.3- and glite-security-trustmanager-2.0.6-1.
The environment was set up on vtb-generic-46 according to the instructions in
TrustmanagerTestplan. The only difference was that the glite-security-trustmanager.war was missing a directory in this version, so this directory was copied from another build (non-essential, but required for testing).
Also added the following to server.xml (was in the patch release notes):
trustStoreDir="@TRUSTDIR@"
crlUpdateInterval="2h"
and removed the following
sslCAFiles="@CAFILES@"
crlFiles="@CRLFILES@"
Finally added this so that the thorough tests can be run:
internalOverrideExpirationCheck="true"
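A check for the configuration change described above, as an added example that is not part of the original report or the trustmanager project: it reports old-style attributes still present, new-style attributes missing, and whether the expiration-check override added for the thorough tests is switched on. It assumes the attributes sit on a Tomcat `Connector` element; the sample server.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names are taken from the report; everything else is constructed.
LEGACY = ("sslCAFiles", "crlFiles")
NEW = ("trustStoreDir", "crlUpdateInterval")
OVERRIDE = "internalOverrideExpirationCheck"

# Constructed sample: a Connector that was only half migrated.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080"/>
    <Connector port="8443" scheme="https"
               sslCAFiles="@CAFILES@"
               trustStoreDir="@TRUSTDIR@"
               internalOverrideExpirationCheck="true"/>
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return one finding per Connector that carries trustmanager settings."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib
        if not any(k in attrs for k in LEGACY + NEW + (OVERRIDE,)):
            continue  # plain connector without trustmanager attributes
        findings.append({
            "port": attrs.get("port"),
            "legacy_left": [k for k in LEGACY if k in attrs],
            "new_missing": [k for k in NEW if k not in attrs],
            "expiry_check_overridden":
                attrs.get(OVERRIDE, "false").lower() == "true",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```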
Bugs
The following bugs were attached to the patch
bug #10925
This bug was already fixed in the current version
tomcat [http-8443-Processor25]: 2009-06-29T13:06:16.126+0200 INFO trustmanager.CRLFileTrustManager - Client certificate validation failed for CN=bad future client, OU=Relaxation, O=Utopia, L=Tropic, C=UG reason: the Certificate for C=UG,L=Tropic,O=Utopia,OU=Relaxation,CN=bad future client will only be valid after Tue Jun 29 02:00:00 CEST 2010
bug #18372
This bug was confirmed, and it was fixed in the patch version.
Original version test with CA files ending in ".1" and ".r1"
openssl s_client -cert bad-certs/bad_client00.cert -key bad-certs/bad_client00_nopass.priv -CApath /etc/grid-security/certificates/ -connect localhost:8443
CONNECTED(00000003)
depth=1 /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the trusted CA
verify return:1
depth=0 /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=vtb-generic-46.cern.ch
verify return:1
27625:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
27625:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
In the patch version:
openssl s_client -cert bad-certs/bad_client00.cert -key bad-certs/bad_client00_nopass.priv -CApath /etc/grid-security/certificates/ -connect localhost:8443
...
Verify return code: 0 (ok)
...
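The file naming that the bug #18372 test exercises, as an added example that is not trustmanager code: OpenSSL-style trust directories name CA certificates `<hash>.<n>` and CRLs `<hash>.r<n>`, with `n` counting up when subject hashes collide. The script lists the files that a hypothetical loader accepting only `.0` and `.r0` would skip, and the hashes that have a CA file but no CRL; the directory contents and hash values are constructed.

```python
import os
import re
import tempfile

# 8 hex digits, then ".<n>" for a CA certificate or ".r<n>" for a CRL.
NAME_RE = re.compile(r"^([0-9a-f]{8})\.(r?)(\d+)$")

def scan_trust_dir(path):
    """Group hashed files by subject hash: {hash: {'ca': [...], 'crl': [...]}}."""
    groups = {}
    for name in sorted(os.listdir(path)):
        m = NAME_RE.match(name)
        if not m:
            continue  # other files in the directory, e.g. *.signing_policy
        kind = "crl" if m.group(2) else "ca"
        groups.setdefault(m.group(1), {"ca": [], "crl": []})[kind].append(name)
    return groups

def nonzero_suffix_files(groups):
    """Files a hypothetical loader accepting only '.0'/'.r0' would never read."""
    return sorted(f for g in groups.values() for f in g["ca"] + g["crl"]
                  if not f.endswith((".0", ".r0")))

def hashes_without_crl(groups):
    """Subject hashes that have a CA certificate but no CRL file at all."""
    return sorted(h for h, g in groups.items() if g["ca"] and not g["crl"])

def build_sample_dir():
    """Constructed directory: hash values are made up and the files are empty."""
    d = tempfile.mkdtemp(prefix="trustdir-")
    for name in ("1a2b3c4d.0", "1a2b3c4d.r0", "5e6f7a8b.1", "5e6f7a8b.r1",
                 "9c0d1e2f.0", "5e6f7a8b.signing_policy"):
        open(os.path.join(d, name), "w").close()
    return d

if __name__ == "__main__":
    groups = scan_trust_dir(build_sample_dir())
    print("skipped by a .0-only loader:", nonzero_suffix_files(groups))
    print("hashes without a CRL:", hashes_without_crl(groups))
```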
bug #43663
This bug could not be verified in either version; assumed fixed.
bug #46473
This bug could not be verified in either version; assumed fixed.
bug #35142
This bug is not applicable for this patch. SLC4 does not use Tomcat6.
bug #35139
This bug and fix were verified in the source code according to the information in the patch.
bug #20602
Bug not verified; this functionality does not exist in the original version. Fix certified.
bug #52292
Bug not verified; this functionality does not exist in the original version. Fix certified.
bug #17046
Bug not verified; this functionality does not exist in the original version. Fix certified by removing a CA and trying a certificate again in two hours.
Certification test
All certification tests passed. Output of commands attached.
Node type tests
glite-UI, glite-WN, glite-VOBOX, lcg-CE
The only dependency is glite-rgma-stubs-servlet-java. These libraries were not tested: by default glite-UI does not come with packages requiring them, so there are no commands to test.
glite-HYDRA_mysql
Installed hydra server and client on the same machine and ran a key registration test. Updated to the patch version of trustmanager. Added configuration as mentioned in the configuration changes. Restarted tomcat and used the ctb certificates to register a key into hydra. Test passed.
[vtb-generic-87] /etc/yum.repos.d/glite > glite-eds-key-register testkey-1
A key has been generated and registered for ID 'testkey-1'
glite-MON
Installed MON server with the old trustmanager. Configured and tested with openssl s_client to connect to tomcat. Tested with a valid certificate and an invalid proxy. Checked that the trustmanager logs were correct. Updated trustmanager to the patch version, restarted tomcat and repeated this with the old configuration style option. Updated to the new configuration style, restarted tomcat and reran the test. All tests were successful. Finally connected to the server with the RGMA client and verified that the service works.
glite-VOMS_mysql
Installed VOMS server and configured a VO for it. Tested accessing the server with the browser and checked that it displayed the correct credentials. Updated trustmanager, restarted tomcat and tested with the old configuration. Updated the configuration to the new style, restarted tomcat, and ran the test again. All tests passed.
cream-CE
Installed and configured cream server with a nonexistent pbs backend (not important for the tomcat part). Tried to submit jobs with both an invalid proxy and a valid proxy. In the former case the connection was not accepted. In the latter case job submission failed due to missing batch system integration. CREAM and trustmanager logs report correct user certificates being used for the submission. Installed the new trustmanager, restarted tomcat and reran the tests. Updated the configuration, restarted tomcat and reran the tests. All tests worked in the same way.
Regression tests
All regression test candidates (bugs #18372, #20602, #52292) are already tested in the certification test.
--
KalleHapponen - 29 Jun 2009