Missing registry entries for EST on upgraded server #5149

@PsOverflow

I've upgraded to the latest PKI version 11.7 from PKI 11.2. At the time of EST deployment on the upgraded PKI version, adding the estServiceCert profile to the CA was not working and failed with the error: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null

Builds:

# uname -r
6.15.3-200.fc42.x86_64

# rpm -qa | grep -e pki -e jss -e jackson -e resteasy | sort
dogtag-jss-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-jss-tomcat-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-acme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-base-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ca-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-est-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-java-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-javadoc-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-kra-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ocsp-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-server-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tests-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-theme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tks-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tools-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-tps-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
python3-dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch

Reproducible: Always

Steps to Reproduce:

1. Install PKI 11.2 and create a CA instance, then upgrade to the latest PKI version, i.e. PKI 11.7.
2. Deploy EST on the upgraded PKI 11.7 version; refer to: https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/installation_and_configuration#installing-est-pki-server
3. Add the EST profile using the following command:
$ pki -p 8443 -u caadmin -w password ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg

Actual Results:

[root@pki1 fedora]# pki -p 8443 -u caadmin -w password ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg 
BadRequestException: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null

CA debug log:

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: Creating profile from raw data
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - profileId: estServiceCert
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - classId: caEnrollImpl
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - name: EST Service Certificate Enrollment
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - description: EST service certificate profile
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] SEVERE: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
java.lang.NullPointerException: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
    at com.netscape.cms.profile.common.Profile.init(Profile.java:269)
    at org.dogtagpki.server.ca.rest.v1.ProfileService.createProfileRaw(ProfileService.java:646)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
...
...
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:1583)

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: Returning BadRequestException
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: XML exception:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PKIException>
  <ClassName>com.netscape.certsrv.base.BadRequestException</ClassName>
  <Attributes/>
  <Code>400</Code>
  <Message>Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null</Message>
</PKIException>

Expected Results:

EST profile add should work as expected.

Additional Information:

Missing parameters in the upgraded PKI's registry.cfg file:

constraintPolicy.raClientAuthSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.RAClientAuthSubjectNameContraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.desc=RA Client Subject Name Constraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.name=RA Client Subject Name Constraint

raClientAuthInfoInputImpl from profileInput.ids=
raClientAuthSubjectNameConstraintImpl from constraintPolicy.ids=

profileInput.raClientAuthInfoInputImpl.class=com.netscape.cms.profile.input.RAClientAuthInfoInput
profileInput.raClientAuthInfoInputImpl.desc=RA Client Authentication Information Input
profileInput.raClientAuthInfoInputImpl.name=RA Client Authentication Information Input

As a workaround: when I replaced registry.cfg with the latest one, or added the above parameters to the upgraded PKI's registry.cfg file, the EST profile add worked.
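
A check for the gap reported above, as an added example that is not part of the original issue or of the Dogtag PKI code base: it parses a registry.cfg and reports which of the EST plugin entries listed in the issue are absent. It assumes the `profileInput.ids` and `constraintPolicy.ids` values are comma-separated lists; the function names and the sample file content are constructed for illustration.

```python
import sys

# Plugin ids named in the issue, keyed by their registry.cfg section.
REQUIRED = {
    "profileInput": "raClientAuthInfoInputImpl",
    "constraintPolicy": "raClientAuthSubjectNameConstraintImpl",
}


def parse_cfg(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def missing_est_entries(text):
    """Return a sorted list of problems; an empty list means nothing is missing."""
    props = parse_cfg(text)
    problems = []
    for section, plugin_id in REQUIRED.items():
        # Assumption: <section>.ids holds a comma-separated list of plugin ids.
        ids = [i.strip() for i in props.get(f"{section}.ids", "").split(",")]
        if plugin_id not in ids:
            problems.append(f"{section}.ids lacks {plugin_id}")
        # Each registered plugin needs its class, desc and name keys.
        for attr in ("class", "desc", "name"):
            key = f"{section}.{plugin_id}.{attr}"
            if not props.get(key):
                problems.append(f"missing {key}")
    return sorted(problems)


# Constructed sample standing in for an upgraded instance's registry.cfg.
UPGRADED = """\
# sample content, not taken from a real server
profileInput.ids=certReqInputImpl,submitterInfoInputImpl
constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            UPGRADED = f.read()
    for problem in missing_est_entries(UPGRADED):
        print(problem)
```

Run it with the path to the instance's registry.cfg as the only argument; with no argument it checks the constructed sample.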
