This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code
on RHEL 5.9 using Directory Server storage located on RHEL 6.3:
* ACK with CAVEATS
Presuming that the CAVEATS are addressed, the patches for
PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.
*CAVEAT 1:*
In TokenAuthentication.java, change line 166 from:
c = sendAuthRequest(authHost, authAdminPort, authURL, content);
to:
c = sendAuthRequest(authHost, authEEPort, authURL, content);
*CAVEAT 2:*
This was more of an observation that may be due to *CAVEAT 1* above,
but in *TEST SCENARIO 2* below, please note the *comments in RED
text*.
*TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone*
* On a 64-bit x86_64 RHEL 6.3 machine:
o cd /usr/sbin
o ./setup-ds-admin (ds-master - 389)
o ./setup-ds (ds-clone - 8389)
o Stopped both servers
o Turned syntax checking off in both DS servers --
nsslapd-syntaxcheck: off
o Restarted both servers
* On the 64-bit x86_64 RHEL 5.9 machine:
o svn co
svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
pki
o svn co
https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki...
o Successfully built and installed a Master CA 'pki-ca' using the
pre-patched source code
o Using a fresh profile in a browser, successfully configured
'pki-ca' using ports in the default CA range and the 'ds-master'
DS server
o Successfully created, submitted, and approved a certificate:
+ 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
o Successfully built and installed a KRA 'pki-kra' using the
pre-patched source code
o Successfully configured 'pki-kra' using ports in the default
KRA range and the 'ds-master' DS server
o Successfully created, submitted, and approved a certificate in
which the keys were backed up to the DRM:
+ 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
o svn co
svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
pki
o svn co
https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki...
o Saved 'cloning.8.errata.patch' from email attachment
o cd pki
o patch -p0 < ../cloning.8.errata.patch
patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
patching file base/ca/shared/conf/acl.ldif
patching file
base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
patching file base/setup/pkiremove
patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
o Applied the change documented in *CAVEAT 1* above
o Successfully built and updated all CA and KRA packages
o Restarted both CA and KRAinstances
o Successfully tested that CA still worked:
+ 'Test PATCHEDEE Master PATCHEDAgent Master'
o Successfully tested that KRA still worked:
+ 'DRM Test PATCHED EE Master PATCHED Agent Master'
o Successfully installed a CA Clone called 'pki-ca-clone' via
'pkicreate' using ports in the default + 10000 range using the
patched source code
o Installed the PK12 file that contained all of the certs and keys
backed up via configuration of 'pki-ca' into
/var/lib/pki-ca-clone/alias and set all ownership permissions to
be 'pkiuser':
# ls -lZ /var/lib/pki-ca-clone/alias/*
-rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t
pki_ca_master_backup.p12
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
cert8.db
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
key3.db
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
secmod.db
o Successfully configured 'pki-ca-clone' using ports in the
default CA + 10000 range and the 'ds-clone' DS server
o Successfully tested that CA Master and CA Clone worked together:
+ 'Test EE Master Agent Master'
+ 'Test EE Master Agent Clone'
+ 'Test EE Clone Agent Master'
+ 'Test EE Clone Agent Clone'
o Successfully tested that CA Master, CA Clone, and KRA worked
together:
+ 'DRM Test EE Master Agent Master'
+ 'DRM Test EE Master Agent Clone'
+ 'DRM Test EE Clone Agent Master'
+ 'DRM Test EE Clone Agent Clone'
*TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone*
* On a 64-bit x86_64 RHEL 6.3 machine:
o cd /usr/sbin
o ./setup-ds-admin (ds-master - 389)
o ./setup-ds (ds-clone - 8389)
o Stopped both servers
o Turned syntax checking off in both DS servers --
nsslapd-syntaxcheck: off
o Restarted both servers
* On the 64-bit x86_64 RHEL 5.9 machine:
o svn co
svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
pki
o svn co
https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki...
o Successfully built and installed a Master CA 'pki-ca' using the
pre-patched source code
o Using a fresh profile in a browser, successfully configured
'pki-ca' using ports in the default CA range and the 'ds-master'
DS server
o Successfully created, submitted, and approved a certificate:
+ 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
o Successfully built and installed a KRA 'pki-kra' using the
pre-patched source code
o Successfully configured 'pki-kra' using ports in the default
KRA range and the 'ds-master' DS server
o Successfully created, submitted, and approved a certificate in
which the keys were backed up to the DRM:
+ 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
o svn co
svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
pki
o svn co
https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki...
o Saved 'cloning.8.errata.patch' from email attachment
o cd pki
o patch -p0 < ../cloning.8.errata.patch
patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
patching file base/ca/shared/conf/acl.ldif
patching file
base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
patching file
base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
patching file base/setup/pkiremove
patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
o Applied the change documented in *CAVEAT 1* above
o Successfully built and installed a Master CA 'pki-ca'
o Using a fresh profile in a browser, successfully configured
'pki-ca' using ports in the default CA range and the 'ds-master'
DS server
o Successfully created, submitted, and approved a certificate:
+ 'Test'
o Successfully built and installed a KRA 'pki-kra'
o Successfully configured 'pki-kra' using ports in the default
KRA range and the 'ds-master' DS server
o Successfully created, submitted, and approved a certificate in
which the keys were backed up to the DRM:
+ 'DRM Test'
o Successfully installed a CA Clone called 'pki-ca-clone' via
'pkicreate' using ports in the default + 10000 range
o Installed the PK12 file that contained all of the certs and keys
backed up via configuration of 'pki-ca' into
/var/lib/pki-ca-clone/alias and set all ownership permissions to
be 'pkiuser':
# ls -lZ /var/lib/pki-ca-clone/alias/*
-rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t
pki_ca_master_backup.p12
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
cert8.db
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
key3.db
-rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t
secmod.db
o Successfully configured 'pki-ca-clone' using ports in the
default CA + 10000 range and the 'ds-clone' DS server
o Per request, verified that 'admin' port was being used for CA Clone:
# cd /var/log/pki-ca-clone
# grep -i agent localhost_access_log.2013-02-14.txt
*# grep -i ee localhost_access_log.2013-02-14.txt*
*10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET
/ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert
HTTP/1.1" 200 1035*
# grep -i admin localhost_access_log.2013-02-14.txt
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q
HTTP/1.1" 302 -
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/config/wizard HTTP/1.1" 200 8510
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/img/favicon.ico HTTP/1.1" 200 318
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET
/ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146
10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 11862
10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET
/ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43
10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 10106
10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 12566
10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 302 -
10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST
/ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852
10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET
/ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET
/ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET
/ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 12557
10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 8492
10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 10006
10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET
/ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET
/ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET
/ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 32918
10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET
/ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET
/ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET
/ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 11690
10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 68264
10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET
/ca/admin/console/img/certificate.png HTTP/1.1" 200 4663
10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 8652
10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 8215
10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST
/ca/admin/console/config/wizard HTTP/1.1" 200 7832
o Successfully tested that CA Master and CA Clone worked together:
+ 'Test EE Master Agent Master'
+ 'Test EE Master Agent Clone'
+ 'Test EE Clone Agent Master'
+ 'Test EE Clone Agent Clone'
o Successfully tested that CA Master, CA Clone, and KRA worked
together:
+ 'DRM Test EE Master Agent Master'
+ 'DRM Test EE Master Agent Clone'
+ 'DRM Test EE Clone Agent Master'
+ 'DRM Test EE Clone Agent Clone'
On 02/12/13 12:11, Ade Lee wrote:
We want to use the admin interface for installation work. This
patch
moves the interfaces used in cloning from either the EE or agent
interface to the admin one. See:
http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
Specifically,
1. Change call to use /ca/admin/ca/getCertChain
2. Remove unneeded getTokenInfo servlet. The logic not to use this
servlet has already been committed to dogtag 10.
3. Move updateNumberRange to the admin interface. For backward
compatibility with old instances, the install code will
call /ca/agent/updateNumberRange as a fallback.
4. Add updateDomainXML to admin interface. For backward compatibility,
updateDomainXML will continue to be exposed on the agent interface with
agent client auth.
5. Changed pkidestroy to get an install token and use the admin
interface to update the security domain. For backward compatibility,
the user and password are not specified as mandatory arguments -
although we want to do that in future.
6. Added tokenAuthenticate to the admin interface.
Note, existing subsystems will need to have config changes manually
added in order to use the new interfaces. Instructions will be added to
the link above. With new instances, you should be able to clone a CA
all on the admin interface.
The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH.
Please review,
Ade
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
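The grep checks in TEST SCENARIO 2 verify by hand which interface (admin, ee or agent) each cloning call hit. The script below, added here as an illustration and not part of the review or of the pki project, does the same check over a Tomcat access log: it tallies requests per interface and flags any cloning-related servlet call that did not go through /ca/admin, which is how the getCAChain-on-EE observation from CAVEAT 2 would surface. The log lines are constructed (hosts, sizes and timestamps are made up) and the servlet list is taken from the patch description.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of localhost_access_log.*.txt;
# the paths mirror the servlets the patch moves to the admin interface.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510
10.0.0.5 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.1" 200 1035
10.0.0.5 - - [14/Feb/2013:00:59:20 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.1" 200 312
10.0.0.5 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
10.0.0.5 - - [14/Feb/2013:01:01:10 -0500] "POST /ca/agent/ca/updateDomainXML HTTP/1.1" 200 200
"""

# One access-log record: host, identity, user, [timestamp], "METHOD path proto", status, size.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Servlets the cloning workflow calls, per the patch description in the thread.
CLONING_SERVLETS = ("getCertChain", "getCAChain", "updateNumberRange",
                    "updateDomainXML", "tokenAuthenticate")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Interface is the component after the subsystem: /ca/<interface>/...
    parts = rec["path"].split("?", 1)[0].split("/")
    rec["interface"] = parts[2] if len(parts) > 2 else ""
    rec["servlet"] = parts[-1]
    return rec

def audit_interfaces(log_text):
    """Count requests per interface; list cloning calls that bypassed admin."""
    counts = Counter()
    off_admin = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["interface"]] += 1
        if rec["servlet"] in CLONING_SERVLETS and rec["interface"] != "admin":
            off_admin.append((rec["interface"], rec["servlet"]))
    return counts, off_admin

if __name__ == "__main__":
    counts, off_admin = audit_interfaces(SAMPLE_LOG)
    print(dict(counts))
    for iface, servlet in off_admin:
        print(f"cloning call still on the {iface} interface: {servlet}")
```

Run it against a real log with `audit_interfaces(open(path).read())`; an empty second result means every cloning call used the admin interface.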