The patch works. I was able to get a KRA installed.
Comments:
1. The logic in pkijython for determining whether to send the issuing CA
information is incorrect. Specifically, all clones still need to
contact a CA to generate their server cert.
2. The same logic applies to the code in pkiparser.py. In fact, I
think we can simplify the logic there significantly. There is no need
to distinguish in the subsystem name whether the server is a clone or
subordinate or external. Just use "{subsystem_type} {hostname} {port}"
for all subsystems (apache and tomcat).
It's very difficult to follow the logic in that section. For the
parameters in that section the logic should be:
    # for all subsystems
    set_default("subsystem_name", "{subsystem_type} {hostname} {port}")
    if root_ca:
        master_dict["security_domain_type"] = "new"
        set_default("security_domain_name", "{dnsname} Security Domain")
    else:
        master_dict["security_domain_type"] = "existing"
        set_default("security_domain_host", "{pki_hostname}")
        set_default("security_domain_uri",
                    "https://{security_domain_host}:{security_domain_port}")

where set_default() is defined as:

    def set_default(x, y):
        # only fill in a value the user did not supply
        if not master_dict.get(x):
            master_dict[x] = y
I need to think about the conditional a bit to decide when we can say we
need a new vs. existing security domain.
Ade
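The defaulting logic Ade sketches above, carried through as a runnable Python version; this is an added example, not code from the patch or from pkiparser.py. The dictionary keys (subsystem_type, hostname, port, pki_hostname, security_domain_port, dnsname) and the root_ca flag are assumed for illustration, and expand() resolves the {key} placeholders so the chained defaults (security_domain_uri via security_domain_host via pki_hostname) can be checked end to end.

```python
def set_default(master_dict, key, value):
    """Fill in value only when the user left key empty or unset."""
    if not master_dict.get(key):
        master_dict[key] = value


def apply_defaults(master_dict, root_ca):
    # one name template for every subsystem: clone, subordinate or external
    set_default(master_dict, "subsystem_name", "{subsystem_type} {hostname} {port}")
    if root_ca:
        master_dict["security_domain_type"] = "new"
        set_default(master_dict, "security_domain_name", "{dnsname} Security Domain")
    else:
        master_dict["security_domain_type"] = "existing"
        set_default(master_dict, "security_domain_host", "{pki_hostname}")
        set_default(master_dict, "security_domain_uri",
                    "https://{security_domain_host}:{security_domain_port}")
    return master_dict


def expand(master_dict):
    """Substitute {key} references in place, repeating until none remain, so a
    default that refers to another default (security_domain_uri ->
    security_domain_host -> pki_hostname) resolves fully.  A missing key raises
    KeyError; a self-referencing value is reported instead of looping forever."""
    for _ in range(len(master_dict) + 1):
        unresolved = [k for k, v in master_dict.items()
                      if isinstance(v, str) and "{" in v]
        if not unresolved:
            return master_dict
        for key in unresolved:
            master_dict[key] = master_dict[key].format_map(master_dict)
    raise ValueError("unresolvable placeholder in: %s" % ", ".join(unresolved))


if __name__ == "__main__":
    # constructed sample: a KRA joining an existing security domain
    kra = {"subsystem_type": "KRA", "hostname": "kra.example.test", "port": "8443",
           "pki_hostname": "ca.example.test", "security_domain_port": "8443",
           "subsystem_name": ""}          # left empty by the user -> defaulted
    for k, v in expand(apply_defaults(kra, root_ca=False)).items():
        print("%s = %s" % (k, v))
```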
On Thu, 2012-08-09 at 17:29 -0700, Matthew Harmsen wrote:
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch addresses the following issues:
* TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle
cloning CA/KRA/OCSP/TKS . . .
* TRAC Ticket #285 - Dogtag 10: Fix installation issues for KRA,
OCSP, and TKS
It has been tested and proven to work successfully to deploy a KRA as
a separate instance on a 64-bit Fedora 17 machine (using the
appropriate 'tomcatjss.jar').
P. S. -- Ade, as you are the most probable reviewer of this patch,
please feel free to 'push' it to 'master' if you find it in order.