Re: [Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)

This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code on RHEL 5.9 using Directory Server storage located on RHEL 6.3: * ACK with CAVEATS Presuming that the CAVEATS are addressed, the patches for PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in. CAVEAT 1: In TokenAuthentication.java, change line 166 from: c = sendAuthRequest(authHost, authAdminPort, authURL, content); to: c = sendAuthRequest(authHost, authEEPort, authURL, content);

CAVEAT 2: This was more of an observation that may be due to CAVEAT 1 above, but in TEST SCENARIO 2 below, please note the comments in RED text.

TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone * On a 64-bit x86_64 RHEL 6.3 machine: * cd /usr/sbin * ./setup-ds-admin (ds-master - 389) * ./setup-ds (ds-clone - 8389) * Stopped both servers * Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off * Restarted both servers * On the 64-bit x86_64 RHEL 5.9 machine: * svn co svn +ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki... pki/redhat * Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate: * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master' * Successfully built and installed a KRA 'pki-kra' using the pre-patched source code * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM: * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master' * svn co svn +ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki... pki/redhat * Saved 'cloning.8.errata.patch' from email attachment * cd pki * patch -p0 < ../cloning.8.errata.patch patching file base/ca/shared/webapps/ca/WEB-INF/web.xml patching file base/ca/shared/conf/acl.ldif patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java patching file base/setup/pkiremove patching file base/tks/shared/webapps/tks/WEB-INF/web.xml patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml patching file base/kra/shared/webapps/kra/WEB-INF/web.xml * Applied the change documented in CAVEAT 1 above * Successfully built and updated all CA and KRA packages * Restarted both CA and KRA instances * Successfully tested that CA still worked: * 'Test PATCHED EE Master PATCHED Agent Master' * Successfully tested that KRA still worked: * 'DRM Test PATCHED EE Master PATCHED Agent Master' * Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range using the patched source code * Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser': # ls -lZ /var/lib/pki-ca-clone/alias/* -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12 -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db * Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server * Successfully tested that CA Master and CA Clone worked together: * 'Test EE Master Agent Master' * 'Test EE Master Agent Clone' * 'Test EE Clone Agent Master' * 'Test EE Clone Agent Clone' * Successfully tested that CA Master, CA Clone, and KRA worked together: * 'DRM Test EE Master Agent Master' * 'DRM Test EE Master Agent Clone' * 'DRM Test EE Clone Agent Master' * 'DRM Test EE Clone Agent Clone' TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone * On a 64-bit x86_64 RHEL 6.3 machine: * cd /usr/sbin * ./setup-ds-admin (ds-master - 389) * ./setup-ds (ds-clone - 8389) * Stopped both servers * Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off * Restarted both servers * On the 64-bit x86_64 RHEL 5.9 machine: * svn co svn +ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki... pki/redhat * Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate: * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master' * Successfully built and installed a KRA 'pki-kra' using the pre-patched source code * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM: * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master' * svn co svn +ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki... pki/redhat * Saved 'cloning.8.errata.patch' from email attachment * cd pki * patch -p0 < ../cloning.8.errata.patch patching file base/ca/shared/webapps/ca/WEB-INF/web.xml patching file base/ca/shared/conf/acl.ldif patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java patching file base/setup/pkiremove patching file base/tks/shared/webapps/tks/WEB-INF/web.xml patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml patching file base/kra/shared/webapps/kra/WEB-INF/web.xml * Applied the change documented in CAVEAT 1 above * Successfully built and installed a Master CA 'pki-ca' * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate: * 'Test' * Successfully built and installed a KRA 'pki-kra' * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM: * 'DRM Test' * Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range * Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser': # ls -lZ /var/lib/pki-ca-clone/alias/* -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12 -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db * Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server * Per request, verified that 'admin' port was being used for CA Clone:

# cd /var/log/pki-ca-clone # grep -i agent localhost_access_log.2013-02-14.txt # grep -i ee localhost_access_log.2013-02-14.txt 10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035 # grep -i admin localhost_access_log.2013-02-14.txt 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 - 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200 318 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43 10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10106 10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12566 10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 302 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12557 10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8492 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10006 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 32918 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11690 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 68264 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET /ca/admin/console/img/certificate.png HTTP/1.1" 200 4663 10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8652 10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8215 10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 7832 * Successfully tested that CA Master and CA Clone worked together: * 'Test EE Master Agent Master' * 'Test EE Master Agent Clone' * 'Test EE Clone Agent Master' * 'Test EE Clone Agent Clone' * Successfully tested that CA Master, CA Clone, and KRA worked together: * 'DRM Test EE Master Agent Master' * 'DRM Test EE Master Agent Clone' * 'DRM Test EE Clone Agent Master' * 'DRM Test EE Clone Agent Clone' On 02/12/13 12:11, Ade Lee wrote: > We want to use the admin interface for installation work. This patch > moves the interfaces used in cloning from either the EE or agent > interface to the admin one. See: > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning > > Specifically, > 1. Change call to use /ca/admin/ca/getCertChain > 2. Remove unneeded getTokenInfo servlet. The logic not to use this > servlet has already been committed to dogtag 10. > 3. Move updateNumberRange to the admin interface. For backward > compatibility with old instances, the install code will > call /ca/agent/updateNumberRange as a fallback. > 4. Add updateDomainXML to admin interface. For backward compatibility, > updateDomainXML will continue to be exposed on the agent interface with > agent client auth. > 5. Changed pkidestroy to get an install token and use the admin > interface to update the security domain. For backward compatibility, > the user and password and not specified as mandatory arguments - > although we want to do that in future. > 6. Added tokenAuthenticate to the admin interface. > > Note, existing subsystems will need to have config changes manually > added in order to use the new interfaces. Instructions will be added to > the link above. With new instances, you should be able to clone a CA > all on the admin interface. > > The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH > > Please review, > Ade > > > _______________________________________________ > Pki-devel mailing list > Pki-devel(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel