Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

Thanks for review, Ade. Comments to specific feedback inline. Rebased and updated patches attached. The substantive changes are: - KeyRetriever implementations are now required NOT to import the key themselves. Instead the API is updated with KeyRetriever.retrieveKey returning a Result, which contains PKCS #12 data and password for same. - KeyRetrieverRunner reads the Result and imports the PKCS #12 into NSSDB. - Added new patch 0097 which provides the IPACustodiaKeyRetriever and assoicated Python helper script. It depends on an unmerged FreeIPA patch[1] as well as a particular principal and associated keytab and Custodia keys existing. I'm working on FreeIPA updates to satisfy these requirements automatically on install or upgrade but if you want to test this patch LMK and I'll provide detailed instructions. [1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg00055.html Other comments inline. Cheers, Fraser On Fri, Apr 08, 2016 at 11:16:19AM -0400, Ade Lee wrote: One can't get additional info out of ObjectNotFound without inspecting the String message, which I'm not comfortable doing. The key retrieval system should import key and cert at same time so I've renamed the exception to CAMissingKeyOrCert for clarity. dbFactory.reset() is already called in the shutdown() method. (Only the host authority calls it). Done. Syncrepl is not supported by ldapjdk (iirc). If/when it is, and if syncrepl provides a tangible advantage over persistent search in our use case (where it can be assumed that disconnections from DS are infrequent and brief, and full refresh of local view is tolerable), then I am happy to change it - in a separate commit (because LDAPProfileSubsystem is also affected). Noted. KeyRetriever implementations can access instance info via the `CMS' class. Cheers, Fraser