Re: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface

On 02/01/13 11:54, Ade Lee wrote: > We want to use the admin interface for installation work. This patch > moves the interfaces used in cloning from either the EE or agent > interface to the admin one. See: > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning > > Specifically, > 1. Change call to use /ca/admin/ca/getCertChain > 2. Remove unneeded getTokenInfo servlet. The logic not to use this > servlet has already been committed to dogtag 10. > 3. Move updateNumberRange to the admin interface. For backward > compatibility with old instances, the install code will > call /ca/agent/updateNumberRange as a fallback. > 4. Add updateDomainXML to admin interface. For backward compatibility, > updateDomainXML will continue to be exposed on the agent interface with > agent client auth. > 5. Changed pkidestroy to get an install token and use the admin > interface to update the security domain. For backward compatibility, > the user and password and not specified as mandatory arguments - > although we want to do that in future. > > Please review, > Ade > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel Alee, Sorry, but I require some additional information to properly test this patch for a CA and its clone using a single machine. Hopefully, I can address these issues relatively quickly tomorrow after obtaining your answers. I have pulled a new tree after the meeting this morning (which does not include the patches added at 3:49 P. M. by edewata), created a branch, applied all five of your changes, and built and installed the packages on a fresh x86_64 Fedora 18 system (e. g. - 'foobar.example.com'). In order to test the code, I would like to perform the following two tests using a single machine: 1. pkispawn using the new configuration servlet for both the CA and the CA Clone 2. pkispawn using the old GUI configuration (by specifying a DEFAULT value of pki_skip_configuration=True) for both CA and the CA Clone However, with the new interpolation model, I do not know every single value that needs to be overridden to have both the CA and CA Clone, as well as the two directory servers, on the same system. I have the following: * installed a default directory server instance (e. g. - foobar) running on port 389 * installed a CA (e. g. - default configuration specifying backup keys in order to create the CA clone): [DEFAULT] pki_admin_password=XXXXXXXX pki_backup_password=XXXXXXXX pki_client_pkcs12_password=XXXXXXXX pki_ds_password=XXXXXXXX pki_security_domain_password=XXXXXXXX pki_backup_keys=True * successfully configured a browser, requested, enrolled, and issued a test certificate * installed a second directory server instance (e. g. - foobar-clone) running on port 8389 * about to install a CA Clone using the following parameters: [DEFAULT] pki_admin_password=XXXXXXXX pki_client_pkcs12_password=XXXXXXXX pki_ds_password=XXXXXXXX pki_security_domain_password=XXXXXXXX pki_security_domain_hostname=foobar.example.com pki_security_domain_https_port=8443 pki_ds_ldap_port=8389 pki_ds_ldaps_port=8636 [CA] pki_ajp_port=17009 pki_clone=True pki_clone_pkcs12_password=XXXXXXXX pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12 pki_clone_replicate_schema=True pki_clone_replication_master_port= pki_clone_replication_clone_port= pki_clone_replication_security=None pki_clone_uri=http://foobar.example.com:8443 pki_http_port=17080 pki_https_port=17443 pki_instance_name=pki-tomcat-ca-clone pki_tomcat_server_port=17005 Questions: * Are the two tests specified above sufficient to test your patch, or do I need to check the other two test cases of mixing an old GUI configuration (CA) with new configuration servlet (CA clone), and vice-versa? (I believe that this code will require re-testing under a separated ports model for versions of the product earlier than Dogtag 10). * What parameter(s) do I need to add to the CA Clone configuration file under what sections to reference the 'foobar-clone' directory instance? * What value, if any, do I need to supply to the 'pki_clone_replication_master_port'? * What value, if any, do I need to supply to the 'pki_clone_replication_clone_port'? * Should I leave 'pki_clone_replication_security=None'? * Are there any other parameters that I am missing, and if so, under what section should they be defined? * Are there any parameters specified that contain incorrect values? * Are any parameters specified in the incorrect sections? Thanks in advance, -- Matt