[Pki-devel] [PATCH] PKI Deployment Framework PKI TRAC issues (07/28/2012)

This patch documents continued implementation of the PKI Deployment Framework based upon the revised filesystem layout documented here: * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_... This patch addresses the following issues: * TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of sporadically "not" removing "/etc/sysconfig/{pki_instance_id}" . . . * TRAC Ticket #264 - Dogtag 10: Enable various other subsystems for configuration . . . * TRAC Ticket #261 - Dogtag 10: Revisit command-line options of 'pkispawn' and 'pkidestroy' . . . * TRAC Ticket #268 - Dogtag 10: Create a parameter for optional restart of configured PKI instance . . . * TRAC Ticket #270 - Dogtag 10: Add missing parameters to 'pkideployment.cfg' . . . * TRAC Ticket #265 - Dogtag 10: Provide configurable options for PKI client information . . . * TRAC Ticket #275 - Dogtag 10: Add debug information (comments) to Tomcat 7 "logging.properties" * TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to the 'sensitive' dictionary * TRAC Ticket #277 - Dogtag 10: Create an 'archive' for 'manifest' and 'pkideployment.cfg' files *WARNING: Due to some of the changes to the command-line parameters (mainly the introduction of a dependency on the existence of a new symlink), instances previously created with the old "pkispawn" will once again need to be removed by the old "pkidestroy" PRIOR to the installation of this patch.* Note: You will definitely need to establish the following "passwords" in your copy of "pkideployment.cfg" in order to install a "CA": * pki_admin_password * pki_client_pkcs12_password * pki_ds_password * pki_security_domain_password I ran the following command: pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv Unfortunately, for me, out-of-the-box installation failed with the following problem: * pkispawn : ERROR ....... port 8080 has invalid selinux context http_cache_port_t This error occurred despite downloading the latest SELinux policies on my 64-bit Fedora 17 box and compiling 'pki-selinux' against them. The work-around that I used was to edit "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py" and comment out the call to "util.configuration_file.verify_selinux_ports()" in the 'spawn()' method. Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv' now produces the following error: pkispawn : INFO ... populating 'pki.deployment.selinux_setup' Traceback (most recent call last): File "/bin/pkispawn", line 225, in <module> main(sys.argv) File "/bin/pkispawn", line 212, in main rv = instance.spawn() File "/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py", line 69, in spawn port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) File "/usr/lib64/python2.7/site-packages/seobject.py", line 1045, in add self.__add(port, proto, serange, type) File "/usr/lib64/python2.7/site-packages/seobject.py", line 1002, in __add raise ValueError(_("Port %s/%s already defined") % (proto, port)) ValueError: Port tcp/8080 already defined My work-around to fix to this error is to remove the symlinks which call the 'selinux_setup.py' scriptlet for both 'pkispawn' and 'pkidestroy': * rm /usr/share/pki/deployment/spawn/*/035_selinux_setup * rm /usr/share/pki/deployment/destroy/*/985_selinux_setup Unfortunately, at this stage, sufficient installation has been made which prevents a new installation, and 'pkidestroy' in its current incarnation will be unable to completely remove the instance. Therefore, presuming an instance name of 'pki-tomcat', run the following commands: * rm -rf /var/lib/pki * rm -rf /etc/pki/pki-tomcat/ * rm -rf /etc/sysconfig/pki * rm -rf /var/log/pki * rm /etc/sysconfig/pki-tomcat (this command will fail, as it has not yet been created) Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv'should now run to successful completion! To test this patch, run the test instructions documented in earlier patches for installing the Admin Cert. Note that the 'ca_admin_cert.p12' file is now located under '/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12', and since a browser may not have the appropriate permissions to traverse past the '/var/lib/pki' directory, the administrator will need to make this file available (i. e. - copy it to /tmp). *Please note, that although KRA, OCSP, and TKS installations will run to completion, at the present time, a crash occurs in the invocation of the java configuration client (quite possibly due to the specification of incorrect/incomplete parameters for these subsystems).* Thanks, -- Matt