[PATCH] 149 - systemd fixes
by Ade Lee
Fixed service file so that instances are all started correctly when
executing systemctl restart pki-tomcatd.target
Also added SuccessExitStatus directive to specify that error code 143 is
a valid exit code. With this change, systemd returns exit code 0 - and
the warning we print is unnecessary.
Please review,
Ade
10 years, 7 months
Enterprise CA Architecture
by orrious@yahoo.com
Hi Everyone,
I am setting up a Dogtag 9.0.3 CA PoC and have a couple deployment questions. My goal is to have a secure and redundant CA and subsystems. The RA is external, redundant, and outside the scope of the discussion (for now). OCSP services will more than likely be distributed in multiple Server/LB pairs behind a single GTM VIP.
I am documenting each step of the install and will happily provide it so others don't have to ask the same questions.
Thank you for taking the time to read and provide feedback.
Scenario:
I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab load balances all incoming ports to both servers, during testing.
Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP: CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to configure the OCSP to connect to the VIP rather than a specific CA server?
Q2.) If I am unable to configure OCSP against a VIP, should I configure OCSP1->CA1 and OCSP2->CA2?
Q3.) If Q2 is True and one of the CAs is down, will OCSP fail over to the other CA or will it just not answer a request?
Q4.) For the Dogtag Web pages, how do I change the server name in the URI to the VIP, rather than the actual host name of the server? i.e., I go to https://ca.lab:9445/ca/services. Depending on the server I am load balanced to, the URLs for "Dogtag Certificate System", "SSL End Users Services", and "Agent Services" all go to CA1.lab:944x/ca.. rather than https://ca.lab:944x/ca. This also pertains to OCSP pages.
Q5.) Certificates issued by default contain the OCSP service of the CA server that issued the certificate, i.e. http://ca1.lab:9180/ca/ocsp. Can this URI be changed to the LB VIP: http://ca.lab:9180/ca/ocsp, or can the VIP only be added to the certificate? If it can only be added, can the priority be changed so the VIP is queried first, as the CA would be firewalled in production and inaccessible.
Q6.) Should the OCSP services become unavailable, I would also like to publish the CRL in the certificates. What is the best performance for large CRLs, say 100K entries; a web page or LDAP?
Kind Regards,
Paul
10 years, 7 months
[PATCH] UserSubjectNameConstraint plug-in
by Andrew Wnuk
This patch provides a new UserSubjectNameConstraint plug-in that allows
including the user subject name, with its original encoding, in the certificate.
Ticket #682.
10 years, 7 months
[PATCH] CRMFPopClient update
by Andrew Wnuk
This patch provides an enhancement to CRMFPopClient that allows control of the
encoding of the components of the subject name.
Ticket #676
10 years, 7 months
patches
by Andrew Wnuk
Ade, thanks for reviewing the patches "PKCS10Client update" and
"Pre-registration of UserSubjectNameConstraint plug-in".
I would appreciate reviews of the following patches:
"UserSubjectNameConstraint plug-in", "CRMFPopClient update", "CA cross
signing profile", and "Pre-registration of CA cross signing profile".
Thanks,
Andrew
10 years, 7 months
[PATCH] 296 Fixed pkispawn blocking during TPS deployment.
by Endi Sukma Dewata
Due to a recent change pkispawn would ask for the certificate
database password interactively during TPS deployment. To fix the
problem, the certutil invocation in pkihelper.py has been restored
to the proper indentation.
--
Endi S. Dewata
10 years, 7 months
[PATCH] 295 Added TPS certificate resource.
by Endi Sukma Dewata
New TPS services and clients have been added for TPS certificates. The
certificate database is currently implemented as an in-memory database with
some sample data. Later it will be converted into an LDAP database.
Ticket #652
--
Endi S. Dewata
10 years, 7 months