February 2016 - Pki-devel - Dogtag Pki List Archives

[PATCH] 691 Added Python wrapper for pki pkcs12-import.

by Endi Sukma Dewata

A wrapper has been added for the pki pkcs12-import command to allow implementing a workaround in Python to address JSS import limitations. https://fedorahosted.org/pki/ticket/1742 Note: The build fails due to weird pylint errors. The Python code itself seems to be working just fine. -- Endi S. Dewata

8 years, 2 months

3
4
0 / 0

[PATCH] 0048-0050 Fedora 24 fixes

by Christian Heimes

Hi, here are the patches for Fedora 24. They address G++, javac and pylint issues caused by new versions of GCC, Tomcat and pylint. https://fedorahosted.org/pki/attachment/ticket/2221 https://fedorahosted.org/pki/attachment/ticket/2222 https://fedorahosted.org/pki/attachment/ticket/2223 Christian

8 years, 2 months

2
2
0 / 0

[PATCH] 277 - add precheck option to pkispawn

by Ade Lee

Add precheck option to pkispawn. This runs various tests without actually doing any installation to ensure that the pkipawn parameters are sane. https://fedorahosted.org/pki/ticket/2042 Please review, Thanks, Ade

8 years, 2 months

2
2
0 / 0

pki-tomcatd restart timeout during installation of KRA on FreeIPA master using LDAPS

by Martin Babinsky

Hi List, I have encountered a strange behavior in Dogtag when working on https://fedorahosted.org/freeipa/ticket/5570 I have set the deployment config for KRA to use LDAPS for communication with IPA dirsrv backend during spawn. Everything works perfectly, except that I see the following timeout during ipa-kra-install on FreeIPA master: http://fpaste.org/329271/45641447/ However the installation finishes as usual and pki-tomcatd service is running in the end, albeit showing the following traceback: http://fpaste.org/329260/56413840/ The KRA subsystem is also recognized by subsystem-find: http://fpaste.org/329335/20387145/ Our upstream XMLRPC tests excersizing KRA and CA subystem also pass, so clearly functionality is not affected. Nevertheless something is preventing Dogtag to start up given our 300 s timeout (i have tried longer intervals up to 1200 s to no avail). In the IPA KRA install log, I can see our code polling CA's REST interface unsuccessfully: http://fpaste.org/329294/15776145/ After some few additional installation steps when Dogtag instance is shutdown and started up again, it goes up just fine and REST api reports ready status. I would like to know if this is issue on Dogtag side or some misconfiguration from my side. I have CA and KRA subsystem logs at hand. If anyone is interested ping me on IRC and I will give them to you. Endi an Christian (CC'ed) should also have them at hand. I should also mentioned that I was only able to reproduce this in my local vagrant/libvirt environment. Also, deploying CA subsystem on hardened CA-less FreeIPA server using LDAPS works fine without any timeouts. Thank you for your help. -- Martin^3 Babinsky

8 years, 2 months

1
0
0 / 0

[PATCH] 689 Added pki-server commands to export system certificates.

by Endi Sukma Dewata

Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742 -- Endi S. Dewata

8 years, 2 months

2
2
0 / 0

[PATCH] 688 Updated PKCS12Util.

by Endi Sukma Dewata

The PKCSUtil has been updated to match the functionality provided by JSS. In order to import a certificate properly, the certificate needs to be exported with its private key and certificate chain, so the option to export without key or without the certificate chain has been removed. The option to export only the certificate chain has also been removed since it can be done by exporting the complete certificate chain, then remove the leaf certificate while keeping the chain. The pki pkcs12-cert-add has been modified to provide an option to create a new PKCS #12 file to store the certificate. The pki pkcs12-export has been modified to always overwrite existing file to match the behavior of PKCS12Export. It also has been modified to accept a list of nicknames of certificates to export. https://fedorahosted.org/pki/ticket/1742 -- Endi S. Dewata

8 years, 2 months

1
1
0 / 0

PKI TRAC Ticket access disabled due to excessive spamming

by Matthew Harmsen

This is to advise users of the PKI TRAC system, that until the following ticket is resolved: * Fedora Infrastructure TRAC Ticket #1521 - https://fedorahosted.org NEEDS_TRIAGE is being SPAMMED <https://fedorahosted.org/fedora-infrastructure/ticket/5121> access to the create/update PKI TRAC tickets and wiki pages has been restricted. We apologize in advance for any problems this causes. Until this issue is resolved, please utilize the pki-users(a)redhat.com, pki-devel(a)redhat.com, and #dogtag-pki FreeNode IRC channel to request PKI TRAC Tickts. Thanks, -- The Dogtag Team

8 years, 2 months

1
0
0 / 0

Python integration tests with betamax, Vagrant and Ansible

by Christian Heimes

Hi, I have made some progress with integration tests of our Python API. You can find my experiments at https://github.com/tiran/pki/commits/betamax . The integration tests are using pytest fixtures and betamax. What is betamax? ---------------- https://betamax.readthedocs.org/en/latest/ Betamax is recorder and player. More precisely it is a testing library for python-requests to record requests and replay responses. In recording mode it records all requests and stores the requests and responses in cassettes (JSON files). In replay mode (aka off-line) it intercepts requests and serves responses from pre-recorded cassettes. With betamax we can run integration tests against a life Dogtag installation. Once our tests have been recorded, we don't need a Dogtag server any more. The recorded test cases become self-sustained and fully reproducible. Betamax is in Fedora 23! How to record? -------------- Of course we also need a simple to record the initial set, new tests or to update recordings. Please welcome Ansible and Vagrant! I wrote a Vagrant file and Ansible playbook that do all the heavily lifting in the background. The code is currently located at https://github.com/tiran/pki-vagans . Once you installed and set up Vagrant and Ansible on your machine, it takes just one command and about 7 to 10 minutes to install a VM with Dogtag. The command 'vagrant up' will download Fedora 23, upgrade the box, set up 389 DS and a Dogtag instance with CA and KRA. With 'vagrant provision' you can update the machine and even install custom builds from a directory with RPMs. What's left to do? ------------------ * write more tests (obviously) * pki-vagans and integration tests are tuned to my machine. The setup might not work on your box. * Tests are currently read-only. I need to figure out a good way for tests that create data, probably a fixture on module or class level. Please test :) Christian

8 years, 2 months

1
0
0 / 0

Karma Request for Dogtag 10.2.6 in Fedora 22 and Fedora 23

by Matthew Harmsen

Everyone, Please provide Karma for the following Dogtag 10.2.6 packages in Fedora 22 and Fedora 23: * pki-core-10.2.6-11.fc22 <https://bodhi.fedoraproject.org/updates/FEDORA-2016-40144ea6d6> * pki-core-10.2.6-15.fc23 <https://bodhi.fedoraproject.org/updates/FEDORA-2016-2519bac533> Which address the following PKI TRAC Ticktets: * PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps should be removed <https://fedorahosted.org/pki/ticket/1714> * PKI TRAC Ticket #456 - The user have a chance to import own CA certificate with private key <https://fedorahosted.org/pki/ticket/456> * PKI TRAC Ticket #1681 - pkispawn: External CA option: allow shutdown and restart between phase 1 and 2 <https://fedorahosted.org/pki/ticket/1681> * PKI TRAC Ticket #1682 - Mismatching certificate validity calculation <https://fedorahosted.org/pki/ticket/1682> * PKI TRAC Ticket #2040 - Determine supported javadoc options <https://fedorahosted.org/pki/ticket/2040> Additionally, a new Dogtag 10.2.6 package is under construction for Fedora 24, but it is currently encountering the following issue: * Bugzilla Bug #1307866 - pki-core: FTBFS in rawhide <https://bugzilla.redhat.com/show_bug.cgi?id=1307866> Thanks, -- Matt

8 years, 2 months

1
0
0 / 0

[PATCH] 0052 Lightweight CAs: enrol cert via profile subsystem

by Fraser Tweedale

The attached patch fixes: - #1624 generate lightweight CAs via profile subsystem - #1632 ensure CA certs bear correct Authority Key Identifier Thanks, Fraser

8 years, 2 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel February 2016