On 04/08/13 17:02, Matthew Harmsen wrote:
Please perform an initial code review on the attached patches (only
applicable for RHCS 8.1 on RHEL 5).
Three new patches (two of which are revisions to the previous patches, and
one which represents a simple recursive diff between the two 'pki'
trees which contain the code changes) have been attached which address
the following issues raised during code review (also see inline comments
regarding other issues):
  * base/common/src/com/netscape/cms/authentication/TokenAuthentication.java:
      o remove CMS.debug("TokenAuthentication: givenHost=" + givenHost);
  * base/common/src/com/netscape/cms/servlet/csadmin/*Panel.java:
      o rename 'buildSANsslserverURLextension' to
        'buildSANSSLserverURLExtension'
      o fix preop.ca.hostname (be explicit as to which host this refers to)
  * base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java:
      o try to make them all use EE host and EE port (which did not work
        as the EE connection is unavailable during installation of a CA)
      o since that did not work for all cases, fixed all cases to
        utilize Admin host and Admin port as requested
  * base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java:
      o break line CMS.debug("WizardPanelBase updateDomainXML start
        hostname=" + hostname + " port=" + port + " url=" +
        servlet + " content=" + uri);
      o change 'Vector v_admin_host = parser.getValuesFromContainer(
        nodeList.item(i), "Host" );' to 'Vector v_admin_host =
        parser.getValuesFromContainer( nodeList.item(i), "AdminHost" );'
  * base/pkisilent/templates:
      o fixed failure of pkisilent to successfully configure a PKI instance
      o New IP Port Separation pkisilent templates have been created for
        CA, KRA, OCSP, and TKS
      o New pkisilent templates for CA and KRA utilizing IP Port
        Separation were successfully executed
  * base/setup/pkicommon:
      o make 'addr' a local variable rather than global variable
      o used join() for SAN uniqueness routine
      o renamed 'IsPortConfigurationModeValid' to
        'get_port_configuration_mode' and changed it to return strings
        rather than integers
      o added logic to check for unlabeled ports being defined on
        installation host primarily to support IP Separation (e. g. -
        all interfaces distinguishable by unique IPs using a common port)
The lone remaining item that MUST be addressed (besides any additional
feedback associated with these revised patches) is:
  * reported concerns regarding the ability to install/configure an
    RA/TPS instance which uses the existing code changes required for
    interaction with the revised security domain
  * will be investigated starting on 4/11/2013
The new patches do not address the following items from the previous
code review, and may not be addressed due to schedule and resources:
  * base/setup/pkiremove:
      o revive 'use strict' - was removed since 'pkiremove' now
        references variables from the 'require pkicommon' file; this was
        probably the cause for 'use strict' not being a part of
        'pkicreate'
      o in pkiremove, in the function where it is determined which
        selinux ports to remove, the $i variable is used to track the
        index of the array - no need to do that -- just use append()
  * base/setup/pkicommon:
      o modularization of IsPortConfigurationModeValid() - e. g. -
        uniqueness helper functions to replace large conditional blocks
      o refactor IsPortConfigurationModeValid() - rejected as it was
        discussed that since the code has been tested numerous times,
        and while this may help with maintainability, this code is only
        used for the 8.1 code base errata process
      o standardize coding style - rejected for the 8.1 code base --
        this has already been addressed in the Dogtag 10 code base
-- Matt
The following two patches address:
  * 'pkicreate' now does three types of port configuration:
      o IP Port Separation
      o Port Separation
      o Shared Ports (deprecated)
  * security manager issue was fixed
  * new security domain schema is complete
  * the security domain has been implemented to comply with this new schema
  * generated a multi-host CA complete with an SSL Server Certificate
    containing SAN information (utilizes profile framework)
  * generated a multi-host KRA complete with an SSL Server Certificate
    containing SAN information (utilizes name/value pairs passed in
    via the enrollment URL which are processed via the profile framework)
  * addressed 'TokenAuthenticate' SSL_ForceHandshake issue by
    utilizing DNSName instead of DirectoryName attributes in the SSL
    Server certificate SAN extensions
  * applied the checkIP() feature described in 'Bugzilla Bug #708075
    - Clone installation does not work over NAT'
  * applied substitution of raw IP addresses from 'pkicreate' into the
    'server.xml' to support the new IP Port Separation mode
Development test info:
  * pki-ip-host (installation host - RHEL 5.9 x86_64)
      o pki-ca-agent (CA agent interface - virtual IP)
      o pki-ca-ee (CA EE interface - virtual IP)
      o pki-ca-ee-ca (CA EE clientauth interface - virtual IP)
      o pki-ca-admin (CA admin interface - virtual IP)
      o pki-kra-agent (KRA agent interface - virtual IP)
      o pki-kra-ee (KRA EE interface - virtual IP)
      o pki-kra-admin (KRA admin interface - virtual IP)
  * pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different domain)
Thus far, only the following tests have been run against these patches:
  * successfully tested regression case of CA and KRA installed using
    Port Separation
  * successfully tested sanity case of CA and KRA installed using IP
    Port Separation
  * successfully tested mixed mode deployment case of a CA installed
    using Port Separation and a KRA installed using IP Port Separation
  * successfully tested mixed mode deployment case of a CA installed
    using IP Port Separation and a KRA installed using Port Separation
  * successfully tested miscellaneous case of specifying a CA with
    four virtual IPs (none of which belonged to the host that the
    server was being installed upon) using IP Port Separation
  * successfully tested miscellaneous case of CA and KRA installed
    using IP Port Separation utilizing unique IP addresses for each
    interface (none of which specified the installation host IP), but
    specifying the same HTTP/HTTPS port numbers (e. g. - 19080/19443)
    and unique ports for Tomcat (9701/10701)
      o NOTE: I managed to successfully test this case with SELinux
        in Enforcing mode -- this is because the only ports that would
        be labeled are the Tomcat ports which exist on the
        installation machine (which do not in this case, as they are
        the default cases for pki_ca_port_t and pki_kra_port_t). In
        this test case, since none of the interfaces refer to the
        installation machine IP, none of these ports are labeled by
        SELinux. The 'pkicreate' executable enforces unique
        <hostname:port> entries. While a second instance (e. g. -
        KRA) could be installed re-using the <hostname:port> entries
        specified (e. g. - CA), the two instances could not be started
        simultaneously due to an inability to bind
        (java.net.BindException: Address already in use) - see
        'netstat -a | grep <host>' or 'netstat -a | grep <port>'.
  * successfully tested miscellaneous case of installing a CA using IP
    Port Separation which was configured using a customized SAN
    'serverCert.profile' which included two additional SAN entries on
    top of the entries computed for IP Port Separation
The following issues are still actively being addressed:
  * failure of java security manager to allow server to start when
    specifying non-installation host ports 80/443 (SELinux in
    permissive mode) results in (java.net.BindException: Permission
    denied:80) - (i. e. - see
    http://www.jvmhost.com/articles/java-net-bindexception-permisssion-denied...)
This issue will be documented, and does not block the release of this patch.
  * failure of pkisilent to successfully configure a PKI instance
Fixed -- new pkisilent templates for CA and KRA utilizing IP Port
Separation were successfully executed. New IP Port Separation pkisilent
templates have been created for CA, KRA, OCSP, and TKS.
  * reported concerns regarding the ability to install/configure an
    RA/TPS instance which uses the existing code changes required for
    interaction with the revised security domain
This last remaining issue will be investigated starting on 4/11/2013.