This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:
Presuming that the CAVEATS are addressed, the patches for PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.

In, change line 166 from:
    c = sendAuthRequest(authHost, authAdminPort, authURL, content);
    c = sendAuthRequest(authHost, authEEPort, authURL, content);
This was more of an observation that may be due to CAVEAT 1 above, but in TEST SCENARIO 2 below, please note the comments in RED text.
TEST SCENARIO 1:  Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone
TEST SCENARIO 2:  Patched CA Master, Patched KRA, Patched CA Clone
On 02/12/13 12:11, Ade Lee wrote:
We want to use the admin interface for installation work.  This patch
moves the interfaces used in cloning from either the EE or agent
interface to the admin one.  See:

1. Change call to use /ca/admin/ca/getCertChain
2. Remove unneeded getTokenInfo servlet.  The logic not to use this
servlet has already been committed to dogtag 10.
3. Move updateNumberRange to the admin interface.  For backward
compatibility with old instances, the install code will
call /ca/agent/updateNumberRange as a fallback.
4. Add updateDomainXML to admin interface.  For backward compatibility,
updateDomainXML will continue to be exposed on the agent interface with
agent client auth.
5. Changed pkidestroy to get an install token and use the admin
interface to update the security domain.  For backward compatibility,
the user and password and not specified as mandatory arguments -
although we want to do that in future.
6. Added tokenAuthenticate to the admin interface. 

Note, existing subsystems will need to have config changes manually
added in order to use the new interfaces.  Instructions will be added to
the link above.  With new instances, you should be able to clone a CA
all on the admin interface.

The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH

Please review, 

Pki-devel mailing list