This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:

Presuming that the CAVEATS are addressed, the patches for PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked in.
CAVEAT 1:

In TokenAuthentication.java, change line 166 from:

    c = sendAuthRequest(authHost, authAdminPort, authURL, content);

to:

    c = sendAuthRequest(authHost, authEEPort, authURL, content);

CAVEAT 2:

This was more of an observation that may be due to CAVEAT 1 above, but in TEST SCENARIO 2 below, please note the comments in RED text.
TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone

- On a 64-bit x86_64 RHEL 6.3 machine:
  - cd /usr/sbin
  - ./setup-ds-admin (ds-master - 389)
  - ./setup-ds (ds-clone - 8389)
  - Stopped both servers
  - Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off
  - Restarted both servers
- On the 64-bit x86_64 RHEL 5.9 machine:
  - svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  - svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
  - Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code
  - Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate:
    - 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  - Successfully built and installed a KRA 'pki-kra' using the pre-patched source code
  - Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
    - 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  - svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  - svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
  - Saved 'cloning.8.errata.patch' from email attachment
  - cd pki
  - patch -p0 < ../cloning.8.errata.patch

        patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
        patching file base/ca/shared/conf/acl.ldif
        patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
        patching file base/setup/pkiremove
        patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
        patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
        patching file base/kra/shared/webapps/kra/WEB-INF/web.xml

  - Applied the change documented in CAVEAT 1 above
  - Successfully built and updated all CA and KRA packages
  - Restarted both CA and KRA instances
  - Successfully tested that CA still worked:
    - 'Test PATCHED EE Master PATCHED Agent Master'
  - Successfully tested that KRA still worked:
    - 'DRM Test PATCHED EE Master PATCHED Agent Master'
  - Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range using the patched source code
  - Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser':

        # ls -lZ /var/lib/pki-ca-clone/alias/*
        -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t   pki_ca_master_backup.p12
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db

  - Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server
  - Successfully tested that CA Master and CA Clone worked together:
    - 'Test EE Master Agent Master'
    - 'Test EE Master Agent Clone'
    - 'Test EE Clone Agent Master'
    - 'Test EE Clone Agent Clone'
  - Successfully tested that CA Master, CA Clone, and KRA worked together:
    - 'DRM Test EE Master Agent Master'
    - 'DRM Test EE Master Agent Clone'
    - 'DRM Test EE Clone Agent Master'
    - 'DRM Test EE Clone Agent Clone'
TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone

- On a 64-bit x86_64 RHEL 6.3 machine:
  - cd /usr/sbin
  - ./setup-ds-admin (ds-master - 389)
  - ./setup-ds (ds-clone - 8389)
  - Stopped both servers
  - Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off
  - Restarted both servers
- On the 64-bit x86_64 RHEL 5.9 machine:
  - svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  - svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
  - Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code
  - Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate:
    - 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  - Successfully built and installed a KRA 'pki-kra' using the pre-patched source code
  - Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
    - 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  - svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  - svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
  - Saved 'cloning.8.errata.patch' from email attachment
  - cd pki
  - patch -p0 < ../cloning.8.errata.patch

        patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
        patching file base/ca/shared/conf/acl.ldif
        patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
        patching file base/setup/pkiremove
        patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
        patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
        patching file base/kra/shared/webapps/kra/WEB-INF/web.xml

  - Applied the change documented in CAVEAT 1 above
  - Successfully built and installed a Master CA 'pki-ca'
  - Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate:
  - Successfully built and installed a KRA 'pki-kra'
  - Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
  - Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
  - Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range
  - Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser':

        # ls -lZ /var/lib/pki-ca-clone/alias/*
        -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t   pki_ca_master_backup.p12
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
        -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db

  - Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server
  - Per request, verified that 'admin' port was being used for CA Clone:

        # cd /var/log/pki-ca-clone
        # grep -i agent localhost_access_log.2013-02-14.txt
        # grep -i ee localhost_access_log.2013-02-14.txt
        10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
        # grep -i admin localhost_access_log.2013-02-14.txt
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 -
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200 318
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146
        10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862
        10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43
        10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10106
        10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12566
        10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 302 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12557
        10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8492
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10006
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 32918
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11690
        10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 68264
        10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET /ca/admin/console/img/certificate.png HTTP/1.1" 200 4663
        10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8652
        10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8215
        10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 7832

  - Successfully tested that CA Master and CA Clone worked together:
    - 'Test EE Master Agent Master'
    - 'Test EE Master Agent Clone'
    - 'Test EE Clone Agent Master'
    - 'Test EE Clone Agent Clone'
  - Successfully tested that CA Master, CA Clone, and KRA worked together:
    - 'DRM Test EE Master Agent Master'
    - 'DRM Test EE Master Agent Clone'
    - 'DRM Test EE Clone Agent Master'
    - 'DRM Test EE Clone Agent Clone'
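The grep-based check above, generalised into a small parser that classifies each Tomcat access-log request by the Dogtag interface it hit (admin, agent or ee) and lists every request that did not go through the admin interface, which is what the cloning patch is meant to guarantee. This is an added example, not code from the original email or from the pki project; the sample log lines are constructed, modelled on the entries quoted above, with a placeholder pin value.

```python
import re
from collections import Counter

# Tomcat "common" access-log format, as in localhost_access_log.<date>.txt
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample (not a real capture); pin is a placeholder.
SAMPLE_LOG = """\
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=EXAMPLEPIN HTTP/1.1" 302 -
10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862
10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
10.14.16.14 - - [14/Feb/2013:01:00:59 -0500] "POST /ca/agent/updateNumberRange HTTP/1.1" 200 512
this line is not an access-log entry and is skipped
"""

def interface_of(path):
    """Map /<subsystem>/<interface>/... to 'admin', 'agent', 'ee' or 'other'."""
    m = re.match(r'^/[a-z]+/(admin|agent|ee)(?:/|$)', path)
    return m.group(1) if m else 'other'

def summarize(log_text):
    """Return (requests per interface, list of non-admin requests).

    Each offender is (timestamp, method, path without query string), so a
    one-time pin or other query parameter is never echoed in the report.
    """
    counts = Counter()
    offenders = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate noise: only well-formed entries are counted
        iface = interface_of(m.group('path'))
        counts[iface] += 1
        if iface in ('agent', 'ee'):
            offenders.append((m.group('ts'), m.group('method'),
                              m.group('path').split('?', 1)[0]))
    return counts, offenders

if __name__ == '__main__':
    counts, offenders = summarize(SAMPLE_LOG)
    print('requests per interface:', dict(counts))
    for ts, method, path in offenders:
        print('non-admin request:', ts, method, path)
```

Run against the real file with summarize(open('/var/log/pki-ca-clone/localhost_access_log.2013-02-14.txt').read()); an empty offender list confirms the clone configuration stayed on the admin interface.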
On 02/12/13 12:11, Ade Lee wrote:

We want to use the admin interface for installation work. This patch moves the interfaces used in cloning from either the EE or agent interface to the admin one. See:
http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning

Specifically,

1. Change call to use /ca/admin/ca/getCertChain
2. Remove unneeded getTokenInfo servlet. The logic not to use this servlet has already been committed to dogtag 10.
3. Move updateNumberRange to the admin interface. For backward compatibility with old instances, the install code will call /ca/agent/updateNumberRange as a fallback.
4. Add updateDomainXML to admin interface. For backward compatibility, updateDomainXML will continue to be exposed on the agent interface with agent client auth.
5. Changed pkidestroy to get an install token and use the admin interface to update the security domain. For backward compatibility, the user and password are not specified as mandatory arguments - although we want to do that in future.
6. Added tokenAuthenticate to the admin interface.

Note, existing subsystems will need to have config changes manually added in order to use the new interfaces. Instructions will be added to the link above. With new instances, you should be able to clone a CA all on the admin interface.

The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH

Please review,
Ade
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel