With this version, and Ade's patch posted to the PKI list, we have a functioning proxy.

I still need to do some cleanup in the /etc/httpd/conf.d directory: the modifications to nss.conf are not removed in uninstall, nor is the symlink to /etc/pki-ca/proxy.conf.

We also need to limit the number of suburls of the PKI CA that the proxy exposes. This version exposes all of them. I think we need a very limited subset.

I've created a replica with --no-pki and successfully requested a certificate on it.
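One way to express the "very limited subset" mentioned above, as an added illustration rather than the proxy.conf from the patch: an httpd allowlist that forwards only named Dogtag paths over AJP instead of the whole /ca tree. The AJP port 9447 and the particular Dogtag servlet names are assumptions for illustration, not taken from the patch.

```apache
# Added example; not the proxy.conf shipped with the patch under discussion.
# Assumes mod_proxy and mod_proxy_ajp are loaded and that the Dogtag
# instance accepts AJP on localhost:9447 (assumed port).

# Overly broad form: every sub-URL of the CA, including agent and admin
# interfaces, becomes reachable through httpd. Shown commented out.
# ProxyPass /ca ajp://localhost:9447/ca

# Allowlisted form: forward only the end-entity operations a replica
# without a local CA needs (servlet names below are illustrative assumptions).
ProxyPassMatch ^/ca/ee/ca/(profileSubmit|checkRequest|displayByRequestId)$ \
    ajp://localhost:9447/ca/ee/ca/$1

# Revocation goes through the agent interface; list it explicitly rather
# than exposing the whole /ca/agent tree.
ProxyPassMatch ^/ca/agent/ca/(displayBySerial|doRevoke)$ \
    ajp://localhost:9447/ca/agent/ca/$1

# Any /ca path not matched above is never forwarded to Dogtag, so the
# proxy surface is exactly the set of patterns listed here.
```

Because only matching paths are proxied, the replica-without-CA test mentioned later in the thread is also the natural check that the allowlist is wide enough.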

On 08/19/2011 01:57 PM, Dmitri Pal wrote:
On 08/19/2011 01:19 PM, Adam Young wrote:
The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now.  In order to test, I have provided a couple of files that I have been using:

1.  Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
2.  Move the dogtag.conf file into the /etc/httpd/conf.d directory
3.  Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
4.  Restart IPA

To test:

1.  Add a host.
2.  Generate a CSR: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
3.  Request a certificate for the newly added host.
4.  Optionally, revoke the certificate for the host.

Please do not forget to test the proxy when the replica does not have the CA installed and has to forward the request to the one that does.

_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
