Note: This patch is intended for Dogtag 10.1. Once approved, it will
also need to be applied to the 'master' branch.
-------- Original Message --------
Subject: [Pki-devel] [PATCH] TRAC Ticket #816 - pki-tomcat cannot be
started after installation of ipa replica with ca [20140225]
Date: Tue, 25 Feb 2014 17:31:50 -0800
From: Matthew Harmsen <mharmsen(a)redhat.com>
To: pki-devel <pki-devel(a)redhat.com>
This patch causes the 'sslserver' certificate for a CA clone to be
signed by its associated master CA during configuration, and resolves
the following bug:
* Dogtag TRAC Ticket #816 - pki-tomcat cannot be started after
installation of ipa replica with ca
<https://fedorahosted.org/pki/ticket/816>
This was necessary to avoid any changes which may have been made to the
X500Name directory string encoding order (i.e., creating a Cloned CA
on Fedora 20 from a Master CA on Fedora 19).
The code was tested (applying the CAVEAT below) via end-to-end
'pkispawn' installation and batch-based configuration; it has not yet
been tested with GUI-based configuration.
*CAVEAT:*
During the preparation of this patch it was discovered that an
end-to-end test of functionality cannot be accomplished due to the
389 TRAC Ticket #47721 - Schema Replication Issue
<https://fedorahosted.org/389/ticket/47721>, which prevents the
'99user.ldif' file from being properly replicated from the Master CA
to the Cloned CA. However, I verified that this code does work by
shutting down DS on the cloned CA machine, manually replacing
'/etc/dirsrv/slapd-<clone>/schema/99user.ldif' with
'/etc/dirsrv/slapd-<master>/schema/99user.ldif', restarting DS and
the Cloned CA, and successfully performing a test enrollment.