7:02 p.m.
The fixes here look good and to what is intended.
Allow me to counter propose though.
Those OCSP URLs, at least on my system with an OCSP responder actually
do something:
For instance:
http://host:8080/ee/ocsp/ee/<binary ocsp request> blob actually works.
It works with wget or with the browser if you append "/<binary ocsp
request>"
on the end.
The server actually processes the request and send a file with the binary
ocsp response.
The proposal is: Can we just put the dummy <OCSP Request Blob> on the end
to tell the user that these URLs are in fact used to verify certificates?
For those that report that going to the URL with the browser results in an error,
I do not understand. On my box, if you go straight to the URL with no request on the end,
it just greets you with a blank page and does not error out.
----- Original Message -----
From: "Matthew Harmsen" <mharmsen(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Tuesday, August 4, 2015 3:43:19 PM
Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
Please review the attached patch which addresses the following two tickets:
* PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
* PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
shows an error page
These were tested by installing four new instances and running 'pkidaemon
status tomcat pki-tomcat'. The following four inaccessible URLs no longer
showed up:
* Unsecure URL = http://pki.example.com:8080/kra/ee/kra (1443)
* Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp (1518)
* Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp (1518)
* Unsecure URL = http://pki.example.com:8080/tks/ee/tks (1443)
Additionally, a test was run which showed that the upgrade code worked
successfully:
# pkidaemon status tomcat pki-tomcat
Status for pki-tomcat: pki-tomcat is running ..
[CA Status Definitions]
Unsecure URL = http://pki.example.com:8080/ca/ee/ca
Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
Secure EE URL = https://pki.example.com:8443/ca/ee/ca
Secure Admin URL = https://pki.example.com:8443/ca/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ca
Tomcat Port = 8005 (for shutdown)
[DRM Status Definitions]
Unsecure URL = http://pki.example.com:8080/kra/ee/kra
Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
Secure Admin URL = https://pki.example.com:8443/kra/services
PKI Console Command = pkiconsole https://pki.example.com:8443/kra
Tomcat Port = 8005 (for shutdown)
[OCSP Status Definitions]
Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp
Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp
Secure Admin URL = https://pki.example.com:8443/ocsp/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
Tomcat Port = 8005 (for shutdown)
[TKS Status Definitions]
Unsecure URL = http://pki.example.com:8080/tks/ee/tks
Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
Secure Admin URL = https://pki.example.com:8443/tks/services
PKI Console Command = pkiconsole https://pki.example.com:8443/tks
Tomcat Port = 8005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[DRM Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[OCSP Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[TKS Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
After running the upgrade script, the inaccessible URLs were removed:
# pkidaemon status tomcat pki-tomcat
Status for pki-tomcat: pki-tomcat is running ..
[CA Status Definitions]
Unsecure URL = http://pki.example.com:8080/ca/ee/ca
Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
Secure EE URL = https://pki.example.com:8443/ca/ee/ca
Secure Admin URL = https://pki.example.com:8443/ca/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ca
Tomcat Port = 8005 (for shutdown)
[DRM Status Definitions]
Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
Secure Admin URL = https://pki.example.com:8443/kra/services
PKI Console Command = pkiconsole https://pki.example.com:8443/kra
Tomcat Port = 8005 (for shutdown)
[OCSP Status Definitions]
Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
Secure Admin URL = https://pki.example.com:8443/ocsp/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
Tomcat Port = 8005 (for shutdown)
[TKS Status Definitions]
Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
Secure Admin URL = https://pki.example.com:8443/tks/services
PKI Console Command = pkiconsole https://pki.example.com:8443/tks
Tomcat Port = 8005 (for shutdown)
[CA Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[DRM Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[OCSP Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
[TKS Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
==========================================================================
Name: example.com Security Domain
URL: https://pki.example.com:8443
==========================================================================
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel