ACK
Code review of this produced two new TRAC Tickets:
* TRAC Ticket #502 - Dogtag 10: Change pkidestroy "-w" option to
require a password file rather than a raw password
* TRAC Ticket #503 - Dogtag 10: Security Domain Issues
These changes were tested using two scenarios as described in TRAC
Ticket #503 - Dogtag 10: Security Domain Issues.
-- Matt
On 02/04/13 17:39, Matthew Harmsen wrote:
On 02/01/13 11:54, Ade Lee wrote:
> We want to use the admin interface for installation work. This patch
> moves the interfaces used in cloning from either the EE or agent
> interface to the admin one. See:
>
> http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
>
> Specifically,
> 1. Change call to use /ca/admin/ca/getCertChain
> 2. Remove unneeded getTokenInfo servlet. The logic not to use this
> servlet has already been committed to dogtag 10.
> 3. Move updateNumberRange to the admin interface. For backward
> compatibility with old instances, the install code will
> call /ca/agent/updateNumberRange as a fallback.
> 4. Add updateDomainXML to admin interface. For backward compatibility,
> updateDomainXML will continue to be exposed on the agent interface with
> agent client auth.
> 5. Changed pkidestroy to get an install token and use the admin
> interface to update the security domain. For backward compatibility,
> the user and password are not specified as mandatory arguments -
> although we want to do that in future.
>
> Please review,
> Ade
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/pki-devel
Alee,
Sorry, but I require some additional information to properly test this
patch for a CA and its clone using a single machine. Hopefully, I can
address these issues relatively quickly tomorrow after obtaining your
answers.
I have pulled a new tree after the meeting this morning (which does
not include the patches added at 3:49 P. M. by edewata), created a
branch, applied all five of your changes, and built and installed the
packages on a fresh x86_64 Fedora 18 system (e. g. -
'foobar.example.com').
In order to test the code, I would like to perform the following two
tests using a single machine:
1. pkispawn using the new configuration servlet for both the CA and
the CA Clone
2. pkispawn using the old GUI configuration (by specifying a DEFAULT
value of pki_skip_configuration=True) for both CA and the CA Clone
However, with the new interpolation model, I do not know every single
value that needs to be overridden to have both the CA and CA Clone, as
well as the two directory servers, on the same system.
I have the following:
* installed a default directory server instance (e. g. - foobar)
running on port 389
* installed a CA (e. g. - default configuration specifying backup
keys in order to create the CA clone):
[DEFAULT]
pki_admin_password=XXXXXXXX
pki_backup_password=XXXXXXXX
pki_client_pkcs12_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_security_domain_password=XXXXXXXX
pki_backup_keys=True
* successfully configured a browser, requested, enrolled, and issued
a test certificate
* installed a second directory server instance (e. g. -
foobar-clone) running on port 8389
* about to install a CA Clone using the following parameters:
[DEFAULT]
pki_admin_password=XXXXXXXX
pki_client_pkcs12_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_security_domain_password=XXXXXXXX
pki_security_domain_hostname=foobar.example.com
pki_security_domain_https_port=8443
pki_ds_ldap_port=8389
pki_ds_ldaps_port=8636
[CA]
pki_ajp_port=17009
pki_clone=True
pki_clone_pkcs12_password=XXXXXXXX
pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12
pki_clone_replicate_schema=True
pki_clone_replication_master_port=
pki_clone_replication_clone_port=
pki_clone_replication_security=None
pki_clone_uri=http://foobar.example.com:8443
pki_http_port=17080
pki_https_port=17443
pki_instance_name=pki-tomcat-ca-clone
pki_tomcat_server_port=17005
Questions:
* Are the two tests specified above sufficient to test your patch,
or do I need to check the other two test cases of mixing an old
GUI configuration (CA) with the new configuration servlet (CA clone),
and vice-versa? (I believe that this code will require re-testing
under a separated ports model for versions of the product earlier
than Dogtag 10.)
* What parameter(s) do I need to add to the CA Clone configuration
file under what sections to reference the 'foobar-clone' directory
instance?
* What value, if any, do I need to supply to the
'pki_clone_replication_master_port'?
* What value, if any, do I need to supply to the
'pki_clone_replication_clone_port'?
* Should I leave 'pki_clone_replication_security=None'?
* Are there any other parameters that I am missing, and if so, under
what section should they be defined?
* Are there any parameters specified that contain incorrect values?
* Are any parameters specified in the incorrect sections?
Thanks in advance,
-- Matt