This patch documents continued implementation of the PKI Deployment Framework based upon the revised filesystem layout documented here:
This patch addresses the following issues:

WARNING:  Due to some of the changes to the command-line parameters (mainly the introduction of a dependency on the existence of a new symlink), instances previously created with the old "pkispawn" will once again need to be removed by the old "pkidestroy" PRIOR to the installation of this patch.

Note:  You will definitely need to establish the following "passwords" in your copy of "pkideployment.cfg" in order to install a "CA":

I ran the following command:  pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv

Unfortunately, for me, out-of-the-box installation failed with the following problem:
This error occurred despite downloading the latest SELinux policies on my 64-bit Fedora 17 box and compiling 'pki-selinux' against them.

The work-around that I used was to edit "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py" and comment out the call to "util.configuration_file.verify_selinux_ports()" in the 'spawn()' method.

Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv' now produces the following error:
pkispawn    : INFO     ... populating 'pki.deployment.selinux_setup'
Traceback (most recent call last):
  File "/bin/pkispawn", line 225, in <module>
    main(sys.argv)
  File "/bin/pkispawn", line 212, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py", line 69, in spawn
    port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1045, in add
    self.__add(port, proto, serange, type)
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1002, in __add
    raise ValueError(_("Port %s/%s already defined") % (proto, port))
ValueError: Port tcp/8080 already defined
My work-around to fix this error is to remove the symlinks which call the 'selinux_setup.py' scriptlet for both 'pkispawn' and 'pkidestroy':
Unfortunately, at this stage, sufficient installation has been made which prevents a new installation, and 'pkidestroy' in its current incarnation
will be unable to completely remove the instance.  Therefore, presuming an instance name of 'pki-tomcat', run the following commands:
Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv' should now run to successful completion!

To test this patch, run the test instructions documented in earlier patches for installing the Admin Cert.
Note that the 'ca_admin_cert.p12' file is now located under '/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12', and since a browser may not
have the appropriate permissions to traverse past the '/var/lib/pki' directory, the administrator will need to make this file available (i.e., copy it to /tmp).

Please note that although KRA, OCSP, and TKS installations will run to completion, at the present time, a crash occurs in the invocation of the Java configuration
client (quite possibly due to the specification of incorrect/incomplete parameters for these subsystems).


Thanks,
-- Matt
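
An added example (not part of the original message or the PKI code): a pre-check that reads `semanage port -l` style output and decides whether a port still needs a label before add() is called, which is the call that fails in the traceback above. The port table is a constructed sample, and `parse_port_list`, `plan_port_label` and the wanted type `http_port_t` are assumptions made for illustration.

```python
import re

# Constructed sample in the layout printed by `semanage port -l`
# (not captured from the system described in the message).
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
"""

_ROW = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")


def parse_port_list(text):
    """Return (type, proto, low, high) tuples, one per listed port or range."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        setype, proto, ports = m.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((setype, proto, int(low), int(high or low)))
    return entries


def plan_port_label(entries, port, proto, wanted_type):
    """Decide what to do instead of calling add() unconditionally.

    Returns ("add" | "skip" | "conflict", current_type_or_None).
    """
    # Prefer the narrowest matching definition (single port over a range).
    matches = sorted((high - low, setype) for setype, p, low, high in entries
                     if p == proto and low <= port <= high)
    if not matches:
        return ("add", None)          # undefined: add() is safe
    current = matches[0][1]
    if current == wanted_type:
        return ("skip", current)      # already labelled as wanted
    return ("conflict", current)      # labelled differently: needs a decision


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_PORT_LIST)
    for port in (8080, 8443, 18080):
        # "http_port_t" is an assumed wanted type, not taken from the page.
        print(port, plan_port_label(table, port, "tcp", "http_port_t"))
```

Either result other than "add" means the port is already defined, which is the condition under which the unconditional add() in the traceback raises ValueError.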