On 1/9/2013 3:25 AM, Ade Lee wrote:
1. What does python -u do?
We're using different ways to display the messages: python/jython print,
python logging, jython javasystem.out. Apparently each of them has
separate buffer so the messages would not appear in the proper order
unless we disable buffering using -u.
> 1. We ought to have some code to ensure that only one invocation
> pkispawn or pkidestroy is running at a time. This is important for
> selinux. Maybe this is a separate ticket.
I opened this ticket:
> 2. We should prompt for passwords twice and confirm that the
> match (as they are not displayed).
Agreed, the initial patch was meant to provide the basic functionality.
I'm planning to add verifications & error checking in a follow up patch.
However, we should only do password verification for passwords that we
create. In this case we'll do it for the admin password only.
For DS we're only using an existing password, so I don't think we should
verify it. The DS password was created and verified during DS
installation. I believe the PKI UI also doesn't require DS password
Same thing for security domain password, the password is already
verified when we create the security domain itself. When we create KRA
we're only using the password.
> 3. After all inputs are entered, it would be good to output
> like "Starting installation ...". It would also be good to print out
> the choices made, and allow them to go back and change them by typing
> "back" - just like DS does.
OK, will add in follow up. If you type "back" you'd need to re-enter
everything, is that ok?
> 4. Man page for pkispawn and pkidestroy needs to be updated.
> for pkispawn -h.
OK. For the help page (-h) the -f option should be made optional (the -s
option is already fixed). Any other changes to the help page?
For the man page I opened this ticket:
> 5. For subsystem type - entering something incorrect - like RAT
> example, causes an unsightly traceback.
Will do the error checking in follow up.
> 6. When installing a KRA, you are prompted for a security domain
> certificate --why?
I think the prompt is wrong, it should have been "Import admin
certificate" instead of "Security domain certificate".
The default pki_admin_cert_file for KRA would point to the CA admin cert
in KRA's client dir. This will not work if the CA and KRA are installed
on different instances. By prompting for the cert, it will allow you to
enter the CA admin cert in the CA's client dir. If they are installed in
the same instances you can just accept the default value.
What's actually the difference between pki_admin_cert_file and
pki_client_admin_cert, is one for import and the other for export? Do
they contain the same certificate?
> 7. When installing KRA (and OCSP and TKS), you need to be
> connection info to two CA's -- the security domain CA, and the issuing
> CA. These need not be the same.
What are the parameters for the issuing CA? Do you have an example?
How common is it to have different CA's for the security domain and
issuing CA? Note that in the interactive mode we can limit ourselves to
support the most common scenarios only.
> 8. How do you handle the admin cert ie. whether to create a new
> reuse the cert of an old admin? I suspect this is related to question 6
The default pki_import_admin_cert for non-CA subsystems is True. So
right now it only supports reusing the old admin cert, that's why in #6
you're asked for the cert. I'll fix the logic to use pki_import_admin_cert.
There are several ways to handle this:
a) Add another prompt asking whether to create or reuse the admin cert.
b) Don't support that in the interactive mode. You'd have to use a
Which one would you suggest?
> 9. It would be nice if the interactive script wrong out a config
> (maybe with passwords XXX'ed out) after the install.
The user config file will be stored in the registry with the passwords
intact just like in the non-interactive mode. Is this sufficient?
Endi S. Dewata