1:14 a.m.
Please review the attached patches which seek to implement '*Bugzilla
Bug #902956* <https://bugzilla.redhat.com/show_bug.cgi?id=902956>-[RFE]
Cert System 8.1 - Provide automated option for IP separated
configuration' for RHCS 8.1.
Three new patches (two which are revisions to the previous patches, and
one which represents a simple recursive diffs between the two 'pki'
trees which contain the code changes) have been attached whichaddress
the remaining issues.
* This version of the code has been tested utilizing the following
configuration:
o pki-ip-host (installation host - RHEL 5.9 x86_64)
+ pki-ca-agent (CA agent interface - virtual IP)
+ pki-ca-ee (CA EE interface- virtual IP)
+ pki-ca-ee-ca (CA EE clientauth interface- virtual IP)
+ pki-ca-admin (CA admin interface- virtual IP)
+ pki-kra-agent (KRA agent interface- virtual IP)
+ pki-kra-ee (KRA EE interface- virtual IP)
+ pki-kra-admin (KRA admin interface- virtual IP)
o pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different domain)
* Tests utilizing the browser GUI interface have been tested
successfully for the following PKI subsystems:
o CA using four VIPs
o KRA using three VIPs
o OCSP (was never tested, but is strongly believed to work since
the batch 'pkisilent' worked successfully)
o TKS using 'pki-ip-host' as the address for all three hosts
o RAconnecting to this CA
o TPS connecting to this CA, KRA, and TKS
* Tests utilizing new'pkisilent'batch process templates, the following
PKI subsystems have been tested successfully:
o CA using four VIPs
o KRA using three VIPs
o OCSPusing 'pki-ip-host' as the address for all three hosts
o TKS using 'pki-ip-host' as the address for all three hosts
o RA failed to connect to this CA (Bugzilla Bug #951891 filed)
o TPS connecting to this CA, KRA, and TKS
* Bugs have been filed for all remaining issues (many of which may be
addressable duringthe Q/E test cycle):
o *Bugzilla Bug #224770*
<https://bugzilla.redhat.com/show_bug.cgi?id=224770>-Apply "use
strict" methodology to
"pkicommon/pkicreate/pkiremove/pkicomplete" . . .
o *Bugzilla Bug #951886*
<https://bugzilla.redhat.com/show_bug.cgi?id=951886>-Refactor
'get_port_configuration_mode()' in 'pkicommon'
o *Bugzilla Bug #951887*
<https://bugzilla.redhat.com/show_bug.cgi?id=951887>-Use of
unlabelled SELinux ports on VIPs to support 'IP Separation'
o *Bugzilla Bug #951890*
<https://bugzilla.redhat.com/show_bug.cgi?id=951890>-Include
default EE clientauth port (9446) in pki-selinux policy
o *Bugzilla Bug #951891*
<https://bugzilla.redhat.com/show_bug.cgi?id=951891>-'silent_ra_to_...
fails to configure an RA successfully
o *Bugzilla Bug #910175*
<https://bugzilla.redhat.com/show_bug.cgi?id=910175>-[DOC] Cert
System 8.1 - IP Port Separation Configuration Mode (additional
material has been added to this bug)
10:09 a.m.
Couple of small points:
In CAInfoPanel.pm, KRAInfoPanel.pm, TKSInfoPanel.pm (for TPS), and
CAInfoPanel (for RA):
* You add a comment about a code path that is no longer used. This is
actually a bug in pkisilent. Basically, we should be using - or have
the ability to use this option. Otherwise, we effectively only use the
first URL in the list when selecting CA, KRA, etc. Therefore I would
NOT put in this comment. We may even want to add a BZ to make TPS and
RA use this option.
* In the functions, get_secure_*_port_domain_xml and
get_secure_*_host_from domain_xml, you should break to exit the loop
once a match is made. Also, there is an unused counter variable $count
that should be removed.
Other than these issues, ACK.
Ade
On Sat, 2013-04-13 at 23:14 -0700, Matthew Harmsen wrote:
Please review the attached patches which seek to implement
'Bugzilla
Bug #902956 - [RFE] Cert System 8.1 - Provide automated option for IP
separated configuration' for RHCS 8.1.
Three new patches (two which are revisions to the previous patches,
and one which represents a simple recursive diffs between the two
'pki' trees which contain the code changes) have been attached which
address the remaining issues.
* This version of the code has been tested utilizing the
following configuration:
* pki-ip-host (installation host - RHEL 5.9 x86_64)
* pki-ca-agent (CA agent interface - virtual IP)
* pki-ca-ee (CA EE interface - virtual IP)
* pki-ca-ee-ca (CA EE clientauth interface -
virtual IP)
* pki-ca-admin (CA admin interface - virtual IP)
* pki-kra-agent (KRA agent interface - virtual
IP)
* pki-kra-ee (KRA EE interface - virtual IP)
* pki-kra-admin (KRA admin interface - virtual
IP)
* pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a
different domain)
* Tests utilizing the browser GUI interface have been tested
successfully for the following PKI subsystems:
* CA using four VIPs
* KRA using three VIPs
* OCSP (was never tested, but is strongly believed to
work since the batch 'pkisilent' worked successfully)
* TKS using 'pki-ip-host' as the address for all three
hosts
* RA connecting to this CA
* TPS connecting to this CA, KRA, and TKS
* Tests utilizing new 'pkisilent' batch process templates, the
following PKI subsystems have been tested successfully:
* CA using four VIPs
* KRA using three VIPs
* OCSP using 'pki-ip-host' as the address for all three
hosts
* TKS using 'pki-ip-host' as the address for all three
hosts
* RA failed to connect to this CA (Bugzilla Bug #951891
filed)
* TPS connecting to this CA, KRA, and TKS
* Bugs have been filed for all remaining issues (many of which
may be addressable during the Q/E test cycle):
* Bugzilla Bug #224770 - Apply "use strict" methodology
to "pkicommon/pkicreate/pkiremove/pkicomplete" . . .
* Bugzilla Bug #951886 - Refactor
'get_port_configuration_mode()' in 'pkicommon'
* Bugzilla Bug #951887 - Use of unlabelled SELinux ports
on VIPs to support 'IP Separation'
* Bugzilla Bug #951890 - Include default EE clientauth
port (9446) in pki-selinux policy
* Bugzilla Bug #951891 - 'silent_ra_to_ip_port.template'
fails to configure an RA successfully
* Bugzilla Bug #910175 - [DOC] Cert System 8.1 - IP Port
Separation Configuration Mode (additional material has
been added to this bug)
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
4269
days inactive
4270
days old
1 comments
2 participants
participants (2)
-
Ade Lee -
Matthew Harmsen