Based on the changes and the excruciating testing done!
ACK
----- Original Message -----
From: "Matthew Harmsen" <mharmsen(a)redhat.com>
To: "John Magne" <jmagne(a)redhat.com>
Cc: "pki-devel" <pki-devel(a)redhat.com>
Sent: Friday, May 22, 2015 5:23:38 PM
Subject: Re: [Pki-devel] [PATCH] disable backup keys and share master keys when using an
HSM
On 05/22/15 12:51, John Magne wrote:
Good we can get this feature going.
A couple of comments:
1. I'm sure we have done a bunch of testing to get the hsm case working,
if not done, it might be good to try a basic software case to make sure that
still works.
Done.
Successfully built and installed software master/clone, and
enrolled/approved all four possibilities:
* master/master
* clone/clone
* master/clone
* clone/master
2. In SystemConfigService.java line: 1120
I think we may replace:
    throw new BadRequestException("HSM clones must share their HSM master's private keys");
with:
    if (data.getP12File() != null) {
        throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
    }
    if (data.getP12Password() != null) {
        throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
    }
Because I think the only time the situation is fatal is when we have a clone on the HSM,
BUT provide the pkcs12 file data.
Fixed
3. Ran a quick pycharm on the python and it reported a couple of PEP warnings at lines 563
and 579, something about indentation. Sounds like an easy fix.
Fixed
----- Original Message -----
From: "Matthew Harmsen" <mharmsen(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Thursday, May 21, 2015 4:40:21 PM
Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
Please review the attached patch which addresses the following ticket:
* PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM
(and provide recommendation); allow clones to share keys
This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA
HSM.
New patch attached.