[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Ade Lee alee at redhat.com
Wed Aug 8 20:05:26 UTC 2012


Hi, 

Dogtag 10 is being released on f18, and has a number of changes that
will affect IPA.  In particular, the following changes will affect
current IPA code. 

* The directory layout of the dogtag instance has changed.  Instead of
using separate tomcat instances to host different subsystems, the
standard dogtag installation will allow one to install a CA, KRA, OCSP
and TKS within the same instance.  There have been corresponding changes
in the directory layout, as well as the default instance name
(pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead
of pki-cad, pki-krad etc.) 

* The default instance will use only four ports (HTTPS, HTTP, AJP and
tomcat shutdown port) rather than the 6 previously used.  The default
ports will be changed to the standard tomcat ports.  As these ports are
local to the ipa server machine, this should not cause too much
disruption. 

* There is a new single step installer written in python.
(pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove.

* Dogtag 10 runs on tomcat7 - with a new corresponding version of
tomcatjss.

The attached patch integrates all the above changes in IPA installation
and maintenance code.  Once the patch is applied, users will be able to:

1. run ipa-server-install to completion on f18 with dogtag 10.
2. install a new replica on f18 on dogtag 10.
3. upgrade an f17 machine with an existing IPA instance to f18/dogtag
10 - and have that old-style dogtag instance continue to run correctly.
This will require the installation of the latest version of tomcatjss as
well as the installation of tomcat6.  The old-style instance will
continue to use tomcat6.
4. In addition, the new cert renewal code has been patched and should
continue to work.

What is not yet completed / supported:

1. Installation with an external CA is not yet completed in the new
installer.  We plan to complete this soon.

2. There is some IPA upgrade code that has not yet been touched
(install/tools/ipa-upgradeconfig).

3. A script needs to be written to allow admins to convert their
old-style dogtag instances to new style instances, as well as code to
periodically prompt admins to do this.

4. Installation of old-style instances using pkicreate/pkisilent on
dogtag 10 will no longer be supported, and will be disabled soon.

5. The pki-selinux policy has been updated to reflect these changes,
but is still in flux.  In fact, it is our intention to place the dogtag
selinux policy in the base selinux policy for f18.  In the meantime, it
may be necessary to run installs in permissive mode.

The dogtag 10 code will be released shortly into f18.  Prior to that
though, we have placed the new dogtag 10 and tomcatjss code in a
developer repo that is located at 
http://nkinder.fedorapeople.org/dogtag-devel/

Testing can be done on both f18 and f17 - although the target platform -
and the only platform for which official builds will be created is f18.

Thanks, 
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Modifications-to-install-scripts-for-dogtag-10.patch
Type: text/x-patch
Size: 43546 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120808/f4b46dc1/attachment.bin>