<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 06/07/2013 10:23 AM, Tomas Babej wrote: </div> <blockquote cite="mid:51B19888.2050803@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 05/15/2013 01:36 PM, Ana Krivokapic wrote: </div> <blockquote cite="mid:51937353.3090501@redhat.com" type="cite"> <pre wrap="">On 05/15/2013 12:29 PM, Petr Viktorin wrote: </pre> <blockquote type="cite"> <pre wrap="">On 05/15/2013 12:04 PM, Tomas Babej wrote: </pre> <blockquote type="cite"> <pre wrap="">On 05/15/2013 11:40 AM, Ana Krivokapic wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello, See the commit message for details. <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3594">https://fedorahosted.org/freeipa/ticket/3594</a> _______________________________________________ Freeipa-devel mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> </pre> </blockquote> <pre wrap="">+ def regenerate_ca_file(self, ca_file): + dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp() + keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp() + + os.write(dm_pwd_fd, self.dirman_password) + os.close(dm_pwd_fd) + + keydb_pwd = '' + with open('/etc/pki/pki-tomcat/password.conf') as f: + for line in f.readlines(): + key, value = line.strip().split('=') + if key == 'internal': + keydb_pwd = value + break + + os.write(keydb_pwd_fd, keydb_pwd) + os.close(keydb_pwd_fd) + + ipautil.run([ + '/usr/bin/PKCS12Export', + '-d', '/etc/pki/pki-tomcat/alias/', + '-p', keydb_pwd_fname, + '-w', dm_pwd_fname, + '-o', ca_file + ]) + If the PKCS12Export call fails (returns non-zero code), we raise exception here, and the temporary files are never removed. + os.remove(dm_pwd_fname) + os.remove(keydb_pwd_fname) This might not be a big issue since mkstemp() call creates temporary file readable and writable only be given user ID, however, we should not leave files with passwords in plaintext on the disk if it is not necessary. This can be easily prevented by wrapping the call up with try-chatch-finally block, or using raiseonerr=False options of run method. </pre> </blockquote> <pre wrap="">Or by using ipautil.write_tmp_file() – the file it creates is always removed after it's closed/garbage collected, and it has a name attribute. </pre> </blockquote> <pre wrap="">Updated patch uses `ipautil.write_tmp_file()`. </pre> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-devel mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> I'm testing on a fairly updated F19 VM: I'm getting the following error when preparing the replica info file: [root@vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address 192.168.122.213 Directory Manager (existing master) password: Preparing replica for vm-003.ipa.com from vm-002.ipa.com Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non When trying that manually: [root@vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12 Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/util/PasswordCallback at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2451) at java.lang.Class.getMethod0(Class.java:2694) at java.lang.Class.getMethod(Class.java:1622) at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494) at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486) Caused by: java.lang.ClassNotFoundException: org.mozilla.jss.util.PasswordCallback at java.net.URLClassLoader$1.run(URLClassLoader.java:366) at java.net.URLClassLoader$1.run(URLClassLoader.java:355) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:354) at java.lang.ClassLoader.loadClass(ClassLoader.java:423) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) at java.lang.ClassLoader.loadClass(ClassLoader.java:356) ... 6 more We might need to investigate what causes this, and if the issue is not on our side, file appropriate bugs. Tomas </blockquote> This is an bug in the PKCS12Export utility. I opened a Bugzilla for it: <a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=972753">https://bugzilla.redhat.com/show_bug.cgi?id=972753</a>. Below is a workaround, as suggested by Ade: <alee> as for a workaround, you could simply edit the file that starts PKCS12Export <alee> edit /usr/bin/PKCS12Export <alee> after line 134, simply add the line : CP=/usr/lib/java/jss4.jar <alee> but thats just a temp fix for f19 only <alee> not the real fix, <alee> you'll need the real fix checked in to pass the patch <pre class="moz-signature" cols="72">-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.</pre> </body> </html>