From edewata at redhat.com Fri Feb 1 19:38:58 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 01 Feb 2013 13:38:58 -0600
Subject: [Pki-devel] [PATCH] 205 Fixed getInstallToken() invocation.
Message-ID: <510C19D2.2030108@redhat.com>

The configuration code has been modified to use the REST interface to get the installation token and ignore CA cert validation errors.

Ticket #476

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0205-Fixed-getInstallToken-invocation.patch
Type: text/x-patch
Size: 4497 bytes

From alee at redhat.com Fri Feb 1 19:54:09 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 01 Feb 2013 14:54:09 -0500
Subject: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface
Message-ID: <1359748449.2320.39.camel@aleeredhat.laptop>

We want to use the admin interface for installation work. This patch moves the interfaces used in cloning from either the EE or agent interface to the admin one. See:
http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning

Specifically,
1. Change call to use /ca/admin/ca/getCertChain
2. Remove unneeded getTokenInfo servlet. The logic not to use this servlet has already been committed to dogtag 10.
3. Move updateNumberRange to the admin interface. For backward compatibility with old instances, the install code will call /ca/agent/updateNumberRange as a fallback.
4. Add updateDomainXML to admin interface. For backward compatibility, updateDomainXML will continue to be exposed on the agent interface with agent client auth.
5. Changed pkidestroy to get an install token and use the admin interface to update the security domain. For backward compatibility, the user and password are not specified as mandatory arguments - although we want to do that in future.

Please review,
Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0116-Add-updateDomainXML-to-admin-interface.patch
Type: text/x-patch
Size: 14783 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0117-Change-pkidestroy-to-get-an-install-token-and-use-ad.patch
Type: text/x-patch
Size: 22922 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0115-move-updateNumberRange-to-admin-interface.patch
Type: text/x-patch
Size: 10349 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0114-remove-unneeded-getTokenInfo-servlet.patch
Type: text/x-patch
Size: 7779 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0113-Fix-get-cert-chain-to-use-admin-port-only.patch
Type: text/x-patch
Size: 3700 bytes

From alee at redhat.com Fri Feb 1 22:15:24 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 01 Feb 2013 17:15:24 -0500
Subject: [Pki-devel] [PATCH] 204 Merged cert-request-review/approve commands.
In-Reply-To: <510A8FC4.4030305@redhat.com>
References: <510A8FC4.4030305@redhat.com>
Message-ID: <1359756925.2320.46.camel@aleeredhat.laptop>

This looks pretty straightforward. Couple of comments:

1. There are some places where you specify (accept/reject) as the options and some as (approve/reject) in other places. The correct option should be (approve/reject).
2. There are other things that can be done besides approve/ reject -- see CertRequestResource for other options (cancel, update, validate, assign, unassign). Not sure what all these options do - you'd have to look at the code, but if we can easily add the options, we should.

Ade

On Thu, 2013-01-31 at 09:37 -0600, Endi Sukma Dewata wrote:
> The cert-request-approve has been merged into cert-request-review
> to ensure that these operations are executed in the same session.
>
> Ticket #474
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Sun Feb 3 15:24:10 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 03 Feb 2013 09:24:10 -0600
Subject: [Pki-devel] [PATCH] 204 Merged cert-request-review/approve commands.
In-Reply-To: <1359756925.2320.46.camel@aleeredhat.laptop>
References: <510A8FC4.4030305@redhat.com> <1359756925.2320.46.camel@aleeredhat.laptop>
Message-ID: <510E811A.7090204@redhat.com>

New patch attached.

On 2/1/2013 4:15 PM, Ade Lee wrote:
> 1. There are some places where you specify (accept/reject) as the
> options and some as (approve/reject) in other places. The correct
> option should be (approve/reject).

Fixed. I only found one place though.

> 2. There are other things that can be done besides approve/ reject --
> see CertRequestResource for other options (cancel, update, validate,
> assign, unassign). Not sure what all these options do - you'd have to
> look at the code, but if we can easily add the options, we should.

Added.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0204-1-Merged-cert-request-review-approve-commands.patch
Type: text/x-patch
Size: 16356 bytes

From edewata at redhat.com Sun Feb 3 15:34:39 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 03 Feb 2013 09:34:39 -0600
Subject: [Pki-devel] [PATCH] 206 Added AuthMapping annotation.
Message-ID: <510E838F.9050004@redhat.com>

Attached is a patch for ticket #477. The code is done, but since the patch renames one of the files in the deployed webapps there probably needs to be a migration script. This needs to be discussed further.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0206-Added-AuthMapping-annotation.patch
Type: text/x-patch
Size: 39538 bytes

From alee at redhat.com Mon Feb 4 14:42:07 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Feb 2013 09:42:07 -0500
Subject: [Pki-devel] [PATCH] 204 Merged cert-request-review/approve commands.
In-Reply-To: <510E811A.7090204@redhat.com>
References: <510A8FC4.4030305@redhat.com> <1359756925.2320.46.camel@aleeredhat.laptop> <510E811A.7090204@redhat.com>
Message-ID: <1359988928.2320.47.camel@aleeredhat.laptop>

ack

On Sun, 2013-02-03 at 09:24 -0600, Endi Sukma Dewata wrote:
> New patch attached.
>
> On 2/1/2013 4:15 PM, Ade Lee wrote:
> > 1. There are some places where you specify (accept/reject) as the
> > options and some as (approve/reject) in other places. The correct
> > option should be (approve/reject).
>
> Fixed. I only found one place though.
>
> > 2. There are other things that can be done besides approve/ reject --
> > see CertRequestResource for other options (cancel, update, validate,
> > assign, unassign). Not sure what all these options do - you'd have to
> > look at the code, but if we can easily add the options, we should.
>
> Added.
>

From alee at redhat.com Mon Feb 4 15:49:20 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Feb 2013 10:49:20 -0500
Subject: [Pki-devel] [PATCH] 202 Session-based nonces.
In-Reply-To: <510A8FC7.7000405@redhat.com>
References: <5102E8A3.3050906@redhat.com> <5102F7A7.3020202@redhat.com> <510A8FC7.7000405@redhat.com>
Message-ID: <1359992961.2320.48.camel@aleeredhat.laptop>

Looks pretty good to me.

Question:
1. What is the purpose of the isMemberOfSubsystemGroup() method, and why do we need it?

Ade

On Thu, 2013-01-31 at 09:37 -0600, Endi Sukma Dewata wrote:
> On 1/25/2013 3:22 PM, Endi Sukma Dewata wrote:
> > On 1/25/2013 2:18 PM, Endi Sukma Dewata wrote:
> >> Previously nonces were stored in a global map which might not scale
> >> well due to some issues:
> >> 1. The map used the nonces as map keys. There were possible nonce
> >> collisions which required special handling.
> >> 2. The collision handling code was not thread safe. There were
> >> possible race conditions during concurrent modifications.
> >> 3. The map was shared and size limited. If there were a lot of
> >> users using the system, valid nonces could get pruned.
> >> 4. The map mapped the nonces to client certificates. This limited
> >> the possible authentication methods that could be supported.
> >>
> >> Now the code has been modified such that each user has a private map
> >> in the user's session to store the nonces. Additional locking has been
> >> implemented to protect against concurrent modifications. The map now
> >> uses the target of the operation as the map key, eliminating possible
> >> collisions and allowing the use of other authentication methods. Since
> >> this is a private map, it's not affected by the number of users using
> >> the system.
> >>
> >> Ticket #474
> >
> > New patch attached. Fixed the session attribute name in
> > ProfileReviewServlet.java.
>
> Rebased on top of patch #204. Fixed exception type.
From edewata at redhat.com Mon Feb 4 16:24:58 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 10:24:58 -0600
Subject: [Pki-devel] [PATCH] 202 Session-based nonces.
In-Reply-To: <1359992961.2320.48.camel@aleeredhat.laptop>
References: <5102E8A3.3050906@redhat.com> <5102F7A7.3020202@redhat.com> <510A8FC7.7000405@redhat.com> <1359992961.2320.48.camel@aleeredhat.laptop>
Message-ID: <510FE0DA.9080308@redhat.com>

On 2/4/2013 9:49 AM, Ade Lee wrote:
> Looks pretty good to me.
>
> Question:
> 1. What is the purpose of the isMemberOfSubsystemGroup() method, and why
> do we need it?

The original code checks whether the user specified in the client certificate belongs to the "Subsystem Group". If it does, the code will skip nonce verification. I suppose this is used by internal PKI operations which do not require 2-step processes using nonces.

The isMemberOfSubsystemGroup() is a method that encapsulates the above logic, and it's created to separate the logic from nonce validation which should not be dependent on client certificates.

--
Endi S. Dewata

From alee at redhat.com Mon Feb 4 16:56:34 2013
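The session-based nonce design that the patch 202 description lays out (a private per-session map, the operation target as map key, locking around modifications, and subsystem-group members bypassing the check) as an added example. This is not code from the pki-devel thread or from Dogtag, and it is in Python rather than the project's Java so the properties can be exercised stand-alone; the session object, the `nonces` attribute name and the `review_request`/`approve_request` functions are assumptions made for the illustration.

```python
import hmac
import secrets
import threading
from typing import Dict, Optional

# Hypothetical session attribute name; the thread only says a per-session map is used.
NONCE_ATTRIBUTE = "nonces"


class NonceMap:
    """Private per-session nonce map keyed by the target of the operation.

    Mirrors the design in the patch description: one map per session (so the
    number of users on the system never prunes someone else's nonce), the
    operation target as key (so two nonces cannot collide on the key), and a
    lock around every modification (so concurrent requests in one session
    cannot race).
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._by_target: Dict[str, str] = {}

    def issue(self, target: str) -> str:
        """Generate a fresh nonce for the first step of an operation on `target`."""
        nonce = secrets.token_hex(16)
        with self._lock:
            self._by_target[target] = nonce  # a repeat review simply replaces the old nonce
        return nonce

    def validate(self, target: str, presented: str) -> bool:
        """Consume the nonce stored for `target`; True only if it exists and matches."""
        with self._lock:
            expected = self._by_target.pop(target, None)  # single use, removed before comparing
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)


class Session:
    """Stand-in for an HTTP session object (constructed for this example)."""

    def __init__(self) -> None:
        self.attributes: Dict[str, object] = {}


def nonce_map_for(session: Session) -> NonceMap:
    """Fetch or lazily create the session's private nonce map."""
    nonces = session.attributes.get(NONCE_ATTRIBUTE)
    if nonces is None:
        nonces = NonceMap()
        session.attributes[NONCE_ATTRIBUTE] = nonces
    return nonces


def review_request(session: Session, request_id: str) -> str:
    """Step 1: render the review page and hand back the nonce bound to this request."""
    return nonce_map_for(session).issue(request_id)


def approve_request(session: Session, request_id: str, nonce: Optional[str],
                    is_subsystem_member: bool = False) -> bool:
    """Step 2: approve only if the presented nonce was issued for this target in this session.

    Subsystem-group members skip the check, as the thread describes for internal
    PKI operations that are not two-step. That decision is taken here, outside
    the nonce map, so nonce validation itself does not depend on client certs.
    """
    if is_subsystem_member:
        return True
    if nonce is None:
        return False
    return nonce_map_for(session).validate(request_id, nonce)


def demo() -> Dict[str, bool]:
    """Exercise the properties the patch description claims; every value should be True."""
    alice, bob = Session(), Session()
    nonce = review_request(alice, "request-17")
    # Many other users reviewing their own requests do not affect Alice's nonce.
    for _ in range(10_000):
        review_request(Session(), "request-17")
    return {
        "alice_approves_once": approve_request(alice, "request-17", nonce),
        "replay_rejected": not approve_request(alice, "request-17", nonce),
        "bob_cannot_use_alice_nonce": not approve_request(bob, "request-17", nonce),
        "wrong_target_rejected": not approve_request(
            alice, "request-18", review_request(alice, "request-17")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-28s %s" % (check, "ok" if ok else "FAILED"))
```

One design choice worth noting: `validate` removes the stored entry before comparing, so presenting a wrong nonce also consumes the valid one and the user has to go through the review step again. That keeps a mistyped or replayed value from being retried against the same target within the session.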
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Feb 2013 11:56:34 -0500
Subject: [Pki-devel] [PATCH] 202 Session-based nonces.
In-Reply-To: <510FE0DA.9080308@redhat.com>
References: <5102E8A3.3050906@redhat.com> <5102F7A7.3020202@redhat.com> <510A8FC7.7000405@redhat.com> <1359992961.2320.48.camel@aleeredhat.laptop> <510FE0DA.9080308@redhat.com>
Message-ID: <1359996995.2320.49.camel@aleeredhat.laptop>

OK - I did not see that code in the original validateNonce() function.

ACK

On Mon, 2013-02-04 at 10:24 -0600, Endi Sukma Dewata wrote:
> On 2/4/2013 9:49 AM, Ade Lee wrote:
> > Looks pretty good to me.
> >
> > Question:
> > 1. What is the purpose of the isMemberOfSubsystemGroup() method, and why
> > do we need it?
>
> The original code checks whether the user specified in the client
> certificate belongs to the "Subsystem Group". If it does, the code will
> skip nonce verification. I suppose this is used by internal PKI
> operations which do not require 2-step processes using nonces.
>
> The isMemberOfSubsystemGroup() is a method that encapsulates the above
> logic, and it's created to separate the logic from nonce validation
> which should not be dependent on client certificates.
>
> --
> Endi S. Dewata

From edewata at redhat.com Mon Feb 4 17:13:48 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 11:13:48 -0600
Subject: [Pki-devel] [PATCH] 204 Merged cert-request-review/approve commands.
In-Reply-To: <1359988928.2320.47.camel@aleeredhat.laptop>
References: <510A8FC4.4030305@redhat.com> <1359756925.2320.46.camel@aleeredhat.laptop> <510E811A.7090204@redhat.com> <1359988928.2320.47.camel@aleeredhat.laptop>
Message-ID: <510FEC4C.3080001@redhat.com>

On 2/4/2013 8:42 AM, Ade Lee wrote:
> ack

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Feb 4 17:13:57 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 11:13:57 -0600
Subject: [Pki-devel] [PATCH] 202 Session-based nonces.
In-Reply-To: <1359996995.2320.49.camel@aleeredhat.laptop>
References: <5102E8A3.3050906@redhat.com> <5102F7A7.3020202@redhat.com> <510A8FC7.7000405@redhat.com> <1359992961.2320.48.camel@aleeredhat.laptop> <510FE0DA.9080308@redhat.com> <1359996995.2320.49.camel@aleeredhat.laptop>
Message-ID: <510FEC55.1080008@redhat.com>

On 2/4/2013 10:56 AM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From alee at redhat.com Mon Feb 4 17:56:23 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Feb 2013 12:56:23 -0500
Subject: [Pki-devel] [PATCH] 205 Fixed getInstallToken() invocation.
In-Reply-To: <510C19D2.2030108@redhat.com>
References: <510C19D2.2030108@redhat.com>
Message-ID: <1360000584.2320.53.camel@aleeredhat.laptop>

ACK

On Fri, 2013-02-01 at 13:38 -0600, Endi Sukma Dewata wrote:
> The configuration code has been modified to use the REST interface
> to get the installation token and ignore CA cert validation errors.
>
> Ticket #476

From alee at redhat.com Mon Feb 4 19:27:43 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Feb 2013 14:27:43 -0500
Subject: [Pki-devel] [PATCH] 199 Added interactive subsystem installation.
In-Reply-To: <510AAA0E.30601@redhat.com>
References: <50E5807C.9040701@redhat.com> <50E60229.8000709@redhat.com> <1357674781.16107.24.camel@aleeredhat.laptop> <1357676742.16107.26.camel@aleeredhat.laptop> <50ECD1FF.9020802@redhat.com> <1357708989.16107.40.camel@aleeredhat.laptop> <510AAA0E.30601@redhat.com>
Message-ID: <1360006063.2320.55.camel@aleeredhat.laptop>

ACK

On Thu, 2013-01-31 at 11:29 -0600, Endi Sukma Dewata wrote:
> New patch attached.
>
> On 1/8/2013 11:23 PM, Ade Lee wrote:
> > The password verification is mostly for sanity checking purposes. It is
> > possible that the password that is entered for the DS password is
> > mis-typed. Having ham-fisted fingers, I tend to do that. As the
> > password is not displayed, it's unclear until you actually start the
> > installation whether the password was mis-typed. On the other hand, you
> > are unlikely to mistype a password twice.
> >
> > So, I think it should be done for all passwords.
>
> This has been added.
>
> >>>> 3. After all inputs are entered, it would be good to output something
> >>>> like "Starting installation ...". It would also be good to print out
> >>>> the choices made, and allow them to go back and change them by typing
> >>>> "back" - just like DS does.
> >>
> >> OK, will add in follow up. If you type "back" you'd need to re-enter
> >> everything, is that ok?
> >>
> > Yes - and I understand, re-enter everything meaning that you have to go
> > through the prompts again.
>
> A confirmation prompt has been added. I don't think it's necessary to
> print out the choices again because most likely you can still see them
> on the screen.
>
> > Ok - I am interested in how this is documented. In particular, we want
> > to be careful to explain exactly what type of installation is available
> > using the interactive install.
> > I would suggest writing this first - so
> > that we can decide if we agree on this - and if the options need to
> > change accordingly.
>
> The doc is available here:
> http://pki.fedoraproject.org/wiki/Interactive_Installation
>
> >>>> 5. For subsystem type - entering something incorrect - like RAT for
> >>>> example, causes an unsightly traceback.
> >>
> >> Will do the error checking in follow up.
> >>
> > OK
>
> Error checking has been added.
>
> >>>> 7. When installing KRA (and OCSP and TKS), you need to be prompted for
> >>>> connection info to two CA's -- the security domain CA, and the issuing
> >>>> CA. These need not be the same.
> >>
> >> What are the parameters for the issuing CA? Do you have an example?
> >>
> >> How common is it to have different CA's for the security domain and
> >> issuing CA? Note that in the interactive mode we can limit ourselves to
> >> support the most common scenarios only.
> >>
> > This goes back to my statements about the man page. We need to decide
> > exactly what we are supporting in the interactive install.
> >
> > I think it's reasonable for the CA to be not the same as the security
> > domain CA.
>
> As discussed, since the interactive installation doesn't support clone
> or subordinate CA, the issuing CA will be identical to the security
> domain, so it's not necessary to prompt for the issuing CA separately.
>
> >>>> 8. How do you handle the admin cert ie. whether to create a new admin or
> >>>> reuse the cert of an old admin? I suspect this is related to question 6
> >>>> above.
> >>
> >> The default pki_import_admin_cert for non-CA subsystems is True. So
> >> right now it only supports reusing the old admin cert, that's why in #6
> >> you're asked for the cert. I'll fix the logic to use pki_import_admin_cert.
> >>
> >> There are several ways to handle this:
> >> a) Add another prompt asking whether to create or reuse the admin cert.
> >> b) Don't support that in the interactive mode.
> >> You'd have to use a
> >> config file.
> >>
> >> Which one would you suggest?
> > I like option (a) -- and if the choice is to reuse an admin cert, prompt
> > for its location.
>
> Prompts for importing and exporting admin certificates have been added.
>

From edewata at redhat.com Mon Feb 4 23:49:32 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 17:49:32 -0600
Subject: [Pki-devel] [PATCH] 205 Fixed getInstallToken() invocation.
In-Reply-To: <1360000584.2320.53.camel@aleeredhat.laptop>
References: <510C19D2.2030108@redhat.com> <1360000584.2320.53.camel@aleeredhat.laptop>
Message-ID: <5110490C.1090104@redhat.com>

On 2/4/2013 11:56 AM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Feb 4 23:49:37 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 17:49:37 -0600
Subject: [Pki-devel] [PATCH] 199 Added interactive subsystem installation.
In-Reply-To: <1360006063.2320.55.camel@aleeredhat.laptop>
References: <50E5807C.9040701@redhat.com> <50E60229.8000709@redhat.com> <1357674781.16107.24.camel@aleeredhat.laptop> <1357676742.16107.26.camel@aleeredhat.laptop> <50ECD1FF.9020802@redhat.com> <1357708989.16107.40.camel@aleeredhat.laptop> <510AAA0E.30601@redhat.com> <1360006063.2320.55.camel@aleeredhat.laptop>
Message-ID: <51104911.2050801@redhat.com>

On 2/4/2013 1:27 PM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Feb 5 00:07:51 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 Feb 2013 18:07:51 -0600
Subject: [Pki-devel] [PATCH] 207 Fixed date format for cert-find parameters.
Message-ID: <51104D57.2030306@redhat.com>

All date parameters for cert-find have been modified to use the YYYY-MM-DD date format. Date parsing code in FilterBuilder has been modified not to ignore parsing errors.

Ticket #497

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0207-Fixed-date-format-for-cert-find-parameters.patch
Type: text/x-patch
Size: 5689 bytes

From mharmsen at redhat.com Tue Feb 5 01:39:45 2013
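The behaviour change patch 207 describes for FilterBuilder, as an added example that is not the patch's or Dogtag's own code: a search-filter builder that swallows a date parse error silently drops that clause and returns a wider filter than the caller asked for, while the strict variant refuses the request. `build_filter`, the cert-find parameter names and the `notBefore`/`notAfter` attribute names below are assumptions made for the illustration, not taken from the Dogtag schema or CLI.

```python
from datetime import datetime, timezone
from typing import Dict, Tuple

DATE_FORMAT = "%Y-%m-%d"  # the YYYY-MM-DD format the patch settles on for cert-find


def parse_date(value: str) -> datetime:
    """Strict YYYY-MM-DD parse; raises ValueError for anything else (e.g. '02/01/2013')."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime at midnight UTC, e.g. 20130204000000Z."""
    return dt.strftime("%Y%m%d%H%M%SZ")


# Assumed parameter -> (attribute, comparison) mapping for the illustration.
DATE_PARAMS: Dict[str, Tuple[str, str]] = {
    "valid_not_before_from": ("notBefore", ">="),
    "valid_not_before_to": ("notBefore", "<="),
    "valid_not_after_from": ("notAfter", ">="),
    "valid_not_after_to": ("notAfter", "<="),
}


def build_filter(params: Dict[str, str], ignore_parse_errors: bool) -> str:
    """Build an LDAP filter from date parameters.

    With ignore_parse_errors=True (the old behaviour) an unparseable value is
    skipped, so the resulting filter matches MORE entries than requested.
    With False (the patched behaviour) the error propagates to the caller.
    """
    clauses = []
    for name, (attr, op) in DATE_PARAMS.items():
        raw = params.get(name)
        if raw is None:
            continue
        try:
            dt = parse_date(raw)
        except ValueError:
            if ignore_parse_errors:
                continue  # constraint silently dropped: fail-open
            raise ValueError("invalid value for %s: %r (expected YYYY-MM-DD)" % (name, raw))
        clauses.append("(%s%s%s)" % (attr, op, generalized_time(dt)))
    if not clauses:
        return "(objectClass=*)"
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


def build_filter_lenient(params: Dict[str, str]) -> str:
    return build_filter(params, ignore_parse_errors=True)


def build_filter_strict(params: Dict[str, str]) -> str:
    return build_filter(params, ignore_parse_errors=False)


def demo() -> Dict[str, str]:
    """Constructed inputs: one well-formed range and one with a mistyped lower bound."""
    good = {"valid_not_before_from": "2013-02-01", "valid_not_before_to": "2013-02-04"}
    bad = {"valid_not_before_from": "02/01/2013", "valid_not_before_to": "2013-02-04"}
    out = {"good_strict": build_filter_strict(good), "bad_lenient": build_filter_lenient(bad)}
    try:
        build_filter_strict(bad)
        out["bad_strict"] = "accepted"
    except ValueError as exc:
        out["bad_strict"] = "rejected: %s" % exc
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-12s %s" % (label, result))
```

The lenient result for the mistyped input is a one-sided range (`notBefore<=...` only), which returns every certificate issued before the upper bound; that is the kind of silent widening the patch removes by letting the parse error surface.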
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 04 Feb 2013 17:39:45 -0800
Subject: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface
In-Reply-To: <1359748449.2320.39.camel@aleeredhat.laptop>
References: <1359748449.2320.39.camel@aleeredhat.laptop>
Message-ID: <511062E1.5010603@redhat.com>

On 02/01/13 11:54, Ade Lee wrote:
> We want to use the admin interface for installation work. This patch
> moves the interfaces used in cloning from either the EE or agent
> interface to the admin one. See:
> http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
>
> Specifically,
> 1. Change call to use /ca/admin/ca/getCertChain
> 2. Remove unneeded getTokenInfo servlet. The logic not to use this
> servlet has already been committed to dogtag 10.
> 3. Move updateNumberRange to the admin interface. For backward
> compatibility with old instances, the install code will
> call /ca/agent/updateNumberRange as a fallback.
> 4. Add updateDomainXML to admin interface. For backward compatibility,
> updateDomainXML will continue to be exposed on the agent interface with
> agent client auth.
> 5. Changed pkidestroy to get an install token and use the admin
> interface to update the security domain. For backward compatibility,
> the user and password are not specified as mandatory arguments -
> although we want to do that in future.
>
> Please review,
> Ade

Alee,

Sorry, but I require some additional information to properly test this patch for a CA and its clone using a single machine. Hopefully, I can address these issues relatively quickly tomorrow after obtaining your answers.

I have pulled a new tree after the meeting this morning (which does not include the patches added at 3:49 P. M.
by edewata), created a branch, applied all five of your changes, and built and installed the packages on a fresh x86_64 Fedora 18 system (e. g. - 'foobar.example.com').

In order to test the code, I would like to perform the following two tests using a single machine:
1. pkispawn using the new configuration servlet for both the CA and the CA Clone
2. pkispawn using the old GUI configuration (by specifying a DEFAULT value of pki_skip_configuration=True) for both CA and the CA Clone

However, with the new interpolation model, I do not know every single value that needs to be overridden to have both the CA and CA Clone, as well as the two directory servers, on the same system.

I have the following:
* installed a default directory server instance (e. g. - foobar) running on port 389
* installed a CA (e. g. - default configuration specifying backup keys in order to create the CA clone):

    [DEFAULT]
    pki_admin_password=XXXXXXXX
    pki_backup_password=XXXXXXXX
    pki_client_pkcs12_password=XXXXXXXX
    pki_ds_password=XXXXXXXX
    pki_security_domain_password=XXXXXXXX
    pki_backup_keys=True

* successfully configured a browser, requested, enrolled, and issued a test certificate
* installed a second directory server instance (e. g.
- foobar-clone) running on port 8389
* about to install a CA Clone using the following parameters:

    [DEFAULT]
    pki_admin_password=XXXXXXXX
    pki_client_pkcs12_password=XXXXXXXX
    pki_ds_password=XXXXXXXX
    pki_security_domain_password=XXXXXXXX
    pki_security_domain_hostname=foobar.example.com
    pki_security_domain_https_port=8443
    pki_ds_ldap_port=8389
    pki_ds_ldaps_port=8636
    [CA]
    pki_ajp_port=17009
    pki_clone=True
    pki_clone_pkcs12_password=XXXXXXXX
    pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12
    pki_clone_replicate_schema=True
    pki_clone_replication_master_port=
    pki_clone_replication_clone_port=
    pki_clone_replication_security=None
    pki_clone_uri=http://foobar.example.com:8443
    pki_http_port=17080
    pki_https_port=17443
    pki_instance_name=pki-tomcat-ca-clone
    pki_tomcat_server_port=17005

Questions:
* Are the two tests specified above sufficient to test your patch, or do I need to check the other two test cases of mixing an old GUI configuration (CA) with new configuration servlet (CA clone), and vice-versa? (I believe that this code will require re-testing under a separated ports model for versions of the product earlier than Dogtag 10).
* What parameter(s) do I need to add to the CA Clone configuration file under what sections to reference the 'foobar-clone' directory instance?
* What value, if any, do I need to supply to the 'pki_clone_replication_master_port'?
* What value, if any, do I need to supply to the 'pki_clone_replication_clone_port'?
* Should I leave 'pki_clone_replication_security=None'?
* Are there any other parameters that I am missing, and if so, under what section should they be defined?
* Are there any parameters specified that contain incorrect values?
* Are any parameters specified in the incorrect sections?

Thanks in advance,
-- Matt

-------------- next part --------------
An HTML attachment was scrubbed...

From alee at redhat.com Tue Feb 5 15:59:35 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 05 Feb 2013 10:59:35 -0500
Subject: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface
In-Reply-To: <511062E1.5010603@redhat.com>
References: <1359748449.2320.39.camel@aleeredhat.laptop> <511062E1.5010603@redhat.com>
Message-ID: <1360079976.2320.69.camel@aleeredhat.laptop>

On Mon, 2013-02-04 at 17:39 -0800, Matthew Harmsen wrote:
> On 02/01/13 11:54, Ade Lee wrote:
>
> > We want to use the admin interface for installation work. This patch
> > moves the interfaces used in cloning from either the EE or agent
> > interface to the admin one. See:
> > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
> >
> > Specifically,
> > 1. Change call to use /ca/admin/ca/getCertChain
> > 2. Remove unneeded getTokenInfo servlet. The logic not to use this
> > servlet has already been committed to dogtag 10.
> > 3. Move updateNumberRange to the admin interface. For backward
> > compatibility with old instances, the install code will
> > call /ca/agent/updateNumberRange as a fallback.
> > 4. Add updateDomainXML to admin interface. For backward compatibility,
> > updateDomainXML will continue to be exposed on the agent interface with
> > agent client auth.
> > 5. Changed pkidestroy to get an install token and use the admin
> > interface to update the security domain. For backward compatibility,
> > the user and password are not specified as mandatory arguments -
> > although we want to do that in future.
> >
> > Please review,
> > Ade
>
> Alee,
>
> Sorry, but I require some additional information to properly test this
> patch for a CA and its clone using a single machine. Hopefully, I can
> address these issues relatively quickly tomorrow after obtaining your
> answers.
>
> I have pulled a new tree after the meeting this morning (which does
> not include the patches added at 3:49 P. M. by edewata), created a
> branch, applied all five of your changes, and built and installed the
> packages on a fresh x86_64 Fedora 18 system (e. g. -
> 'foobar.example.com').
>
> In order to test the code, I would like to perform the following two
> tests using a single machine:
> 1. pkispawn using the new configuration servlet for both the CA
> and the CA Clone
> 2. pkispawn using the old GUI configuration (by specifying a
> DEFAULT value of pki_skip_configuration=True) for both CA and
> the CA Clone
> However, with the new interpolation model, I do not know every single
> value that needs to be overridden to have both the CA and CA Clone, as
> well as the two directory servers, on the same system.
>
> I have the following:
> * installed a default directory server instance (e. g. - foobar)
> running on port 389
> * installed a CA (e. g. - default configuration specifying
> backup keys in order to create the CA clone):
> [DEFAULT]
> pki_admin_password=XXXXXXXX
> pki_backup_password=XXXXXXXX
> pki_client_pkcs12_password=XXXXXXXX
> pki_ds_password=XXXXXXXX
> pki_security_domain_password=XXXXXXXX
> pki_backup_keys=True
> * successfully configured a browser, requested, enrolled, and
> issued a test certificate
> * installed a second directory server instance (e. g.
- > foobar-clone) running on port 8389 > * about to install a CA Clone using the following parameters: > [DEFAULT] > pki_admin_password=XXXXXXXX > pki_client_pkcs12_password=XXXXXXXX > pki_ds_password=XXXXXXXX > pki_security_domain_password=XXXXXXXX > pki_security_domain_hostname=foobar.example.com > pki_security_domain_https_port=8443 > pki_ds_ldap_port=8389 > pki_ds_ldaps_port=8636 > [CA] > pki_ajp_port=17009 > pki_clone=True > pki_clone_pkcs12_password=XXXXXXXX > pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12 > pki_clone_replicate_schema=True > pki_clone_replication_master_port= > pki_clone_replication_clone_port= > pki_clone_replication_security=None > pki_clone_uri=http://foobar.example.com:8443 > pki_http_port=17080 > pki_https_port=17443 > pki_instance_name=pki-tomcat-ca-clone > pki_tomcat_server_port=17005 > Questions: > * Are the two tests specified above sufficient to test your > patch, or do I need to check the other two test cases of > mixing an old GUI configuration (CA) with new configuration > servlet (CA clone), and vice-versa? (I believe that this code > will require re-testing under a separated ports model for > versions of the product earlier than Dogtag 10). > * What parameter(s) do I need to add to the CA Clone > configuration file under what sections to reference the > 'foobar-clone' directory instance? > * What value, if any, do I need to supply to the > 'pki_clone_replication_master_port'? > * What value, if any, do I need to supply to the > 'pki_clone_replication_clone_port'? > * Should I leave 'pki_clone_replication_security=None'? > * Are there any other parameters that I am missing, and if so, > under what section should they be defined? > * Are there any parameters specified that contain incorrect > values? > * Are any parameters specified in the incorrect sections? > Thanks in advance, > -- Matt Matt, Here is the configuration I have for a master CA and a clone. 
Master:

    [DEFAULT]
    pki_admin_password=XXXXXX
    pki_backup_password=XXXXXX
    pki_client_pkcs12_password=XXXXXX
    pki_ds_password=XXXXXX
    pki_security_domain_password=XXXXXX
    pki_ds_ldap_port=55389
    pki_ds_ldaps_port=55636
    pki_security_domain_https_port=8623
    pki_http_port=8620
    pki_https_port=8623
    pki_instance_name=pki-tomcat62
    pki_client_database_purge=True
    [Tomcat]
    pki_ajp_port=8629
    pki_tomcat_server_port=8625

Clone:

    [DEFAULT]
    pki_admin_password=XXXXXX
    pki_backup_password=XXXXXX
    pki_client_pkcs12_password=XXXXXX
    pki_ds_password=XXXXXX
    pki_security_domain_password=XXXXXX
    pki_ds_ldap_port=7489
    pki_ds_ldaps_port=7436
    pki_security_domain_hostname=alee-workpc.redhat.com
    pki_security_domain_https_port=8623
    pki_http_port=8650
    pki_https_port=8653
    pki_instance_name=pki-tomcat65
    pki_client_database_purge=True
    pki_security_domain_user=caadmin
    [Tomcat]
    pki_ajp_port=8659
    pki_tomcat_server_port=8655
    [CA]
    pki_clone=True
    pki_clone_pkcs12_password=XXXXXX
    pki_clone_pkcs12_path=/tmp/pki-tomcat62.p12
    pki_clone_uri=https://alee-workpc.redhat.com:8623
    pki_ds_base_dn=o=pki-tomcat62-CA
    pki_ds_database=pki-tomcat62-CA
    [KRA]
    pki_clone=True
    pki_clone_pkcs12_password=XXXXXX
    pki_clone_pkcs12_path=/tmp/pki-tomcat62.p12
    pki_clone_uri=https://alee-workpc.redhat.com:8623
    pki_ds_base_dn=o=pki-tomcat62-KRA
    pki_ds_database=pki-tomcat62-KRA

These are the only parameters you absolutely need.

With these configs, I did the following:
1. Installed a CA and a KRA in the master.
2. Installed a CA clone.
3. Installed a KRA clone. (or tried to .. There are issues in installing a KRA clone that are independent of this patch and for which I will be opening a ticket).

Also, please make sure that syntax-checking is disabled in your DS. There is an issue in storing the security domain token on the master if syntax checking is enabled. I will open a ticket.

To completely test, you really need to do all the steps above. I did step 3 as far as it went until it failed - but it was clear that the patch was working correctly.
In addition, I also performed the above steps in the case where the master CA/KRA was an older instance - ie prior to this patch. In this case, I was testing the "fallback" options.

Note that because the changes require config file changes (to web.xml) and a migration script has not yet been written, older instances that are running on newer PKI software will not expose the new servlets. So, they will act like old instances.

Ade

From edewata at redhat.com Wed Feb 6 20:02:24 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Feb 2013 14:02:24 -0600
Subject: [Pki-devel] [PATCH] 208 Additional output attributes for cert-find.
Message-ID: <5112B6D0.20901@redhat.com>

The cert-find command has been modified to include some additional attributes including certificate type and version, key algorithm name and length, validity dates, creation time and issuer.

Ticket #498

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0208-Additional-output-attributes-for-cert-find.patch
Type: text/x-patch
Size: 17947 bytes

From mharmsen at redhat.com Wed Feb 6 20:57:44 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 06 Feb 2013 12:57:44 -0800
Subject: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface
In-Reply-To: <511062E1.5010603@redhat.com>
References: <1359748449.2320.39.camel@aleeredhat.laptop> <511062E1.5010603@redhat.com>
Message-ID: <5112C3C8.1010208@redhat.com>

ACK

Code review of this produced two new TRAC Tickets:
* TRAC Ticket #502 - Dogtag 10: Change pkidestroy "-w" option to require a password file rather than a raw password
* TRAC Ticket #503 - Dogtag 10: Security Domain Issues

These changes were tested using two scenarios as described in TRAC Ticket #503 - Dogtag 10: Security Domain Issues.

-- Matt

On 02/04/13 17:39, Matthew Harmsen wrote:
> On 02/01/13 11:54, Ade Lee wrote:
>> We want to use the admin interface for installation work. This patch
>> moves the interfaces used in cloning from either the EE or agent
>> interface to the admin one. See:
>> http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
>>
>> Specifically,
>> 1. Change call to use /ca/admin/ca/getCertChain
>> 2. Remove unneeded getTokenInfo servlet. The logic not to use this
>> servlet has already been committed to dogtag 10.
>> 3. Move updateNumberRange to the admin interface. For backward
>> compatibility with old instances, the install code will
>> call /ca/agent/updateNumberRange as a fallback.
>> 4. Add updateDomainXML to admin interface. For backward compatibility,
>> updateDomainXML will continue to be exposed on the agent interface with
>> agent client auth.
>> 5. Changed pkidestroy to get an install token and use the admin
>> interface to update the security domain. For backward compatibility,
>> the user and password are not specified as mandatory arguments -
>> although we want to do that in future.
>>
>> Please review,
>> Ade
>
> Alee,
>
> Sorry, but I require some additional information to properly test this
> patch for a CA and its clone using a single machine. Hopefully, I can
> address these issues relatively quickly tomorrow after obtaining your
> answers.
>
> I have pulled a new tree after the meeting this morning (which does
> not include the patches added at 3:49 P. M. by edewata), created a
> branch, applied all five of your changes, and built and installed the
> packages on a fresh x86_64 Fedora 18 system (e. g. -
> 'foobar.example.com').
>
> In order to test the code, I would like to perform the following two
> tests using a single machine:
>
> 1. pkispawn using the new configuration servlet for both the CA and
> the CA Clone
> 2. pkispawn using the old GUI configuration (by specifying a DEFAULT
> value of pki_skip_configuration=True) for both CA and the CA Clone
>
> However, with the new interpolation model, I do not know every single
> value that needs to be overridden to have both the CA and CA Clone, as
> well as the two directory servers, on the same system.
>
> I have the following:
>
> * installed a default directory server instance (e. g. - foobar)
> running on port 389
> * installed a CA (e. g. - default configuration specifying backup
> keys in order to create the CA clone):
> [DEFAULT]
> pki_admin_password=XXXXXXXX
> pki_backup_password=XXXXXXXX
> pki_client_pkcs12_password=XXXXXXXX
> pki_ds_password=XXXXXXXX
> pki_security_domain_password=XXXXXXXX
> pki_backup_keys=True
> * successfully configured a browser, requested, enrolled, and issued
> a test certificate
> * installed a second directory server instance (e. g.
> - foobar-clone) running on port 8389
> * about to install a CA Clone using the following parameters:
> [DEFAULT]
> pki_admin_password=XXXXXXXX
> pki_client_pkcs12_password=XXXXXXXX
> pki_ds_password=XXXXXXXX
> pki_security_domain_password=XXXXXXXX
> pki_security_domain_hostname=foobar.example.com
> pki_security_domain_https_port=8443
> pki_ds_ldap_port=8389
> pki_ds_ldaps_port=8636
> [CA]
> pki_ajp_port=17009
> pki_clone=True
> pki_clone_pkcs12_password=XXXXXXXX
> pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12
> pki_clone_replicate_schema=True
> pki_clone_replication_master_port=
> pki_clone_replication_clone_port=
> pki_clone_replication_security=None
> pki_clone_uri=http://foobar.example.com:8443
> pki_http_port=17080
> pki_https_port=17443
> pki_instance_name=pki-tomcat-ca-clone
> pki_tomcat_server_port=17005
>
> Questions:
>
> * Are the two tests specified above sufficient to test your patch,
> or do I need to check the other two test cases of mixing an old
> GUI configuration (CA) with new configuration servlet (CA clone),
> and vice-versa? (I believe that this code will require re-testing
> under a separated ports model for versions of the product earlier
> than Dogtag 10).
> * What parameter(s) do I need to add to the CA Clone configuration
> file under what sections to reference the 'foobar-clone' directory
> instance?
> * What value, if any, do I need to supply to the
> 'pki_clone_replication_master_port'?
> * What value, if any, do I need to supply to the
> 'pki_clone_replication_clone_port'?
> * Should I leave 'pki_clone_replication_security=None'?
> * Are there any other parameters that I am missing, and if so, under
> what section should they be defined?
> * Are there any parameters specified that contain incorrect values?
> * Are any parameters specified in the incorrect sections?
>
> Thanks in advance,
> -- Matt

From edewata at redhat.com Wed Feb 6 21:48:00 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Feb 2013 15:48:00 -0600
Subject: [Pki-devel] [PATCH] 209 Fixed conflicting security domain hosts.
Message-ID: <5112CF90.1050905@redhat.com>

The SecurityDomainProcessor has been modified to generate the host ID from the subsystem type, hostname, and secure port instead of relying on the user-configurable SubsystemName attribute.

Ticket #503

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0209-Fixed-conflicting-security-domain-hosts.patch
Type: text/x-patch
Size: 14181 bytes

From edewata at redhat.com Thu Feb 7 01:15:22 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Feb 2013 19:15:22 -0600
Subject: [Pki-devel] [PATCH] 210 Fixed validity duration options for cert-find.
Message-ID: <5113002A.3030205@redhat.com>

The cert-find command has been fixed to show better error messages on missing validity duration options. The validity duration unit has been changed to take "day", "week", "month", or "year" and convert it into milliseconds.

Ticket #291, #500

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0210-Fixed-validity-duration-options-for-cert-find.patch
Type: text/x-patch
Size: 9853 bytes

From alee at redhat.com Thu Feb 7 04:54:33 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 Feb 2013 23:54:33 -0500
Subject: [Pki-devel] [PATCH] 207 Fixed date format for cert-find parameters.
In-Reply-To: <51104D57.2030306@redhat.com>
References: <51104D57.2030306@redhat.com>
Message-ID: <1360212874.2320.71.camel@aleeredhat.laptop>

ACK.

There are a couple of other places in FilterBuilder where we ignore NumberFormatExceptions as well. We should go ahead and address those in this patch too.

Ade

On Mon, 2013-02-04 at 18:07 -0600, Endi Sukma Dewata wrote:
> All date parameters for cert-find have been modified to use the
> YYYY-MM-DD date format. Date parsing code in FilterBuilder has
> been modified not to ignore parsing errors.
>
> Ticket #497

From alee at redhat.com Thu Feb 7 05:05:18 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Feb 2013 00:05:18 -0500
Subject: [Pki-devel] [PATCH] 208 Additional output attributes for cert-find.
In-Reply-To: <5112B6D0.20901@redhat.com>
References: <5112B6D0.20901@redhat.com>
Message-ID: <1360213519.2320.74.camel@aleeredhat.laptop>

1. In CertDataInfo.java, getKeyLength() needs a @XmlElement annotation.
2. The code setting the key in CertService.java in createCertDataInfo() is specific to RSA keys. What about ECC keys?

Ade

On Wed, 2013-02-06 at 14:02 -0600, Endi Sukma Dewata wrote:
> The cert-find command has been modified to include some additional
> attributes including certificate type and version, key algorithm
> name and length, validity dates, creation time and issuer.
>
> Ticket #498

From alee at redhat.com Thu Feb 7 05:16:09 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Feb 2013 00:16:09 -0500
Subject: [Pki-devel] [PATCH] 207 Fixed date format for cert-find parameters.
In-Reply-To: <1360212874.2320.71.camel@aleeredhat.laptop>
References: <51104D57.2030306@redhat.com> <1360212874.2320.71.camel@aleeredhat.laptop>
Message-ID: <1360214170.2320.75.camel@aleeredhat.laptop>

Looks like these were addressed in 210.

ACK

On Wed, 2013-02-06 at 23:54 -0500, Ade Lee wrote:
> ACK. There are a couple of other places in FilterBuilder where we
> ignore NumberFormatExceptions as well. We should go ahead and address
> those in this patch too.
>
> Ade
>
> On Mon, 2013-02-04 at 18:07 -0600, Endi Sukma Dewata wrote:
> > All date parameters for cert-find have been modified to use the
> > YYYY-MM-DD date format. Date parsing code in FilterBuilder has
> > been modified not to ignore parsing errors.
> >
> > Ticket #497

From alee at redhat.com Thu Feb 7 05:20:51 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Feb 2013 00:20:51 -0500
Subject: [Pki-devel] [PATCH] 209 Fixed conflicting security domain hosts.
In-Reply-To: <5112CF90.1050905@redhat.com>
References: <5112CF90.1050905@redhat.com>
Message-ID: <1360214451.2320.76.camel@aleeredhat.laptop>

ACK

On Wed, 2013-02-06 at 15:48 -0600, Endi Sukma Dewata wrote:
> The SecurityDomainProcessor has been modified to generate the host
> ID from the subsystem type, hostname, and secure port instead of
> relying on the user-configurable SubsystemName attribute.
>
> Ticket #503

From alee at redhat.com Thu Feb 7 05:21:13 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Feb 2013 00:21:13 -0500
Subject: [Pki-devel] [PATCH] 210 Fixed validity duration options for cert-find.
In-Reply-To: <5113002A.3030205@redhat.com>
References: <5113002A.3030205@redhat.com>
Message-ID: <1360214474.2320.77.camel@aleeredhat.laptop>

ACK

On Wed, 2013-02-06 at 19:15 -0600, Endi Sukma Dewata wrote:
> The cert-find command has been fixed to show better error messages
> on missing validity duration options. The validity duration unit
> has been changed to take "day", "week", "month", or "year" and
> convert it into milliseconds.
>
> Ticket #291, #500

From edewata at redhat.com Thu Feb 7 16:04:48 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 10:04:48 -0600
Subject: [Pki-devel] [PATCH] 207 Fixed date format for cert-find parameters.
In-Reply-To: <1360214170.2320.75.camel@aleeredhat.laptop>
References: <51104D57.2030306@redhat.com> <1360212874.2320.71.camel@aleeredhat.laptop> <1360214170.2320.75.camel@aleeredhat.laptop>
Message-ID: <5113D0A0.8080205@redhat.com>

On 2/6/2013 11:16 PM, Ade Lee wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Feb 7 16:05:02 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 10:05:02 -0600
Subject: [Pki-devel] [PATCH] 209 Fixed conflicting security domain hosts.
In-Reply-To: <1360214451.2320.76.camel@aleeredhat.laptop>
References: <5112CF90.1050905@redhat.com> <1360214451.2320.76.camel@aleeredhat.laptop>
Message-ID: <5113D0AE.9070601@redhat.com>

On 2/6/2013 11:20 PM, Ade Lee wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Feb 7 16:05:12 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 10:05:12 -0600
Subject: [Pki-devel] [PATCH] 210 Fixed validity duration options for cert-find.
In-Reply-To: <1360214474.2320.77.camel@aleeredhat.laptop>
References: <5113002A.3030205@redhat.com> <1360214474.2320.77.camel@aleeredhat.laptop>
Message-ID: <5113D0B8.9010507@redhat.com>

On 2/6/2013 11:21 PM, Ade Lee wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Feb 7 17:10:46 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 11:10:46 -0600
Subject: [Pki-devel] [PATCH] 208 Additional output attributes for cert-find.
In-Reply-To: <1360213519.2320.74.camel@aleeredhat.laptop>
References: <5112B6D0.20901@redhat.com> <1360213519.2320.74.camel@aleeredhat.laptop>
Message-ID: <5113E016.8080107@redhat.com>

On 2/6/2013 11:05 PM, Ade Lee wrote:
> 1. In CertDataInfo.java, getKeyLength() needs a @XmlElement annotation.

This will be fixed before push.

> 2. The code setting the key in CertService.java in createCertDataInfo()
> is specific to RSA keys. What about ECC keys?

Christina, the code in ListCerts.fillX509RecordIntoArg() (which the patch was adapted from) doesn't seem to handle ECC keys, is it correct? Do we need to add support for ECC keys here?

-- 
Endi S. Dewata

From edewata at redhat.com Thu Feb 7 22:16:29 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 16:16:29 -0600
Subject: [Pki-devel] [PATCH] 208 Additional output attributes for cert-find.
In-Reply-To: <5113E016.8080107@redhat.com>
References: <5112B6D0.20901@redhat.com> <1360213519.2320.74.camel@aleeredhat.laptop> <5113E016.8080107@redhat.com>
Message-ID: <511427BD.10102@redhat.com>

On 2/7/2013 11:10 AM, Endi Sukma Dewata wrote:
> On 2/6/2013 11:05 PM, Ade Lee wrote:
>> 1. In CertDataInfo.java, getKeyLength() needs a @XmlElement annotation.
>
> This will be fixed before push.
>
>> 2. The code setting the key in CertService.java in createCertDataInfo()
>> is specific to RSA keys. What about ECC keys?
>
> Christina, the code in ListCerts.fillX509RecordIntoArg() (which the
> patch was adapted from) doesn't seem to handle ECC keys, is it correct?
> Do we need to add support for ECC keys here?

As discussed over IRC, this will be added in a separate ticket.

ACKed by Ade. Pushed the revised patch to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Feb 7 22:16:47 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Feb 2013 16:16:47 -0600
Subject: [Pki-devel] [PATCH] 211 Added certificate status option for cert-find.
Message-ID: <511427CF.2080809@redhat.com>

The cert-find command has been modified to provide an option to search by certificate status.

Ticket #501

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0211-Added-certificate-status-option-for-cert-find.patch
Type: text/x-patch
Size: 4132 bytes

From edewata at redhat.com Sat Feb 9 22:31:57 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 09 Feb 2013 16:31:57 -0600
Subject: [Pki-devel] Customization
Message-ID: <5116CE5D.6080808@redhat.com>

Hi,

This is a proposal to restructure the deployment to support customization while still allowing automatic upgrades:
http://pki.fedoraproject.org/wiki/Customization

Please have a look and let me know if you have any comments or questions. Thanks!

-- 
Endi S. Dewata

From alee at redhat.com Mon Feb 11 16:24:40 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 11 Feb 2013 11:24:40 -0500
Subject: [Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface
In-Reply-To: <5112C3C8.1010208@redhat.com>
References: <1359748449.2320.39.camel@aleeredhat.laptop> <511062E1.5010603@redhat.com> <5112C3C8.1010208@redhat.com>
Message-ID: <1360599881.18568.0.camel@aleeredhat.laptop>

Thanks, Pushed to master.

On Wed, 2013-02-06 at 12:57 -0800, Matthew Harmsen wrote:
> ACK
>
> Code review of this produced two new TRAC Tickets:
> * TRAC Ticket #502 - Dogtag 10: Change pkidestroy "-w" option to
> require a password file rather than a raw password
> * TRAC Ticket #503 - Dogtag 10: Security Domain Issues
>
> These changes were tested using two scenarios as described in TRAC
> Ticket #503 - Dogtag 10: Security Domain Issues.
>
> -- Matt
From alee at redhat.com Tue Feb 12 15:58:22 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 12 Feb 2013 10:58:22 -0500
Subject: [Pki-devel] [PATCH] 118 - Add token authenticate to admin interface
Message-ID: <1360684702.18568.6.camel@aleeredhat.laptop>

This is an add on patch to allow tokenAuthentication to take place on the admin interface. The ee interface is kept for legacy sake.

Please review,
Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0118-Added-tokenAuthenticate-to-admin-interface-as-well.patch
Type: text/x-patch
Size: 7399 bytes

From alee at redhat.com Tue Feb 12 20:11:18 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 12 Feb 2013 15:11:18 -0500
Subject: [Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)
Message-ID: <1360699878.18568.19.camel@aleeredhat.laptop>

We want to use the admin interface for installation work. This patch moves the interfaces used in cloning from either the EE or agent interface to the admin one. See:
http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning

Specifically,
1. Change call to use /ca/admin/ca/getCertChain
2. Remove unneeded getTokenInfo servlet. The logic not to use this servlet has already been committed to dogtag 10.
3. Move updateNumberRange to the admin interface. For backward compatibility with old instances, the install code will call /ca/agent/updateNumberRange as a fallback.
4. Add updateDomainXML to admin interface. For backward compatibility, updateDomainXML will continue to be exposed on the agent interface with agent client auth.
5. Changed pkidestroy to get an install token and use the admin interface to update the security domain. For backward compatibility, the user and password are not specified as mandatory arguments - although we want to do that in future.
6. Added tokenAuthenticate to the admin interface.

Note, existing subsystems will need to have config changes manually added in order to use the new interfaces. Instructions will be added to the link above. With new instances, you should be able to clone a CA all on the admin interface.

The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH

Please review,
Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cloning.8.errata.patch
Type: text/x-patch
Size: 100259 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cloning.PKI_8_BRANCH.patch
Type: text/x-patch
Size: 100749 bytes

From alee at redhat.com Tue Feb 12 20:35:20 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 12 Feb 2013 15:35:20 -0500
Subject: [Pki-devel] [PATCH] 211 Added certificate status option for cert-find.
In-Reply-To: <511427CF.2080809@redhat.com>
References: <511427CF.2080809@redhat.com>
Message-ID: <1360701321.18568.20.camel@aleeredhat.laptop>

ACK

On Thu, 2013-02-07 at 16:16 -0600, Endi Sukma Dewata wrote:
> The cert-find command has been modified to provide an option to
> search by certificate status.
>
> Ticket #501

From edewata at redhat.com Wed Feb 13 03:21:15 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Feb 2013 21:21:15 -0600
Subject: [Pki-devel] [PATCH] 211 Added certificate status option for cert-find.
In-Reply-To: <1360701321.18568.20.camel@aleeredhat.laptop>
References: <511427CF.2080809@redhat.com> <1360701321.18568.20.camel@aleeredhat.laptop>
Message-ID: <511B06AB.8010200@redhat.com>

On 2/12/2013 2:35 PM, Ade Lee wrote:
> ACK

Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Wed Feb 13 03:21:22 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Feb 2013 21:21:22 -0600
Subject: [Pki-devel] [PATCH] 206 Added AuthMapping annotation.
In-Reply-To: <510E838F.9050004@redhat.com>
References: <510E838F.9050004@redhat.com>
Message-ID: <511B06B2.9040202@redhat.com>

On 2/3/2013 9:34 AM, Endi Sukma Dewata wrote:
> Attached is a patch for ticket #477. The code is done, but since the
> patch renames one of the files in the deployed webapps there probably
> needs to be a migration script. This needs to be discussed further.

New patch attached. Renamed the classes and properties files as discussed.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0206-1-Added-authentication-method-validation.patch
Type: text/x-patch
Size: 38671 bytes

From edewata at redhat.com Wed Feb 13 16:12:22 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Feb 2013 10:12:22 -0600
Subject: [Pki-devel] [PATCH] 206 Added AuthMapping annotation.
In-Reply-To: <511B06B2.9040202@redhat.com>
References: <510E838F.9050004@redhat.com> <511B06B2.9040202@redhat.com>
Message-ID: <511BBB66.50304@redhat.com>

On 2/12/2013 9:21 PM, Endi Sukma Dewata wrote:
> On 2/3/2013 9:34 AM, Endi Sukma Dewata wrote:
>> Attached is a patch for ticket #477. The code is done, but since the
>> patch renames one of the files in the deployed webapps there probably
>> needs to be a migration script. This needs to be discussed further.
>
> New patch attached. Renamed the classes and properties files as discussed.

New patch attached. Removed unused references to the properties file.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0206-2-Added-authentication-method-validation.patch
Type: text/x-patch
Size: 40573 bytes

From edewata at redhat.com Wed Feb 13 18:33:31 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Feb 2013 12:33:31 -0600
Subject: [Pki-devel] [PATCH] 212 Added CLI to manage user membership.
Message-ID: <511BDC7B.6080205@redhat.com>

New CLIs have been added to search, add, and remove user membership. The group member management code has been refactored into a processor to allow reuse.

Ticket #190

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0212-Added-CLI-to-manage-user-membership.patch
Type: text/x-patch
Size: 67450 bytes

From mharmsen at redhat.com Thu Feb 14 02:34:48 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 13 Feb 2013 18:34:48 -0800
Subject: [Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)
In-Reply-To: <1360699878.18568.19.camel@aleeredhat.laptop>
References: <1360699878.18568.19.camel@aleeredhat.laptop>
Message-ID: <511C4D48.8070202@redhat.com>

This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:

* ACK with CAVEATS

Presuming that the CAVEATS are addressed, the patches for PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.

CAVEAT 1:

In TokenAuthentication.java, change line 166 from:

    c = sendAuthRequest(authHost, authAdminPort, authURL, content);

to:

    c = sendAuthRequest(authHost, authEEPort, authURL, content);

CAVEAT 2:

This was more of an observation that may be due to CAVEAT 1 above, but in TEST SCENARIO 2 below, please note the comments in RED text.

TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone

* On a 64-bit x86_64 RHEL 6.3 machine:
  o cd /usr/sbin
  o ./setup-ds-admin (ds-master - 389)
  o ./setup-ds (ds-clone - 8389)
  o Stopped both servers
  o Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off
  o Restarted both servers
* On the 64-bit x86_64 RHEL 5.9 machine:
  o svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  o svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
  o Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code
  o Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
  o Successfully created, submitted, and approved a certificate:
    + 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  o Successfully built and installed a KRA 'pki-kra' using the pre-patched source code
  o Successfully configured 'pki-kra' using ports in the default KRA range and
the 'ds-master' DS server
  o Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
    + 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
  o svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
  o svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
  o Saved 'cloning.8.errata.patch' from email attachment
  o cd pki
  o patch -p0 < ../cloning.8.errata.patch
    patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
    patching file base/ca/shared/conf/acl.ldif
    patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
    patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
    patching file base/setup/pkiremove
    patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
    patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
    patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
  o Applied the change documented in CAVEAT 1 above
  o Successfully built and updated all CA and KRA packages
  o Restarted both CA and KRA instances
  o Successfully tested that CA still worked:
    + 'Test PATCHED EE Master PATCHED Agent Master'
  o Successfully tested that KRA still worked:
    + 'DRM Test PATCHED EE Master PATCHED Agent Master'
  o Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default + 10000 range using the
patched source code o Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser': # ls -lZ /var/lib/pki-ca-clone/alias/* -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12 -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db o Successfully configured 'pki-ca-clone' using ports in the default CA + 10000range and the 'ds-clone' DS server o Successfully tested that CA MasterandCACloneworked together: + 'Test EE Master Agent Master' + 'Test EE Master Agent Clone' + 'Test EE Clone Agent Master' + 'Test EE Clone Agent Clone' o Successfully tested that CA Master, CA Clone, andKRA worked together: + 'DRM Test EE Master Agent Master' + 'DRM Test EE Master Agent Clone' + 'DRM Test EE Clone Agent Master' + 'DRM Test EE Clone Agent Clone' *TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone** *** * On a 64-bit x86_64 RHEL 6.3 machine: o cd /usr/sbin o ./setup-ds-admin(ds-master - 389) o ./setup-ds (ds-clone - 8389) o Stopped both servers o Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off o Restarted both servers * On the 64-bit x86_64 RHEL 5.9 machine: o svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki o svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat o Successfully built and installed aMaster CA 'pki-ca' using the pre-patchedsource code o Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the defaultCA range and the 'ds-master' DS server o Successfully created, submitted, and approved a certificate: + 'Test PRE-PATCHEDEE Master PRE-PATCHEDAgent Master' o Successfully built and installed a KRA'pki-kra' 
using the pre-patched source code o Successfully configured 'pki-kra' using ports in the default KRArange and the 'ds-master' DS server o Successfully created, submitted, and approved a certificatein which the keys were backed up to the DRM: + 'DRM Test PRE-PATCHEDEE Master PRE-PATCHEDAgent Master' o svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki o svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat o Saved 'cloning.8.errata.patch' from email attachment o cd pki o patch -p0 < ../cloning.8.errata.patch patching file base/ca/shared/webapps/ca/WEB-INF/web.xml patching file base/ca/shared/conf/acl.ldif patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java patching file base/setup/pkiremove patching file base/tks/shared/webapps/tks/WEB-INF/web.xml patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml patching file base/kra/shared/webapps/kra/WEB-INF/web.xml o Applied the change documented in *CAVEAT **1* above o Successfully built and installed aMaster CA 'pki-ca' o Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the defaultCA range and the 'ds-master' DS server o Successfully created, submitted, and approved a certificate: + 'Test' o Successfully built and 
installed a KRA'pki-kra' o Successfully configured 'pki-kra' using ports in the default KRArange and the 'ds-master' DS server o Successfully created, submitted, and approved a certificatein which the keys were backed up to the DRM: + 'DRM Test' o Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in thedefault+10000range o Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser': # ls -lZ /var/lib/pki-ca-clone/alias/* -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12 -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db o Successfully configured 'pki-ca-clone' using ports in the default CA + 10000range and the 'ds-clone' DS server o Per request, verified that 'admin' port was being used for CA Clone: # cd /var/log/pki-ca-clone # grep -i agent localhost_access_log.2013-02-14.txt *# grep -i ee localhost_access_log.2013-02-14.txt** **10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035* # grep -i admin localhost_access_log.2013-02-14.txt 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 - 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200 318 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET 
/ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43 10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10106 10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12566 10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 302 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12557 10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8492 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10006 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 32918 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET 
/ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 - 10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11690 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 68264 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET /ca/admin/console/img/certificate.png HTTP/1.1" 200 4663 10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8652 10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8215 10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 7832 o Successfully tested that CA MasterandCACloneworked together: + 'Test EE Master Agent Master' + 'Test EE Master Agent Clone' + 'Test EE Clone Agent Master' + 'Test EE Clone Agent Clone' o Successfully tested that CA Master, CA Clone, andKRA worked together: + 'DRM Test EE Master Agent Master' + 'DRM Test EE Master Agent Clone' + 'DRM Test EE Clone Agent Master' + 'DRM Test EE Clone Agent Clone' On 02/12/13 12:11, Ade Lee wrote: > We want to use the admin interface for installation work. This patch > moves the interfaces used in cloning from either the EE or agent > interface to the admin one. See: > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning > > Specifically, > 1. Change call to use /ca/admin/ca/getCertChain > 2. Remove unneeded getTokenInfo servlet. The logic not to use this > servlet has already been committed to dogtag 10. > 3. Move updateNumberRange to the admin interface. For backward > compatibility with old instances, the install code will > call /ca/agent/updateNumberRange as a fallback. > 4. Add updateDomainXML to admin interface. For backward compatibility, > updateDomainXML will continue to be exposed on the agent interface with > agent client auth. > 5. Changed pkidestroy to get an install token and use the admin > interface to update the security domain. 
For backward compatibility, > the user and password and not specified as mandatory arguments - > although we want to do that in future. > 6. Added tokenAuthenticate to the admin interface. > > Note, existing subsystems will need to have config changes manually > added in order to use the new interfaces. Instructions will be added to > the link above. With new instances, you should be able to clone a CA > all on the admin interface. > > The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH > > Please review, > Ade > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From alee at redhat.com Thu Feb 14 16:37:02 2013 
From: alee at redhat.com (Ade Lee)
Date: Thu, 14 Feb 2013 11:37:02 -0500
Subject: [Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)
In-Reply-To: <511C4D48.8070202@redhat.com>
References: <1360699878.18568.19.camel@aleeredhat.laptop> <511C4D48.8070202@redhat.com>
Message-ID: <1360859823.2368.7.camel@aleeredhat.laptop>

On Wed, 2013-02-13 at 18:34 -0800, Matthew Harmsen wrote:
> This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source
> code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:
>       * ACK with CAVEATS
> Presuming that the CAVEATS are addressed, the patches for
> PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.
>
> CAVEAT 1:
> In TokenAuthentication.java, change line 166 from:
>         c = sendAuthRequest(authHost, authAdminPort, authURL, content);
> to:
>         c = sendAuthRequest(authHost, authEEPort, authURL, content);

Will be fixed prior to check in.

> CAVEAT 2:
> This was more of an observation that may be due to CAVEAT 1
> above, but in TEST SCENARIO 2 below, please note the comments
> in RED text.

See comments below.

> TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone
>               * Per request, verified that 'admin' port was being used
>                 for CA Clone:

This is the incorrect verification. The verification that is supposed to be done is to ensure that the master is not contacted on any port other than the admin port during a configuration. This means that you need to look at the access log for the master (pki-ca) for the duration of the installation.

Looking at your logs, I see the following interactions for the master during the time of the clone configuration.
10.14.1.8 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fpki-ip-host.dsdev.sjc.redhat.com%3A19445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA HTTP/1.1" 200 3904
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-base.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-360.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4093
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /ca/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_tr.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_br.gif HTTP/1.1" 404 -
10.14.1.8 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 18359
10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 200 83
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 2063

In fact, we really only care about the interactions from 10.14.1.8. The ones from 10.14.16.14 are actually the CA master talking to itself. All of the above are on the admin port. So the verification is successful.

From alee at redhat.com Thu Feb 14 17:03:56 2013
From: alee at redhat.com (Ade Lee) Date: Thu, 14 Feb 2013 12:03:56 -0500 Subject: [Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x) In-Reply-To: <1360859823.2368.7.camel@aleeredhat.laptop> References: <1360699878.18568.19.camel@aleeredhat.laptop> <511C4D48.8070202@redhat.com> <1360859823.2368.7.camel@aleeredhat.laptop> Message-ID: <1360861437.2368.9.camel@aleeredhat.laptop> Checked into PKI_8_BRANCH and PKI_8_1_ERRATA_BRANCH: PKI_8_BRANCH: [vakwetu at alee-workpc pki]$ svn ci -m "Resolves #90295 - allow CA cloning using adin port only" Sending base/ca/shared/conf/acl.ldif Sending base/ca/shared/webapps/ca/WEB-INF/web.xml Sending base/common/src/com/netscape/cms/authentication/TokenAuthentication.java Sending base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java Sending base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java Sending base/kra/shared/webapps/kra/WEB-INF/web.xml Sending base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml Sending base/setup/pkiremove Sending base/tks/shared/webapps/tks/WEB-INF/web.xml Transmitting file data ............... Committed revision 2522. 
PKI_8_1_ERRATA_BRANCH: [vakwetu at alee-workpc pki]$ svn ci -m "Resolves #90295 - allow CA cloning using admin port only" Sending base/ca/shared/conf/acl.ldif Sending base/ca/shared/webapps/ca/WEB-INF/web.xml Sending base/common/src/com/netscape/cms/authentication/TokenAuthentication.java Sending base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java Sending base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java Sending base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java Sending base/kra/shared/webapps/kra/WEB-INF/web.xml Sending base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml Sending base/setup/pkiremove Sending base/tks/shared/webapps/tks/WEB-INF/web.xml Transmitting file data ............... Committed revision 2523. On Thu, 2013-02-14 at 11:37 -0500, Ade Lee wrote: > On Wed, 2013-02-13 at 18:34 -0800, Matthew Harmsen wrote: > > This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source > > code on RHEL 5.9 using Directory Server storage located on RHEL 6.3: > > * ACK with CAVEATS > > Presuming that the CAVEATS are addressed, the patches for > > PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in. > > > > CAVEAT 1: > > In TokenAuthentication.java, change line 166 from: > > c = sendAuthRequest(authHost, authAdminPort, authURL, content); > > to: > > c = sendAuthRequest(authHost, authEEPort, authURL, content); > > Will be fixed prior to check in. > > > CAVEAT 2: > > This was more of an observation that may be due to CAVEAT 1 > > above, but in TEST SCENARIO 2 below, please note the comments > > in RED text. > > See comments below. 
>
> > TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone
> >
> > * On a 64-bit x86_64 RHEL 6.3 machine:
> >   * cd /usr/sbin
> >   * ./setup-ds-admin (ds-master - 389)
> >   * ./setup-ds (ds-clone - 8389)
> >   * Stopped both servers
> >   * Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off
> >   * Restarted both servers
> > * On the 64-bit x86_64 RHEL 5.9 machine:
> >   * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> >   * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> >   * Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code
> >   * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate:
> >     * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
> >   * Successfully built and installed a KRA 'pki-kra' using the pre-patched source code
> >   * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
> >     * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
> >   * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> >   * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> >   * Saved 'cloning.8.errata.patch' from email attachment
> >   * cd pki
> >   * patch -p0 < ../cloning.8.errata.patch
> >     patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
> >     patching file base/ca/shared/conf/acl.ldif
> >     patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
> >     patching file base/setup/pkiremove
> >     patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
> >     patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> >     patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
> >   * Applied the change documented in CAVEAT 1 above
> >   * Successfully built and updated all CA and KRA packages
> >   * Restarted both CA and KRA instances
> >   * Successfully tested that CA still worked:
> >     * 'Test PATCHED EE Master PATCHED Agent Master'
> >   * Successfully tested that KRA still worked:
> >     * 'DRM Test PATCHED EE Master PATCHED Agent Master'
> >   * Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range using the patched source code
> >   * Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser':
> >
> >     # ls -lZ /var/lib/pki-ca-clone/alias/*
> >     -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db
> >
> >   * Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server
> >   * Successfully tested that CA Master and CA Clone worked together:
> >     * 'Test EE Master Agent Master'
> >     * 'Test EE Master Agent Clone'
> >     * 'Test EE Clone Agent Master'
> >     * 'Test EE Clone Agent Clone'
> >   * Successfully tested that CA Master, CA Clone, and KRA worked together:
> >     * 'DRM Test EE Master Agent Master'
> >     * 'DRM Test EE Master Agent Clone'
> >     * 'DRM Test EE Clone Agent Master'
> >     * 'DRM Test EE Clone Agent Clone'
> >
> > TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone
> >
> > * On a 64-bit x86_64 RHEL 6.3 machine:
> >   * cd /usr/sbin
> >   * ./setup-ds-admin (ds-master - 389)
> >   * ./setup-ds (ds-clone - 8389)
> >   * Stopped both servers
> >   * Turned syntax checking off in both DS servers -- nsslapd-syntaxcheck: off
> >   * Restarted both servers
> > * On the 64-bit x86_64 RHEL 5.9 machine:
> >   * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> >   * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> >   * Successfully built and installed a Master CA 'pki-ca' using the pre-patched source code
> >   * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate:
> >     * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
> >   * Successfully built and installed a KRA 'pki-kra' using the pre-patched source code
> >   * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
> >     * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
> >   * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> >   * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> >   * Saved 'cloning.8.errata.patch' from email attachment
> >   * cd pki
> >   * patch -p0 < ../cloning.8.errata.patch
> >     patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
> >     patching file base/ca/shared/conf/acl.ldif
> >     patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
> >     patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
> >     patching file base/setup/pkiremove
> >     patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
> >     patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> >     patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
> >   * Applied the change documented in CAVEAT 1 above
> >   * Successfully built and installed a Master CA 'pki-ca'
> >   * Using a fresh profile in a browser, successfully configured 'pki-ca' using ports in the default CA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate:
> >     * 'Test'
> >   * Successfully built and installed a KRA 'pki-kra'
> >   * Successfully configured 'pki-kra' using ports in the default KRA range and the 'ds-master' DS server
> >   * Successfully created, submitted, and approved a certificate in which the keys were backed up to the DRM:
> >     * 'DRM Test'
> >   * Successfully installed a CA Clone called 'pki-ca-clone' via 'pkicreate' using ports in the default+10000 range
> >   * Installed the PK12 file that contained all of the certs and keys backed up via configuration of 'pki-ca' into /var/lib/pki-ca-clone/alias and set all ownership permissions to be 'pkiuser':
> >
> >     # ls -lZ /var/lib/pki-ca-clone/alias/*
> >     -rw-rw-r-- pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
> >     -rw------- pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db
> >
> >   * Successfully configured 'pki-ca-clone' using ports in the default CA + 10000 range and the 'ds-clone' DS server
> >   * Per request, verified that 'admin' port was being used for CA Clone:
> >
> This is the incorrect verification. The verification that is supposed
> to be done is to ensure that the master is not contacted on any port
> other than the admin port during a configuration.
>
> This means that you need to look at the access log for the master
> (pki-ca) for the duration of the installation.
>
> Looking at your logs, I see the following interactions for the
> master during the time of the clone configuration.
>
> 10.14.1.8 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
> 10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
> 10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fpki-ip-host.dsdev.sjc.redhat.com%3A19445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA HTTP/1.1" 200 3904
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-base.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-360.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4093
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /ca/img/logo_header.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_tr.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_br.gif HTTP/1.1" 404 -
> 10.14.1.8 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 18359
> 10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 200 83
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 2063
>
> In fact, we really only care about the interactions from 10.14.1.8. The
> ones from 10.14.16.14 are actually the CA master talking to itself. All
> of the above are on the admin port. So the verification is successful.
>
> > # cd /var/log/pki-ca-clone
> > # grep -i agent localhost_access_log.2013-02-14.txt
> > # grep -i ee localhost_access_log.2013-02-14.txt
> > 10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
> > # grep -i admin localhost_access_log.2013-02-14.txt
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 -
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200 318
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146
> > 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862
> > 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43
> > 10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10106
> > 10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12566
> > 10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 302 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12557
> > 10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8492
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10006
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 32918
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11690
> > 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 68264
> > 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET /ca/admin/console/img/certificate.png HTTP/1.1" 200 4663
> > 10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8652
> > 10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8215
> > 10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 7832
> >
> >   * Successfully tested that CA Master and CA Clone worked together:
> >     * 'Test EE Master Agent Master'
> >     * 'Test EE Master Agent Clone'
> >     * 'Test EE Clone Agent Master'
> >     * 'Test EE Clone Agent Clone'
> >   * Successfully tested that CA Master, CA Clone, and KRA worked together:
> >     * 'DRM Test EE Master Agent Master'
> >     * 'DRM Test EE Master Agent Clone'
> >     * 'DRM Test EE Clone Agent Master'
> >     * 'DRM Test EE Clone Agent Clone'
> >
> > On 02/12/13 12:11, Ade Lee wrote:
> >
> > > We want to use the admin interface for installation work. This patch
> > > moves the interfaces used in cloning from either the EE or agent
> > > interface to the admin one. See:
> > > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
> > >
> > > Specifically,
> > > 1. Change call to use /ca/admin/ca/getCertChain
> > > 2. Remove unneeded getTokenInfo servlet. The logic not to use this
> > > servlet has already been committed to dogtag 10.
> > > 3. Move updateNumberRange to the admin interface. For backward
> > > compatibility with old instances, the install code will
> > > call /ca/agent/updateNumberRange as a fallback.
> > > 4. Add updateDomainXML to admin interface. For backward compatibility,
> > > updateDomainXML will continue to be exposed on the agent interface with
> > > agent client auth.
> > > 5. Changed pkidestroy to get an install token and use the admin
> > > interface to update the security domain. For backward compatibility,
> > > the user and password are not specified as mandatory arguments -
> > > although we want to do that in future.
> > > 6. Added tokenAuthenticate to the admin interface.
> > >
> > > Note, existing subsystems will need to have config changes manually
> > > added in order to use the new interfaces. Instructions will be added to
> > > the link above. With new instances, you should be able to clone a CA
> > > all on the admin interface.
> > >
> > > The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH
> > >
> > > Please review,
> > > Ade

From mharmsen at redhat.com Fri Feb 15 20:28:29 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 15 Feb 2013 12:28:29 -0800
Subject: [Pki-devel] [PATCH] 118 - Add token authenticate to admin interface
In-Reply-To: <1360684702.18568.6.camel@aleeredhat.laptop>
References: <1360684702.18568.6.camel@aleeredhat.laptop>
Message-ID: <511E9A6D.1070002@redhat.com>

ACK (with CAVEAT)

*CAVEAT:*

In addition, after applying the patch, change the following lines in
'base/common/src/com/netscape/cms/authentication/TokenAuthentication.java':

Change line 164 from:

+ c = sendAuthRequest(authHost, authAdminPort, authURL, content);

to:

+ c = sendAuthRequest(authHost, authEEPort, authURL, content);

Change line 167 from:

+ + authHost + ":" + authAdminPort + " " + e1);

to:

+ + authHost + ":" + authEEPort + " " + e1);

*TEST:*

As a very similar patch was already tested on RHCS 8.1, the testing of this patch was minimal:

* applied patch + CAVEAT to source, built on x86_64 Fedora 18 machine, and installed packages
* performed a pkispawn of a CA (skipping configuration)
* performed a firefox browser GUI configuration of the CA
* successfully tested the CA
* performed a pkispawn of a CA clone (skipping configuration)
* performed a firefox browser GUI configuration of the CA clone
* successfully tested interactions between the CA master and CA clone:
  o EE master AGENT master
  o EE master AGENT clone
  o EE clone AGENT master
  o EE clone AGENT clone

On 02/12/13 07:58, Ade Lee wrote:
> This is an add on patch to allow tokenAuthentication to take place on
> the admin interface. The ee interface is kept for legacy sake.
>
> Please review,
> Ade

From alee at redhat.com Mon Feb 18 15:54:23 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 18 Feb 2013 10:54:23 -0500
Subject: [Pki-devel] [PATCH] 212 Added CLI to manage user membership.
In-Reply-To: <511BDC7B.6080205@redhat.com>
References: <511BDC7B.6080205@redhat.com>
Message-ID: <1361202864.2317.7.camel@aleeredhat.laptop>

ACK

On Wed, 2013-02-13 at 12:33 -0600, Endi Sukma Dewata wrote:
> New CLI's have been added to search, add, and remove user membership.
> The group member management code has been refactored into a processor
> to allow reuse.
>
> Ticket #190

From edewata at redhat.com Mon Feb 18 16:01:16 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 18 Feb 2013 10:01:16 -0600
Subject: [Pki-devel] [PATCH] 212 Added CLI to manage user membership.
In-Reply-To: <1361202864.2317.7.camel@aleeredhat.laptop>
References: <511BDC7B.6080205@redhat.com> <1361202864.2317.7.camel@aleeredhat.laptop>
Message-ID: <5122504C.7050700@redhat.com>

On 2/18/2013 9:54 AM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From awnuk at redhat.com Tue Feb 19 01:34:00 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 18 Feb 2013 17:34:00 -0800
Subject: [Pki-devel] [PATCH] random certificate serial numbers
Message-ID: <5122D688.7070808@redhat.com>

This patch adds support for random certificate serial numbers.

Bug 912554.

-------------- next part --------------
Index: pki/dogtag/console-ui/CMSAdminRS.properties =================================================================== --- pki/dogtag/console-ui/CMSAdminRS.properties (revision 2521) +++ pki/dogtag/console-ui/CMSAdminRS.properties (working copy)
@@ -378,6 +378,12 @@ CAGENERAL_COMBOBOX_ALGORITHM_VALUE_3=SHA256 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_4=SHA512 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_5=SHA1 with DSA +CAGENERAL_BORDER_MANAGEMENT_LABEL=Serial Number Management +CAGENERAL_CHECKBOX_MANAGEMENT_LABEL=Enable serial number management +CAGENERAL_CHECKBOXL_MANAGEMENT_TTIP=Allow CA to manage serial numbers automatically +CAGENERAL_BORDER_RANDOM_LABEL=Random Certificate Serial Numbers +CAGENERAL_CHECKBOX_RANDOM_LABEL=Enable random certificate serial numbers +CAGENERAL_CHECKBOXL_RANDOM_TTIP=Allow CA to generate random certificate serial numbers CAGENERAL_BORDER_SERIAL_LABEL=Certificate Serial Number CAGENERAL_LABEL_SERIAL_LABEL=Next Serial Number: (0x) CAGENERAL_LABEL_SERIAL_TTIP=Specify the next serial number of the certificate that the CA issues @@ -387,6 +393,9 @@ CAGENERAL_BORDER_VALIDITY_LABEL=Certificate Validity CAGENERAL_CHECKBOX_VALIDITY_LABEL=Override validity nesting requirement CAGENERAL_CHECKBOXL_VALIDITY_TTIP=Allow CA to issue certificates with validity beyond that of the CA's signing certificate +CAGENERAL_BORDER_RANDOM_VALIDITY_LABEL=Randomize Certificate Validity +CAGENERAL_CHECKBOX_RANDOM_VALIDITY_LABEL=Randomize certificate validity +CAGENERAL_CHECKBOXL_RANDOM_VALIDITY_TTIP=Allow CA to issue certificates with randomized validity CAGENERAL_DIALOG_NUMBERFORMAT_MESSAGE=You must specify a numeric value CAGENERAL_DIALOG_NUMBERFORMAT_TITLE=Error CAGENERAL_CHECKBOX_RA_LABEL=Enable registration authority interaction Index: pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java (revision 2521) +++ pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java (working copy) 
@@ -1479,6 +1479,10 @@ getSigningAlgConfig(params); getSerialConfig(params); getMaxSerialConfig(params); + params.add(Constants.PR_SN_MANAGEMENT, + Boolean.toString(mCA.getDBSubsystem().getEnableSerialMgmt())); + params.add(Constants.PR_RANDOM_SN, + Boolean.toString(mCA.getCertificateRepository().getEnableRandomSerialNumbers())); sendResponse(SUCCESS, null, params, resp); } @@ -1555,6 +1559,11 @@ mCA.setStartSerial(value); } else if (key.equals(Constants.PR_MAXSERIAL)) { mCA.setMaxSerial(value); + } else if (key.equals(Constants.PR_SN_MANAGEMENT)) { + mCA.getDBSubsystem().setEnableSerialMgmt(Boolean.valueOf(value)); + //mCA.getCertificateRepository().setEnableSerialMgmt(Boolean.valueOf(value)); + } else if (key.equals(Constants.PR_RANDOM_SN)) { + mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true); } } Index: pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java (revision 2521) +++ pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java (working copy) @@ -33,6 +33,7 @@ import com.netscape.certsrv.policy.*; import com.netscape.certsrv.security.*; import com.netscape.certsrv.publish.*; +import com.netscape.certsrv.dbs.*; import com.netscape.certsrv.dbs.certdb.*; import com.netscape.certsrv.dbs.crldb.*; import com.netscape.certsrv.dbs.replicadb.*; 
@@ -465,6 +466,13 @@ public IService getCAService(); /** + * Retrieves the DB subsystem managing internal data storage. + * + * @return DB subsystem object + */ + public IDBSubsystem getDBSubsystem(); + + /** * Returns the in-memory count of the processed OCSP requests. * * @return number of processed OCSP requests in memory Index: pki/base/common/src/com/netscape/certsrv/common/Constants.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/common/Constants.java (revision 2521) +++ pki/base/common/src/com/netscape/certsrv/common/Constants.java (working copy) @@ -341,10 +341,14 @@ * Certificate Authority *========================================================*/ public final static String PR_VALIDITY = "validity"; + //public final static String PR_RANDOM_VALIDITY = "randomValidity"; + //public final static String PR_RANDOM_VALIDITY_BITS = "randomValidityBits"; public final static String PR_DEFAULT_ALGORITHM = "defaultSigningAlgorithm"; public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms"; public final static String PR_SERIAL = "startSerialNumber"; public final static String PR_MAXSERIAL = "maxSerialNumber"; + public final static String PR_SN_MANAGEMENT = "serialNumberManagement"; + public final static String PR_RANDOM_SN = "randomSerialNumbers"; /*======================================================== * Access Control Index: pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java (revision 2521) +++ pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java (working copy) 
@@ -37,6 +37,7 @@ public final static String ATTR_SERIALNO = "serialNo"; public final static String ATTR_PUB_STATUS = "publishingStatus"; + public final static String ATTR_DESCRIPTION = "description"; /** * Retrieves serial number. @@ -46,4 +47,6 @@ public BigInteger getSerialNumber(); public String getPublishingStatus(); + + public String getDescription(); } Index: pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java (revision 2521) +++ pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java (working copy) @@ -205,6 +205,39 @@ public void setEnableSerialMgmt(boolean value) throws EBaseException; /** + * Gets replica ID + * + * @return replica ID + */ + public int getReplicaID(); + + /** + * Gets internal DB configuration store + * + * @return internal DB configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Gets DB subsystem configuration store + * + * @return DB subsystem configuration store + */ + public IConfigStore getDBConfigStore(); + + /** + * Gets attribute value for specified entry + * + * @param dn entry's distinguished name + * @param attrName attribute's name + * @param defaultValue attribute's default value + * @param errorValue attribute's error value + * @return attribute value + */ + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue); + + /** * Returns LDAP connection to connection pool. * * @param conn connection to be returned Index: pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (revision 2521) +++ pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (working copy) 
@@ -508,5 +508,22 @@ */ public void removeCertRecords(BigInteger beginS, BigInteger endS) throws EBaseException; + /** + * Retrieves serial number management mode. + * + * @return serial number management mode, + * "true" indicates random serial number management, + * "false" indicates sequential serial number management. + */ + public boolean getEnableRandomSerialNumbers(); + + /** + * Sets serial number management mode for certificates.. + * + * @param random "true" sets random serial number management, "false" sequential + * @param updateMode "true" updates "description" attribute in certificate repository + */ + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode); + public void shutdown(); } Index: pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java (revision 2521) +++ pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java (working copy) @@ -59,6 +59,7 @@ private DBRegistry mRegistry = null; private String mBaseDN = null; private ISubsystem mOwner = null; + private int mReplicaID = -1; private Hashtable[] mRepos = null; @@ -141,8 +142,6 @@ private static final String PROP_INCREMENT_NAME = "increment_name"; private static final String PROP_RANGE_DN="rangeDN"; - private static final BigInteger BI_ONE = new BigInteger("1"); - private ILogger mLogger = null; // singleton enforcement @@ -212,6 +211,10 @@ mEnableSerialMgmt = v; } + public int getReplicaID() { + return mReplicaID; + } + public BigInteger getNextSerialConfig() { return mNextSerialConfig; } 
@@ -437,7 +440,7 @@ conn.modify( dn, mods ); // Add new range object - String endRange = nextRangeNo.add(incrementNo).subtract(BI_ONE).toString(); + String endRange = nextRangeNo.add(incrementNo).subtract(BigInteger.ONE).toString(); LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); attrs.add(new LDAPAttribute("objectClass", "pkiRange")); @@ -449,6 +452,8 @@ String dn2 = "cn=" + nextRange + "," + rangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn2, attrs); conn.add(rangeEntry); + CMS.debug("DBSubsystem: getNextRange Next range has been added: " + + nextRange + " - " + endRange); } catch (Exception e) { CMS.debug("DBSubsystem: getNextRange. Unable to provide next range :" + e); e.printStackTrace(); @@ -547,6 +552,7 @@ PROP_NEXT_SERIAL_NUMBER, "0"), 16); mEnableSerialMgmt = mDBConfig.getBoolean(PROP_ENABLE_SERIAL_MGMT, false); + CMS.debug("DBSubsystem: init() mEnableSerialMgmt="+mEnableSerialMgmt); // populate the certs hash entry Hashtable certs = new Hashtable(); 
@@ -800,14 +806,72 @@ reg.registerAttribute(IRepositoryRecord.ATTR_PUB_STATUS, new StringMapper(RepositorySchema.LDAP_ATTR_PUB_STATUS)); } + if (!reg.isAttributeRegistered(IRepositoryRecord.ATTR_DESCRIPTION)) { + reg.registerAttribute(IRepositoryRecord.ATTR_DESCRIPTION, + new StringMapper(RepositorySchema.LDAP_ATTR_DESCRIPTION)); + } } catch (EBaseException e) { if (CMS.isPreOpMode()) return; throw e; } + + if (!CMS.isPreOpMode()) { + String dn = null; + try { + dn = "cn=replica,cn=\""+mBaseDN+"\",cn=mapping tree,cn=config"; + mReplicaID = Integer.parseInt(getEntryAttribute(dn, "nsDS5ReplicaId", "0", "-1")); + CMS.debug("DBSubsystem: init() mReplicaID="+mReplicaID); + } catch (Exception e) { + CMS.debug("DBSubsystem: init(). Unable to identify replica ID:" + e.getMessage()); + } + } } + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue) { + LDAPConnection conn = null; + String attrValue = null; + //CMS.debug("DBSubsystem: getEntryAttribute: dn="+dn+" attrName="+attrName+ + // " defaultValue="+defaultValue+" errorValue="+errorValue); + try { + conn = mLdapConnFactory.getConn(); + String[] attrs = { attrName }; + LDAPEntry entry = conn.read(dn, attrs); + if (entry != null) { + LDAPAttribute attr = entry.getAttribute(attrName); + if (attr != null) { + attrValue = (String) attr.getStringValues().nextElement(); + } else { + attrValue = defaultValue; + } + } else { + attrValue = errorValue; + } + } catch (LDAPException e) { + CMS.debug("DBSubsystem: getEntryAttribute LDAPException code="+e.getLDAPResultCode()); + if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) { + attrValue = defaultValue; + } + } catch (Exception e) { + CMS.debug("DBSubsystem: getEntryAttribute. 
Unable to retrieve '"+attrName+"': "+ e); + attrValue = errorValue; + } finally { + try { + if ((conn != null) && (mLdapConnFactory != null)) { + CMS.debug("Releasing ldap connection"); + mLdapConnFactory.returnConn(conn); + } + } catch (Exception e) { + CMS.debug("Error releasing the ldap connection" + e.toString()); + } + } + CMS.debug("DBSubsystem: getEntryAttribute: dn="+dn+" attr="+attrName+":"+attrValue+";"); + + return attrValue; + } + /** * Starts up this service. */ @@ -815,13 +879,20 @@ } /** - * Retrieves configuration store. + * Retrieves internal DB configuration store. */ public IConfigStore getConfigStore() { return mConfig; } /** + * Retrieves DB subsystem configuration store. + */ + public IConfigStore getDBConfigStore() { + return mDBConfig; + } + + /** * Retrieves base DN of backend database. */ public String getBaseDN() { Index: pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java (revision 2521) +++ pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java (working copy) @@ -41,11 +41,13 @@ private BigInteger mSerialNo = null; private String mPublishingStatus = null; + private String mDescription = null; protected static Vector mNames = new Vector(); static { mNames.addElement(IRepositoryRecord.ATTR_SERIALNO); mNames.addElement(IRepositoryRecord.ATTR_PUB_STATUS); + mNames.addElement(IRepositoryRecord.ATTR_DESCRIPTION); } /** @@ -63,6 +65,8 @@ mSerialNo = (BigInteger) obj; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { mPublishingStatus = (String) obj; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + mDescription = (String) obj; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } 
@@ -76,6 +80,8 @@ return mSerialNo; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { return mPublishingStatus; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + return mDescription; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -109,4 +115,8 @@ public String getPublishingStatus() { return mPublishingStatus; } + + public String getDescription() { + return mDescription; + } } Index: pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java (revision 2521) +++ pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java (working copy) @@ -41,4 +41,5 @@ public static final String LDAP_OC_REPOSITORY = "repository"; public static final String LDAP_ATTR_SERIALNO = "serialno"; public static final String LDAP_ATTR_PUB_STATUS = "publishingStatus"; + public final static String LDAP_ATTR_DESCRIPTION = "description"; } Index: pki/base/common/src/com/netscape/cmscore/dbs/Repository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (revision 2521) +++ pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (working copy) @@ -48,9 +48,7 @@ public abstract class Repository implements IRepository { - private static final BigInteger BI_ONE = new BigInteger("1"); private BigInteger BI_INCREMENT = null; - private static final BigInteger BI_ZERO = new BigInteger("0"); // (the next serialNo to be issued) - 1 private BigInteger mSerialNo = null; // the serialNo attribute stored in db 
@@ -61,8 +59,10 @@ private String mNextMaxSerial = null; private String mNextMinSerial = null; - private BigInteger mMinSerialNo = null; - private BigInteger mMaxSerialNo = null; + protected boolean mEnableRandomSerialNumbers = false; + protected BigInteger mCounter = null; + protected BigInteger mMinSerialNo = null; + protected BigInteger mMaxSerialNo = null; private BigInteger mNextMinSerialNo = null; private BigInteger mNextMaxSerialNo = null; @@ -152,6 +152,7 @@ } BigInteger serial = rec.getSerialNumber(); + CMS.debug("Repository: getSerialNumber serial="+serial); if (!mInit) { // cms may crash after issue a cert but before update @@ -161,7 +162,7 @@ serial + "," + mBaseDN); if (obj != null) { - serial = serial.add(BI_ONE); + serial = serial.add(BigInteger.ONE); setSerialNumber(serial); } }catch (EBaseException e) { @@ -249,6 +250,9 @@ return mMinSerial; } + protected void setLastSerialNo(BigInteger lastSN) { + mLastSerialNo = lastSN; + } /** * init serial number cache @@ -323,6 +327,11 @@ } + protected void initCacheIfNeeded() throws EBaseException { + if (mLastSerialNo == null) + initCache(); + } + /** * get the next serial number in cache */ @@ -331,7 +340,7 @@ CMS.debug("Repository:In getTheSerialNumber " ); if (mLastSerialNo == null) initCache(); - BigInteger serial = new BigInteger((mLastSerialNo.add(BI_ONE)).toString()); + BigInteger serial = mLastSerialNo.add(BigInteger.ONE); if (mMaxSerialNo != null && serial.compareTo(mMaxSerialNo) > 0) return null; @@ -360,7 +369,7 @@ // < BI_INCREMENT and server restart right afterwards. mDB.setNextSerialConfig(num); - mSerialNo = num.subtract(BI_ONE); + mSerialNo = num.subtract(BigInteger.ONE); mNext = num.add(BI_INCREMENT); setSerialNumber(mNext); } 
@@ -379,23 +388,43 @@ if (mLastSerialNo == null) { initCache(); - - mLastSerialNo = mLastSerialNo.add(BI_ONE); - - - } else { - mLastSerialNo = mLastSerialNo.add(BI_ONE); } - - if( mLastSerialNo == null ) { + if (mLastSerialNo == null) { CMS.debug( "Repository::getNextSerialNumber() " + "- mLastSerialNo is null!" ); throw new EBaseException( "mLastSerialNo is null" ); } + mLastSerialNo = mLastSerialNo.add(BigInteger.ONE); + + checkRange(); + + BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); + + CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); + return retSerial; + } + + /** + * Checks to see if range needs to be switched. + * + * @exception EBaseException thrown when next range is not allocated + */ + protected void checkRange() throws EBaseException + { // check if we have reached the end of the range // if so, move to next range - if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 ) { + BigInteger randomLimit = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + randomLimit = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE); + randomLimit = randomLimit.subtract(mLowWaterMarkNo.shiftRight(1)); + CMS.debug("Repository: checkRange randomLimit="+randomLimit); + } + CMS.debug("Repository: checkRange mLastSerialNo="+mLastSerialNo); + if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 || + (randomLimit != null && mCounter.compareTo(randomLimit) > 0)) { + if (mDB.getEnableSerialMgmt()) { CMS.debug("Reached the end of the range. Attempting to move to next range"); mMinSerialNo = mNextMinSerialNo; 
@@ -409,8 +438,8 @@ } // persist the changes - mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString()); - mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString()); + mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix)); + mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString(mRadix)); mDB.setNextMinSerialConfig(mRepo, null); mDB.setNextMaxSerialConfig(mRepo, null); } else { @@ -418,11 +447,6 @@ mLastSerialNo.toString())); } } - - BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); - - CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); - return retSerial; } /** @@ -445,13 +469,19 @@ if (mLastSerialNo == null) initCache(); - BigInteger numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + BigInteger numsInRange = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + numsInRange = (mMaxSerialNo.subtract(mMinSerialNo)).subtract(mCounter); + } else { + numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + } BigInteger numsInNextRange = null; BigInteger numsAvail = null; CMS.debug("Serial numbers left in range: " + numsInRange.toString()); CMS.debug("Last Serial Number: " + mLastSerialNo.toString()); if ((mNextMaxSerialNo != null) && (mNextMinSerialNo != null)) { - numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo); + numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo).add(BigInteger.ONE); numsAvail = numsInRange.add(numsInNextRange); CMS.debug("Serial Numbers in next range: " + numsInNextRange.toString()); CMS.debug("Serial Numbers available: " + numsAvail.toString()); 
@@ -467,7 +497,7 @@ CMS.debug("Next Range not available"); } else { CMS.debug("nNextMinSerialNo has been set to " + mNextMinSerialNo.toString(mRadix)); - mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo); + mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo).subtract(BigInteger.ONE); numsAvail = numsAvail.add(mIncrementNo); mDB.setNextMinSerialConfig(mRepo, mNextMinSerialNo.toString(mRadix)); mDB.setNextMaxSerialConfig(mRepo, mNextMaxSerialNo.toString(mRadix)); Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2521) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) @@ -52,7 +52,15 @@ public class CertificateRepository extends Repository implements ICertificateRepository { - public final String CERT_X509ATTRIBUTE = "x509signedcert"; + private static final String PROP_ENABLE_RANDOM_SERIAL_NUMBERS = "enableRandomSerialNumbers"; + private static final String PROP_RANDOM_SERIAL_NUMBER_COUNTER = "randomSerialNumberCounter"; + private static final String PROP_FORCE_MODE_CHANGE = "forceModeChange"; + private static final String PROP_RANDOM_MODE = "random"; + private static final String PROP_SEQUENTIAL_MODE = "sequential"; + private static final String PROP_COLLISION_RECOVERY_STEPS = "collisionRecoverySteps"; + private static final String PROP_COLLISION_RECOVERY_REGENERATIONS = "collisionRecoveryRegenerations"; + private static final BigInteger BI_MINUS_ONE = (BigInteger.ZERO).subtract(BigInteger.ONE); + private final int REPLICA_BITS = 16; private IDBSubsystem mDBService; private String mBaseDN; 
@@ -66,6 +74,18 @@ private int mTransitMaxRecords = 1000000; private int mTransitRecordPageSize = 200; + private Random mRandom = null; + private int mBitLength = 0; + private BigInteger mRangeSize = null; + private BigInteger mRandomRangeSize = null; + private BigInteger mReplicaID = null; + private int mMinRandomBitLength = 4; + private int mReplicaBitLength = REPLICA_BITS; + private int mMaxCollisionRecoverySteps = 10; + private int mMaxCollisionRecoveryRegenerations = 3; + private IConfigStore mDBConfig = null; + private boolean mForceModeChange = false; + /** * Constructs a certificate repository. */ 
@@ -75,17 +95,297 @@ mBaseDN = certRepoBaseDN; mDBService = dbService; - - // registers CMS database attributes - IDBRegistry reg = dbService.getRegistry(); - - IConfigStore cfg = mDBService.getConfigStore(); + mDBConfig = mDBService.getDBConfigStore(); } public ICertRecord createCertRecord(BigInteger id, Certificate cert, MetaInfo meta) { return new CertRecord(id, cert, meta); } + public boolean getEnableRandomSerialNumbers() { + return mEnableRandomSerialNumbers; + } + + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode) { + if (mEnableRandomSerialNumbers ^ random) { + mEnableRandomSerialNumbers = random; + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers switching to " + + ((random)?PROP_RANDOM_MODE:PROP_SEQUENTIAL_MODE) + " mode"); + if (updateMode) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + } + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + + BigInteger lastSerialNumber = null; + try { + lastSerialNumber = getLastSerialNumberInRange(mMinSerialNo,mMaxSerialNo); + } catch (Exception e) { + } + if (lastSerialNumber != null) { + super.setLastSerialNo(lastSerialNumber); + if (mEnableRandomSerialNumbers) { + mCounter = lastSerialNumber.subtract(mMinSerialNo).add(BigInteger.ONE); + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers mCounter="+ + mCounter+"="+lastSerialNumber+"-"+mMinSerialNo+"+1"); + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + } else { + mCounter = BI_MINUS_ONE; + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + } + } + + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + } + } + + private BigInteger getRandomNumber() throws EBaseException { + BigInteger randomNumber = null; + + if (mRandom == null) { + mRandom = new Random(); + } + super.initCacheIfNeeded(); + + if 
(mRangeSize == null || mReplicaID == null) { + mRangeSize = (mMaxSerialNo.subtract(mMinSerialNo)).add(BigInteger.ONE); + mBitLength = mRangeSize.bitLength(); + int rid = mDBService.getReplicaID(); + rid = -1; // shared ranges using replica IDs are postponed + if (rid > -1) { + mReplicaID = new BigInteger((new Integer(rid)).toString()); + } else { + mReplicaBitLength = 0; + } + mRandomRangeSize = mRangeSize.shiftRight(mReplicaBitLength); + } + if (mBitLength - mReplicaBitLength < mMinRandomBitLength) { + CMS.debug("CertificateRepository: getRandomNumber: Range size is too small to support random certificate serial numbers."); + throw new EBaseException ("Range size is too small to support random certificate serial numbers."); + } + randomNumber = new BigInteger((mBitLength-mReplicaBitLength), mRandom); + randomNumber = (randomNumber.multiply(mRandomRangeSize)).shiftRight(mBitLength-mReplicaBitLength); + CMS.debug("CertificateRepository: getRandomNumber randomNumber="+randomNumber); + + return randomNumber; + } + + private BigInteger getRandomSerialNumber(BigInteger randomNumber) throws EBaseException { + BigInteger nextSerialNumber = null; + + if (mReplicaBitLength > 0) { + nextSerialNumber = (randomNumber.shiftLeft(mReplicaBitLength)).add(mReplicaID); + } else { + nextSerialNumber = randomNumber; + } + nextSerialNumber = (nextSerialNumber.add(mMinSerialNo)).subtract(BigInteger.ONE); + CMS.debug("CertificateRepository: getRandomSerialNumber nextSerialNumber="+nextSerialNumber); + + return nextSerialNumber; + } + + private BigInteger checkSerialNumbers(BigInteger randomNumber, BigInteger serialNumber) throws EBaseException { + BigInteger nextSerialNumber = null; + BigInteger initialRandomNumber = randomNumber; + BigInteger delta = BigInteger.ZERO; + int i = 0; + int n = mMaxCollisionRecoverySteps; + + do { + CMS.debug("CertificateRepository: checkSerialNumbers checking("+(i+1)+")="+serialNumber); + try { + if (readCertificateRecord(serialNumber) != null) { + 
CMS.debug("CertificateRepository: checkSerialNumbers collision detected for serialNumber="+serialNumber); + } + } catch (EDBRecordNotFoundException nfe) { + CMS.debug("CertificateRepository: checkSerialNumbers serial number "+serialNumber+" is available"); + nextSerialNumber = serialNumber; + } catch (Exception e) { + CMS.debug("CertificateRepository: checkSerialNumbers Exception="+e.getMessage()); + } + + if (nextSerialNumber == null) { + if (i%2 == 0) { + delta = delta.add(BigInteger.ONE); + serialNumber = getRandomSerialNumber(initialRandomNumber.add(delta)); + + if (mMaxSerialNo != null && serialNumber.compareTo(mMaxSerialNo) > 0) { + serialNumber = getRandomSerialNumber(initialRandomNumber.subtract(delta)); + i++; + n++; + } + } else { + serialNumber = getRandomSerialNumber(initialRandomNumber.subtract(delta)); + if (mMinSerialNo != null && serialNumber.compareTo(mMinSerialNo) < 0) { + delta = delta.add(BigInteger.ONE); + serialNumber = getRandomSerialNumber(initialRandomNumber.add(delta)); + i++; + n++; + } + } + i++; + } + } while (nextSerialNumber == null && i < n); + + return nextSerialNumber; + } + + private Object nextSerialNumberMonitor = new Object(); + + public BigInteger getNextSerialNumber() throws + EBaseException { + + BigInteger nextSerialNumber = null; + BigInteger randomNumber = null; + + synchronized (nextSerialNumberMonitor) { + CMS.debug("CertificateRepository: getNextSerialNumber mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + + if (mEnableRandomSerialNumbers) { + int i = 0; + do { + if (i > 0) { + CMS.debug("CertificateRepository: getNextSerialNumber regenerating serial number"); + } + randomNumber = getRandomNumber(); + nextSerialNumber = getRandomSerialNumber(randomNumber); + nextSerialNumber = checkSerialNumbers(randomNumber, nextSerialNumber); + i++; + } while (nextSerialNumber == null && i < mMaxCollisionRecoveryRegenerations); + + if (nextSerialNumber == null) { + CMS.debug("CertificateRepository: in getNextSerialNumber 
nextSerialNumber is null"); + throw new EBaseException( "nextSerialNumber is null" ); + } + + if (mCounter.compareTo(BigInteger.ZERO) >= 0 && + mMinSerialNo != null && mMaxSerialNo != null && + nextSerialNumber != null && + nextSerialNumber.compareTo(mMinSerialNo) >= 0 && + nextSerialNumber.compareTo(mMaxSerialNo) <= 0) { + mCounter = mCounter.add(BigInteger.ONE); + } + CMS.debug("CertificateRepository: getNextSerialNumber nextSerialNumber="+ + nextSerialNumber+" mCounter="+mCounter); + + super.checkRange(); + } else { + nextSerialNumber = super.getNextSerialNumber(); + } + } + + return nextSerialNumber; + } + + private void updateCounter() { + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + try { + super.initCacheIfNeeded(); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception from initCacheIfNeeded: "+e.getMessage()); + } + + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: updateCounter modeChange="+modeChange); + if (modeChange) { + if (mForceModeChange) { + setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true); + } else { + setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false); + } + } else if (mEnableRandomSerialNumbers && mCounter != null && + mCounter.compareTo(BigInteger.ZERO) >= 0) { + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } + CMS.debug("CertificateRepository: UpdateCounter 
mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + } + + private BigInteger getInRangeCount(String fromTime, BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { + BigInteger count = BigInteger.ZERO; + String filter = null; + + if (fromTime != null && fromTime.length() > 0) { + filter = "(certCreateTime >= "+fromTime+")"; + } else { + filter = "(&("+ICertRecord.ATTR_ID+">="+minSerialNo+")("+ + ICertRecord.ATTR_ID+"<="+maxSerialNo+"))"; + } + CMS.debug("CertificateRepository: getInRangeCount filter="+filter+ + " minSerialNo="+minSerialNo+" maxSerialNo="+maxSerialNo); + + Enumeration e = findCertRecs(filter, new String[] {ICertRecord.ATTR_ID, "objectclass"}); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + if (rec != null) { + BigInteger sn = rec.getSerialNumber(); + if (fromTime == null || fromTime.length() == 0 || + (minSerialNo != null && maxSerialNo != null && + sn != null && sn.compareTo(minSerialNo) >= 0 && + sn.compareTo(maxSerialNo) <= 0)) { + count = count.add(BigInteger.ONE); + } + } + } + CMS.debug("CertificateRepository: getInRangeCount count=" + count); + + return count; + } + + private BigInteger getInRangeCounter(BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { + String c = null; + String t = null; + String s = (mDBConfig.getString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-1")).trim(); + CMS.debug("CertificateRepository: getInRangeCounter: saved counter string="+s); + int i = s.indexOf(','); + int n = s.length(); + if (i > -1) { + if (i > 0) { + c = s.substring(0, i); + if (i < n) { + t = s.substring(i+1); + } + } else { + c = "-1"; + } + } else { + c = s; + } + CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"")); + + BigInteger counter = new BigInteger(c); + BigInteger count = BigInteger.ZERO; + if (t != null) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if 
(count.compareTo(BigInteger.ZERO) > 0) { + counter = counter.add(count); + } + } else if (s.equals("-2")) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if (count.compareTo(BigInteger.ZERO) >= 0) { + counter = count; + } + } + CMS.debug("CertificateRepository: getInRangeCounter: counter=" + counter); + + return counter; + } + public BigInteger getLastSerialNumberInRange(BigInteger serial_low_bound, BigInteger serial_upper_bound) throws EBaseException { 
@@ -97,8 +397,42 @@ } - String ldapfilter = "(" + "certstatus" + "=*" + ")"; + mEnableRandomSerialNumbers = mDBConfig.getBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, false); + mForceModeChange = mDBConfig.getBoolean(PROP_FORCE_MODE_CHANGE, false); + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + mMaxCollisionRecoverySteps = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_STEPS, 10); + mMaxCollisionRecoveryRegenerations = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_REGENERATIONS, 3); + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: getLastSerialNumberInRange"+ + " mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers+ + " CollisionRecovery="+mMaxCollisionRecoveryRegenerations+","+mMaxCollisionRecoverySteps); + CMS.debug("CertificateRepository: getLastSerialNumberInRange modeChange="+modeChange+ + " mForceModeChange="+mForceModeChange+((crMode != null)?(" mode="+crMode):"")); + if (modeChange) { + if (mForceModeChange) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? 
PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + mForceModeChange = false; + mDBConfig.remove(PROP_FORCE_MODE_CHANGE); + } else { + mEnableRandomSerialNumbers = !mEnableRandomSerialNumbers; + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + } + } + if (mEnableRandomSerialNumbers && mCounter == null) { + mCounter = getInRangeCounter(serial_low_bound, serial_upper_bound); + } else { + mCounter = BI_MINUS_ONE; + } + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + CMS.debug("CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + String ldapfilter = "("+ICertRecord.ATTR_CERT_STATUS+"=*"+")"; + String[] attrs = null; ICertRecordList recList = findCertRecordsInList(ldapfilter,attrs,serial_upper_bound.toString(10),"serialno", 5 * -1); @@ -112,7 +446,7 @@ BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); return ret; } @@ -151,7 +485,7 @@ BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); return ret; @@ -279,6 +613,7 @@ transitRevokedExpiredCertificates(); CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, CMS.getLogMessage("CMSCORE_DBS_FINISH_REVOKED_EXPIRED_SEARCH")); + updateCounter(); } /** 
@@ -653,6 +988,50 @@ return rec; } + public boolean checkCertificateRecord(BigInteger serialNo) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + CertRecord rec = null; + boolean exists = true; + + try { + String name = "cn" + "=" + + serialNo.toString() + "," + getDN(); + String attrs[] = { "DN" }; + + rec = (CertRecord) s.read(name, attrs); + if (rec == null) exists = false; + } catch (EDBRecordNotFoundException e) { + exists = false; + } catch (Exception e) { + throw new EBaseException(e.getMessage()); + } finally { + if (s != null) + s.close(); + } + return exists; + } + + private void setCertificateRepositoryMode(String mode) { + IDBSSession s = null; + + CMS.debug("CertificateRepository: setCertificateRepositoryMode setting mode: "+mode); + try { + s = mDBService.createSession(); + ModificationSet mods = new ModificationSet(); + String name = getDN(); + mods.add(IRepositoryRecord.ATTR_DESCRIPTION, Modification.MOD_REPLACE, mode); + s.modify(name, mods); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + try { + if (s != null) s.close(); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + } + public synchronized void modifyCertificateRecord(BigInteger serialNo, ModificationSet mods) throws EBaseException { IDBSSession s = mDBService.createSession(); @@ -1191,7 +1570,7 @@ String fromVal = "0"; try { if (from != null) { - int fv = Integer.parseInt(from); + new BigInteger(from); fromVal = from; } } catch (Exception e1) { Index: pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java =================================================================== --- pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java (revision 2521) +++ pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java (working copy) 
@@ -47,6 +47,10 @@ private JTextField mSerialNumber; private JTextField mMaxSerialNumber; private JCheckBox mValidity; + private JCheckBox mRandomValidity; + private JTextField mRandomBits; + private JCheckBox mEnableSerialNumberManagement; + private JCheckBox mEnableRandomSerialNumbers; private Vector mGroupData; private static final String HELPINDEX = "configuration-ca-general-help"; @@ -139,11 +143,11 @@ gb1.setConstraints(mOCSPEnable, gbc); adminPanel.add(mOCSPEnable); - // add validity block + // add validity block CMSAdminUtil.resetGBC(gbc); mValidity = makeJCheckBox("VALIDITY"); gbc.anchor = gbc.CENTER; - //gbc.gridwidth = gbc.REMAINDER; + //gbc.gridwidth = gbc.REMAINDER; remove this comment when adding random validity //gbc.gridheight = gbc.REMAINDER; //gbc.weightx = 1.0; gbc.weighty = 1.0; @@ -151,6 +155,20 @@ validityPanel.add(mValidity); CMSAdminUtil.resetGBC(gbc); + mRandomValidity = makeJCheckBox("RANDOM_VALIDITY"); + gbc.anchor = gbc.CENTER; + gbc.weighty = 1.0; + gb4.setConstraints(mRandomValidity, gbc); + //validityPanel.add(mRandomValidity); + + CMSAdminUtil.resetGBC(gbc); + mRandomBits = makeJTextField(10); + gbc.anchor = gbc.CENTER; + gbc.weighty = 1.0; + gb4.setConstraints(mRandomBits, gbc); + //validityPanel.add(mRandomBits); + + CMSAdminUtil.resetGBC(gbc); JLabel dummy4 = new JLabel(" "); gbc.anchor = gbc.NORTHWEST; gbc.gridwidth = gbc.REMAINDER; 
@@ -189,49 +207,86 @@ gb2.setConstraints(dummy1, gbc); signingPanel.add(dummy1); + // add serial number management + CMSAdminUtil.resetGBC(gbc); + mEnableSerialNumberManagement = makeJCheckBox("MANAGEMENT"); + //mEnableSerialNumberManagement.setEnabled(false); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = 1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 0; + gb3.setConstraints(mEnableSerialNumberManagement, gbc); + serialPanel.add(mEnableSerialNumberManagement); + + // add random serial numbers + CMSAdminUtil.resetGBC(gbc); + mEnableRandomSerialNumbers = makeJCheckBox("RANDOM"); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = gbc.REMAINDER; //1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 1; + gb3.setConstraints(mEnableRandomSerialNumbers, gbc); + serialPanel.add(mEnableRandomSerialNumbers); + // add serial number block CMSAdminUtil.resetGBC(gbc); JLabel serialLabel = makeJLabel("SERIAL"); + serialLabel.setEnabled(false); gbc.anchor = gbc.CENTER; gb3.setConstraints(serialLabel, gbc); + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; - //gbc.insets = new Insets(COMPONENT_SPACE,0,COMPONENT_SPACE,0); - serialPanel.add(serialLabel); + gbc.gridx = 0; + gbc.gridy = 2; + //serialPanel.add(serialLabel); CMSAdminUtil.resetGBC(gbc); mSerialNumber = makeJTextField(17); mSerialNumber.setEnabled(false); gbc.anchor = gbc.NORTHWEST; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 2; gb3.setConstraints(mSerialNumber, gbc); - serialPanel.add(mSerialNumber); + //serialPanel.add(mSerialNumber); // add end serial number block CMSAdminUtil.resetGBC(gbc); JLabel maxSerialLabel = makeJLabel("MAXSERIAL"); - gbc.anchor = gbc.EAST; - //gbc.insets = new 
Insets(COMPONENT_SPACE,DIFFERENT_COMPONENT_SPACE,0,0); + maxSerialLabel.setEnabled(false); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = 1; + gbc.gridheight = 1; gbc.weightx = 0.0; - gbc.gridwidth = 1; + gbc.weighty = 1.0; gbc.gridx = 0; + gbc.gridy = 3; gb3.setConstraints(maxSerialLabel, gbc); - //gbc.weighty = 1.0; - serialPanel.add(maxSerialLabel); + //serialPanel.add(maxSerialLabel); CMSAdminUtil.resetGBC(gbc); mMaxSerialNumber = makeJTextField(17); mMaxSerialNumber.setEnabled(false); - gbc.anchor = gbc.NORTHWEST; - gbc.gridy = 1; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.anchor = gbc.CENTER; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 3; gb3.setConstraints(mMaxSerialNumber, gbc); - serialPanel.add(mMaxSerialNumber); + //serialPanel.add(mMaxSerialNumber); CMSAdminUtil.resetGBC(gbc); JLabel dummy2 = new JLabel(" "); @@ -249,13 +304,17 @@ public void refresh() { mModel.progressStart(); NameValuePairs nvps = new NameValuePairs(); - nvps.add(Constants.PR_EE_ENABLED, ""); + //nvps.add(Constants.PR_EE_ENABLED, ""); //nvps.add(Constants.PR_RA_ENABLED, ""); nvps.add(Constants.PR_DEFAULT_ALGORITHM, ""); nvps.add(Constants.PR_ALL_ALGORITHMS, ""); nvps.add(Constants.PR_SERIAL, ""); nvps.add(Constants.PR_MAXSERIAL, ""); nvps.add(Constants.PR_VALIDITY, ""); + //nvps.add(Constants.PR_RANDOM_VALIDITY, ""); + //nvps.add(Constants.PR_RANDOM_VALIDITY_BITS, ""); + nvps.add(Constants.PR_SN_MANAGEMENT, ""); + nvps.add(Constants.PR_RANDOM_SN, ""); try { NameValuePairs val = mAdmin.read(DestDef.DEST_CA_ADMIN, @@ -268,6 +327,7 @@ } mModel.progressStop(); clearDirtyFlag(); + enableFields(); } protected void populate(NameValuePairs nvps) { 
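Review bot: in checkCertificateRecord() the generic `catch (Exception e)` rethrows as `new EBaseException(e.getMessage())`, which discards the original exception type and stack trace and produces a null message for exceptions that carry none; chain the cause (or at least use e.toString()) so a directory failure during a serial-number collision check stays diagnosable, and initialise `exists` to false and set it true only after `s.read(name, attrs)` returns a record rather than starting from true and hoping every failure path resets it.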
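Review bot: setCertificateRepositoryMode() catches Exception and only emits CMS.debug(), so if the MOD_REPLACE of IRepositoryRecord.ATTR_DESCRIPTION fails the repository silently keeps its previous mode and the caller never learns that the switch between sequential and random serial numbers was not persisted; declare `throws EBaseException` and propagate the failure, or at minimum log it at error level, and put the `s.close()` in a finally block instead of a second try.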
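Review bot: the `- int fv = Integer.parseInt(from);` / `+ new BigInteger(from);` hunk keeps the parse purely as a validation step but leaves no hint of that; add a comment such as `// validate that 'from' is a well-formed serial number` and narrow the surrounding `catch (Exception e1)` to NumberFormatException so an unrelated error is not reported as a bad input value.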
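Review bot: in the CMSCAGeneralPanel hunks, mRandomValidity and mRandomBits are created and given GridBag constraints but their `validityPanel.add(...)` calls are commented out, and the four `serialPanel.add(...)` calls for the serial and max-serial labels and fields are commented out as well while their constraints are still computed; either drop the dead layout code or add the widgets and disable them through enableFields(), and remove leftovers such as `//gbc.gridwidth = gbc.REMAINDER; remove this comment when adding random validity` and `gbc.gridheight = gbc.REMAINDER; //1;`. In the same spirit, refresh() comments out the PR_RANDOM_VALIDITY / PR_RANDOM_VALIDITY_BITS reads while the class still carries the controls; pick one.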
@@ -275,16 +335,21 @@ for (int i=0; i References: <5122D688.7070808@redhat.com> Message-ID: <5122EB4B.4050202@redhat.com> ACK I received a thorough demo of the attached code. On 02/18/13 17:34, Andrew Wnuk wrote: > This patch adds support for random certificate serial numbers. > > Bug 912554. > > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue Feb 19 16:02:41 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 19 Feb 2013 10:02:41 -0600 Subject: [Pki-devel] [PATCH] 206 Added AuthMapping annotation. In-Reply-To: <511BBB66.50304@redhat.com> References: <510E838F.9050004@redhat.com> <511B06B2.9040202@redhat.com> <511BBB66.50304@redhat.com> Message-ID: <5123A221.4040608@redhat.com> On 2/13/2013 10:12 AM, Endi Sukma Dewata wrote: >>> Attached is a patch for ticket #477. The code is done, but since the >>> patch renames one of the files in the deployed webapps there probably >>> needs to be a migration script. This needs to be discussed further. >> >> New patch attached. Renamed the classes and properties files as >> discussed. > > New patch attached. Removed unused references to the properties file. New patch attached. Hard-coded auth method list, restored auth.properties. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0206-3-Added-authentication-method-validation.patch Type: text/x-patch Size: 35931 bytes Desc: not available URL: From cfu at redhat.com Tue Feb 19 19:26:19 2013 
From: cfu at redhat.com (Christina Fu) Date: Tue, 19 Feb 2013 11:26:19 -0800 Subject: [Pki-devel] Request for review: ECC support for pkisilent (CA, subCA, DRM, TKS, TPS, OCSP) Message-ID: <5123D1DB.8040607@redhat.com> This is a request for code review for the following feature bug: Bug 810967 - [RFE] ECC support for pkisilent The code changes can be found here: https://bugzilla.redhat.com/attachment.cgi?id=699587&action=diff&context=patch&collapsed=&headers=1&format=raw The 5 new templates and one readme instruction file can be found in the bug attachment. thanks! Christina -------------- next part -------------- An HTML attachment was scrubbed... URL: From alee at redhat.com Tue Feb 19 20:04:34 2013
From: alee at redhat.com (Ade Lee) Date: Tue, 19 Feb 2013 15:04:34 -0500 Subject: [Pki-devel] Request for review: ECC support for pkisilent (CA, subCA, DRM, TKS, TPS, OCSP) In-Reply-To: <5123D1DB.8040607@redhat.com> References: <5123D1DB.8040607@redhat.com> Message-ID: <1361304274.27926.15.camel@aleeredhat.laptop> Comments: In general, the code changes look fine. Just a couple of nitpicks .. 1. The variable save_p12 should be a boolean rather than a string. 2. In ComCrypto.java, you define setTokenName(). What about getTokenName()? 3. In ComCrypto.java, on line 448, you cast token to (PK11Token) and on 450, there is no cast. Why the discrepancy? Is the cast needed? 4. The exception handling in ComCrypto.java for lines 448/450 is pretty wonky. It seems like token could return null. Could we improve the exception handling in this case? Ade On Tue, 2013-02-19 at 11:26 -0800, Christina Fu wrote: > This is a request for code review for the following feature bug: > Bug 810967 - [RFE] ECC support for pkisilent > > the code changes can be found here: > https://bugzilla.redhat.com/attachment.cgi?id=699587&action=diff&context=patch&collapsed=&headers=1&format=raw > > The 5 new templates and one readme instruction file can be found in > the bug attachment. > > thanks! > Christina > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From cfu at redhat.com Wed Feb 20 02:04:39 2013
From: cfu at redhat.com (Christina Fu) Date: Tue, 19 Feb 2013 18:04:39 -0800 Subject: [Pki-devel] Request for review: ECC support for pkisilent (CA, subCA, DRM, TKS, TPS, OCSP) In-Reply-To: <1361304274.27926.15.camel@aleeredhat.laptop> References: <5123D1DB.8040607@redhat.com> <1361304274.27926.15.camel@aleeredhat.laptop> Message-ID: <51242F37.3090008@redhat.com> Ade, Thank you for the review. Per our discussion. The agreed changes can now be found at: https://bugzilla.redhat.com/attachment.cgi?id=699762&action=diff&context=patch&collapsed=&headers=1&format=raw In addition, I have added changes to the admin cert profile to accept ECC: https://bugzilla.redhat.com/attachment.cgi?id=699763&action=diff&context=patch&collapsed=&headers=1&format=raw Also, I have now put the ECC setup instruction at this location: http://pki.fedoraproject.org/wiki/ECC_Setup_Instructions So the silentEC_readme.txt now only contains a link to it: https://bugzilla.redhat.com/attachment.cgi?id=699764 thanks! Christina On 02/19/2013 12:04 PM, Ade Lee wrote: > Comments: > > In general, the code changes look fine. Just a couple of nitpicks .. > > 1. The variable save_p12 should be a boolean rather than a string. > > 2. In ComCrypto.java, you define setTokenName(). What about > getTokenName()? > > 3. In ComCrypto.java, on line 448, you cast token to (PK11Token) and on > 450, there is no cast. Why the discrepancy? Is the cast needed? > > 4. The exception handling in ComCrypto.java for lines 448/450 is pretty > wonky. It seems like token could return null. Could we improve the > exception handling in this case?
> > Ade > > On Tue, 2013-02-19 at 11:26 -0800, Christina Fu wrote: >> This is a request for code review for the following feature bug: >> Bug 810967 - [RFE] ECC support for pkisilent >> >> the code changes can be found here: >> https://bugzilla.redhat.com/attachment.cgi?id=699587&action=diff&context=patch&collapsed=&headers=1&format=raw >> >> The 5 new templates and one readme instruction file can be found in >> the bug attachment. >> >> thanks! >> Christina >> >> >> _______________________________________________ >> Pki-devel mailing list >> Pki-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Wed Feb 20 03:28:44 2013
From: alee at redhat.com (Ade Lee) Date: Tue, 19 Feb 2013 22:28:44 -0500 Subject: [Pki-devel] Request for review: ECC support for pkisilent (CA, subCA, DRM, TKS, TPS, OCSP) In-Reply-To: <51242F37.3090008@redhat.com> References: <5123D1DB.8040607@redhat.com> <1361304274.27926.15.camel@aleeredhat.laptop> <51242F37.3090008@redhat.com> Message-ID: <1361330924.2739.4.camel@aleeredhat.laptop> Christina, The changes you have put in ComCrypto.java look great. I did notice, however, that you do a similar token assignment around line 710, but still have the unnecessary cast, no check for null and wonky exception handling. Please fix this instance too. Once that is done, we can ACK the patch. Ade On Tue, 2013-02-19 at 18:04 -0800, Christina Fu wrote: > Ade, > > Thank you for the review. > > Per our discussion. The agreed changes can now be found at: > https://bugzilla.redhat.com/attachment.cgi?id=699762&action=diff&context=patch&collapsed=&headers=1&format=raw > > In addition, I have added changes to the admin cert profile to accept ECC: > https://bugzilla.redhat.com/attachment.cgi?id=699763&action=diff&context=patch&collapsed=&headers=1&format=raw > > Also, I have now put the ECC setup instruction at this location: > http://pki.fedoraproject.org/wiki/ECC_Setup_Instructions > So the silentEC_readme.txt now only contains a link to it: > https://bugzilla.redhat.com/attachment.cgi?id=699764 > > thanks! > Christina > > On 02/19/2013 12:04 PM, Ade Lee wrote: > > Comments: > > > > In general, the code changes look fine. Just a couple of nitpicks .. > > > > 1. The variable save_p12 should be a boolean rather than a string. > > > > 2. In ComCrypto.java, you define setTokenName(). What about > > getTokenName()? > > > > 3. In ComCrypto.java, on line 448, you cast token to (PK11Token) and on > > 450, there is no cast. Why the discrepancy? Is the cast needed? > > > > 4. The exception handling in ComCrypto.java for lines 448/450 is pretty > > wonky. It seems like token could return null.
Could we improve the > > exception handling in this case? > > > > Ade > > > > On Tue, 2013-02-19 at 11:26 -0800, Christina Fu wrote: > >> This is a request for code review for the following feature bug: > >> Bug 810967 - [RFE] ECC support for pkisilent > >> > >> the code changes can be found here: > >> https://bugzilla.redhat.com/attachment.cgi?id=699587&action=diff&context=patch&collapsed=&headers=1&format=raw > >> > >> The 5 new templates and one readme instruction file can be found in > >> the bug attachment. > >> > >> thanks! > >> Christina > >> > >> > >> _______________________________________________ > >> Pki-devel mailing list > >> Pki-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/pki-devel > From edewata at redhat.com Wed Feb 20 17:17:20 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Feb 2013 11:17:20 -0600 Subject: [Pki-devel] [PATCH] 213 Added DS info validation. Message-ID: <51250520.5040807@redhat.com> The installer script has been modified to validate DS info in both interactive and silent installation. Ticket #472 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0213-Added-DS-info-validation.patch Type: text/x-patch Size: 7585 bytes Desc: not available URL: From cfu at redhat.com Wed Feb 20 21:04:06 2013
From: cfu at redhat.com (Christina Fu) Date: Wed, 20 Feb 2013 13:04:06 -0800 Subject: [Pki-devel] Request for review: ECC support for pkisilent (CA, subCA, DRM, TKS, TPS, OCSP) In-Reply-To: <1361330924.2739.4.camel@aleeredhat.laptop> References: <5123D1DB.8040607@redhat.com> <1361304274.27926.15.camel@aleeredhat.laptop> <51242F37.3090008@redhat.com> <1361330924.2739.4.camel@aleeredhat.laptop> Message-ID: <51253A46.7010202@redhat.com> Hi Ade, Please find the following changes as discussed: https://bugzilla.redhat.com/attachment.cgi?id=700248&action=diff&context=patch&collapsed=&headers=1&format=raw https://bugzilla.redhat.com/attachment.cgi?id=700250&action=diff&context=patch&collapsed=&headers=1&format=raw thanks! Christina On 02/19/2013 07:28 PM, Ade Lee wrote: > Christina, > > The changes you have put in ComCrypto.java look great. I did notice, > however, that you do a similar token assignment around line 710, but > still have the unnecessary cast, no check for null and wonky exception > handling. Please fix this instance too. > > Once that is done, we can ACK the patch. > > Ade > > On Tue, 2013-02-19 at 18:04 -0800, Christina Fu wrote: >> Ade, >> >> Thank you for the review. >> >> Per our discussion. The agreed changes can now be found at: >> https://bugzilla.redhat.com/attachment.cgi?id=699762&action=diff&context=patch&collapsed=&headers=1&format=raw >> >> In addition, I have added changes to the admin cert profile to accept ECC: >> https://bugzilla.redhat.com/attachment.cgi?id=699763&action=diff&context=patch&collapsed=&headers=1&format=raw >> >> Also, I have now put the ECC setup instruction at this location: >> http://pki.fedoraproject.org/wiki/ECC_Setup_Instructions >> So the silentEC_readme.txt now only contains link to it: >> https://bugzilla.redhat.com/attachment.cgi?id=699764 >> >> thanks! >> Christina >> >> On 02/19/2013 12:04 PM, Ade Lee wrote: >>> Comments: >>> >>> In general, the code changes look fine. Just a couple of nitpicks .. >>> >>> 1. 
The variable save_p12 should be a boolean rather than a string. >>> >>> 2. In ComCrypto.java, you define setTokenName(). What about >>> getTokenName()? >>> >>> 3. In ComCrypto.java, on line 448, you cast token to (PK11Token) and on >>> 450, there is no cast. Why the discrepancy? Is the cast needed? >>> >>> 4. The exception handling in ComCrypto.java for lines 448/450 is pretty >>> wonky. It seems like token could return null. Could we improve the >>> exception handling in this case? >>> >>> Ade >>> >>> On Tue, 2013-02-19 at 11:26 -0800, Christina Fu wrote: >>>> This is a request for code review for the following feature bug: >>>> Bug 810967 - [RFE] ECC support for pkisilent >>>> >>>> the code changes can be found here: >>>> https://bugzilla.redhat.com/attachment.cgi?id=699587&action=diff&context=patch&collapsed=&headers=1&format=raw >>>> >>>> The 5 new templates and one readme instruction file can be found in >>>> the bug attachment. >>>> >>>> thanks! >>>> Christina >>>> >>>> >>>> _______________________________________________ >>>> Pki-devel mailing list >>>> Pki-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-devel > From awnuk at redhat.com Thu Feb 21 01:40:48 2013 From: awnuk at redhat.com (Andrew Wnuk) Date: Wed, 20 Feb 2013 17:40:48 -0800 Subject: [Pki-devel] [PATCH] CA system certificates with random serial numbers Message-ID: <51257B20.6010006@redhat.com> This patch adds support for CA system certificates with random serial numbers. Bug 913313 (updates bug 912554). -------------- next part -------------- Index: pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (revision 2524) +++ pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (working copy)
@@ -41,6 +41,16 @@ public interface ICertificateRepository extends IRepository { /** + * Retrieves the next certificate serial number, and also increases + * the serial number by one in case of sequential number assignmen. + * + * @return serial number + * @exception EBaseException failed to retrieve next serial number + */ + public BigInteger getNextSerialNumber() + throws EBaseException; + + /** * Adds a certificate record to the repository. Each certificate * record contains four parts: certificate, meta-attributes, * issue information and reovcation information. Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2524) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) @@ -242,6 +242,7 @@ BigInteger randomNumber = null; synchronized (nextSerialNumberMonitor) { + super.initCacheIfNeeded(); CMS.debug("CertificateRepository: getNextSerialNumber mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); if (mEnableRandomSerialNumbers) { From mharmsen at redhat.com Thu Feb 21 01:48:24 2013 
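Review bot: the new getNextSerialNumber() Javadoc has the "assignmen" typo already flagged in the ACK, and it documents only the sequential case; say what the random case guarantees (whether the returned value has been checked against existing records before it is handed back) because system-certificate issuance now depends on this interface method. The neighbouring "reovcation" typo in the addCertificateRecord comment could be fixed in the same pass.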
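Review bot: in the CertificateRepository hunk, `super.initCacheIfNeeded()` now runs on every call while nextSerialNumberMonitor is held, which is only acceptable if it is a cheap check-and-return once the cache is initialised; confirm that, and add a one-line comment naming the code path (the CA system certificate issuance this patch enables) that reaches getNextSerialNumber() before the cache is otherwise set up, so the next reader does not remove the call as redundant.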
From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 20 Feb 2013 17:48:24 -0800 Subject: [Pki-devel] [PATCH] CA system certificates with random serial numbers In-Reply-To: <51257B20.6010006@redhat.com> References: <51257B20.6010006@redhat.com> Message-ID: <51257CE8.4080007@redhat.com> On 02/20/13 17:40, Andrew Wnuk wrote: > This patch adds support for CA system certificates with random serial > numbers. > > Bug 913313 (updates bug 912554). > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK with CAVEAT CAVEAT: Fix the "assignmen" typo to be "assignment" in the comment. I received a demo of this code change. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Feb 21 22:11:21 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Feb 2013 16:11:21 -0600 Subject: [Pki-devel] [PATCH] 214 Added cert-request-show command. Message-ID: <51269B89.6070305@redhat.com> A new cert-request-show command has been added to allow EE users to check certificate request status. Ticket #511 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0214-Added-cert-request-show-command.patch Type: text/x-patch Size: 10604 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 22 17:12:04 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 22 Feb 2013 11:12:04 -0600 Subject: [Pki-devel] [PATCH] 215 Added security domain info validation. Message-ID: <5127A6E4.4050302@redhat.com> The installer script has been modified to validate security domain info in both interactive and silent installation. A basic Python API has been added to access the REST interface. Ticket #473 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0215-Added-security-domain-info-validation.patch Type: text/x-patch Size: 19898 bytes Desc: not available URL: