<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><tt>On 07/18/12 09:13, Ade Lee wrote:<br>
</tt></div>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>Initial Comments:
1. As specified on #irc, please move the spawn or destroy log
into /var/log/pki (and also remove the code that cleans this location
when the last instance has been removed). This will make the selinux
rules cleaner.
</tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/225">https://fedorahosted.org/pki/ticket/225</a> Dogtag 10: Move
"pkispawn"/"pkidestroy" logs</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
2. Does CS.cfg include entries that are no longer needed because they
are used by pkicreate? Please file a trac task to remove these
post-alpha. Also, please check that the pkicreate* entries are not used
elsewhere in the code (and are correct if they are).</tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/222">https://fedorahosted.org/pki/ticket/222</a></tt><tt> Dogtag 10:
Scrub 'pkicreate'/'pkidestroy' entries from CS.cfg</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
3. Catalina.properties contains commented out jars for each of the
subsystems in the common.loader. These should be removed.
</tt></pre>
</blockquote>
<tt>It was determined that we could safely remove these commented
areas.<br>
This will be addressed in the current patch prior to being
re-submitted.<br>
</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
4. In server.xml:
After the line: <!-- DO NOT REMOVE - Begin define PKI secure port</tt><tt>
there is a line with a single 1 on it (and nothing else) What is that
for?
</tt></pre>
</blockquote>
<tt>It was determined that we could safely remove this line.<br>
This will be addressed in the current patch prior to being
re-submitted.</tt><br>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
5. tomcat.conf. Tomcat is currently configured to not run under a
security manager. Please create a task to re-enable a security manager.
</tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/223">https://fedorahosted.org/pki/ticket/223</a></tt><tt> Dogtag 10:
Re-enable Security Manager in 'tomcat.conf' for Tomcat 7</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
6. We are still creating a default web.xml at common/shared/web.xml. Is
this something that is still needed? Can it be removed? </tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/230">https://fedorahosted.org/pki/ticket/230</a></tt><tt> Dogtag 10:
Investigate the need for a 'common/shared/web.xml' file</tt><br>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
7. pkideployment.cfg contains an "[Optional]" section which contains
values which may be changed, but for which default values are provided
if needed. The user though has no way of knowing what these defaults
are, and so cannot determine if they should override them. Would it
make more sense to fill in these optional values with the defaults?
What distinguishes there parameters from other parameters in the file?</tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/227">https://fedorahosted.org/pki/ticket/227</a> Dogtag 10: Document
'pkideployment.cfg'<br>
<br>
Additionally, it was determined that we would move all parameters
from the [Mandatory] and [Optional]<br>
sections of this file to other more appropriate sections (e.g. -
[Common], [CA], [KRA], etc.),<br>
and these sections and all of their associated logic would be
removed from the 'pki-deploy' package.<br>
<br>
This will be addressed in the current patch prior to being
re-submitted.</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
8. In pkispawn and pkidestroy, why do we get the domain name? So, if
the domain name is not set, can we no longer do pkispawn/destroy? Under
what conditions will the subprocess throw an exception and exit?
</tt></pre>
</blockquote>
<tt>It was determined that prior to exiting, we would issue a log
message which warns the user<br>
that a machine must contain a valid domain in order to effectively
utilize PKI services.<br>
<br>
This will be addressed in the current patch prior to being
re-submitted.</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite"> </blockquote>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
9. pkijython.py -- construct_pki_configuration_data:
a) external CA does not require new security domain
b) is the subsystem name not configurable? The defaults should also
probably be more identifiable - say including host and port.
c) clone may not require hierarchy to be set to "root"
In general though, I find the structure of this function very confusing.
It would be better - or more easily maintainable - to break this into
separate functions for each subsystem type.
ie. configureRootCA(), configureSubordinateCA(),
configureClonedRootCA(), configureClonedSubordinateCA() etc.
and have them call functions like:
createSigningCertData(), createTrnasportCertData() and the like.
It may be more code to do this, but it will be clearer than a set of
nested if-then statements.
</tt></pre>
</blockquote>
<tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/231">https://fedorahosted.org/pki/ticket/231</a> Dogtag 10: Update PKI
Deployment to handle external CA<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/224">https://fedorahosted.org/pki/ticket/224</a></tt><tt> Dogtag 10:
Modularize 'construct_pki_configuration_data' method in the
'rest_client' class in 'pkijython.py'<br>
<br>
Additionally, items 9.a) and 9.b) will be addressed </tt><tt>in
the current patch prior to being re-submitted.<br>
<br>
Further, it has been suggested that TRAC ticket #224 be addressed
PRIOR to addressing 9.c. above.<br>
</tt>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
More comments after my lunch ..
Ade
</tt></pre>
</blockquote>
<tt>The following additional TRAC tickets came out of these
discussions:<br>
</tt>
<ul>
<li><tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/226">https://fedorahosted.org/pki/ticket/226</a></tt><tt> Dogtag
10: Modularize 'compose_pki_master_dictionary' function in
'pkiparser.py'</tt></li>
<li><tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/228">https://fedorahosted.org/pki/ticket/228</a> Dogtag 10:
Refactor 'pkispawn' and 'pkideploy'</tt></li>
<li><tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/229">https://fedorahosted.org/pki/ticket/229</a> Dogtag 10:
Sanitize 'spec' files</tt></li>
<li><tt><a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/221">https://fedorahosted.org/pki/ticket/221</a></tt><tt> Dogtag
10: Create a PKCS #12 file containing the Admin Certificate<br>
(work complete sans smoke test; will be submitted as a
separate patch immediately following this patch) <br>
</tt></li>
</ul>
<blockquote cite="mid:1342628030.2801.130.camel@aleeredhat.laptop"
type="cite">
<pre wrap=""><tt>
On Mon, 2012-07-16 at 19:28 -0700, Matthew Harmsen wrote:
</tt></pre>
<blockquote type="cite">
<pre wrap=""><tt>This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* <a class="moz-txt-link-freetext" href="http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS">http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS</a>
The following patch adds/corrects functionality of the existing PKI
Deployment Framework including (but not limited to):
* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to support
revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot' parameter
* Introduction of default configuration of 'log4j' mechanism
(alee)
* Modify web.xml to use new Application classes to bootstrap
servers (alee)
* Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat
7 API change (jmagne)
* Added jython helper function to allow attaching a remote java
debugger (e. g. - eclipse)
Additionally, this patch has been re-based against the current
'master' and has been successfully executed to completion with regards
to installing a CA, enrolling for a certificate, and accepting a
certificate on a 64-bit Fedora 17 installation.
-- Matt
_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a>
</tt></pre>
</blockquote>
<pre wrap=""><tt>
</tt></pre>
</blockquote>
<tt><br>
</tt><br>
</body>
</html>