<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>This patch documents continued implementation of the PKI
Deployment Framework based upon the revised filesystem layout
documented here:<br>
</tt>
<ul>
<li><tt><a class="moz-txt-link-freetext"
href="http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS">http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS</a></tt></li>
</ul>
<tt>This patch addresses the following issues:<br>
</tt>
<ul>
<li><tt>TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of
sporadically "not" removing "/etc/sysconfig/{pki_instance_id}"
. . .</tt></li>
<li><tt>TRAC Ticket #264 - Dogtag 10: Enable various other
subsystems for configuration . . .</tt></li>
<li><tt>TRAC Ticket #261 - Dogtag 10: Revisit command-line options
of 'pkispawn' and 'pkidestroy' . . .</tt></li>
<li><tt>TRAC Ticket #268 - Dogtag 10: Create a parameter for
optional restart of configured PKI instance . . .</tt></li>
<li><tt>TRAC Ticket #270 - Dogtag 10: Add missing parameters to
'pkideployment.cfg' . . .</tt></li>
<li><tt>TRAC Ticket #265 - Dogtag 10: Provide configurable options
for PKI client information . . .</tt></li>
<li><tt>TRAC Ticket #275 - Dogtag 10: Add debug information
(comments) to Tomcat 7 "logging.properties"</tt></li>
<li><tt>TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to
the 'sensitive' dictionary</tt></li>
<li><tt>TRAC Ticket #277 - Dogtag 10: Create an 'archive' for
'manifest' and 'pkideployment.cfg' files</tt></li>
</ul>
<p><tt><b>WARNING: Due to some of the changes to the command-line
parameters (mainly the introduction of a dependency on the
existence of a new symlink), instances previously created with
the old "pkispawn" will once again need to be removed by the
old "pkidestroy" PRIOR to the installation of this patch.</b><br>
</tt> <tt><br>
</tt><tt>Note: You will definitely need to establish the
following "passwords" in your copy of "pkideployment.cfg" in
order to install a "CA":<br>
</tt></p>
<blockquote>
<ul>
<li><tt>pki_admin_password</tt></li>
<li><tt>pki_client_pkcs12_password</tt></li>
<li><tt>pki_ds_password</tt></li>
<li><tt>pki_security_domain_password</tt></li>
</ul>
<tt>I ran the following command: pkispawn -s CA -f
/tmp/pki/pkideployment.cfg -vvv<br>
<br>
Unfortunately, for me, out-of-the-box installation failed with
the following problem:<br>
</tt>
<ul>
<li><tt>pkispawn : ERROR ....... port 8080 has invalid
selinux context http_cache_port_t</tt></li>
</ul>
<tt>This error occurred despite downloading the latest SELinux
policies on my 64-bit Fedora 17 box and compiling 'pki-selinux'
against them.<br>
<br>
The work-around that I used was to edit
"/usr/lib/python2.7/site-packages/pki/deployment/initialization.py"
and comment out the call to
"util.configuration_file.verify_selinux_ports()" in the
'spawn()' method.<br>
<br>
Re-running the command 'pkispawn -s CA -f
/tmp/pki/pkideployment.cfg -vvv' now produces the following
error:<br>
</tt>
<blockquote><tt>pkispawn : INFO ... populating
'pki.deployment.selinux_setup'<br>
Traceback (most recent call last):<br>
&nbsp;&nbsp;File "/bin/pkispawn", line 225, in &lt;module&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;main(sys.argv)<br>
&nbsp;&nbsp;File "/bin/pkispawn", line 212, in main<br>
&nbsp;&nbsp;&nbsp;&nbsp;rv = instance.spawn()<br>
&nbsp;&nbsp;File "/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py", line 69, in spawn<br>
&nbsp;&nbsp;&nbsp;&nbsp;port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)<br>
&nbsp;&nbsp;File "/usr/lib64/python2.7/site-packages/seobject.py", line 1045, in add<br>
&nbsp;&nbsp;&nbsp;&nbsp;self.__add(port, proto, serange, type)<br>
&nbsp;&nbsp;File "/usr/lib64/python2.7/site-packages/seobject.py", line 1002, in __add<br>
&nbsp;&nbsp;&nbsp;&nbsp;raise ValueError(_("Port %s/%s already defined") % (proto, port))<br>
ValueError: Port tcp/8080 already defined<br>
</tt></blockquote>
<tt>My work-around to fix this error is to remove the symlinks
which call the 'selinux_setup.py' scriptlet for both 'pkispawn'
and 'pkidestroy':<br>
</tt>
<ul>
<li><tt>rm /usr/share/pki/deployment/spawn/*/035_selinux_setup</tt></li>
<li><tt>rm /usr/share/pki/deployment/destroy/*/985_selinux_setup</tt></li>
</ul>
<tt>Unfortunately, at this stage, sufficient installation has been
made which prevents a new installation, and 'pkidestroy' in its
current incarnation will be unable to completely remove the
instance. Therefore, presuming an instance name of 'pki-tomcat',
run the following commands:<br>
</tt>
<ul>
<li><tt>rm -rf /var/lib/pki</tt></li>
<li><tt>rm -rf /etc/pki/pki-tomcat/</tt></li>
<li><tt>rm -rf /etc/sysconfig/pki</tt></li>
<li><tt>rm -rf /var/log/pki</tt></li>
<li><tt>rm /etc/sysconfig/pki-tomcat (this command will fail, as
it has not yet been created)<br>
</tt></li>
</ul>
</blockquote>
<blockquote><tt>Re-running the command 'pkispawn -s CA -f
/tmp/pki/pkideployment.cfg -vvv' should now run to successful
completion!<br>
<br>
To test this patch, run the test instructions documented in
earlier patches for installing the Admin Cert.<br>
</tt><tt>Note that the 'ca_admin_cert.p12' file is now located
under
'/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12',
and since a browser may not have the appropriate permissions to
traverse past the '/var/lib/pki' directory, the administrator
will need to make this file available (i.e., copy it to /tmp).<br>
<br>
<b>Please note that, although KRA, OCSP, and TKS installations
will run to completion, at the present time, a crash occurs in
the invocation of the java configuration client (quite possibly
due to the specification of incorrect/incomplete parameters for
these subsystems).</b><br>
<br>
</tt></blockquote>
<tt>Thanks,<br>
-- Matt</tt><br>
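<p><tt>The SELinux port problem hit above, worked through as an added example
(Python; this is not code from the patch, from Dogtag, or from Matt): it parses
"semanage port -l" output, checks whether each PKI port already carries the
expected type, and tells apart ports that must be added from ports that must be
modified. That distinction is what the "Port tcp/8080 already defined"
ValueError is about: seobject's portRecords.add() refuses a port that is already
labeled with any type (on a stock policy 8080 is http_cache_port_t), so the
labeled-but-wrong case has to go through modify() / "semanage port -m" rather
than add() / "semanage port -a". The sample "semanage port -l" output is
constructed, and the port list and the expected type "http_port_t" are
assumptions for the example rather than values taken from the patch.</tt></p>

```python
"""Added example (not part of the patch or of Dogtag): reproduce the SELinux
port-label check that 'pkispawn' performs, and tell 'add' apart from 'modify'.

Everything below runs offline against a constructed, abridged sample of
`semanage port -l` output; the PKI port list and the expected type
http_port_t are assumptions for the example.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

PortKey = Tuple[str, int]  # (protocol, port number)

# Constructed sample of `semanage port -l` output; NOT a capture from a real box,
# but it deliberately lists 8080 under http_cache_port_t, as in the error above.
SAMPLE_SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

afs_client_port_t              udp      7001
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
"""

# Assumed Tomcat-side ports for a CA instance (hypothetical values for the
# example; on a real system they come from pkideployment.cfg).
PKI_TCP_PORTS: List[PortKey] = [("tcp", 8080), ("tcp", 8443), ("tcp", 8009), ("tcp", 8005)]
EXPECTED_TYPE = "http_port_t"  # assumed value of config.PKI_PORT_SELINUX_CONTEXT


def parse_semanage_ports(text: str) -> Dict[PortKey, str]:
    """Map every (proto, port) named in `semanage port -l` output to its type.

    Ranges such as 10001-10010 are expanded so individual ports can be looked up.
    """
    labels: Dict[PortKey, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue  # header, blank line, or a line we do not understand
        setype, proto, numbers = parts
        for item in numbers.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-", 1))
                ports = range(lo, hi + 1)
            else:
                ports = range(int(item), int(item) + 1)
            for port in ports:
                labels[(proto, port)] = setype
    return labels


def plan_port_labels(labels, wanted, expected=EXPECTED_TYPE):
    """For each wanted port decide: 'ok', 'add' (unlabeled) or 'modify' (labeled
    with some other type). Calling add() on an already-labeled port is exactly
    what raised 'Port tcp/8080 already defined'; that case needs modify().
    """
    plan: Dict[PortKey, Tuple[str, Optional[str]]] = {}
    for key in wanted:
        current = labels.get(key)
        if current == expected:
            plan[key] = ("ok", current)
        elif current is None:
            plan[key] = ("add", None)
        else:
            plan[key] = ("modify", current)
    return plan


def semanage_commands(plan, expected=EXPECTED_TYPE) -> List[str]:
    """Turn the plan into the semanage invocations an administrator would run."""
    flag = {"add": "-a", "modify": "-m"}
    return [
        f"semanage port {flag[action]} -t {expected} -p {proto} {port}"
        for (proto, port), (action, _current) in sorted(plan.items())
        if action in flag
    ]


def live_port_labels() -> Dict[PortKey, str]:
    """Read the real policy (needs root and SELinux tooling; not used offline)."""
    out = subprocess.run(["semanage", "port", "-l"], check=True,
                         capture_output=True, text=True).stdout
    return parse_semanage_ports(out)


if __name__ == "__main__":
    plan = plan_port_labels(parse_semanage_ports(SAMPLE_SEMANAGE_PORT_L), PKI_TCP_PORTS)
    for (proto, port), (action, current) in sorted(plan.items()):
        print(f"{proto}/{port}: {action} (currently {current or 'unlabeled'})")
    for cmd in semanage_commands(plan):
        print(cmd)
```

<p><tt>Run against the constructed sample, 8080 comes back as "modify" (it is
already http_cache_port_t), 8443 and 8009 as "ok", and the unlabeled 8005 as
"add"; swapping in live_port_labels() on a real Fedora host gives the same
verdicts for the actual policy, and the emitted "semanage port -m" line is the
manual equivalent of what the scriptlet would have to do instead of add().</tt></p>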
</body>
</html>