<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix"><tt>A revised patch has been attached
        to this email which addresses all of the issues below.</tt><tt><br>
      </tt><tt><br>
      </tt><tt>All tests documented below have been run successfully
        against this patch.</tt><tt><br>
      </tt><tt><br>
      </tt><tt>NOTE:  The tests have been modified slightly to comply
        with the latest PKI source code.</tt><tt><br>
      </tt><tt><br>
      </tt><tt>On 12/05/12 10:32, Ade Lee wrote:</tt><tt><br>
      </tt></div>
    <blockquote cite="mid:1354732351.29745.18.camel@aleeredhat.laptop"
      type="cite">
      <pre wrap="">Comments:
1. In pkiparser, you add:
 if not len(config.pki_master_dict['pki_security_domain_name']):
     config.pki_master_dict['pki_security_domain_name'] =\
     "External CA Security Domain"

We no longer distinguish security domains like this. The default as
defined by interpolation is fine.

2. I think we can remove the comment:
  # always set 'pki_skip_installation' true using a 'string'
in initialization.py

3. In pkijython.py, you do:
        elif config.str2bool(self.master['pki_external']) and\
             config.str2bool(self.master['pki_external_step_two']):
            # always remove pki_external DS data from external CA step 1
            data.setRemoveData("true")

This means that we'll set up the database and then blow it away and set
it up again in step 2.  Even more troubling, the request for the CA cert
is probably stored in the database during step 1 and is blown away in
step 2.  

The better way to do this would be to modify the configuration servlet
to skip database population if we are doing external CA step 2.

4. In pkijython.py, you extract the pin from CS.cfg and overwrite the
existing pin.  But perhaps a better thing to do would be to move this
code to pkiparser where the original pin is generated.

Ade

On Tue, 2012-12-04 at 22:31 -0800, Matthew Harmsen wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">The attached patch addresses the following PKI issues:
      * TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle
        external CA
This code has been successfully tested on a slightly earlier version
of the source tree, although the attached patch has been re-based to
the 'master'.

To test this code, the following procedure was followed on an x86_64
machine running 64-bit Fedora 18:
      * First, a standard CA was created to be used as an "External
        CA" using the following command and file ('# mv typescript
        typescript.external' once finished):
              * script -c 'pkispawn -s CA -f /tmp/pki/external.cfg
                -vvv'
                
                # cat external.cfg 
                [Common]
                pki_admin_password=<password>
                pki_backup_password=<password>
                pki_client_pkcs12_password=<password>
                pki_ds_password=<password>
                pki_security_domain_password=<password>
                pki_http_port=18080
                pki_https_port=18443
                pki_instance_name=pki-external-tomcat
                [Tomcat]
                pki_ajp_port=18009
                pki_tomcat_server_port=18005
                
      * Next, Step 1 for a CA which depended upon this External CA was
        created using the following command and file ('# mv typescript
        typescript.step_1' once finished):
              * script -c 'pkispawn -s CA -f /tmp/pki/ca_1.cfg -vvv'
                
                # cat ca_1.cfg 
                [Common]
                pki_admin_password=<password>
                pki_backup_password=<password>
                pki_client_pkcs12_password=<password>
                pki_ds_password=<password>
                pki_security_domain_password=<password>
                [CA]
                pki_external=True
                pki_external_csr_path=/tmp/pki/config/ca_signing.csr
                pki_ca_signing_subject_dn=CA Signing Certificate,o=%(pki_security_domain_name)s External
                
      * Next, the CSR contained in the file '/tmp/pki/ca_signing.csr'
        was utilized to create a certificate using the "External CA"
        using the following procedure:
              * External CA:
                
                EE:     Enrollment/Renewal Tab
                        * Use 'Manual Certificate Manager Signing
                Certificate Enrollment'
                
                AGENT:  Approve request by pressing 'submit'
                
                EE:     Retrieval Tab
                        * Use 'Check Request Status' to obtain the
                base 64 encoded certificate
                        * Store this blob into the file specified by
                the value of 'pki_external_ca_cert_path' in ca_2.cfg
                
                EE:     Retrieval Tab
                        * Use 'Import CA Certificate Chain' and select
                the radio button entitled 'Display certificates in the
                CA certificate chain for
                          importing individually into a server' to
                obtain the base 64 encoded certificate chain
                        * Store this blob into the file specified by
                the value of 'pki_external_ca_cert_chain_path' in
                ca_2.cfg
                
      * Finally, Step 2 for a CA which depended upon this External CA
        was created using the following command and file ('# mv
        typescript typescript.step_2' once finished):
              * script -c 'pkispawn -s CA -f /tmp/pki/ca_2.cfg -vvv'
                
                # cat ca_2.cfg 
                [Common]
                pki_admin_password=<password>
                pki_backup_password=<password>
                pki_client_pkcs12_password=<password>
                pki_ds_password=<password>
                pki_security_domain_password=<password>
                [CA]
                pki_external=True
                pki_external_ca_cert_chain_path=/tmp/pki/config/ca_signing_chain.cert
                pki_external_ca_cert_path=/tmp/pki/config/ca_signing.cert
                pki_external_step_two=True
                pki_ca_signing_subject_dn=CA Signing Certificate,o=%(pki_security_domain_name)s External
                
_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a>
</pre>
      </blockquote>
      <pre wrap="">

</pre>
    </blockquote>
    <ul>
      <li><tt>Additionally, as a final sanity test, a default KRA was
          created re-utilizing the 'ca_1.cfg' file ('# mv typescript
          typescript.kra' once finished):</tt></li>
      <ul>
        <li><tt>script -c 'pkispawn -s KRA -f /tmp/pki/ca_1.cfg -vvv'</tt><tt><br>
          </tt></li>
      </ul>
    </ul>
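<p>The two-step external CA deployment exercised in the test procedure above, and the review comment about wiping the DS data in step 2, as an added example that is not part of this thread or of the Dogtag PKI code: a stand-alone Python check that classifies a pkispawn [CA] section as a step-1 or step-2 external deployment, verifies the keys each step needs, resolves the %(pki_security_domain_name)s interpolation, and records that step 2 must keep what step 1 populated. The str2bool helper, the [DEFAULT] stand-in for pkispawn's built-in defaults and the file contents are assumptions.</p>

```python
import configparser

# Constructed stand-ins for ca_1.cfg / ca_2.cfg from the test procedure.
# [DEFAULT] imitates pkispawn's built-in pki_security_domain_name (assumption).
CA_STEP1_CFG = """\
[DEFAULT]
pki_security_domain_name=Example Security Domain
[CA]
pki_external=True
pki_external_csr_path=/tmp/pki/config/ca_signing.csr
pki_ca_signing_subject_dn=CA Signing Certificate,o=%(pki_security_domain_name)s External
"""
CA_STEP2_CFG = CA_STEP1_CFG.replace(
    "pki_external_csr_path=/tmp/pki/config/ca_signing.csr\n",
    "pki_external_step_two=True\n"
    "pki_external_ca_cert_path=/tmp/pki/config/ca_signing.cert\n"
    "pki_external_ca_cert_chain_path=/tmp/pki/config/ca_signing_chain.cert\n",
)
# Keys each phase needs before the deployment may proceed.
REQUIRED_KEYS = {"standard": (), "step1": ("pki_external_csr_path",),
                 "step2": ("pki_external_ca_cert_path", "pki_external_ca_cert_chain_path")}

def str2bool(value):
    """Loose boolean parsing, in the spirit of the page's config.str2bool (assumed)."""
    return str(value).strip().lower() in ("true", "yes", "1", "on")

def external_ca_phase(ca_section):
    """Classify [CA] as a standard, external step-1 or external step-2 deployment."""
    if not str2bool(ca_section.get("pki_external", fallback="False")):
        return "standard"
    if str2bool(ca_section.get("pki_external_step_two", fallback="False")):
        return "step2"
    return "step1"

def plan_deployment(cfg_text):
    """Validate the file and decide how the configuration step treats the DS data."""
    parser = configparser.ConfigParser()  # BasicInterpolation resolves %(name)s
    parser.read_string(cfg_text)
    ca = parser["CA"]
    phase = external_ca_phase(ca)
    missing = [key for key in REQUIRED_KEYS[phase] if not ca.get(key, fallback="")]
    return {
        "phase": phase,
        "missing": missing,
        # Step 2 must keep what step 1 wrote (including the CA signing request):
        # populate only on a fresh install, and never ask for the DS data to be removed.
        "populate_database": phase != "step2",
        "remove_data": False,
        "signing_subject_dn": ca.get("pki_ca_signing_subject_dn"),
    }
```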
    <br>
  </body>
</html>