<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix"><tt>ACK</tt><tt> </tt><tt> </tt><tt>Code review of this produced two new TRAC Tickets:</tt><tt> </tt> <ul> <li><tt>TRAC Ticket #502 - </tt><tt>Dogtag 10: Change pkidestroy "-w" option to require a password file rather than a raw password</tt></li> <li><tt>TRAC Ticket #503 - </tt><tt>Dogtag 10: Security Domain Issues</tt><tt> </tt><tt> </tt></li> </ul> <tt>These changes were tested using two scenarios as described in TRAC Ticket #503 - Dogtag 10: Security Domain Issues</tt><tt>.</tt><tt> </tt><tt> </tt><tt>-- Matt</tt><tt> </tt><tt> </tt><tt>On 02/04/13 17:39, Matthew Harmsen wrote:</tt><tt> </tt></div> <blockquote cite="mid:511062E1.5010603@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <div class="moz-cite-prefix"><tt>On 02/01/13 11:54, Ade Lee wrote:</tt><tt> </tt> </div> <blockquote cite="mid:1359748449.2320.39.camel@aleeredhat.laptop" type="cite"> <pre wrap="">We want to use the admin interface for installation work. This patch moves the interfaces used in cloning from either the EE or agent interface to the admin one. See: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning">http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning</a> Specifically, 1. Change call to use /ca/admin/ca/getCertChain 2. Remove unneeded getTokenInfo servlet. The logic not to use this servlet has already been committed to dogtag 10. 3. Move updateNumberRange to the admin interface. For backward compatibility with old instances, the install code will call /ca/agent/updateNumberRange as a fallback. 4. Add updateDomainXML to admin interface. For backward compatibility, updateDomainXML will continue to be exposed on the agent interface with agent client auth. 5. Changed pkidestroy to get an install token and use the admin interface to update the security domain. For backward compatibility, the user and password and not specified as mandatory arguments - although we want to do that in future. Please review, Ade </pre> <tt> </tt> <fieldset class="mimeAttachmentHeader"></fieldset> <tt> </tt> <pre wrap="">_______________________________________________ Pki-devel mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre> </blockquote> <tt>Alee,</tt><tt> </tt> <tt> </tt> <tt>Sorry, but I require some additional information to properly test this patch for a CA and its clone using a single machine. Hopefully, I can address these issues relatively quickly tomorrow after obtaining your answers.</tt><tt> </tt> <tt> </tt> <tt>I have pulled a new tree after the meeting this morning (which does not include the patches added at 3:49 P. M. by edewata), created a branch, applied all five of your changes, and built and installed the packages on a fresh x86_64 Fedora 18 system (e. g. - 'foobar.example.com').</tt><tt> </tt> <tt> </tt> <tt>In order to test the code, I would like to perform the following two tests using a single machine:</tt><tt> </tt> <ol> <li><tt>pkispawn using the new configuration servlet for both the CA and the CA Clone</tt></li> <li><tt>pkispawn using the old GUI configuration (by specifying a DEFAULT value of pki_skip_configuration=True) for both CA and the CA Clone</tt></li> </ol> <tt>However, with the new interpolation model, I do not know every single value that needs to be overridden to have both the CA and CA Clone, as well as the two directory servers, on the same system.</tt><tt> </tt> <tt> </tt> <tt>I have the following:</tt><tt> </tt> <ul> <li><tt>installed a default directory server instance (e. g. - foobar) running on port 389</tt></li> <li><tt>installed a CA (e. g. - default configuration specifying backup keys in order to create the CA clone):</tt><tt> </tt> <tt>[DEFAULT]</tt><tt> </tt> <tt>pki_admin_password=XXXXXXXX</tt><tt> </tt> <tt>pki_backup_password=XXXXXXXX</tt><tt> </tt> <tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt> </tt> <tt>pki_ds_password=XXXXXXXX</tt><tt> </tt> <tt>pki_security_domain_password=XXXXXXXX</tt><tt> </tt> <tt>pki_backup_keys=True</tt></li> <li><tt>successfully configured a browser, requested, enrolled, and issued a test certificate</tt><tt> </tt> </li> <li><tt>installed a second directory server instance (e. g. - foobar-clone) running on port 8389</tt></li> <li><tt>about to install a CA Clone using the following parameters:</tt><tt> </tt> <tt>[DEFAULT]</tt><tt> </tt> <tt>pki_admin_password=XXXXXXXX</tt><tt> </tt> <tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt> </tt> <tt>pki_ds_password=XXXXXXXX</tt><tt> </tt> <tt>pki_security_domain_password=XXXXXXXX</tt><tt> </tt> <tt>pki_security_domain_hostname=foobar.example.com</tt><tt> </tt> <tt>pki_security_domain_https_port=8443</tt><tt> </tt> <tt>pki_ds_ldap_port=8389</tt><tt> </tt> <tt>pki_ds_ldaps_port=8636</tt><tt> </tt> <tt>[CA]</tt><tt> </tt> <tt>pki_ajp_port=17009</tt><tt> </tt> <tt>pki_clone=True</tt><tt> </tt> <tt>pki_clone_pkcs12_password=XXXXXXXX</tt><tt> </tt> <tt>pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12</tt><tt> </tt> <tt>pki_clone_replicate_schema=True</tt><tt> </tt> <tt>pki_clone_replication_master_port=</tt><tt> </tt> <tt>pki_clone_replication_clone_port=</tt><tt> </tt> <tt>pki_clone_replication_security=None</tt><tt> </tt> <tt>pki_clone_uri=</tt><tt><a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://foobar.example.com:8443">http://foobar.example.com:8443</a></tt><tt> </tt> <tt>pki_http_port=17080</tt><tt> </tt> <tt>pki_https_port=17443</tt><tt> </tt> <tt>pki_instance_name=pki-tomcat-ca-clone</tt><tt> </tt> <tt>pki_tomcat_server_port=17005</tt><tt> </tt> </li> </ul> <tt>Questions:</tt><tt> </tt> <ul> <li><tt>Are the two tests specified above sufficient to test your patch, or do I need to check the other two test cases of mixing an old GUI configuration (CA) with new configuration servlet (CA clone), and vice-versa?</tt><tt> (I believe that this code will require re-testing under a separated ports model for versions of the product earlier than Dogtag 10).</tt><tt> </tt> </li> <li><tt>What parameter(s) do I need to add to the CA Clone configuration file under what sections to reference the 'foobar-clone' directory instance?</tt></li> <li><tt>What value, if any, do I need to supply to the 'pki_clone_replication_master_port'?</tt></li> <li><tt>What value, if any, do I need to supply to the 'pki_clone_replication_clone_port'?</tt></li> <li><tt>Should I leave 'pki_clone_replication_security=None'?</tt></li> <li><tt>Are there any other parameters that I am missing, and if so, under what section should they be defined?</tt></li> <li><tt>Are there any parameters specified that contain incorrect values?</tt><tt> </tt> </li> <li><tt>Are any parameters specified in the incorrect sections?</tt><tt> </tt> </li> </ul> <tt>Thanks in advance,</tt><tt> </tt> <tt>-- Matt</tt><tt> </tt> <tt> </tt> <fieldset class="mimeAttachmentHeader"></fieldset> <tt> </tt> <pre wrap="">_______________________________________________ Pki-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre> </blockquote> </body> </html>