<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Note:  This patch is intended for Dogtag 10.1.  Once approved, it
    will also need to be applied to the 'master' branch.<br>
    <div class="moz-forward-container"><br>
      <br>
      -------- Original Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0"
        cellspacing="0">
        <tbody>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
            </th>
            <td>[Pki-devel] [PATCH] TRAC Ticket #816 - pki-tomcat cannot
              be started after installation of ipa replica with ca
              [20140225]</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
            <td>Tue, 25 Feb 2014 17:31:50 -0800</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
            <td>Matthew Harmsen <a class="moz-txt-link-rfc2396E" href="mailto:mharmsen@redhat.com">&lt;mharmsen@redhat.com&gt;</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
            <td>pki-devel <a class="moz-txt-link-rfc2396E" href="mailto:pki-devel@redhat.com">&lt;pki-devel@redhat.com&gt;</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <tt>This patch causes the 'sslserver' certificate for a CA clone
        to be signed by its associated master CA during configuration,
        and resolves the following bug:</tt><tt><br>
      </tt>
      <ul>
        <li><tt><a moz-do-not-send="true"
              href="https://fedorahosted.org/pki/ticket/816">Dogtag TRAC
              Ticket #816 - pki-tomcat cannot be started after
              installation of ipa replica with ca</a></tt><tt><br>
          </tt></li>
      </ul>
      <tt>This was necessary to avoid any changes which may have been
        made to the X500Name directory string encoding order (i.e.,
        creating a Cloned CA on Fedora 20 from a Master CA on Fedora
        19).</tt><tt><br>
      </tt><tt><br>
        The code was tested (applying the CAVEAT below) via end-to-end
        'pkispawn' installation and batch-based configuration; it has
        not yet been tested with GUI-based configuration.<br>
        <br>
      </tt><b><tt>CAVEAT:</tt></b><tt><br>
      </tt>
      <blockquote><tt>During the preparation of this patch it was
          discovered that an end-to-end test of functionality cannot be
          accomplished due to the <a moz-do-not-send="true"
            href="https://fedorahosted.org/389/ticket/47721">389 TRAC
            Ticket #47721 - Schema Replication Issue</a> which prevents
          the '99user.ldif' file from being properly replicated from the
          Master CA to the Cloned CA.  However, I verified that this
          code does work by shutting down DS on the cloned CA machine,
          manually replacing
          '/etc/dirsrv/slapd-&lt;clone&gt;/schema/99user.ldif' with
          '/etc/dirsrv/slapd-&lt;master&gt;/schema/99user.ldif',
          restarting DS and the Cloned CA, and successfully performing a
          test enrollment.</tt><br>
      </blockquote>
      <br>
    </div>
    <br>
  </body>
</html>