<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/22/15 12:51, John Magne wrote:<br>
</div>
<blockquote
cite="mid:740290619.3737847.1432320700271.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">Good we can get this feature going.
A couple of comments:
1. I'm sure we have done a bunch of testing to get the hsm case working,
if not done, it might be good to try a basic software case to make sure that
still works.</pre>
</blockquote>
Done.<br>
<br>
Successfully built and installed software master/clone, and
enrolled/approved all four possibilities:<br>
<ul>
<li>master/master</li>
<li>clone/clone</li>
<li>master/clone</li>
<li>clone/master<br>
</li>
</ul>
<blockquote
cite="mid:740290619.3737847.1432320700271.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">
2. In SystemConfigService.java line: 1120
I think we may replace:
    throw new BadRequestException("HSM clones must share their HSM master's private keys");
with:
    if (data.getP12File() != null) {
        throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
    }
    if (data.getP12Password() != null) {
        throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
    }
Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
</pre>
</blockquote>
Fixed<br>
<blockquote
cite="mid:740290619.3737847.1432320700271.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">
3.
Ran a quick pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like an easy fix.
</pre>
</blockquote>
Fixed<br>
<blockquote
cite="mid:740290619.3737847.1432320700271.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">
----- Original Message -----
From: "Matthew Harmsen" <a class="moz-txt-link-rfc2396E" href="mailto:mharmsen@redhat.com">&lt;mharmsen@redhat.com&gt;</a>
To: "pki-devel" <a class="moz-txt-link-rfc2396E" href="mailto:pki-devel@redhat.com">&lt;pki-devel@redhat.com&gt;</a>
Sent: Thursday, May 21, 2015 4:40:21 PM
Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
Please review the attached patch which addresses the following ticket:
* PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
</pre>
</blockquote>
New patch attached.<br>
<br>
<br>
</body>
</html>