[Freeipa-devel] [PATCH] Add DRM to IPA

Rob Crittenden rcritten at redhat.com
Mon Apr 7 20:40:47 UTC 2014

Ade Lee wrote:
>      This patch adds the capability of installing a Dogtag DRM
>      to an IPA instance.  With this patch, when ipa-server-install
>      is run, a Dogtag CA and a Dogtag DRM are created.  The DRM
>      shares the same tomcat instance and DS instance as the Dogtag CA.
>      Moreover, the same admin user/agent (and agent cert) can be used
>      for both subsystems.  Certmonger is also confgured to monitor the
>      new subsystem certificates.
>      It is also possible to clone the DRM.  When the IPA instance is
>      cloned, if --enable-ca and --enable-drm are specified, the DRM
>      is cloned as well.
>      Installing a DRM requires the user to have a Dogtag CA instance.
>      We can look into possibly relaxing that requirement in a later patch.
>      I am still working on patches for a ipa-drm-install script, which
>      would be used to add a DRM to an existing master (that includes
>      a dogtag CA), or an existing clone.
>     Please review,
>     Thanks,
>     Ade

Yikes, I wonder if the changes to ipaserver/install/cainstance.py should 
be pushed ASAP.

freeipa-spec.in needs a dependency on pki-kra.

Is it necessary to check for pkispawn/destroy in check_inst()? That 
should be handled by the CA install, right?

You need to bump the version in ipa-pki-proxy.conf so that upgrades get 
the new configuration.

Rather than this:

+    if setup_drm:
+        fd.write("enable_drm=True\n")
+    else:
+        fd.write("enable_drm=False\n")

Why not:

     fd.write("enable_drm=%s\n" % setup_drm)

If o=ipadrm is a new root we'll need to backup/restore it right?

You should import PKI_USER and HTTPD_CONFD from cainstance.py rather 
than redefining them.

You should probably call the is_installed() from cainstance.py rather 
than redefining this. The function might be ok but I'd replace the 
contents with:

     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
     return ca.is_installed()

If the DRM is already installed we don't have a way to uninstall it so 
we shouldn't recommend that as an option.

The value for pki_issuing_ca_uri doesn't create a valid URL (missing 
//). You should use this form instead:

config.set("KRA", "pki_issuing_ca_uri", "https://%s" % 
ipautil.format_netloc(self.fqdn, 443))

I think that update_people_entry() should probably be moved into 
installutils.py and used for both the CA and DRM instances.

It makes a certain amount of sense to use /etc/ipa/default.conf. It may 
be outside the scope here but it if we're including it, but would it be 
better to use that for everything rather than splitting between two files?

The install failed for me. I've attached the KRA debug log.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.gz
Type: application/x-gzip
Size: 6055 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140407/4f30d71f/attachment.bin>

More information about the Freeipa-devel mailing list