[Freeipa-devel] [PATCH] Add DRM to IPA
rcritten at redhat.com
Mon Apr 7 20:40:47 UTC 2014
Ade Lee wrote:
> This patch adds the capability of installing a Dogtag DRM
> to an IPA instance. With this patch, when ipa-server-install
> is run, a Dogtag CA and a Dogtag DRM are created. The DRM
> shares the same tomcat instance and DS instance as the Dogtag CA.
> Moreover, the same admin user/agent (and agent cert) can be used
> for both subsystems. Certmonger is also configured to monitor the
> new subsystem certificates.
> It is also possible to clone the DRM. When the IPA instance is
> cloned, if --enable-ca and --enable-drm are specified, the DRM
> is cloned as well.
> Installing a DRM requires the user to have a Dogtag CA instance.
> We can look into possibly relaxing that requirement in a later patch.
> I am still working on patches for an ipa-drm-install script, which
> would be used to add a DRM to an existing master (that includes
> a dogtag CA), or an existing clone.
> Please review,
Yikes, I wonder if the changes to ipaserver/install/cainstance.py should
be pushed ASAP.
freeipa-spec.in needs a dependency on pki-kra.
Is it necessary to check for pkispawn/destroy in check_inst()? That
should be handled by the CA install, right?
You need to bump the version in ipa-pki-proxy.conf so that upgrades get
the new configuration.
Rather than this:
+ if setup_drm:
fd.write("enable_drm=%s\n" % setup_drm)
If o=ipadrm is a new root we'll need to backup/restore it right?
You should import PKI_USER and HTTPD_CONFD from cainstance.py rather
than redefining them.
You should probably call the is_installed() from cainstance.py rather
than redefining this. The function might be ok but I'd replace the
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
If the DRM is already installed we don't have a way to uninstall it so
we shouldn't recommend that as an option.
The value for pki_issuing_ca_uri doesn't create a valid URL (missing
//). You should use this form instead:
config.set("KRA", "pki_issuing_ca_uri", "https://%s" %
I think that update_people_entry() should probably be moved into
installutils.py and used for both the CA and DRM instances.
It makes a certain amount of sense to use /etc/ipa/default.conf. It may
be outside the scope here, but if we're including it, would it be
better to use that for everything rather than splitting between two files?
The install failed for me. I've attached the KRA debug log.
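As an added illustration of the pki_issuing_ca_uri point above (example code, not part of the patch or of FreeIPA): a small pre-flight check, using Python's configparser and urllib.parse, that shows why the value needs the "//" and would flag the defect before pkispawn is handed the config. The hostname and config fragments are constructed.

```python
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed pkispawn-style fragments (hypothetical host): the form the
# review objects to ("https:%s") and the corrected form ("https://%s").
BROKEN_CFG = """[KRA]
pki_issuing_ca_uri = https:ipa.example.com:443
"""
FIXED_CFG = """[KRA]
pki_issuing_ca_uri = https://ipa.example.com:443
"""


def _issuing_ca_uri(cfg_text):
    """Read [KRA] pki_issuing_ca_uri from a pkispawn-style config text."""
    parser = ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_option("KRA", "pki_issuing_ca_uri"):
        return None
    return parser.get("KRA", "pki_issuing_ca_uri")


def issuing_ca_uri_problems(cfg_text):
    """Return a list of problems with pki_issuing_ca_uri; [] means usable.

    Hypothetical helper, not a pkispawn or FreeIPA API."""
    uri = _issuing_ca_uri(cfg_text)
    if uri is None:
        return ["pki_issuing_ca_uri missing from [KRA]"]
    parts = urlparse(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https, got %r" % parts.scheme)
    # Without the '//' authority marker urlparse leaves netloc empty and
    # puts 'host:port' into path, so no client will find the CA host.
    if not parts.netloc:
        problems.append("no host in %r: missing '//' after the scheme" % uri)
    elif parts.path not in ("", "/"):
        problems.append("unexpected path component %r" % parts.path)
    return problems


def issuing_ca_hostname(cfg_text):
    """Hostname the CA client would actually connect to, or None if unusable."""
    uri = _issuing_ca_uri(cfg_text)
    if uri is None:
        return None
    return urlparse(uri).hostname
```

Running issuing_ca_uri_problems() on each fragment reports the missing-host problem for the first and nothing for the second, which is the check to add wherever the [KRA] section is generated.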