[Freeipa-devel] [PATCH] Add DRM to IPA

Rob Crittenden rcritten at redhat.com
Tue Apr 8 13:52:49 UTC 2014

Martin Kosek wrote:
> On 04/07/2014 10:40 PM, Rob Crittenden wrote:
>> Ade Lee wrote:
>>>       This patch adds the capability of installing a Dogtag DRM
>>>       to an IPA instance.  With this patch, when ipa-server-install
>>>       is run, a Dogtag CA and a Dogtag DRM are created.  The DRM
>>>       shares the same tomcat instance and DS instance as the Dogtag CA.
>>>       Moreover, the same admin user/agent (and agent cert) can be used
>>>       for both subsystems.  Certmonger is also confgured to monitor the
>>>       new subsystem certificates.
>>>       It is also possible to clone the DRM.  When the IPA instance is
>>>       cloned, if --enable-ca and --enable-drm are specified, the DRM
>>>       is cloned as well.
>>>       Installing a DRM requires the user to have a Dogtag CA instance.
>>>       We can look into possibly relaxing that requirement in a later patch.
>>>       I am still working on patches for a ipa-drm-install script, which
>>>       would be used to add a DRM to an existing master (that includes
>>>       a dogtag CA), or an existing clone.
>>>      Please review,
>>>      Thanks,
>>>      Ade
>> Yikes, I wonder if the changes to ipaserver/install/cainstance.py should be
>> pushed ASAP.
> Oops, looks like a change that should go to IPA 3.3.x. What is the implication?
>> freeipa-spec.in needs a dependency on pki-kra.
> Let us stop here. Please see a following RFE I filed:
> https://fedorahosted.org/freeipa/ticket/4058
> I would prefer it KRA files and specifics would be in a new subpackage like
> freeipa-server-kra. Otherwise we will need to rework it again when we would be
> splitting CA to freeipa-server-pki in 4.1.

Yes, that is a question I didn't ask: Is the DRM going to be configured 
by default on all new installs?

> I would prefer to start the right modularization now as I do not think that
> every FreeIPA server needs to run CA/KRA, i.e. it  does not need to have the
> bits installed either.

I think the decision on a separate sub-package will be dependent upon 
whether it is default or not, otherwise we can get away with 
freeipa-server-ca and just lump everything in there.

> I am also quite worried about the duplication that the new drminstance.py
> introduces. There is a lot of functions which do more or less the same thing
> and have most of the handling code the same with only a very small and
> predictable pki/kra change. For example __http_proxy function seems to be
> exactly the same.
> It would be great to avoid this duplication and rather have some common ground
> utilized by both PKI and KRA. Otherwise it will be very difficult to maintain
> the new code.

I touched on some of that too, but some of this is just inevitable I 
think which is why I didn't pound on it too hard. An abstraction would 
be nice, but I'm not sure abstracting for two things, and only in the 
installer, is worth the effort. I could be wrong.


More information about the Freeipa-devel mailing list