[Freeipa-devel] [PATCH] - Add DRM to IPA
Petr Viktorin
pviktori at redhat.com
Wed Aug 20 13:02:06 UTC 2014
On 08/18/2014 07:36 PM, Ade Lee wrote:
[...]
>
> After discussion with Endi, I also removed some functions in dogtag.py
> (the plugin) which basically just wrapped calls to the keyclient. There
> is no need to do this wrapping and it is much more flexible for IPA code
> to call the keyclient directly. Accordingly, I have added a method to
> get the keyclient. Your test code would look like this now:
>
> from ipalib import api
> from pki.key import KeyClient
> api.bootstrap(context='server')
> api.finalize()
> keyclient = api.Backend.kra.get_keyclient()
> keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
>
> I added a couple of directives in the proxy file to allow it to progress
> further and it now fails in trying to do the archive_key due to
> authentication issues.
>
> It was never the intention of this patch to get the plugin completely
> working though. That was the goal of a follow on patch being written by
> Endi. This patch is already pretty long and touches a lot of code. I
> propose we let Endi fix the above issue.
I understand. However, I don't know another way to do a functional test.
Without the plugin the best I can do is look if there are some extra
entries in DS, and since I don't know KRA internals I can't check if
they're correct.
With the above script, I get:
>>> from ipalib import api
>>> from pki.key import KeyClient
>>> api.bootstrap(context='server')
>>> api.finalize()
>>> keyclient = api.Backend.kra.get_keyclient()
>>>
>>> keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 616, in archive_key
    key_size=key_size)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 669, in archive_encrypted_data
    return self.create_request(request)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 527, in create_request
    response = self.connection.post(url, key_request, self.headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 70, in post
    params=params)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 377, in post
    return self.request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 335, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 438, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 331, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:1419: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
> I have squashed the drm-> kra changes and created just a single patch,
> which is attached. This is the only patch needed.
I didn't find any issues except the error above.
> I'm also starting a new COPR build, just to be sure we all have the most
> up-to-date dogtag build.
Things are working nicely for the most part. However I still did manage
to break my installation:
- Install master and replica, both with CA and KRA
- Remove KRA on both hosts
At this point, trying to install KRA on the replica fails:
$ sudo ipa-kra-install replica-info-file.gpg
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: Too many parameters provided. No replica file
is required.
$ sudo ipa-kra-install
Directory Manager password:
===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.
Configuring KRA server (pki-tomcatd): Estimated time 2 minutes 6 seconds
[1/5]: configuring KRA instance
failed to configure KRA instance Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp_FKfkR'' returned non-zero exit status 1
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.
Configuration of KRA failed
This seems to cripple the installation: ipa-kra-install --uninstall will
complain that KRA is not installed. Also, ipa-kra-install on the master
will complain that it wasn't given a replica file.
I understand this is an edge case, but we should handle it if we support
uninstallation.
I'd be okay with disabling --uninstall for now and filing a ticket for
later. (After all, ipa-ca-install doesn't have --uninstall at all.)
--
Petr³
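The SSLError in the traceback above carries a packed OpenSSL error code (140943F2) whose fields say more than the message text: the library, the function that raised it, and a reason that for SSL3_READ_BYTES encodes a TLS alert received from the peer. The decoder below is an added example for reading such errors, not code from the patch, FreeIPA or Dogtag. It assumes the OpenSSL 1.0.x packing of library/function/reason into the 32-bit code and the convention that alert reasons are the TLS alert description plus 1000; the sample string is copied from the traceback on this page.

```python
import re

# Constructed sample: the error string from the traceback in this thread.
SAMPLE_ERROR = ("[Errno 1] _ssl.c:1419: error:140943F2:SSL routines:"
                "SSL3_READ_BYTES:sslv3 alert unexpected message")

# OpenSSL 1.0.x packs library, function and reason into one 32-bit code
# (what ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON extract). Assumption:
# these layouts hold for the OpenSSL version that produced the message.
ERR_LIB_SSL = 20          # ERR_LIB_SSL
ALERT_REASON_BASE = 1000  # SSL_AD_REASON_OFFSET: alert reasons are SSL_AD_* + 1000

# TLS alert descriptions (RFC 5246, section 7.2), subset that matters in practice.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

# "error:<8 hex digits>:<library>:<function>:<reason text>"
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def parse_openssl_error(text):
    """Decode an OpenSSL error string into its packed fields.

    Returns None when the text contains no "error:XXXXXXXX:..." token.
    When the code is an SSL-library alert reason, also reports the TLS
    alert the peer sent (received alerts are raised from read functions
    such as SSL3_READ_BYTES).
    """
    m = _ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    result = {
        "code": code,
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }
    if (result["lib"] == ERR_LIB_SSL
            and ALERT_REASON_BASE <= result["reason"] < ALERT_REASON_BASE + 256):
        alert = result["reason"] - ALERT_REASON_BASE
        result["peer_alert"] = alert
        result["peer_alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return result


def explain(text):
    """One-line human reading of the decoded error, or None if not parseable."""
    info = parse_openssl_error(text)
    if info is None:
        return None
    if "peer_alert" in info:
        return ("peer sent TLS alert %d (%s) while we were in %s"
                % (info["peer_alert"], info["peer_alert_name"], info["func_name"]))
    return "local OpenSSL error in %s: %s" % (info["func_name"], info["reason_text"])


if __name__ == "__main__":
    print(explain(SAMPLE_ERROR))
```

Run against the page's error string this reports alert 10 (unexpected_message) received in SSL3_READ_BYTES, i.e. the KRA side aborted the handshake or request, which is consistent with the authentication problem described above rather than a local certificate-validation failure on the client. The same decoder applies to other codes from the same family, for example 14094418 (tlsv1 alert unknown ca), which says the peer rejected our certificate chain.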