[Freeipa-devel] [PATCH] - Add DRM to IPA

Petr Viktorin pviktori at redhat.com
Wed Aug 20 13:02:06 UTC 2014


On 08/18/2014 07:36 PM, Ade Lee wrote:
[...]
>
> After discussion with Endi, I also removed some functions in dogtag.py
> (the plugin) which basically just wrapped calls to the keyclient.  There
> is no need to do this wrapping and it is much more flexible for IPA code
> to call the keyclient directly.  Accordingly, I have added a method to
> get the keyclient.  Your test code would look like this now:
>
> 	from ipalib import api
> 	from pki.key import KeyClient
> 	api.bootstrap(context='server')
> 	api.finalize()
> 	keyclient = api.Backend.kra.get_keyclient()
> 	keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
>
> I added a couple of directives in the proxy file to allow it to progress
> further and it now fails in trying to do the archive_key due to
> authentication issues.
>
> It was never the intention of this patch to get the plugin completely
> working though.  That was the goal of a follow on patch being written by
> Endi.  This patch is already pretty long and touches a lot of code.  I
> propose we let Endi fix the above issue.

I understand. However, I don't know another way to do a functional test.
Without the plugin the best I can do is look if there are some extra 
entries in DS, and since I don't know KRA internals I can't check if 
they're correct.

With the above script, I get:

>>> from ipalib import api
>>> from pki.key import KeyClient
>>> api.bootstrap(context='server')
>>> api.finalize()
>>> keyclient = api.Backend.kra.get_keyclient()
>>>
>>> keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 616, in archive_key
    key_size=key_size)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 669, in archive_encrypted_data
    return self.create_request(request)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 527, in create_request
    response = self.connection.post(url, key_request, self.headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 70, in post
    params=params)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 377, in post
    return self.request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 335, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 438, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 331, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:1419: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message


> I have squashed the drm-> kra changes and created just a single patch,
> which is attached.  This is the only patch needed.

I didn't find any issues except the error above.

> I'm also starting a new COPR build, just to be sure we all have the most
> up-to-date dogtag build.

Things are working nicely for the most part. However I still did manage 
to break my installation:


- Install master and replica, both with CA and KRA
- Remove KRA on both hosts

At this point, trying to install KRA on the replica fails:

$ sudo ipa-kra-install replica-info-file.gpg
Usage: ipa-kra-install [options] [replica_file]

ipa-kra-install: error: Too many parameters provided.  No replica file is required.
$ sudo ipa-kra-install
Directory Manager password:


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd): Estimated time 2 minutes 6 seconds
  [1/5]: configuring KRA instance
failed to configure KRA instance Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp_FKfkR'' returned non-zero exit status 1

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

Configuration of KRA failed


This seems to cripple the installation: ipa-kra-install --uninstall will 
complain that KRA is not installed. Also, ipa-kra-install on the master 
will complain that it wasn't given a replica file.

I understand this is an edge case, but we should handle it if we support 
uninstallation.
I'd be okay with disabling --uninstall for now and filing a ticket for 
later. (After all, ipa-ca-install doesn't have --uninstall at all.)

-- 
Petr³
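The install/uninstall sequence Petr reports above, replayed as an added example. This is a hypothetical model written for this page, not FreeIPA or Dogtag code: the names Domain, Host, choose_mode, install, uninstall_naive, uninstall_robust and reproduce are assumptions, and so is the modelling choice that a host is recorded as a KRA in the domain before pkispawn runs (one explanation consistent with the symptoms, not something the thread establishes). What it shows is why a --uninstall that only accepts a fully installed KRA leaves a failed first-KRA install stuck, and how an uninstall that also accepts a partially configured state lets the master install proceed afterwards.

```python
"""Hypothetical model of ipa-kra-install state handling (not FreeIPA code).

All names here are assumptions made for this example; the scenario data
(hosts 'master' and 'replica') is constructed."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    """Directory-wide view: names of hosts that advertise a KRA."""
    kra_hosts: set = field(default_factory=set)


@dataclass
class Host:
    name: str
    kra_state: str = "absent"   # "absent" | "partial" | "installed"


class InstallError(Exception):
    pass


def choose_mode(domain, replica_file_given):
    """No KRA in the domain -> first-KRA install, no replica file allowed.
    A KRA already exists -> replica install, a replica file is required."""
    if not domain.kra_hosts:
        if replica_file_given:
            raise InstallError(
                "Too many parameters provided.  No replica file is required.")
        return "first"
    if not replica_file_given:
        raise InstallError("A replica file is required.")
    return "replica"


def install(domain, host, replica_file_given, pkispawn_ok):
    """Assumption: the host is recorded in the domain before pkispawn runs,
    so a pkispawn failure leaves a KRA advertised but only partly configured."""
    mode = choose_mode(domain, replica_file_given)
    domain.kra_hosts.add(host.name)
    if not pkispawn_ok:
        host.kra_state = "partial"
        raise InstallError("Configuration of KRA failed (%s install)" % mode)
    host.kra_state = "installed"
    return mode


def uninstall_naive(domain, host):
    """Refuses unless the KRA is fully installed: a failed install stays stuck."""
    if host.kra_state != "installed":
        raise InstallError("KRA is not installed on this host")
    host.kra_state = "absent"
    domain.kra_hosts.discard(host.name)


def uninstall_robust(domain, host):
    """Cleans up any local or domain trace, including a partial configuration."""
    if host.kra_state == "absent" and host.name not in domain.kra_hosts:
        raise InstallError("KRA is not installed on this host")
    host.kra_state = "absent"
    domain.kra_hosts.discard(host.name)


def reproduce(robust):
    """Replay the reported sequence; return the outcome of each step."""
    uninstall = uninstall_robust if robust else uninstall_naive
    domain = Domain()
    master, replica = Host("master"), Host("replica")
    log = []
    # Master and replica with KRA, then KRA removed on both.
    install(domain, master, replica_file_given=False, pkispawn_ok=True)
    install(domain, replica, replica_file_given=True, pkispawn_ok=True)
    uninstall(domain, replica)
    uninstall(domain, master)
    # 1. Replica install with a replica file: rejected, no KRA in the domain.
    try:
        install(domain, replica, replica_file_given=True, pkispawn_ok=True)
    except InstallError as e:
        log.append(str(e))
    # 2. Replica install without a file: first-KRA path, pkispawn fails.
    try:
        install(domain, replica, replica_file_given=False, pkispawn_ok=False)
    except InstallError as e:
        log.append(str(e))
    # 3. --uninstall on the replica after the failure.
    try:
        uninstall(domain, replica)
        log.append("uninstall cleaned up")
    except InstallError as e:
        log.append(str(e))
    # 4. Install on the master: is a replica file now demanded?
    try:
        install(domain, master, replica_file_given=False, pkispawn_ok=True)
        log.append("master installed as first KRA")
    except InstallError as e:
        log.append(str(e))
    return log


if __name__ == "__main__":
    for robust in (False, True):
        print("robust uninstall:", robust)
        for line in reproduce(robust):
            print("  ", line)
```

With the naive uninstall the replay ends in the state from the report: the replica's --uninstall says the KRA is not installed, and the master's install then demands a replica file because the partially configured replica is still advertised. With the robust variant step 3 cleans the partial state and step 4 installs the master as the first KRA again.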
