[Pki-devel] patch for review : https://bugzilla.redhat.com/show_bug.cgi?id=712931
Matthew Harmsen
mharmsen at redhat.com
Mon Aug 22 19:17:09 UTC 2011
On 08/21/11 18:47, Ade Lee wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=712931 - CS requires too
> many ports to be opened in firewall.
>
> This patch provides configuration to run the ca behind an apache proxy.
>
> For IPA, once you apply the patch, you will need to update pki-ca,
> pki-common, pki-setup, pki-selinux, pki-common-javadoc. The UI changes
> are just to remove some annoying 404's in the httpd logs.
>
> Then, you need to call pkicreate with the additional option
> -enable_proxy. This will configure the system to run behind a proxy
> with ajp port 9447, proxy secure port 443 and proxy unsecure port 80.
>
> Pkisilent can run as before. After pkisilent is complete, the
> file /etc/<instance_name>/conf/proxy.conf will exist.
>
> Make a symbolic link of this file to /etc/httpd/conf.d/dogtag.conf
> Restart httpd and you should be able to browse from httpd.
>
> Adam, please test IPA install and also install of a replica. Remember
> that the replica security domain should be at port 443.
>
> Ade
ACK - with Caveats:
(1) fix 'base/selinux/src/pki.if' line to use subsystem variable rather than 'pki_ca_t'
(2) clone bug to provide 'proxy.conf' file for KRA, OCSP, and TKS subsystems