[Pki-devel] [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Adam Young ayoung at redhat.com
Tue Aug 23 02:42:02 UTC 2011


With this version, and Ade's patch posted to the PKI list, we have a 
functioning proxy.

I still need to do some cleanup in the /etc/httpd/conf.d directory: the 
modifications to nss.conf are not removed in uninstall, nor is the 
symlink to /etc/pki-ca/proxy.conf.

We also need to limit the number of suburls of the PKI CA that the proxy 
exposes.  This version exposes all of them.  I think we need a very 
limited subset.

I've created a replica  --no-pki and successfully requested a 
certificate on it.


On 08/19/2011 01:57 PM, Dmitri Pal wrote:
> On 08/19/2011 01:19 PM, Adam Young wrote:
>> The complete solution for this patch requires changes in Dogtag that 
>> Ade Lee is working on right now.  In order to test, I have provided a 
>> couple of files that I have been using:
>>
>>
>> 1.  Apply patch, build and install IPA rpms, run ipaserver-install as 
>> per usual.
>> 2.  Move the dogtag.conf file into /etc/httpd/conf.d directory
>> 3.  Run the proxy_dogtag.py script to modify the Dogtag instance to 
>> accept AJP connections from httpd so httpd can act as a proxy
>> 4. Restart IPA
>>
>>
>> To test:
>>
>> 1. add a host.
>> 2.  Generate a csr: 
>> http://freeipa.org/page/Certificate_Authority#Request_a_certificate
>> 3.  request a certificate for the newly added host.
>> 4.  Optionally, revoke the certificate for the host
>>
>
>
> Please do not forget to test the proxy test when replica does not have 
> the CA installed and has to forward the request to the one that has.
>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0283-1-enable-proxy-for-dogtag.patch
Type: text/x-patch
Size: 9680 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20110822/30df5279/attachment.bin>

