[Pki-devel] [PATCH] PKI Deployment Framework PKI TRAC issues (08/09/2012)

Matthew Harmsen mharmsen at redhat.com
Sat Aug 11 05:15:28 UTC 2012


The attached patch (new code which has been combined with the previous 
patch) addresses Comments 1 and 2 below.

This code has been successfully tested on a 64-bit Fedora 17 machine for 
a CA, a Cloned CA, and a KRA.

NOTE:  While the logic in comment 2 is correct from a "configuration" 
viewpoint, the "security_domain_name" is also required by other sections 
of the "installation" code in generating various certificate subject DNs 
for non-root CA subsystems and will generate a "java.io.IOException: Bad 
AVA format: Missing attribute value" exception during "configuration" if 
it is not defined, which is why the altered code in 'pkiparser.py' does 
not match the proposed logic verbatim.

-- Matt

P. S. -- Ade, once again, as you are the most probable reviewer of this patch, please feel free to 'push' it to 'master' if you find it in order.

On 08/10/12 07:50, Ade Lee wrote:
> The patch works.  I was able to get a KRA installed.
>
> Comments:
> 1. The logic in pkijython for determining whether to send the issuing CA
> information is incorrect.  Specifically, all clones still need to
> contact a CA to generate their server cert.
>
> 2.  The same logic applies to the code in pkiparser.py.  In fact, I
> think we can simplify the logic there significantly.  There is no need
> to distinguish in the subsystem name whether the server is a clone or
> subordinate or external.  Just use "{subsystem_type} {hostname} {port}"
> for all subsystems (apache and tomcat).
>
> It's very difficult to follow the logic in that section. For the
> parameters in that section the logic should be:
>
> # for all subsystems
> set_default(subsystem_name, "{subsystem_type} {hostname} {port}")
>
> if (root ca) {
>     security_domain_type = "new"
>     set_default(security_domain_name, "{dnsname} Security Domain")
> } else {
>     security_domain_type = "existing"
>     set_default(security_domain_host, "{pki_hostname}")
>     set_default(security_domain_uri, "https://{security_domain_host}:{security_domain_port}")
> }
>
> where set_default() is defined as :
>
> set_default(x, y) {
>     if not len (master_dict[x]) {
>         master_dict[x] = y
>     }
> }
>
> I need to think about the conditional a bit to decide when we can say we
> need a new vs. existing security domain.
>
> Ade
>
> On Thu, 2012-08-09 at 17:29 -0700, Matthew Harmsen wrote:
>> This patch documents continued implementation of the PKI Deployment
>> Framework based upon the revised filesystem layout documented here:
>>        * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS
>> This patch addresses the following issues:
>>        * TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle
>>          cloning CA/KRA/OCSP/TKS . . .
>>        * TRAC Ticket #285 - Dogtag 10: Fix installation issues for KRA,
>>          OCSP, and TKS
>> It has been tested and proven to work successfully to deploy a KRA as
>> a separate instance on a 64-bit Fedora 17 machine (using the
>> appropriate 'tomcatjss.jar').
>>
>> P. S. -- Ade, as you are the most probable reviewer of this patch,
>> please feel free to 'push' it to 'master' if you find it in order.
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
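As an added illustration (not code from the attached patch or from Dogtag's pkiparser.py), the following stand-alone Python models Ade's set_default() logic together with Matt's note: security_domain_name is defaulted for every subsystem, not only the root CA, because it feeds certificate subject DNs and an empty value surfaces as "Bad AVA format: Missing attribute value". The is_root_ca flag, the sample KRA config and the O=<security domain> DN shape are assumptions for this example.

```python
from typing import Dict, List, Tuple

def set_default(master_dict: Dict[str, str], key: str, value: str) -> None:
    """Ade's set_default(): fill the key only when it is absent or empty."""
    if not master_dict.get(key):
        master_dict[key] = value

def apply_defaults(master_dict: Dict[str, str], is_root_ca: bool) -> Dict[str, str]:
    """Return a copy of master_dict with the thread's defaults applied."""
    d = dict(master_dict)
    # for all subsystems (apache and tomcat alike)
    set_default(d, "subsystem_name", "{subsystem_type} {hostname} {port}".format(**d))
    # Matt's note: the security domain name is used when generating subject DNs
    # for non-root CA subsystems too, so default it unconditionally
    set_default(d, "security_domain_name", "{dnsname} Security Domain".format(**d))
    if is_root_ca:
        d["security_domain_type"] = "new"
    else:
        d["security_domain_type"] = "existing"
        set_default(d, "security_domain_host", d["pki_hostname"])
        set_default(d, "security_domain_uri",
                    "https://{security_domain_host}:{security_domain_port}".format(**d))
    return d

def missing_avas(attrs: List[Tuple[str, str]]) -> List[str]:
    """Attribute types whose value is empty (what the JSS parser rejects)."""
    return [t for t, v in attrs if not v]

def build_subject_dn(attrs: List[Tuple[str, str]]) -> str:
    """Join type=value AVAs into a DN; mirrors the 'Missing attribute value' failure."""
    bad = missing_avas(attrs)
    if bad:
        raise ValueError("Bad AVA format: Missing attribute value (%s)" % ", ".join(bad))
    return ",".join("%s=%s" % (t, v) for t, v in attrs)

# Constructed sample: a KRA joining an existing domain, with the two names left blank
KRA_CONFIG = {
    "subsystem_type": "KRA", "hostname": "kra1.example.test",
    "pki_hostname": "kra1.example.test", "port": "8443",
    "dnsname": "example.test", "security_domain_port": "443",
    "subsystem_name": "", "security_domain_name": "",
}

def kra_subsystem_dn() -> str:
    d = apply_defaults(KRA_CONFIG, is_root_ca=False)
    # assumed DN shape: the security domain name becomes the O= component
    return build_subject_dn([("CN", "KRA Subsystem Certificate"),
                             ("OU", "pki-tomcat"),
                             ("O", d["security_domain_name"])])
```

Running apply_defaults with Ade's original root-CA-only defaulting instead leaves security_domain_name empty for the KRA, which is exactly the case missing_avas() flags.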

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120810-PKI-Deployment-Scriptlets-KRA-Errata.patch
Type: text/x-patch
Size: 17635 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120810/c294ac6a/attachment.bin>