[Pki-devel] [PATCH] PKI Deployment Framework PKI TRAC issues (08/09/2012)

Ade Lee alee at redhat.com
Fri Aug 10 14:50:11 UTC 2012


The patch works.  I was able to get a KRA installed.

Comments:
1. The logic in pkijython for determining whether to send the issuing CA
information is incorrect.  Specifically, all clones still need to
contact a CA to generate their server cert.

2.  The same logic applies to the code in pkiparser.py.  In fact, I
think we can simplify the logic there significantly.  There is no need
to distinguish in the subsystem name whether the server is a clone or
subordinate or external.  Just use "{subsystem_type} {hostname} {port}"
for all subsystems (apache and tomcat).

It's very difficult to follow the logic in that section. For the
parameters in that section the logic should be:

# for all subsystems (apache and tomcat), clone, subordinate or external
set_default("subsystem_name", "{subsystem_type} {hostname} {port}")

if root_ca:
    master_dict["security_domain_type"] = "new"
    set_default("security_domain_name", "{dnsname} Security Domain")
else:
    master_dict["security_domain_type"] = "existing"
    set_default("security_domain_host", "{pki_hostname}")
    set_default("security_domain_uri",
                "https://{security_domain_host}:{security_domain_port}")

where set_default() is defined as :

def set_default(x, y):
    # only fill in a value the user did not supply in the deployment config
    if not len(master_dict[x]):
        master_dict[x] = y

I need to think about the conditional a bit to decide when we can say we
need a new vs. existing security domain.

Ade
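A runnable version of the defaulting logic sketched in the reply above, as an added Python example that is neither code from the pki project nor from Ade. The dictionary key names, the `is_root_ca` flag passed in by the caller (the reply leaves that conditional open), the treatment of a missing key as empty, and the expansion of `{...}` placeholders with `str.format` are all assumptions of this example.

```python
# Added example: fill deployment parameters with defaults only where the
# user left them empty. Key names and placeholder expansion are assumptions.


def set_default(master_dict, key, template):
    """Set master_dict[key] from template only if it is missing or empty.

    The template may reference other parameters as {name}; it is expanded
    against the dictionary as it stands at the time of the call, so defaults
    that depend on earlier defaults must be set in dependency order.
    """
    if not master_dict.get(key):
        master_dict[key] = template.format(**master_dict)
    return master_dict[key]


def apply_subsystem_defaults(master_dict, is_root_ca):
    """Apply the same subsystem-name default to every subsystem and pick
    a new vs. existing security domain based on is_root_ca (assumed flag)."""
    # same name pattern for all subsystems: clone, subordinate or external
    set_default(master_dict, "subsystem_name",
                "{subsystem_type} {hostname} {port}")

    if is_root_ca:
        master_dict["security_domain_type"] = "new"
        set_default(master_dict, "security_domain_name",
                    "{dnsname} Security Domain")
    else:
        master_dict["security_domain_type"] = "existing"
        # host first, because the URI default refers to it
        set_default(master_dict, "security_domain_host", "{pki_hostname}")
        set_default(master_dict, "security_domain_uri",
                    "https://{security_domain_host}:{security_domain_port}")
    return master_dict


# Constructed sample parameters for a KRA clone joining an existing domain.
KRA_CLONE_PARAMS = {
    "subsystem_type": "KRA",
    "hostname": "kra1.example.com",
    "port": "8443",
    "subsystem_name": "",            # empty: gets the common default
    "pki_hostname": "ca1.example.com",
    "security_domain_port": "8443",
}

# Constructed sample parameters for a root CA with a user-chosen name.
ROOT_CA_PARAMS = {
    "subsystem_type": "CA",
    "hostname": "ca1.example.com",
    "port": "8443",
    "subsystem_name": "My Root CA",  # user-supplied: must be kept
    "dnsname": "example.com",
}


def kra_clone_defaults():
    return apply_subsystem_defaults(dict(KRA_CLONE_PARAMS), is_root_ca=False)


def root_ca_defaults():
    return apply_subsystem_defaults(dict(ROOT_CA_PARAMS), is_root_ca=True)


if __name__ == "__main__":
    for params in (kra_clone_defaults(), root_ca_defaults()):
        for key in sorted(params):
            print("%s=%s" % (key, params[key]))
        print()
```

Using `.get()` rather than `len(master_dict[x])` means a key that is absent from the parsed config is treated the same as one set to the empty string, which is what the sketch intends; the original form would raise `KeyError` on an absent key.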

On Thu, 2012-08-09 at 17:29 -0700, Matthew Harmsen wrote:
> This patch documents continued implementation of the PKI Deployment
> Framework based upon the revised filesystem layout documented here:
>       * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS
> This patch addresses the following issues:
>       * TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle
>         cloning CA/KRA/OCSP/TKS . . .
>       * TRAC Ticket #285 - Dogtag 10: Fix installation issues for KRA,
>         OCSP, and TKS
> It has been tested and proven to work successfully to deploy a KRA as
> a separate instance on a 64-bit Fedora 17 machine (using the
> appropriate 'tomcatjss.jar').
> 
> P. S. -- Ade, as you are the most probable reviewer of this patch,
> please feel free to 'push' it to 'master' if you find it in order.
