[Pki-devel] [PATCH] PKI Deployment Framework PKI TRAC issues (07/28/2012)

Matthew Harmsen mharmsen at redhat.com
Sun Jul 29 05:40:27 UTC 2012


This patch documents continued implementation of the PKI Deployment 
Framework based upon the revised filesystem layout documented here:

  * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS

This patch addresses the following issues:

  * TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of
    sporadically "not" removing "/etc/sysconfig/{pki_instance_id}" . . .
  * TRAC Ticket #264 - Dogtag 10: Enable various other subsystems for
    configuration . . .
  * TRAC Ticket #261 - Dogtag 10: Revisit command-line options of
    'pkispawn' and 'pkidestroy' . . .
  * TRAC Ticket #268 - Dogtag 10: Create a parameter for optional
    restart of configured PKI instance . . .
  * TRAC Ticket #270 - Dogtag 10: Add missing parameters to
    'pkideployment.cfg' . . .
  * TRAC Ticket #265 - Dogtag 10: Provide configurable options for PKI
    client information . . .
  * TRAC Ticket #275 - Dogtag 10: Add debug information (comments) to
    Tomcat 7 "logging.properties"
  * TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to the
    'sensitive' dictionary
  * TRAC Ticket #277 - Dogtag 10: Create an 'archive' for 'manifest' and
    'pkideployment.cfg' files

*WARNING:  Due to some of the changes to the command-line parameters 
(mainly the introduction of a dependency on the existence of a new 
symlink), instances previously created with the old "pkispawn" will once 
again need to be removed by the old "pkidestroy" PRIOR to the 
installation of this patch.*

Note:  You will definitely need to establish the following "passwords" 
in your copy of "pkideployment.cfg" in order to install a "CA":

      * pki_admin_password
      * pki_client_pkcs12_password
      * pki_ds_password
      * pki_security_domain_password

    I ran the following command:  pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv

    Unfortunately, for me, out-of-the-box installation failed with the
    following problem:

      * pkispawn    : ERROR    ....... port 8080 has invalid selinux
        context http_cache_port_t

    This error occurred despite downloading the latest SELinux policies
    on my 64-bit Fedora 17 box and compiling 'pki-selinux' against them.

    The work-around that I used was to edit
    "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py"
    and comment out the call to
    "util.configuration_file.verify_selinux_ports()" in the 'spawn()'
    method.

    Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg
    -vvv' now produces the following error:

        pkispawn    : INFO     ... populating 'pki.deployment.selinux_setup'
        Traceback (most recent call last):
          File "/bin/pkispawn", line 225, in <module>
            main(sys.argv)
          File "/bin/pkispawn", line 212, in main
            rv = instance.spawn()
          File "/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py", line 69, in spawn
            port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
          File "/usr/lib64/python2.7/site-packages/seobject.py", line 1045, in add
            self.__add(port, proto, serange, type)
          File "/usr/lib64/python2.7/site-packages/seobject.py", line 1002, in __add
            raise ValueError(_("Port %s/%s already defined") % (proto, port))
        ValueError: Port tcp/8080 already defined

    My work-around to fix this error is to remove the symlinks which call
    the 'selinux_setup.py' scriptlet for both 'pkispawn' and 'pkidestroy':

      * rm /usr/share/pki/deployment/spawn/*/035_selinux_setup
      * rm /usr/share/pki/deployment/destroy/*/985_selinux_setup

    Unfortunately, at this stage, sufficient installation has been made
    which prevents a new installation, and 'pkidestroy' in its current
    incarnation will be unable to completely remove the instance.  Therefore,
    presuming an instance name of 'pki-tomcat', run the following commands:

      * rm -rf /var/lib/pki
      * rm -rf /etc/pki/pki-tomcat/
      * rm -rf /etc/sysconfig/pki
      * rm -rf /var/log/pki
      * rm /etc/sysconfig/pki-tomcat (this command will fail, as it has
        not yet been created)

    Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg
    -vvv' should now run to successful completion!

    To test this patch, run the test instructions documented in earlier
    patches for installing the Admin Cert.  Note that the 'ca_admin_cert.p12'
    file is now located under
    '/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12', and since
    a browser may not have the appropriate permissions to traverse past the
    '/var/lib/pki' directory, the administrator will need to make this file
    available (i.e., copy it to /tmp).

    *Please note that, although KRA, OCSP, and TKS installations will run
    to completion, at the present time a crash occurs in the invocation of
    the java configuration client (quite possibly due to the specification
    of incorrect/incomplete parameters for these subsystems).*

Thanks,
-- Matt
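As an added example (not part of Matt's message, the attached patch, or the pki.deployment package), the following pre-flight check shows what verify_selinux_ports() needs to establish before selinux_setup.py calls portRecords.add(): it parses `semanage port -l` output and classifies each port the deployer needs as missing, already labelled correctly (where add() would still raise "Port already defined"), or labelled with a conflicting type such as http_cache_port_t on 8080. The PKI port type name and the semanage listing are constructed placeholders, since the real value of config.PKI_PORT_SELINUX_CONTEXT is not on the page.

```python
# Added example, not from the patch or the pki.deployment package: a
# pre-flight check for the SELinux port labelling pkispawn performs.

PKI_PORT_TYPE = "pki_port_t"  # assumed placeholder for config.PKI_PORT_SELINUX_CONTEXT

# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_SEMANAGE_OUTPUT = """\
SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_port_t                     tcp      9445
"""

def parse_semanage_ports(text):
    """Return {(proto, port): setype} for every port listed, expanding ranges."""
    mapping = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        setype, proto, ports = parts
        for item in ports.split(","):
            item = item.strip()
            lo, _, hi = item.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                mapping[(proto, port)] = setype
    return mapping

def preflight(listing_text, required_ports, expected_type=PKI_PORT_TYPE):
    """Classify each required (proto, port) before touching semanage/seobject.

    "missing"          -> portRecords.add() is safe
    "ok"               -> already labelled; add() would still raise "Port ...
                          already defined", so skip it (or use modify())
    "conflict:<type>"  -> labelled with another type, the condition
                          verify_selinux_ports() reports as an invalid context
    """
    listing = parse_semanage_ports(listing_text)
    status = {}
    for key in required_ports:
        current = listing.get(key)
        if current is None:
            status[key] = "missing"
        elif current == expected_type:
            status[key] = "ok"
        else:
            status[key] = "conflict:" + current
    return status
```

Run on a real host by feeding the output of `semanage port -l` to preflight() with the ports from pkideployment.cfg; a "conflict" entry is the case that made the email's out-of-the-box install fail, and removing the scriptlet symlinks skips the check rather than resolving it.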
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120728-PKI-Deployment-Scriptlets-Errata.patch
Type: text/x-patch
Size: 111147 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120728/acb8cebc/attachment.bin>