[Pki-devel] [PATCH] 113-117 changes to install scripts to move calls to admin interface

Matthew Harmsen mharmsen at redhat.com
Wed Feb 6 20:57:44 UTC 2013


ACK

Code review of this produced two new TRAC Tickets:

  * TRAC Ticket #502 - Dogtag 10: Change pkidestroy "-w" option to
    require a password file rather than a raw password
  * TRAC Ticket #503 - Dogtag 10: Security Domain Issues

These changes were tested using two scenarios as described in TRAC 
Ticket #503 - Dogtag 10: Security Domain Issues.

-- Matt
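The concern behind TRAC Ticket #502 is that a raw password given to a "-w" option is visible in process listings and shell history. The following is an added example, not code from the pki patch or the Dogtag project, showing how a tool can take the password from a file instead and refuse files that other users could read; the file names and sample password are constructed.

```python
"""Added example (not part of the pki patch): read a "-w"-style password
from a file rather than the command line, so the secret never appears in
`ps` output or shell history (the concern behind TRAC Ticket #502)."""
import os
import stat
import tempfile


def read_password_file(path):
    """Return the first line of the file; refuse files other users can read."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s: not a regular file" % path)
    # Any group/other permission bit means another user could read the secret.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s: must be readable by the owner only" % path)
    if st.st_uid != os.geteuid():
        raise PermissionError("%s: not owned by the invoking user" % path)
    with open(path, encoding="utf-8") as fh:
        password = fh.readline().rstrip("\r\n")
    if not password:
        raise ValueError("%s: empty password" % path)
    return password


def demo():
    """Constructed sample files: one locked down (0600), one world-readable (0644)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sd_password")      # hypothetical file names
        bad = os.path.join(tmp, "leaky_password")
        for p in (good, bad):
            with open(p, "w", encoding="utf-8") as fh:
                fh.write("Secret123\n")               # constructed sample secret
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        results["good"] = read_password_file(good)
        try:
            read_password_file(bad)
            results["bad"] = "accepted"
        except PermissionError:
            results["bad"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```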

On 02/04/13 17:39, Matthew Harmsen wrote:
> On 02/01/13 11:54, Ade Lee wrote:
>> We want to use the admin interface for installation work.  This patch
>> moves the interfaces used in cloning from either the EE or agent
>> interface to the admin one.  See:
>> http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
>>
>> Specifically,
>> 1. Change call to use /ca/admin/ca/getCertChain
>> 2. Remove unneeded getTokenInfo servlet.  The logic not to use this
>> servlet has already been committed to dogtag 10.
>> 3. Move updateNumberRange to the admin interface.  For backward
>> compatibility with old instances, the install code will
>> call /ca/agent/updateNumberRange as a fallback.
>> 4. Add updateDomainXML to admin interface.  For backward compatibility,
>> updateDomainXML will continue to be exposed on the agent interface with
>> agent client auth.
>> 5. Changed pkidestroy to get an install token and use the admin
>> interface to update the security domain.  For backward compatibility,
>> the user and password are not specified as mandatory arguments -
>> although we want to do that in future.
>>
>> Please review,
>> Ade
>>    
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
> Alee,
>
> Sorry, but I require some additional information to properly test this 
> patch for a CA and its clone using a single machine.  Hopefully, I can 
> address these issues relatively quickly tomorrow after obtaining your 
> answers.
>
> I have pulled a new tree after the meeting this morning (which does 
> not include the patches added at 3:49 P. M. by edewata), created a 
> branch, applied all five of your changes, and built and installed the 
> packages on a fresh x86_64 Fedora 18 system (e. g. - 
> 'foobar.example.com').
>
> In order to test the code, I would like to perform the following two 
> tests using a single machine:
>
>  1. pkispawn using the new configuration servlet for both the CA and
>     the CA Clone
>  2. pkispawn using the old GUI configuration (by specifying a DEFAULT
>     value of pki_skip_configuration=True) for both CA and the CA Clone
>
> However, with the new interpolation model, I do not know every single 
> value that needs to be overridden to have both the CA and CA Clone, as 
> well as the two directory servers, on the same system.
>
> I have the following:
>
>   * installed a default directory server instance (e. g. - foobar)
>     running on port 389
>   * installed a CA (e. g. - default configuration specifying backup
>     keys in order to create the CA clone):
>     [DEFAULT]
>     pki_admin_password=XXXXXXXX
>     pki_backup_password=XXXXXXXX
>     pki_client_pkcs12_password=XXXXXXXX
>     pki_ds_password=XXXXXXXX
>     pki_security_domain_password=XXXXXXXX
>     pki_backup_keys=True
>   * successfully configured a browser, requested, enrolled, and issued
>     a test certificate
>   * installed a second directory server instance (e. g. -
>     foobar-clone) running on port 8389
>   * about to install a CA Clone using the following parameters:
>     [DEFAULT]
>     pki_admin_password=XXXXXXXX
>     pki_client_pkcs12_password=XXXXXXXX
>     pki_ds_password=XXXXXXXX
>     pki_security_domain_password=XXXXXXXX
>     pki_security_domain_hostname=foobar.example.com
>     pki_security_domain_https_port=8443
>     pki_ds_ldap_port=8389
>     pki_ds_ldaps_port=8636
>     [CA]
>     pki_ajp_port=17009
>     pki_clone=True
>     pki_clone_pkcs12_password=XXXXXXXX
>     pki_clone_pkcs12_path=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12
>     pki_clone_replicate_schema=True
>     pki_clone_replication_master_port=
>     pki_clone_replication_clone_port=
>     pki_clone_replication_security=None
>     pki_clone_uri=http://foobar.example.com:8443
>     pki_http_port=17080
>     pki_https_port=17443
>     pki_instance_name=pki-tomcat-ca-clone
>     pki_tomcat_server_port=17005
>
> Questions:
>
>   * Are the two tests specified above sufficient to test your patch,
>     or do I need to check the other two test cases of mixing an old
>     GUI configuration (CA) with new configuration servlet (CA clone),
>     and vice-versa? (I believe that this code will require re-testing
>     under a separated ports model for versions of the product earlier
>     than Dogtag 10).
>   * What parameter(s) do I need to add to the CA Clone configuration
>     file under what sections to reference the 'foobar-clone' directory
>     instance?
>   * What value, if any, do I need to supply to the
>     'pki_clone_replication_master_port'?
>   * What value, if any, do I need to supply to the
>     'pki_clone_replication_clone_port'?
>   * Should I leave 'pki_clone_replication_security=None'?
>   * Are there any other parameters that I am missing, and if so, under
>     what section should they be defined?
>   * Are there any parameters specified that contain incorrect values?
>   * Are any parameters specified in the incorrect sections?
>
> Thanks in advance,
> -- Matt
>
>
