[Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)

Matthew Harmsen mharmsen at redhat.com
Thu Feb 14 02:34:48 UTC 2013


This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source code 
on RHEL 5.9 using Directory Server storage located on RHEL 6.3:

  * ACK with CAVEATS

Presuming that the CAVEATS are addressed, the patches for 
PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.

*CAVEAT 1:*

    In TokenAuthentication.java, change line 166 from:
         c = sendAuthRequest(authHost, authAdminPort, authURL, content);
    to:
         c = sendAuthRequest(authHost, authEEPort, authURL, content);

*CAVEAT 2:*

    This was more of an observation that may be due to *CAVEAT 1* above,
    but in *TEST SCENARIO 2* below, please note the *comments in RED
    text*.

*TEST SCENARIO 1:  Pre-Patched CA Master, Pre-Patched KRA, Patched CA Clone*

  * On a 64-bit x86_64 RHEL 6.3 machine:
      o cd /usr/sbin
      o ./setup-ds-admin (ds-master - 389)
      o ./setup-ds (ds-clone - 8389)
      o Stopped both servers
      o Turned syntax checking off in both DS servers --
        nsslapd-syntaxcheck: off
      o Restarted both servers
  * On the 64-bit x86_64 RHEL 5.9 machine:
      o svn co
        svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
        pki
      o svn co
        https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
      o Successfully built and installed a Master CA 'pki-ca' using the
        pre-patched source code
      o Using a fresh profile in a browser, successfully configured
        'pki-ca' using ports in the default CA range and the 'ds-master'
        DS server
      o Successfully created, submitted, and approved a certificate:
          + 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
      o Successfully built and installed a KRA 'pki-kra' using the
        pre-patched source code
      o Successfully configured 'pki-kra' using ports in the default
        KRA range and the 'ds-master' DS server
      o Successfully created, submitted, and approved a certificate in
        which the keys were backed up to the DRM:
          + 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
      o svn co
        svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
        pki
      o svn co
        https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
      o Saved 'cloning.8.errata.patch' from email attachment
      o cd pki
      o patch -p0 < ../cloning.8.errata.patch
        patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
        patching file base/ca/shared/conf/acl.ldif
        patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
        patching file base/setup/pkiremove
        patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
        patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
        patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
      o Applied the change documented in *CAVEAT 1* above
      o Successfully built and updated all CA and KRA packages
      o Restarted both CA and KRA instances
      o Successfully tested that CA still worked:
          + 'Test PATCHEDEE Master PATCHEDAgent Master'
      o Successfully tested that KRA still worked:
          + 'DRM Test PATCHED EE Master PATCHED Agent Master'
      o Successfully installed a CA Clone called 'pki-ca-clone' via
        'pkicreate' using ports in the default + 10000 range using the
        patched source code
      o Installed the PK12 file that contained all of the certs and keys
        backed up via configuration of 'pki-ca' into
        /var/lib/pki-ca-clone/alias and set all ownership permissions to
        be 'pkiuser':

        # ls -lZ /var/lib/pki-ca-clone/alias/*
        -rw-rw-r--  pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db

      o Successfully configured 'pki-ca-clone' using ports in the
        default CA + 10000 range and the 'ds-clone' DS server
      o Successfully tested that CA Master and CA Clone worked together:
          + 'Test EE Master Agent Master'
          + 'Test EE Master Agent Clone'
          + 'Test EE Clone Agent Master'
          + 'Test EE Clone Agent Clone'
      o Successfully tested that CA Master, CA Clone, and KRA worked
        together:
          + 'DRM Test EE Master Agent Master'
          + 'DRM Test EE Master Agent Clone'
          + 'DRM Test EE Clone Agent Master'
          + 'DRM Test EE Clone Agent Clone'

*TEST SCENARIO 2:  Patched CA Master, Patched KRA, Patched CA Clone*

  * On a 64-bit x86_64 RHEL 6.3 machine:
      o cd /usr/sbin
      o ./setup-ds-admin (ds-master - 389)
      o ./setup-ds (ds-clone - 8389)
      o Stopped both servers
      o Turned syntax checking off in both DS servers --
        nsslapd-syntaxcheck: off
      o Restarted both servers
  * On the 64-bit x86_64 RHEL 5.9 machine:
      o svn co
        svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
        pki
      o svn co
        https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
      o Successfully built and installed a Master CA 'pki-ca' using the
        pre-patched source code
      o Using a fresh profile in a browser, successfully configured
        'pki-ca' using ports in the default CA range and the 'ds-master'
        DS server
      o Successfully created, submitted, and approved a certificate:
          + 'Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
      o Successfully built and installed a KRA 'pki-kra' using the
        pre-patched source code
      o Successfully configured 'pki-kra' using ports in the default
        KRA range and the 'ds-master' DS server
      o Successfully created, submitted, and approved a certificate in
        which the keys were backed up to the DRM:
          + 'DRM Test PRE-PATCHED EE Master PRE-PATCHED Agent Master'
      o svn co
        svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki
        pki
      o svn co
        https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhatpki/redhat
      o Saved 'cloning.8.errata.patch' from email attachment
      o cd pki
      o patch -p0 < ../cloning.8.errata.patch
        patching file base/ca/shared/webapps/ca/WEB-INF/web.xml
        patching file base/ca/shared/conf/acl.ldif
        patching file base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
        patching file base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
        patching file base/setup/pkiremove
        patching file base/tks/shared/webapps/tks/WEB-INF/web.xml
        patching file base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
        patching file base/kra/shared/webapps/kra/WEB-INF/web.xml
      o Applied the change documented in *CAVEAT 1* above
      o Successfully built and installed a Master CA 'pki-ca'
      o Using a fresh profile in a browser, successfully configured
        'pki-ca' using ports in the default CA range and the 'ds-master'
        DS server
      o Successfully created, submitted, and approved a certificate:
          + 'Test'
      o Successfully built and installed a KRA 'pki-kra'
      o Successfully configured 'pki-kra' using ports in the default
        KRA range and the 'ds-master' DS server
      o Successfully created, submitted, and approved a certificate in
        which the keys were backed up to the DRM:
          + 'DRM Test'
      o Successfully installed a CA Clone called 'pki-ca-clone' via
        'pkicreate' using ports in the default + 10000 range
      o Installed the PK12 file that contained all of the certs and keys
        backed up via configuration of 'pki-ca' into
        /var/lib/pki-ca-clone/alias and set all ownership permissions to
        be 'pkiuser':

        # ls -lZ /var/lib/pki-ca-clone/alias/*
        -rw-rw-r--  pkiuser pkiuser user_u:object_r:pki_ca_var_lib_t pki_ca_master_backup.p12
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t cert8.db
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t key3.db
        -rw-------  pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t secmod.db

      o Successfully configured 'pki-ca-clone' using ports in the
        default CA + 10000 range and the 'ds-clone' DS server
      o Per request, verified that 'admin' port was being used for CA Clone:

        # cd /var/log/pki-ca-clone
        # grep -i agent localhost_access_log.2013-02-14.txt
        *# grep -i ee localhost_access_log.2013-02-14.txt*
        *10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035*
        # grep -i admin localhost_access_log.2013-02-14.txt
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 -
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 200 1316
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 200 1787
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200 318
        10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 200 1146
        10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11862
        10.14.16.14 - - [14/Feb/2013:00:58:35 -0500] "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1" 200 43
        10.14.16.14 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10106
        10.14.16.14 - - [14/Feb/2013:00:58:47 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12566
        10.14.16.14 - - [14/Feb/2013:00:58:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 302 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:11 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 12557
        10.14.16.14 - - [14/Feb/2013:00:59:14 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8492
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 10006
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:00:59:44 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 32918
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1" 304 -
        10.14.16.14 - - [14/Feb/2013:01:00:42 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 11690
        10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 68264
        10.14.16.14 - - [14/Feb/2013:01:00:49 -0500] "GET /ca/admin/console/img/certificate.png HTTP/1.1" 200 4663
        10.14.16.14 - - [14/Feb/2013:01:00:52 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8652
        10.14.16.14 - - [14/Feb/2013:01:00:56 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 8215
        10.14.16.14 - - [14/Feb/2013:01:01:02 -0500] "POST /ca/admin/console/config/wizard HTTP/1.1" 200 7832

      o Successfully tested that CA Master and CA Clone worked together:
          + 'Test EE Master Agent Master'
          + 'Test EE Master Agent Clone'
          + 'Test EE Clone Agent Master'
          + 'Test EE Clone Agent Clone'
      o Successfully tested that CA Master, CA Clone, and KRA worked
        together:
          + 'DRM Test EE Master Agent Master'
          + 'DRM Test EE Master Agent Clone'
          + 'DRM Test EE Clone Agent Master'
          + 'DRM Test EE Clone Agent Clone'

On 02/12/13 12:11, Ade Lee wrote:
> We want to use the admin interface for installation work.  This patch
> moves the interfaces used in cloning from either the EE or agent
> interface to the admin one.  See:
> http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
>
> Specifically,
> 1. Change call to use /ca/admin/ca/getCertChain
> 2. Remove unneeded getTokenInfo servlet.  The logic not to use this
> servlet has already been committed to dogtag 10.
> 3. Move updateNumberRange to the admin interface.  For backward
> compatibility with old instances, the install code will
> call /ca/agent/updateNumberRange as a fallback.
> 4. Add updateDomainXML to admin interface.  For backward compatibility,
> updateDomainXML will continue to be exposed on the agent interface with
> agent client auth.
> 5. Changed pkidestroy to get an install token and use the admin
> interface to update the security domain.  For backward compatibility,
> the user and password are not specified as mandatory arguments -
> although we want to do that in future.
> 6. Added tokenAuthenticate to the admin interface.
>
> Note, existing subsystems will need to have config changes manually
> added in order to use the new interfaces.  Instructions will be added to
> the link above.  With new instances, you should be able to clone a CA
> all on the admin interface.
>
> The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH
>
> Please review,
> Ade

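The reviewer's check that the clone was configured over the admin interface was done by hand with grep against the Tomcat access log. As an added example (not code from the review, the patch, or the Dogtag/RHCS project), the script below parses lines in the same access-log format, groups requests by the CS interface in the URL path (admin, agent, ee), and lists every request that did not go through the admin interface, so the one EE getCAChain hit the reviewer flagged surfaces automatically. The sample lines are constructed from entries quoted in the review; the log format regex is an assumption matching those lines.

```python
import re
from collections import defaultdict

# One Tomcat access-log request line: ip - - [timestamp] "METHOD PATH PROTO" status bytes
# (assumed from the lines quoted in the review; adjust if the AccessLogValve pattern differs)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Interfaces a CS 8.x subsystem exposes under /<subsystem>/<interface>/...
INTERFACES = ("admin", "agent", "ee")

def parse_line(line):
    """Return a dict for one request line, or None if the line is not a request."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # /ca/admin/console/config/wizard -> "admin"; anything unrecognised -> "other"
    parts = rec["path"].split("?", 1)[0].split("/")
    rec["interface"] = parts[2] if len(parts) > 2 and parts[2] in INTERFACES else "other"
    return rec

def summarize(lines):
    """Count requests per interface, e.g. {'admin': 3, 'ee': 1}."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["interface"]] += 1
    return dict(counts)

def non_admin_requests(lines):
    """(interface, method, path) for every request that bypassed the admin interface.
    An empty list means the clone was configured entirely over the admin port."""
    return [(r["interface"], r["method"], r["path"])
            for r in map(parse_line, lines) if r and r["interface"] != "admin"]

# Constructed sample: three admin-console requests plus the EE CA-chain download
SAMPLE_LOG = """\
10.14.16.14 - - [14/Feb/2013:00:58:31 -0500] "GET /ca/admin/console/config/wizard HTTP/1.1" 200 8510
10.14.16.14 - - [14/Feb/2013:00:59:01 -0500] "POST /ca/admin/console/config/wizard?p=5&subsystem=CA HTTP/1.1" 200 8852
10.14.16.14 - - [14/Feb/2013:01:00:34 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:01:00:58 -0500] "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for hit in non_admin_requests(SAMPLE_LOG):
        print("non-admin request:", *hit)
```

Run it against /var/log/pki-ca-clone/localhost_access_log.<date>.txt (read the file into a list of lines) to get the same answer the three grep commands give, with the non-admin hits isolated.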