[Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml

John Magne jmagne at redhat.com
Thu Aug 6 00:02:37 UTC 2015


The fixes here look good and do what is intended.

Allow me to counter propose though.


Those OCSP URLs, at least on my system with an OCSP responder, actually
do something:

For instance:

http://host:8080/ee/ocsp/ee/<binary ocsp request> blob actually works.
It works with wget or with the browser if you append "/<binary ocsp request>" 
on the end.

The server actually processes the request and sends a file with the binary
OCSP response.


The proposal is: Can we just put the dummy <OCSP Request Blob> on the end
to tell the user that these URLs are in fact used to verify certificates?


For those that report that going to the URL with the browser results in an error,
I do not understand. On my box, if you go straight to the URL with no request on the end,
it just greets you with a blank page and does not error out.



----- Original Message -----
> From: "Matthew Harmsen" <mharmsen at redhat.com>
> To: "pki-devel" <pki-devel at redhat.com>
> Sent: Tuesday, August 4, 2015 3:43:19 PM
> Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
> 
> Please review the attached patch which addresses the following two tickets:
> 
> 
>     * PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
>     subsystems which are not accessible
>     * PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
>     shows an error page
> 
> 
> These were tested by installing four new instances and running 'pkidaemon
> status tomcat pki-tomcat'. The following four inaccessible URLs no longer
> showed up:
> 
> 
>     * Unsecure URL = http://pki.example.com:8080/kra/ee/kra (1443)
>     * Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp (1518)
>     * Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp (1518)
>     * Unsecure URL = http://pki.example.com:8080/tks/ee/tks (1443)
> 
> 
> Additionally, a test was run which showed that the upgrade code worked
> successfully:
> 
> 
> # pkidaemon status tomcat pki-tomcat
> Status for pki-tomcat: pki-tomcat is running ..
> 
> [CA Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ca/ee/ca
> Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
> Secure EE URL = https://pki.example.com:8443/ca/ee/ca
> Secure Admin URL = https://pki.example.com:8443/ca/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ca
> Tomcat Port = 8005 (for shutdown)
> 
> [DRM Status Definitions]
> Unsecure URL = http://pki.example.com:8080/kra/ee/kra
> Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
> Secure Admin URL = https://pki.example.com:8443/kra/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/kra
> Tomcat Port = 8005 (for shutdown)
> 
> [OCSP Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp
> Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
> Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp
> Secure Admin URL = https://pki.example.com:8443/ocsp/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
> Tomcat Port = 8005 (for shutdown)
> 
> [TKS Status Definitions]
> Unsecure URL = http://pki.example.com:8080/tks/ee/tks
> Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
> Secure Admin URL = https://pki.example.com:8443/tks/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/tks
> Tomcat Port = 8005 (for shutdown)
> 
> [CA Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: Root CA (Security Domain)
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [DRM Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: DRM
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [OCSP Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: OCSP
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [TKS Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: TKS
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> After running the upgrade script, the inaccessible URLs were removed:
> 
> 
> # pkidaemon status tomcat pki-tomcat
> Status for pki-tomcat: pki-tomcat is running ..
> 
> [CA Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ca/ee/ca
> Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
> Secure EE URL = https://pki.example.com:8443/ca/ee/ca
> Secure Admin URL = https://pki.example.com:8443/ca/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ca
> Tomcat Port = 8005 (for shutdown)
> 
> [DRM Status Definitions]
> Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
> Secure Admin URL = https://pki.example.com:8443/kra/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/kra
> Tomcat Port = 8005 (for shutdown)
> 
> [OCSP Status Definitions]
> Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
> Secure Admin URL = https://pki.example.com:8443/ocsp/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
> Tomcat Port = 8005 (for shutdown)
> 
> [TKS Status Definitions]
> Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
> Secure Admin URL = https://pki.example.com:8443/tks/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/tks
> Tomcat Port = 8005 (for shutdown)
> 
> [CA Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: Root CA (Security Domain)
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [DRM Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: DRM
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [OCSP Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: OCSP
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> [TKS Configuration Definitions]
> PKI Instance Name: pki-tomcat
> 
> PKI Subsystem Type: TKS
> 
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
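The reply above notes that the OCSP ee URL does real work once an OCSP request is appended to it. As an added worked example (not code from this thread or from the Dogtag project), the following pure-Python script builds a minimal DER-encoded OCSPRequest for one certificate and turns it into the GET form defined in RFC 6960 Appendix A.1, namely the responder URL with the URL-encoded base64 of the DER request appended as the last path segment. The issuer name, issuer public key and serial number are constructed sample values, and the base URL is the unsecure OCSP ee URL from the pkidaemon output quoted above, which is assumed here to accept that GET form.

```python
"""Build a DER OCSPRequest and its RFC 6960 Appendix A.1 GET URL (added example)."""
import base64
import hashlib
import urllib.parse

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters, as used in CertID.
SHA1_ALGID_DER = bytes.fromhex("300906052b0e03021a0500")

# RFC 6960 A.1: the GET form is only meant for encoded requests of at most 255 bytes.
MAX_GET_REQUEST_LEN = 255


def der_length(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Tag-length-value with the given tag byte."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (certificate serial numbers are positive)."""
    if value < 0:
        raise ValueError("serial numbers must be non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # pad so the two's-complement sign bit stays clear
        body = b"\x00" + body
    return der(0x02, body)


def build_ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """
    DER OCSPRequest with a single Request, no extensions and no signature:
      OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }
    issuer_name_der:   DER of the issuer Name exactly as it appears in the target certificate.
    issuer_public_key: contents of the issuer's subjectPublicKey BIT STRING (no tag, length
                       or unused-bits byte), which is what issuerKeyHash is computed over.
    """
    cert_id = der(0x30,
                  SHA1_ALGID_DER
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                  + der_integer(serial))                                 # serialNumber
    request = der(0x30, cert_id)
    request_list = der(0x30, request)
    tbs_request = der(0x30, request_list)
    return der(0x30, tbs_request)


def ocsp_get_url(base_url: str, request_der: bytes) -> str:
    """RFC 6960 A.1 GET form: {url}/{url-encoding of the base64 encoding of the DER request}."""
    encoded = base64.b64encode(request_der).decode("ascii")
    if len(encoded) > MAX_GET_REQUEST_LEN:
        raise ValueError("request too large for GET; POST it as application/ocsp-request instead")
    # safe="" percent-encodes '+', '/' and '=' so the path segment is not mangled in transit
    return base_url.rstrip("/") + "/" + urllib.parse.quote(encoded, safe="")


def decode_ocsp_get_url(base_url: str, url: str) -> bytes:
    """Reverse of ocsp_get_url; also checks that the payload is one well-formed DER SEQUENCE."""
    prefix = base_url.rstrip("/") + "/"
    if not url.startswith(prefix):
        raise ValueError("URL does not start with the responder base URL")
    der_bytes = base64.b64decode(urllib.parse.unquote(url[len(prefix):]), validate=True)
    if (len(der_bytes) < 2 or der_bytes[0] != 0x30 or der_bytes[1] & 0x80
            or len(der_bytes) != 2 + der_bytes[1]):
        raise ValueError("payload is not a single short-form DER SEQUENCE")
    return der_bytes


# Constructed sample inputs (not taken from any real CA): a Name DER for "CN=CA",
# 64 arbitrary bytes standing in for the issuer public key bits, and a serial number.
SAMPLE_ISSUER_NAME_DER = bytes.fromhex("300d310b3009060355040313024341")
SAMPLE_ISSUER_PUBLIC_KEY = bytes(range(64))
SAMPLE_SERIAL = 0x1234
# Unsecure OCSP ee URL from the pkidaemon output in this thread; assumed to accept the GET form.
OCSP_EE_URL = "http://pki.example.com:8080/ocsp/ee/ocsp"

if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_PUBLIC_KEY, SAMPLE_SERIAL)
    print(ocsp_get_url(OCSP_EE_URL, req))
```

The printed URL is what you would hand to wget or a browser; the response body is a DER OCSPResponse that can be inspected with `openssl ocsp -respin <file> -text`. Percent-encoding the base64 is the part that is easy to get wrong by hand: a raw `/` inside the encoded request would be read as a path separator by the servlet container, and a raw `+` may be turned into a space.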



