[Pki-devel] [pki-devel][PATCH] 0030-OCSP-and-CA-minor-cloning-fixes.patch

John Magne jmagne at redhat.com
Fri May 1 22:21:32 UTC 2015


Based on review comments from cfu and alee,
and ACKS from both, pushed to master.
Tickets #1294, #1058

----- Original Message -----
From: "John Magne" <jmagne at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Friday, May 1, 2015 10:25:43 AM
Subject: [Pki-devel] [pki-devel][PATCH]	0030-OCSP-and-CA-minor-cloning-fixes.patch

Tickets #1294, #1058

The patch does the following:

1. Allows an OCSP clone to actually install and operate.
It also sets a param appropriate for an OCSP clone. Ticket #1058

The controversial part of this one is the fact that I have disabled
having OCSP clones register themselves to the CA as publishing target.
The master is already getting the updates and we rely upon replication
to keep the clones updated. The current downside is the master is on an
island with respect to updates and could be considered a single point of failure.

Thus my proposal for this simple patch is to get the OCSP clone working as in existing
functionality. Then we come back and propose a ticket to allow the installer OCSP clones
to set up the publishers in such a way that all clones and master are registered, but when
it is actually time to publish, the CRL publisher has the smarts to know that members of a
clone cluster are in a group and the first successfull publish should end the processing of
that group.

2. Allows the CA clone to set some params to disable certain things that a clone should not do.
This was listed as a set of misc post install tasks that we are trying to automate.

Code tested to work.

1. OCSP clones can be installed and the CRL were checked to be in sync when an update occured to the master.
2. The CA clone has been seen to have the required params and it looks to come up just fine.
---

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel




More information about the Pki-devel mailing list