From bob.lord at gmail.com Fri Sep 12 16:52:35 2008
From: bob.lord at gmail.com (bob.lord at gmail.com)
Date: Fri, 12 Sep 2008 09:52:35 -0700 (PDT)
Subject: [Pki-users] load balancers
Message-ID:

I'd like to put some load balancers in front of a set of TPS instances (acting as a single virtual TPS) and in front of the CAs that would issue the actual certs. The balancers would be more for reliability and uptime than performance.

Are there any limitations I need to know about? Is it possible to have multiple TPS instances talk to a single TKS instance?

/B

From cfu at redhat.com Fri Sep 12 17:47:29 2008
From: cfu at redhat.com (Christina Fu)
Date: Fri, 12 Sep 2008 10:47:29 -0700
Subject: [Pki-users] load balancers
In-Reply-To:
References:
Message-ID: <48CAAB31.3030303@redhat.com>

bob.lord at gmail.com wrote:
> I'd like to put some load balancers in front of a set of TPS instances
> (acting as a single virtual TPS) and in front of the CAs that would
> issue the actual certs. The balancers would be more for reliability
> and uptime than performance.
> Are there any limitations I need to know about? Is it possible to
> have multiple TPS instances talk to a single TKS instance?
> /B
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

You can have load balancers in front of TPS instances. Two things I'd like to call to your attention:

1. Between ESC and TPS, HTTP chunked encoding is used, so your load balancer needs to support that.
2. The phone home URL on the ESC needs to point to the load balancer.
Christina

From bob.lord at gmail.com Fri Sep 12 20:25:09 2008
From: bob.lord at gmail.com (Bob Lord)
Date: Fri, 12 Sep 2008 13:25:09 -0700
Subject: [Pki-users] load balancers
In-Reply-To: <48CAAB31.3030303@redhat.com>
References: <48CAAB31.3030303@redhat.com>
Message-ID:

On Fri, Sep 12, 2008 at 10:47 AM, Christina Fu wrote:
> bob.lord at gmail.com wrote:
>
>> I'd like to put some load balancers in front of a set of TPS instances
>> (acting as a single virtual TPS) and in front of the CAs that would issue
>> the actual certs. The balancers would be more for reliability and uptime
>> than performance.
>> Are there any limitations I need to know about? Is it possible to have
>> multiple TPS instances talk to a single TKS instance? /B
>>
> You can have load balancers in front of TPS instances. Two things I'd like
> to call to your attention:
>
> 1. Between ESC and TPS, HTTP chunked encoding is used, so your load
> balancer needs to support that.
> 2. The phone home URL on the ESC needs to point to the load balancer.
>

The load balancers are (usually) transparent, so I'd still point them to tps.corp.example.com, and the load balancer would deal with the connection consistency, right? Let me know if I'm not thinking about this right.

-Bob
From satish at suburbia.org.au Mon Sep 15 12:25:01 2008
From: satish at suburbia.org.au (Satish Chetty)
Date: Mon, 15 Sep 2008 05:25:01 -0700
Subject: [Pki-users] load balancers
In-Reply-To:
References: <48CAAB31.3030303@redhat.com>
Message-ID: <48CE541D.8040402@suburbia.org.au>

Bob Lord wrote:
> On Fri, Sep 12, 2008 at 10:47 AM, Christina Fu wrote:
>
>> bob.lord at gmail.com wrote:
>>
>>> I'd like to put some load balancers in front of a set of TPS
>>> instances (acting as a single virtual TPS) and in front of the
>>> CAs that would issue the actual certs. The balancers would be
>>> more for reliability and uptime than performance.
>>> Are there any limitations I need to know about? Is it possible
>>> to have multiple TPS instances talk to a single TKS instance? /B
>>>
>> You can have load balancers in front of TPS instances. Two things
>> I'd like to call to your attention:
>>
>> 1. Between ESC and TPS, HTTP chunked encoding is used, so your load
>> balancer needs to support that.
>> 2. The phone home URL on the ESC needs to point to the load balancer.
>>
>
> The load balancers are (usually) transparent, so I'd still point them to
> tps.corp.example.com, and the load balancer would deal with the
> connection consistency, right? Let me know if I'm not thinking about
> this right.

Not sure if my scenario is the same, but some time ago I tried to configure a load balancer between two CA instances, e.g. the load balancer was trying to send traffic to ca1.example.com and ca2.example.com. The client saw it as a man in the middle attack (as the client was going to ca.example.com). Tried different things to make it work but without success.

-Satish.
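The two cautions Christina gives (the ESC/TPS traffic uses HTTP chunked encoding, and the ESC phone-home URL must name the balancer) and the warning Satish ran into (a client that connected to ca.example.com and was handed a certificate naming only ca1.example.com treats that as a possible impersonation, because the name does not match) can both be checked before a VIP goes live. The script below is an added example, not something from this thread or from Dogtag: it contains an offline chunked-encoding codec, an offline SAN/CN name matcher, and a probe() that connects through the VIP, reports which names the presented certificate carries, and sends a small chunked POST so you can see whether the balancer forwards it. The VIP hostname, port and request path are placeholders you supply; tps.corp.example.com is taken from Bob's message.

```python
"""Pre-flight checks for a Dogtag TPS/CA placed behind a load-balancer VIP.

Added example (not from the thread and not Dogtag code). Two independent checks:
  1. an HTTP/1.1 chunked-encoding codec, so you can see what the VIP must pass
     through untouched between ESC and TPS;
  2. a SAN/CN hostname matcher, so you can see why a backend certificate naming
     ca1.example.com fails for a client that connected to ca.example.com.
probe() ties them together against a live VIP; host, port and path are yours.
"""
import socket
import ssl


def encode_chunked(payload: bytes, chunk_size: int = 5) -> bytes:
    """Frame a body as chunked transfer encoding (RFC 7230 section 4.1)."""
    parts = []
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        parts.append(b"%x\r\n%s\r\n" % (len(piece), piece))
    parts.append(b"0\r\n\r\n")          # last-chunk, no trailers
    return b"".join(parts)


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body; raise if the framing is broken."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)  # ignore chunk-ext
        pos = end + 2
        if size == 0:
            return bytes(out)              # trailers (if any) follow; not needed here
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF at offset %d" % pos)
        pos += size + 2


def hostname_matches(expected: str, names) -> bool:
    """RFC 6125-style match: exact, or a single wildcard in the left-most label."""
    expected = expected.lower().rstrip(".")
    exp_labels = expected.split(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            pat_labels = name.split(".")
            if len(pat_labels) == len(exp_labels) and pat_labels[1:] == exp_labels[1:]:
                return True
    return False


def names_from_cert(cert: dict) -> list:
    """DNS SANs from ssl.getpeercert(); subject CN only as a legacy fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [value for key, value in rdn if key == "commonName"]
    return names


def probe(vip_host: str, port: int = 443, path: str = "/", cafile=None):
    """Connect through the VIP (network use only): report the certificate's names,
    whether they cover the VIP name, and the status line for a chunked POST."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False        # chain is still verified; we report the name check ourselves
    with socket.create_connection((vip_host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=vip_host) as tls:
            names = names_from_cert(tls.getpeercert())
            head = (b"POST " + path.encode() + b" HTTP/1.1\r\nHost: " + vip_host.encode()
                    + b"\r\nTransfer-Encoding: chunked\r\nConnection: close\r\n\r\n")
            tls.sendall(head + encode_chunked(b"probe=1", 3))
            reply = b""
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                reply += data
    return names, hostname_matches(vip_host, names), reply.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "tps.corp.example.com"  # placeholder VIP
    names, ok, status = probe(host, int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("cert names:", names, "| covers", host, ":", ok, "| chunked POST ->", status)
```

If probe() reports that the names do not cover the VIP hostname, the backend certificates need the VIP name as a SAN (or the balancer terminates TLS with its own certificate); if the status line comes back as an error for the chunked POST but not for a plain one, the balancer is not passing chunked bodies through.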
From mpeck1 at gmail.com Thu Sep 18 13:28:10 2008
From: mpeck1 at gmail.com (Michael Peck)
Date: Thu, 18 Sep 2008 09:28:10 -0400
Subject: [Pki-users] CMC support
Message-ID: <248307980809180628o720f30b1ia438aebf89de89a3@mail.gmail.com>

Hi -

My question is a follow-on to the CMC enrollment thread from April 28.

The earlier thread says CMC requests have to be inputted through the web based "certificate enrollment profiles" by filling in a form field with the request data.

I noticed the Dogtag CA has servlets running at:
/ee/ca/profileSubmitCMCFull
/ee/ca/profileSubmitCMCSimple
/ee/ca/CMCRevReq

Is it possible for a client to send requests directly to those servlets instead of going through the web form -- and is there a way for the client to receive the CMC Response from the server as described in the RFC, rather than just the text message / base64 certificate returned by the web form after it is submitted?

Also, do CMC requests always have to be signed by an authorized agent, or has there been any thought to allowing clients to rekey their own certificates directly with the CA? (e.g. authenticate a new certificate request using the old certificate with the same subject)

Has interoperability been tested with any tools besides the ones described here http://pki.fedoraproject.org/wiki/PKI_Java_Tools (CMCEnroll/CMCRequest/etc.)? Do any other CMC clients actually exist?

Thanks,
Mike Peck
From pequenaxete at gmail.com Fri Sep 19 06:45:48 2008
From: pequenaxete at gmail.com (Nacho)
Date: Fri, 19 Sep 2008 08:45:48 +0200
Subject: [Pki-users] PKI doesn't work when i reboot the computer
Message-ID: <3e13dfae0809182345h5a260b2eld859d7a109b4bda7@mail.gmail.com>

Hi all,

I have mounted the Fedora PKI and all modules are installed correctly, but as soon as I restart the machine it no longer works at all. When I start the pki-ca and try to access the agent services, it asks me for authentication; I enter the password correctly and it shows me the options of the pki-ca, but in the middle it says "Invalid credentials". The same problem occurs in the other modules when I try to access them.

Has anyone else had the same problem???

The PKI is mounted in Fedora 8, and I had a problem in the configuration of the pki-ra with the package nss-tools, but this is already solved.

Thanks,
Nacho.

From cfu at redhat.com Fri Sep 19 16:23:55 2008
From: cfu at redhat.com (Christina Fu)
Date: Fri, 19 Sep 2008 09:23:55 -0700
Subject: [Pki-users] CMC support
In-Reply-To: <248307980809180628o720f30b1ia438aebf89de89a3@mail.gmail.com>
References: <248307980809180628o720f30b1ia438aebf89de89a3@mail.gmail.com>
Message-ID: <48D3D21B.9000201@redhat.com>

Michael Peck wrote:
> Hi -
>
> My question is a follow-on to the CMC enrollment thread from April 28.
>
> The earlier thread says CMC requests have to be inputted through the
> web based "certificate enrollment profiles" by filling in a form field
> with the request data.
>
> I noticed the Dogtag CA has servlets running at:
> /ee/ca/profileSubmitCMCFull
> /ee/ca/profileSubmitCMCSimple
> /ee/ca/CMCRevReq
> Is it possible for a client to send requests directly to those
> servlets instead of going through the web form -- and is there a way
> for the client to receive the CMC Response from the server as
> described in the RFC, rather than just the text message / base64
> certificate returned by the web form after it is submitted?

You don't have to use a web form. Here is an example of how to use sslget to submit a request:
https://www.redhat.com/docs/manuals/cert-system/tools/7.2/SSLGet-Usage.html

While the example on the page is not the same servlet and request type, I imagine it's similar. The response can be XML output instead of a web form, as you can see in the example. Just make sure you tweak the enrollment profile "output" and "input" to fit your needs. You can learn about how to tweak/customize your profiles here:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_Profiles.html

> Also, do CMC requests always have to be signed by an authorized agent,
> or has there been any thought to allowing clients to rekey their own
> certificates directly with the CA? (e.g. authenticate a new
> certificate request using the old certificate with the same subject)

Authentication and authorization can also be customized. You can eliminate the authz altogether if that's what you wish. You can also write your own authorization or authentication plugins. You can copy one from the existing plugins and work from there too. All the existing authentication plugins are in pki/base/common/src/com/netscape/cms/authentication and all the authorization plugins are in /home/cfu/dogtag/src4/pki/base/common/src/com/netscape/cms/authorization. You can customize the enrollment servlets too.

Finally, if you feel that your plugins could be contributed back to Dogtag, we welcome you to submit them for review!
Thanks!
Christina

> Has interoperability been tested with any tools besides the ones
> described here http://pki.fedoraproject.org/wiki/PKI_Java_Tools
> (CMCEnroll/CMCRequest/etc.)? Do any other CMC clients actually exist?
>
> Thanks,
> Mike Peck
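Christina's answer is that a client can post straight to the servlet and ask for XML back, which the linked page shows with sslget. The script below is an added example, not from this thread and not Dogtag's own code: it does the same submission with only the Python standard library, so the request built by CMCRequest can be sent from any host with a CA bundle. Everything about the server side is an assumption to verify against your CA version: the servlet path /ca/ee/ca/profileSubmitCMCFull, the form fields profileId, cert_request_type=cmc and cert_request, the flag xml=true for an XML reply, the profile id caFullCMCUserCert, and the element names Status, Error and b64 in the reply (Status 0 is taken as success). SAMPLE_RESPONSE is constructed for the offline part, not captured from a CA. Whether the connection needs the agent's client certificate depends on how the profile's authentication is configured, which is the customization Christina describes.

```python
"""Submit a CMC request straight to the CA's profileSubmitCMCFull servlet.

Added example, not from the thread and not Dogtag's own code; it does what the
sslget invocation in the linked docs does, with only the standard library.
Assumptions to verify against your CA version: the servlet path
/ca/ee/ca/profileSubmitCMCFull, the form fields profileId, cert_request_type=cmc
and cert_request, the flag xml=true for an XML reply, and the element names
Status, Error and b64 in that reply (Status 0 taken as success).
SAMPLE_RESPONSE is constructed, not captured.
"""
import base64
import http.client
import ssl
import urllib.parse
import xml.etree.ElementTree as ET

SERVLET = "/ca/ee/ca/profileSubmitCMCFull"   # assumed path for the EE interface


def load_cmc_blob(text: str) -> bytes:
    """Accept CMCRequest output as bare base64 or with PEM-style armour lines."""
    b64 = "".join(s for s in (line.strip() for line in text.splitlines())
                  if s and not s.startswith("-----"))
    return base64.b64decode(b64)


def build_form(profile_id: str, cmc_der: bytes) -> dict:
    """Form fields the servlet expects (assumed names, see module docstring)."""
    return {
        "profileId": profile_id,                      # e.g. caFullCMCUserCert
        "cert_request_type": "cmc",
        "cert_request": base64.b64encode(cmc_der).decode("ascii"),
        "xml": "true",                                # XML instead of an HTML page
    }


def parse_response(xml_text: str) -> dict:
    """Status, error text and any issued certificates (DER) from the XML reply."""
    root = ET.fromstring(xml_text)
    status = (root.findtext("Status") or "").strip()
    error = (root.findtext("Error") or "").strip()
    certs = [base64.b64decode(e.text.strip()) for e in root.iter("b64") if e.text]
    return {"ok": status == "0", "status": status, "error": error, "certs": certs}


def submit(host, port, form, cafile, client_cert=None, client_key=None):
    """POST the form over TLS, verifying the CA's server certificate against
    cafile; optionally present a client certificate (the agent's, if the
    profile's authentication requires one)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    conn.request("POST", SERVLET, urllib.parse.urlencode(form),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


# Constructed sample of the shape parse_response() expects; the b64 payload is a
# five-byte DER SEQUENCE stand-in, not a real certificate.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<XMLResponse>
  <Status>0</Status>
  <Requests>
    <Request>
      <Id>12</Id>
      <b64>MAMCAQA=</b64>
    </Request>
  </Requests>
</XMLResponse>"""


if __name__ == "__main__":
    import sys
    # usage: submit_cmc.py HOST PORT CMC_FILE CA_BUNDLE [CLIENT_CERT CLIENT_KEY]
    host, port, cmc_file, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    with open(cmc_file) as fh:
        form = build_form("caFullCMCUserCert", load_cmc_blob(fh.read()))
    code, body = submit(host, port, form, cafile, *sys.argv[5:7])
    result = parse_response(body) if code == 200 else {"ok": False, "error": body[:200]}
    print(code, result["ok"], result.get("error"), len(result.get("certs", [])), "cert(s)")
```

The reply this parses is the profile's XML output, not a PKCS#7 CMC PKIResponse as in the RFC; that part of Michael's question is about what the profile's "output" is configured to emit, which Christina's second link covers.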