[Freeipa-devel] [PATCH] 843 reduce dogtag install time
Martin Kosek
mkosek at redhat.com
Tue Aug 2 11:49:50 UTC 2011
On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
> Ade Lee from the dogtag team looked at our installer and found that we
> restarted the pki-cad process too many times. Re-arranging some code
> allows us to restart it just once. The new config time for dogtag is 3
> 1/2 minutes, down from about 5 1/2.
>
> Ade is working on improvements in pki-silent as well which can bring the
> overall install time to 90 seconds. If we can get a change in SELinux
> policy we're looking at 60 seconds.
>
> This patch just contains the reworked installer part. Once an updated
> dogtag is released we can update the spec file to pull it in.
>
> rob
This worked fine for a standard dogtag installation + CA on a replica, but
it failed with an external CA:
/var/log/ipaserver-install.log:
...
<response>
<panel>admin/console/config/backupkeycertpanel.vm</panel>
<res/>
<pwdagain/>
<dobackup>checked</dobackup>
<errorString>Failed to create pkcs12 file.</errorString>
<size>19</size>
<pwd/>
<title>Export Keys and Certificates</title>
<panels>
<Vector>
<Panel>
....
2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-059.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
-preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
-admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
-ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
"cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name "CN=CA
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
"CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
-ca_audit_signing_cert_subject_name "CN=CA
Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
"CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
-ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
-ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
returned non-zero exit status 255
2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
...
Martin