[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Martin Kosek mkosek at redhat.com
Tue Aug 2 11:49:50 UTC 2011


On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
> Ade Lee from the dogtag team looked at our installer and found that we 
> restarted the pki-cad process too many times. Re-arranging some code 
> allows us to restart it just once. The new config time for dogtag is 3 
> 1/2 minutes, down from about 5 1/2.
> 
> Ade is working on improvements in pki-silent as well which can bring the 
> overall install time to 90 seconds. If we can get a change in SELinux 
> policy we're looking at 60 seconds.
> 
> This patch just contains the reworked installer part. Once an updated 
> dogtag is released we can update the spec file to pull it in.
> 
> rob

This worked fine for standard dogtag installation + CA on a replica, but
it failed with external CA:

/var/log/ipaserver-install.log:
...
<response>
  <panel>admin/console/config/backupkeycertpanel.vm</panel>
  <res/>
  <pwdagain/>
  <dobackup>checked</dobackup>
  <errorString>Failed to create pkcs12 file.</errorString>
  <size>19</size>
  <pwd/>
  <title>Export Keys and Certificates</title>
  <panels>
    <Vector>
      <Panel>
....
2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-059.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
-preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
-admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
-ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
"cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name "CN=CA
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
"CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
-ca_audit_signing_cert_subject_name "CN=CA
Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
"CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
-ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
-ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
returned non-zero exit status 255
2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
...

Martin
