[Pki-devel] [PATCH] PKI Deployment Framework PKI TRAC issues (07/28/2012)

Ade Lee alee at redhat.com
Tue Jul 31 03:59:15 UTC 2012


ACK - pushed to master.

On Sat, 2012-07-28 at 22:40 -0700, Matthew Harmsen wrote:
> This patch documents continued implementation of the PKI Deployment
> Framework based upon the revised filesystem layout documented here:
>       * http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_OCSP_.2F_RA_.2F_TKS_.2F_TPS
> This patch addresses the following issues:
>       * TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of
>         sporadically "not" removing
>         "/etc/sysconfig/{pki_instance_id}" . . .
>       * TRAC Ticket #264 - Dogtag 10: Enable various other subsystems
>         for configuration . . .
>       * TRAC Ticket #261 - Dogtag 10: Revisit command-line options of
>         'pkispawn' and 'pkidestroy' . . .
>       * TRAC Ticket #268 - Dogtag 10: Create a parameter for optional
>         restart of configured PKI instance . . .
>       * TRAC Ticket #270 - Dogtag 10: Add missing parameters to
>         'pkideployment.cfg' . . .
>       * TRAC Ticket #265 - Dogtag 10: Provide configurable options for
>         PKI client information . . .
>       * TRAC Ticket #275 - Dogtag 10: Add debug information (comments)
>         to Tomcat 7 "logging.properties"
>       * TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to the
>         'sensitive' dictionary
>       * TRAC Ticket #277 - Dogtag 10: Create an 'archive' for
>         'manifest' and 'pkideployment.cfg' files
> 
> WARNING:  Due to some of the changes to the command-line parameters
> (mainly the introduction of a dependency on the existence of a new
> symlink), instances previously created with the old "pkispawn" will
> once again need to be removed by the old "pkidestroy" PRIOR to the
> installation of this patch.
> 
> Note:  You will definitely need to establish the following "passwords"
> in your copy of "pkideployment.cfg" in order to install a "CA":
> 
>               * pki_admin_password
>               * pki_client_pkcs12_password
>               * pki_ds_password
>               * pki_security_domain_password
> 
>         I ran the following command:
> 
>               pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv
>         
>         Unfortunately, for me, out-of-the-box installation failed with
>         the following problem:
>               * pkispawn    : ERROR    ....... port 8080 has invalid
>                 selinux context http_cache_port_t
>         This error occurred despite downloading the latest SELinux
>         policies on my 64-bit Fedora 17 box and compiling
>         'pki-selinux' against them.
>         
>         The work-around that I used was to edit
>         "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py"
>         and comment out the call to
>         "util.configuration_file.verify_selinux_ports()" in the 'spawn()'
>         method.
>         
>         Re-running the command 'pkispawn -s CA
>         -f /tmp/pki/pkideployment.cfg -vvv' now produces the following
>         error:
>         pkispawn    : INFO     ... populating 'pki.deployment.selinux_setup'
>         Traceback (most recent call last):
>           File "/bin/pkispawn", line 225, in <module>
>             main(sys.argv)
>           File "/bin/pkispawn", line 212, in main
>             rv = instance.spawn()
>           File "/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py", line 69, in spawn
>             port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
>           File "/usr/lib64/python2.7/site-packages/seobject.py", line 1045, in add
>             self.__add(port, proto, serange, type)
>           File "/usr/lib64/python2.7/site-packages/seobject.py", line 1002, in __add
>             raise ValueError(_("Port %s/%s already defined") % (proto, port))
>         ValueError: Port tcp/8080 already defined
>         My work-around to fix this error is to remove the symlinks
>         which call the 'selinux_setup.py' scriptlet for both
>         'pkispawn' and 'pkidestroy':
>               * rm /usr/share/pki/deployment/spawn/*/035_selinux_setup
>               * rm /usr/share/pki/deployment/destroy/*/985_selinux_setup
>         Unfortunately, at this stage, sufficient installation has been
>         made which prevents a new installation, and 'pkidestroy' in its
>         current incarnation will be unable to completely remove the
>         instance.  Therefore, presuming an instance name of 'pki-tomcat',
>         run the following commands:
>               * rm -rf /var/lib/pki
>               * rm -rf /etc/pki/pki-tomcat/
>               * rm -rf /etc/sysconfig/pki
>               * rm -rf /var/log/pki
>               * rm /etc/sysconfig/pki-tomcat (this command will fail,
>                 as it has not yet been created)
>         Re-running the command 'pkispawn -s CA
>         -f /tmp/pki/pkideployment.cfg -vvv' should now run to
>         successful completion!
>         
>         To test this patch, run the test instructions documented in
>         earlier patches for installing the Admin Cert.
>         Note that the 'ca_admin_cert.p12' file is now located under
>         '/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12',
>         and since a browser may not have the appropriate permissions to
>         traverse past the '/var/lib/pki' directory, the administrator
>         will need to make this file available (i.e., copy it to /tmp).
>         
>         Please note that although KRA, OCSP, and TKS installations will
>         run to completion, at the present time a crash occurs in the
>         invocation of the java configuration client (quite possibly due
>         to the specification of incorrect/incomplete parameters for
>         these subsystems).
>         
> Thanks,
> -- Matt
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
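The SELinux failure in the quoted message (port 8080 already carries http_cache_port_t, so seobject's add raises "Port tcp/8080 already defined") is the kind of state worth checking before pkispawn touches port labels. The Python below is an added example, not code from this patch or from Dogtag: it parses `semanage port -l` output (a constructed sample, not captured from any host), and for each port an instance needs it decides whether the port is unlabelled (`semanage port -a` is right), already has the wanted type (nothing to do), or has a different type (`semanage port -m`, the case an unconditional add cannot handle). The port list and the http_port_t target type are assumptions for illustration; the real constant lives in config.PKI_PORT_SELINUX_CONTEXT.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `semanage port -l` output (not captured from any host).
# The 8080 entry mirrors the situation in the mail: 8080 is already labelled
# http_cache_port_t, so a plain `add` of another type fails.
SAMPLE_SEMANAGE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t                  tcp      829, 9180, 9701, 9443-9447
"""

# (proto, port) -> (SELinux type, the exact token semanage lists it under)
PortLabels = Dict[Tuple[str, int], Tuple[str, str]]


def parse_port_list(text: str) -> PortLabels:
    """Index `semanage port -l` output by (proto, port).

    Ranges such as 10001-10010 are expanded so single-port lookups work, but
    the original token is kept because semanage addresses a mapping by the
    exact port or range it was defined with."""
    labels: PortLabels = {}
    line_re = re.compile(r"^(\S+)\s+(tcp|udp)\s+(\S.*)$")
    for line in text.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue  # header and blank lines
        setype, proto, ports = m.groups()
        for token in (t.strip() for t in ports.split(",")):
            if not token:
                continue
            lo, _, hi = token.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                labels[(proto, port)] = (setype, token)
    return labels


def plan_port_labels(labels: PortLabels, wanted: List[Tuple[str, int]],
                     setype: str) -> List[dict]:
    """Decide, per wanted port, how to reach `setype` without tripping
    "Port tcp/NNNN already defined".

    add    -> port carries no label yet: `semanage port -a` is correct
    noop   -> port already has the wanted type
    modify -> port has another type: `semanage port -m` (the case pkispawn hit)
    """
    plan = []
    for proto, port in wanted:
        current = labels.get((proto, port))
        if current is None:
            action, cur_type, target = "add", None, str(port)
        elif current[0] == setype:
            action, cur_type, target = "noop", current[0], current[1]
        else:
            action, cur_type, target = "modify", current[0], current[1]
        cmd = None
        if action != "noop":
            flag = "-a" if action == "add" else "-m"
            cmd = f"semanage port {flag} -t {setype} -p {proto} {target}"
        plan.append({"proto": proto, "port": port, "action": action,
                     "current": cur_type, "command": cmd})
    return plan


def conflicting_ports(plan: List[dict]) -> List[Tuple[str, int]]:
    """Ports that would make an unconditional `add` fail, i.e. what a
    pre-flight check like verify_selinux_ports() should report."""
    return [(p["proto"], p["port"]) for p in plan if p["action"] == "modify"]


if __name__ == "__main__":
    # Assumed example ports for a Tomcat-based CA instance: HTTP 8080,
    # HTTPS 8443, AJP 8009, Tomcat shutdown 8005 (illustrative only).
    WANTED = [("tcp", 8080), ("tcp", 8443), ("tcp", 8009), ("tcp", 8005)]
    labels = parse_port_list(SAMPLE_SEMANAGE_PORT_LIST)
    for step in plan_port_labels(labels, WANTED, "http_port_t"):
        print(f"{step['proto']}/{step['port']:<5} {step['action']:<6} "
              f"current={step['current']}  {step['command'] or ''}")
```

Run it against real `semanage port -l` output before pkispawn and act on the `modify` entries first; that is the state the quoted traceback shows, and an `add` will never repair it. Note that a port which appears only inside a range (10005 above) is reported with the whole range, since that is the entry semanage knows about.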