[Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)

Ade Lee alee at redhat.com
Thu Feb 14 16:37:02 UTC 2013


On Wed, 2013-02-13 at 18:34 -0800, Matthew Harmsen wrote:
> This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source
> code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:
>       * ACK with CAVEATS
> Presuming that the CAVEATS are addressed, the patches for
> PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.
> 
> CAVEAT 1:
>         In TokenAuthentication.java, change line 166 from:
>             c = sendAuthRequest(authHost, authAdminPort, authURL, content);
>         to:
>             c = sendAuthRequest(authHost, authEEPort, authURL, content);

Will be fixed prior to check in.

> CAVEAT 2:
>         This was more of an observation that may be due to CAVEAT 1
>         above, but in TEST SCENARIO 2 below, please note the comments
>         in RED text.

See comments below.

> TEST SCENARIO 1:  Pre-Patched CA Master, Pre-Patched KRA, Patched CA
> Clone
>       * On a 64-bit x86_64 RHEL 6.3 machine:
>               * cd /usr/sbin
>               * ./setup-ds-admin (ds-master - 389)
>               * ./setup-ds (ds-clone - 8389)
>               * Stopped both servers
>               * Turned syntax checking off in both DS servers --
>                 nsslapd-syntaxcheck: off
>               * Restarted both servers
>       * On the 64-bit x86_64 RHEL 5.9 machine:
>               * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
>               * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
>               * Successfully built and installed a Master CA 'pki-ca'
>                 using the pre-patched source code
>               * Using a fresh profile in a browser, successfully
>                 configured 'pki-ca' using ports in the default CA
>                 range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate:
>                       * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent
>                         Master'
>               * Successfully built and installed a KRA 'pki-kra' using
>                 the pre-patched source code
>               * Successfully configured 'pki-kra' using ports in the
>                 default KRA range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate in which the keys were backed up to the
>                 DRM:
>                       * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED
>                         Agent Master'
>               * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
>               * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
>               * Saved 'cloning.8.errata.patch' from email attachment
>               * cd pki
>               * patch -p0 < ../cloning.8.errata.patch
>                 patching file
>                 base/ca/shared/webapps/ca/WEB-INF/web.xml
>                 patching file base/ca/shared/conf/acl.ldif
>                 patching file
>                 base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
>                 patching file base/setup/pkiremove
>                 patching file
>                 base/tks/shared/webapps/tks/WEB-INF/web.xml
>                 patching file
>                 base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
>                 patching file
>                 base/kra/shared/webapps/kra/WEB-INF/web.xml
>               * Applied the change documented in CAVEAT 1 above
>               * Successfully built and updated all CA and KRA packages
>               * Restarted both CA and KRA instances
>               * Successfully tested that CA still worked:
>                       * 'Test PATCHED EE Master PATCHED Agent Master'
>               * Successfully tested that KRA still worked:
>                       * 'DRM Test PATCHED EE Master PATCHED Agent
>                         Master'
>               * Successfully installed a CA Clone called
>                 'pki-ca-clone' via 'pkicreate' using ports in the
>                 default+10000 range using the patched source code
>               * Installed the PK12 file that contained all of the
>                 certs and keys backed up via configuration of 'pki-ca'
>                 into /var/lib/pki-ca-clone/alias and set all ownership
>                 permissions to be 'pkiuser':
>                 
>                 # ls -lZ /var/lib/pki-ca-clone/alias/*
>                 -rw-rw-r--  pkiuser pkiuser
>                 user_u:object_r:pki_ca_var_lib_t
>                 pki_ca_master_backup.p12
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t cert8.db
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t key3.db
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t secmod.db
>                 
>               * Successfully configured 'pki-ca-clone' using ports in
>                 the default CA + 10000 range and the 'ds-clone' DS
>                 server
>               * Successfully tested that CA Master and CA Clone worked
>                 together:
>                       * 'Test EE Master Agent Master'
>                       * 'Test EE Master Agent Clone'
>                       * 'Test EE Clone Agent Master'
>                       * 'Test EE Clone Agent Clone'
>               * Successfully tested that CA Master, CA Clone, and KRA
>                 worked together:
>                       * 'DRM Test EE Master Agent Master'
>                       * 'DRM Test EE Master Agent Clone'
>                       * 'DRM Test EE Clone Agent Master'
>                       * 'DRM Test EE Clone Agent Clone'
> TEST SCENARIO 2:  Patched CA Master, Patched KRA, Patched CA Clone
>       * On a 64-bit x86_64 RHEL 6.3 machine:
>               * cd /usr/sbin
>               * ./setup-ds-admin (ds-master - 389)
>               * ./setup-ds (ds-clone - 8389)
>               * Stopped both servers
>               * Turned syntax checking off in both DS servers --
>                 nsslapd-syntaxcheck: off
>               * Restarted both servers
>       * On the 64-bit x86_64 RHEL 5.9 machine:
>               * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
>               * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
>               * Successfully built and installed a Master CA 'pki-ca'
>                 using the pre-patched source code
>               * Using a fresh profile in a browser, successfully
>                 configured 'pki-ca' using ports in the default CA
>                 range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate:
>                       * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent
>                         Master'
>               * Successfully built and installed a KRA 'pki-kra' using
>                 the pre-patched source code
>               * Successfully configured 'pki-kra' using ports in the
>                 default KRA range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate in which the keys were backed up to the
>                 DRM:
>                       * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED
>                         Agent Master'
>               * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
>               * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
>               * Saved 'cloning.8.errata.patch' from email attachment
>               * cd pki
>               * patch -p0 < ../cloning.8.errata.patch
>                 patching file
>                 base/ca/shared/webapps/ca/WEB-INF/web.xml
>                 patching file base/ca/shared/conf/acl.ldif
>                 patching file
>                 base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
>                 patching file
>                 base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
>                 patching file base/setup/pkiremove
>                 patching file
>                 base/tks/shared/webapps/tks/WEB-INF/web.xml
>                 patching file
>                 base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
>                 patching file
>                 base/kra/shared/webapps/kra/WEB-INF/web.xml
>               * Applied the change documented in CAVEAT 1 above
>               * Successfully built and installed a Master CA 'pki-ca'
>               * Using a fresh profile in a browser, successfully
>                 configured 'pki-ca' using ports in the default CA
>                 range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate:
>                       * 'Test'
>               * Successfully built and installed a KRA 'pki-kra'
>               * Successfully configured 'pki-kra' using ports in the
>                 default KRA range and the 'ds-master' DS server
>               * Successfully created, submitted, and approved a
>                 certificate in which the keys were backed up to the
>                 DRM:
>                       * 'DRM Test'
>               * Successfully installed a CA Clone called
>                 'pki-ca-clone' via 'pkicreate' using ports in the
>                 default+10000 range
>               * Installed the PK12 file that contained all of the
>                 certs and keys backed up via configuration of 'pki-ca'
>                 into /var/lib/pki-ca-clone/alias and set all ownership
>                 permissions to be 'pkiuser':
>                 
>                 # ls -lZ /var/lib/pki-ca-clone/alias/*
>                 -rw-rw-r--  pkiuser pkiuser
>                 user_u:object_r:pki_ca_var_lib_t
>                 pki_ca_master_backup.p12
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t cert8.db
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t key3.db
>                 -rw-------  pkiuser pkiuser
>                 system_u:object_r:pki_ca_var_lib_t secmod.db
>                 
>               * Successfully configured 'pki-ca-clone' using ports in
>                 the default CA + 10000 range and the 'ds-clone' DS
>                 server
>               * Per request, verified that 'admin' port was being used
>                 for CA Clone:
>                 
This is the incorrect verification.  The verification that is supposed
to be done is to ensure that the master is not contacted on any port
other than the admin port during a configuration.

This means that you need to look at the access log for the master
(pki-ca) for the duration of the installation.

Looking at your logs, I see the following interactions for the
master during the time of the clone configuration:

10.14.1.8 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fpki-ip-host.dsdev.sjc.redhat.com%3A19445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA HTTP/1.1" 200 3904
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-base.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-360.css HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4093
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /ca/img/logo_header.gif HTTP/1.1" 304 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_tr.gif HTTP/1.1" 404 -
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_br.gif HTTP/1.1" 404 -
10.14.1.8 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 18359
10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 200 83
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 2063

In fact, we really only care about the interactions from 10.14.1.8.  The
ones from 10.14.16.14 are actually the CA master talking to itself.  All
of the above are on the admin port.  So the verification is successful.
 
>                 # cd /var/log/pki-ca-clone
>                 # grep -i agent localhost_access_log.2013-02-14.txt
>                 # grep -i ee localhost_access_log.2013-02-14.txt
>                 10.14.16.14 - - [14/Feb/2013:01:00:58 -0500]
>                 "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
>                 # grep -i admin localhost_access_log.2013-02-14.txt
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 -
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/config/wizard HTTP/1.1" 200
>                 8510
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
>                 200 1316
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
>                 200 1787
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200
>                 318
>                 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
>                 "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
>                 200 1146
>                 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 11862
>                 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500]
>                 "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1"
>                 200 43
>                 10.14.16.14 - - [14/Feb/2013:00:58:40 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 10106
>                 10.14.16.14 - - [14/Feb/2013:00:58:47 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 12566
>                 10.14.16.14 - - [14/Feb/2013:00:58:52 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 302 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
>                 "POST /ca/admin/console/config/wizard?p=5&subsystem=CA
>                 HTTP/1.1" 200 8852
>                 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
>                 "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
>                 "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
>                 "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:11 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 12557
>                 10.14.16.14 - - [14/Feb/2013:00:59:14 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 8492
>                 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 10006
>                 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
>                 "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
>                 "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
>                 "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 32918
>                 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
>                 "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
>                 "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
>                 "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
>                 304 -
>                 10.14.16.14 - - [14/Feb/2013:01:00:42 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 11690
>                 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 68264
>                 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500]
>                 "GET /ca/admin/console/img/certificate.png HTTP/1.1"
>                 200 4663
>                 10.14.16.14 - - [14/Feb/2013:01:00:52 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 8652
>                 10.14.16.14 - - [14/Feb/2013:01:00:56 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 8215
>                 10.14.16.14 - - [14/Feb/2013:01:01:02 -0500]
>                 "POST /ca/admin/console/config/wizard HTTP/1.1" 200
>                 7832
>                 
>               * Successfully tested that CA Master and CA Clone worked
>                 together:
>                       * 'Test EE Master Agent Master'
>                       * 'Test EE Master Agent Clone'
>                       * 'Test EE Clone Agent Master'
>                       * 'Test EE Clone Agent Clone'
>               * Successfully tested that CA Master, CA Clone, and KRA
>                 worked together:
>                       * 'DRM Test EE Master Agent Master'
>                       * 'DRM Test EE Master Agent Clone'
>                       * 'DRM Test EE Clone Agent Master'
>                       * 'DRM Test EE Clone Agent Clone'
> On 02/12/13 12:11, Ade Lee wrote:
> 
> > We want to use the admin interface for installation work.  This patch
> > moves the interfaces used in cloning from either the EE or agent
> > interface to the admin one.  See:
> > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
> > 
> > Specifically, 
> > 1. Change call to use /ca/admin/ca/getCertChain
> > 2. Remove unneeded getTokenInfo servlet.  The logic not to use this
> > servlet has already been committed to dogtag 10.
> > 3. Move updateNumberRange to the admin interface.  For backward
> > compatibility with old instances, the install code will
> > call /ca/agent/updateNumberRange as a fallback.
> > 4. Add updateDomainXML to admin interface.  For backward compatibility,
> > updateDomainXML will continue to be exposed on the agent interface with
> > agent client auth.
> > 5. Changed pkidestroy to get an install token and use the admin
> > interface to update the security domain.  For backward compatibility,
> > the user and password are not specified as mandatory arguments -
> > although we want to do that in future.
> > 6. Added tokenAuthenticate to the admin interface. 
> > 
> > Note, existing subsystems will need to have config changes manually
> > added in order to use the new interfaces.  Instructions will be added to
> > the link above.  With new instances, you should be able to clone a CA
> > all on the admin interface.
> > 
> > The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH
> > 
> > Please review, 
> > Ade

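The check described in the reply above (the master is contacted only on the admin interface during clone configuration), as an added example that is not part of the original thread or the project's code: it parses the master's access log, keeps requests from the clone host inside the installation window, and flags any whose normalized path falls outside `/ca/admin/`. Treating the path prefix as the indicator of the admin interface is an assumption, as are the function names; the last three sample lines are constructed.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Access log line layout seen in the thread: ip - - [ts] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# First four lines are taken from the master log quoted in the thread;
# the last three are constructed to exercise the failure cases.
SAMPLE = """\
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /ca/img/logo_header.gif HTTP/1.1" 304 -
10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/agent/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:00:59:50 -0500] "GET /ca/admin/../ee/ca/getCAChain HTTP/1.0" 200 1035
10.14.1.8 - - [14/Feb/2013:02:30:00 -0500] "GET /ca/ee/ca/getCAChain HTTP/1.0" 200 1035
"""


def parse_line(line):
    """Parse one access log line; return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # Drop the query string, decode %-escapes and collapse "..", so a request
    # that merely starts with the admin prefix cannot pass the check.
    rec["path"] = posixpath.normpath(unquote(rec["uri"].split("?", 1)[0]))
    return rec


def audit_master_log(lines, clone_ip, start, end, admin_prefix="/ca/admin/"):
    """Split the clone's requests in [start, end] into admin hits and violations.

    Lines that cannot be parsed are returned too, so a malformed entry is
    reviewed by hand instead of silently hiding a request.
    """
    admin, violations, unparsed = [], [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["ip"] != clone_ip or not (start <= rec["ts"] <= end):
            continue  # other hosts (e.g. the master itself) or outside the install
        path = rec["path"]
        on_admin = path == admin_prefix.rstrip("/") or path.startswith(admin_prefix)
        (admin if on_admin else violations).append(rec)
    return admin, violations, unparsed


def run_sample():
    """Audit the embedded sample for clone 10.14.1.8 over the configuration window."""
    start = datetime.strptime("14/Feb/2013:00:58:00 -0500", TS_FMT)
    end = datetime.strptime("14/Feb/2013:01:02:00 -0500", TS_FMT)
    return audit_master_log(SAMPLE.splitlines(), "10.14.1.8", start, end)


if __name__ == "__main__":
    admin, violations, unparsed = run_sample()
    print(f"{len(admin)} admin requests, {len(violations)} outside admin, "
          f"{len(unparsed)} unparsed")
    for v in violations:
        print("NOT ADMIN:", v["ts"].isoformat(), v["method"], v["uri"])
```

Run it against the master's `localhost_access_log` for the day of the installation; an empty violations list is the passing result.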