[Pki-devel] [PATCH] fixes to move to admin port for cloning CA's (RHCS 8.x)
Ade Lee
alee at redhat.com
Thu Feb 14 17:03:56 UTC 2013
Checked into PKI_8_BRANCH and PKI_8_1_ERRATA_BRANCH:
PKI_8_BRANCH:
[vakwetu at alee-workpc pki]$ svn ci -m "Resolves #90295 - allow CA cloning using adin port only"
Sending base/ca/shared/conf/acl.ldif
Sending base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending base/setup/pkiremove
Sending base/tks/shared/webapps/tks/WEB-INF/web.xml
Transmitting file data ...............
Committed revision 2522.
PKI_8_1_ERRATA_BRANCH:
[vakwetu at alee-workpc pki]$ svn ci -m "Resolves #90295 - allow CA cloning using admin port only"
Sending base/ca/shared/conf/acl.ldif
Sending base/ca/shared/webapps/ca/WEB-INF/web.xml
Sending base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/kra/shared/webapps/kra/WEB-INF/web.xml
Sending base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
Sending base/setup/pkiremove
Sending base/tks/shared/webapps/tks/WEB-INF/web.xml
Transmitting file data ...............
Committed revision 2523.
On Thu, 2013-02-14 at 11:37 -0500, Ade Lee wrote:
> On Wed, 2013-02-13 at 18:34 -0800, Matthew Harmsen wrote:
> > This code was reviewed by testing out PKI_8_1_ERRATA_BRANCH source
> > code on RHEL 5.9 using Directory Server storage located on RHEL 6.3:
> > * ACK with CAVEATS
> > Presuming that the CAVEATS are addressed, the patches for
> > PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH may be checked-in.
> >
> > CAVEAT 1:
> > In TokenAuthentication.java, change line 166 from:
> > c = sendAuthRequest(authHost, authAdminPort, authURL, content);
> > to:
> > c = sendAuthRequest(authHost, authEEPort, authURL, content);
>
> Will be fixed prior to check in.
>
> > CAVEAT 2:
> > This was more of an observation that may be due to CAVEAT 1
> > above, but in TEST SCENARIO 2 below, please note the comments
> > in RED text.
>
> See comments below.
>
> > TEST SCENARIO 1: Pre-Patched CA Master, Pre-Patched KRA, Patched CA
> > Clone
> > * On a 64-bit x86_64 RHEL 6.3 machine:
> > * cd /usr/sbin
> > * ./setup-ds-admin (ds-master - 389)
> > * ./setup-ds (ds-clone - 8389)
> > * Stopped both servers
> > * Turned syntax checking off in both DS servers --
> > nsslapd-syntaxcheck: off
> > * Restarted both servers
> > * On the 64-bit x86_64 RHEL 5.9 machine:
> > * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> > * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> > * Successfully built and installed a Master CA 'pki-ca'
> > using the pre-patched source code
> > * Using a fresh profile in a browser, successfully
> > configured 'pki-ca' using ports in the default CA
> > range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate:
> > * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent
> > Master'
> > * Successfully built and installed a KRA 'pki-kra' using
> > the pre-patched source code
> > * Successfully configured 'pki-kra' using ports in the
> > default KRA range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate in which the keys were backed up to the
> > DRM:
> > * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED
> > Agent Master'
> > * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> > * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> > * Saved 'cloning.8.errata.patch' from email attachment
> > * cd pki
> > * patch -p0 < ../cloning.8.errata.patch
> > patching file
> > base/ca/shared/webapps/ca/WEB-INF/web.xml
> > patching file base/ca/shared/conf/acl.ldif
> > patching file
> > base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
> > patching file base/setup/pkiremove
> > patching file
> > base/tks/shared/webapps/tks/WEB-INF/web.xml
> > patching file
> > base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> > patching file
> > base/kra/shared/webapps/kra/WEB-INF/web.xml
> > * Applied the change documented in CAVEAT 1 above
> > * Successfully built and updated all CA and KRA packages
> > * Restarted both CA and KRA instances
> > * Successfully tested that CA still worked:
> > * 'Test PATCHED EE Master PATCHED Agent Master'
> > * Successfully tested that KRA still worked:
> > * 'DRM Test PATCHED EE Master PATCHED Agent
> > Master'
> > * Successfully installed a CA Clone called
> > 'pki-ca-clone' via 'pkicreate' using ports in the
> > default+10000 range using the patched source code
> > * Installed the PK12 file that contained all of the
> > certs and keys backed up via configuration of 'pki-ca'
> > into /var/lib/pki-ca-clone/alias and set all ownership
> > permissions to be 'pkiuser':
> >
> > # ls -lZ /var/lib/pki-ca-clone/alias/*
> > -rw-rw-r-- pkiuser pkiuser
> > user_u:object_r:pki_ca_var_lib_t
> > pki_ca_master_backup.p12
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t cert8.db
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t key3.db
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t secmod.db
> >
> > * Successfully configured 'pki-ca-clone' using ports in
> > the default CA + 10000 range and the 'ds-clone' DS
> > server
> > * Successfully tested that CA Master and CA Clone worked
> > together:
> > * 'Test EE Master Agent Master'
> > * 'Test EE Master Agent Clone'
> > * 'Test EE Clone Agent Master'
> > * 'Test EE Clone Agent Clone'
> > * Successfully tested that CA Master, CA Clone, and KRA
> > worked together:
> > * 'DRM Test EE Master Agent Master'
> > * 'DRM Test EE Master Agent Clone'
> > * 'DRM Test EE Clone Agent Master'
> > * 'DRM Test EE Clone Agent Clone'
> > TEST SCENARIO 2: Patched CA Master, Patched KRA, Patched CA Clone
> > * On a 64-bit x86_64 RHEL 6.3 machine:
> > * cd /usr/sbin
> > * ./setup-ds-admin (ds-master - 389)
> > * ./setup-ds (ds-clone - 8389)
> > * Stopped both servers
> > * Turned syntax checking off in both DS servers --
> > nsslapd-syntaxcheck: off
> > * Restarted both servers
> > * On the 64-bit x86_64 RHEL 5.9 machine:
> > * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> > * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> > * Successfully built and installed a Master CA 'pki-ca'
> > using the pre-patched source code
> > * Using a fresh profile in a browser, successfully
> > configured 'pki-ca' using ports in the default CA
> > range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate:
> > * 'Test PRE-PATCHED EE Master PRE-PATCHED Agent
> > Master'
> > * Successfully built and installed a KRA 'pki-kra' using
> > the pre-patched source code
> > * Successfully configured 'pki-kra' using ports in the
> > default KRA range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate in which the keys were backed up to the
> > DRM:
> > * 'DRM Test PRE-PATCHED EE Master PRE-PATCHED
> > Agent Master'
> > * svn co svn+ssh://svn.fedorahosted.org/svn/pki/branches/PKI_8_1_ERRATA_BRANCH/pki pki
> > * svn co https://svn.devel.redhat.com/repos/pki/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat pki/redhat
> > * Saved 'cloning.8.errata.patch' from email attachment
> > * cd pki
> > * patch -p0 < ../cloning.8.errata.patch
> > patching file
> > base/ca/shared/webapps/ca/WEB-INF/web.xml
> > patching file base/ca/shared/conf/acl.ldif
> > patching file
> > base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
> > patching file
> > base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
> > patching file base/setup/pkiremove
> > patching file
> > base/tks/shared/webapps/tks/WEB-INF/web.xml
> > patching file
> > base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
> > patching file
> > base/kra/shared/webapps/kra/WEB-INF/web.xml
> > * Applied the change documented in CAVEAT 1 above
> > * Successfully built and installed a Master CA 'pki-ca'
> > * Using a fresh profile in a browser, successfully
> > configured 'pki-ca' using ports in the default CA
> > range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate:
> > * 'Test'
> > * Successfully built and installed a KRA 'pki-kra'
> > * Successfully configured 'pki-kra' using ports in the
> > default KRA range and the 'ds-master' DS server
> > * Successfully created, submitted, and approved a
> > certificate in which the keys were backed up to the
> > DRM:
> > * 'DRM Test'
> > * Successfully installed a CA Clone called
> > 'pki-ca-clone' via 'pkicreate' using ports in the
> > default+10000 range
> > * Installed the PK12 file that contained all of the
> > certs and keys backed up via configuration of 'pki-ca'
> > into /var/lib/pki-ca-clone/alias and set all ownership
> > permissions to be 'pkiuser':
> >
> > # ls -lZ /var/lib/pki-ca-clone/alias/*
> > -rw-rw-r-- pkiuser pkiuser
> > user_u:object_r:pki_ca_var_lib_t
> > pki_ca_master_backup.p12
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t cert8.db
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t key3.db
> > -rw------- pkiuser pkiuser
> > system_u:object_r:pki_ca_var_lib_t secmod.db
> >
> > * Successfully configured 'pki-ca-clone' using ports in
> > the default CA + 10000 range and the 'ds-clone' DS
> > server
> > * Per request, verified that 'admin' port was being used
> > for CA Clone:
> >
> This is the incorrect verification. The verification that is supposed
> to be done is to ensure that the master is not contacted on any port
> other than the admin port during a configuration.
>
> This means that you need to look at the access log for the master
> (pki-ca) for the duration of the installation.
>
> Looking at your logs, I see the following interactions for the
> master during the time of the clone configuration.
>
> 10.14.1.8 - - [14/Feb/2013:00:58:40 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
> 10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 200 96
> 10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:58:51 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Fpki-ip-host.dsdev.sjc.redhat.com%3A19445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA HTTP/1.1" 200 3904
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-base.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/logo_header.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/admin/console/img/icon-software.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-360.css HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4093
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /ca/img/logo_header.gif HTTP/1.1" 304 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/account_loggedin.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_tr.gif HTTP/1.1" 404 -
> 10.14.16.14 - - [14/Feb/2013:00:59:00 -0500] "GET /img/greybar_br.gif HTTP/1.1" 404 -
> 10.14.1.8 - - [14/Feb/2013:00:59:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:00:59:10 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
> 10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:41 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:00:59:42 -0500] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 18359
> 10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:00:41 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1585
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 200 83
> 10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 2063
>
> In fact, we really only care about the interactions from 10.14.1.8. The
> ones from 10.14.16.14 are actually the CA master talking to itself. All
> of the above are on the admin port. So the verification is successful.
>
> > # cd /var/log/pki-ca-clone
> > # grep -i agent localhost_access_log.2013-02-14.txt
> > # grep -i ee localhost_access_log.2013-02-14.txt
> > 10.14.16.14 - - [14/Feb/2013:01:00:58 -0500]
> > "GET /ca/ee/ca/getCAChain?op=download&mimeType=application/x-x509-ca-cert HTTP/1.1" 200 1035
> > # grep -i admin localhost_access_log.2013-02-14.txt
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/config/login?pin=ZGWfUxpUzIfBcgW6UI6Q HTTP/1.1" 302 -
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/config/wizard HTTP/1.1" 200
> > 8510
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
> > 200 1316
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
> > 200 1787
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/img/favicon.ico HTTP/1.1" 200
> > 318
> > 10.14.16.14 - - [14/Feb/2013:00:58:31 -0500]
> > "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
> > 200 1146
> > 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 11862
> > 10.14.16.14 - - [14/Feb/2013:00:58:35 -0500]
> > "GET /ca/admin/console/img/clearpixel.gif HTTP/1.1"
> > 200 43
> > 10.14.16.14 - - [14/Feb/2013:00:58:40 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 10106
> > 10.14.16.14 - - [14/Feb/2013:00:58:47 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 12566
> > 10.14.16.14 - - [14/Feb/2013:00:58:52 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 302 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
> > "POST /ca/admin/console/config/wizard?p=5&subsystem=CA
> > HTTP/1.1" 200 8852
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
> > "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
> > "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:01 -0500]
> > "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:11 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 12557
> > 10.14.16.14 - - [14/Feb/2013:00:59:14 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 8492
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 10006
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
> > "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
> > "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:00:59:44 -0500]
> > "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 32918
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
> > "GET /ca/admin/console/img/logo_header.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
> > "GET /ca/admin/console/img/icon-software.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:34 -0500]
> > "GET /ca/admin/console/img/bigrotation2.gif HTTP/1.1"
> > 304 -
> > 10.14.16.14 - - [14/Feb/2013:01:00:42 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 11690
> > 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 68264
> > 10.14.16.14 - - [14/Feb/2013:01:00:49 -0500]
> > "GET /ca/admin/console/img/certificate.png HTTP/1.1"
> > 200 4663
> > 10.14.16.14 - - [14/Feb/2013:01:00:52 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 8652
> > 10.14.16.14 - - [14/Feb/2013:01:00:56 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 8215
> > 10.14.16.14 - - [14/Feb/2013:01:01:02 -0500]
> > "POST /ca/admin/console/config/wizard HTTP/1.1" 200
> > 7832
> >
> > * Successfully tested that CA Master and CA Clone worked
> > together:
> > * 'Test EE Master Agent Master'
> > * 'Test EE Master Agent Clone'
> > * 'Test EE Clone Agent Master'
> > * 'Test EE Clone Agent Clone'
> > * Successfully tested that CA Master, CA Clone, and KRA
> > worked together:
> > * 'DRM Test EE Master Agent Master'
> > * 'DRM Test EE Master Agent Clone'
> > * 'DRM Test EE Clone Agent Master'
> > * 'DRM Test EE Clone Agent Clone'
> > On 02/12/13 12:11, Ade Lee wrote:
> >
> > > We want to use the admin interface for installation work. This patch
> > > moves the interfaces used in cloning from either the EE or agent
> > > interface to the admin one. See:
> > > http://pki.fedoraproject.org/wiki/8.1_installer_work_for_cloning
> > >
> > > Specifically,
> > > 1. Change call to use /ca/admin/ca/getCertChain
> > > 2. Remove unneeded getTokenInfo servlet. The logic not to use this
> > > servlet has already been committed to dogtag 10.
> > > 3. Move updateNumberRange to the admin interface. For backward
> > > compatibility with old instances, the install code will
> > > call /ca/agent/updateNumberRange as a fallback.
> > > 4. Add updateDomainXML to admin interface. For backward compatibility,
> > > updateDomainXML will continue to be exposed on the agent interface with
> > > agent client auth.
> > > 5. Changed pkidestroy to get an install token and use the admin
> > > interface to update the security domain. For backward compatibility,
> > > the user and password are not specified as mandatory arguments -
> > > although we want to do that in future.
> > > 6. Added tokenAuthenticate to the admin interface.
> > >
> > > Note, existing subsystems will need to have config changes manually
> > > added in order to use the new interfaces. Instructions will be added to
> > > the link above. With new instances, you should be able to clone a CA
> > > all on the admin interface.
> > >
> > > The patches are for the PKI_8_1_ERRATA_BRANCH and PKI_8_BRANCH
> > >
> > > Please review,
> > > Ade
> > >
> > >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
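The verification described in the thread above (scan the master's access log for the duration of the clone configuration and confirm that the clone contacted only the admin interface), as an added Python example that is not part of the original thread or of the PKI code base. It infers the interface from the URL path prefix (`/ca/admin/`, `/ca/agent/`, `/ca/ee/`), since the log format shown does not record the port. The function names, the time window and the sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the same access-log format as the master's log quoted
# in the thread. The two non-admin lines are constructed violations.
SAMPLE_LOG = """\
10.14.1.8 - - [14/Feb/2013:00:58:45 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1490
10.14.16.14 - - [14/Feb/2013:00:58:51 -0500] "GET /ca/css/pki-base.css HTTP/1.1" 304 -
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/tokenAuthenticate HTTP/1.0" 200 138
10.14.1.8 - - [14/Feb/2013:00:59:40 -0500] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:01:00:10 -0500] "POST /ca/agent/updateNumberRange HTTP/1.0" 200 148
10.14.1.8 - - [14/Feb/2013:01:01:00 -0500] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 200 83
10.14.1.8 - - [14/Feb/2013:03:00:00 -0500] "GET /ca/ee/ca/getCAChain HTTP/1.0" 200 1035
"""

# client ident user [timestamp] "METHOD path protocol" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# /<subsystem>/<interface>/... where interface is admin, agent or ee
IFACE_RE = re.compile(r"^/[^/]+/(admin|agent|ee)(?:/|$)")


def parse_ts(text):
    """Parse an access-log timestamp such as '14/Feb/2013:00:58:45 -0500'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def interface_of(path):
    """Return 'admin', 'agent', 'ee', or 'other' for a request path."""
    m = IFACE_RE.match(path.split("?", 1)[0])  # ignore the query string
    return m.group(1) if m else "other"


def audit_master_log(log_text, clone_ip, start, end):
    """List requests from clone_ip inside [start, end] that are not on the
    admin interface. Unparsable lines are returned too, so that a format
    change cannot silently hide traffic from the audit."""
    violations, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ip, ts, method, path, _status = m.groups()
        if ip != clone_ip or not (start <= parse_ts(ts) <= end):
            continue  # another host, or outside the configuration window
        iface = interface_of(path)
        if iface != "admin":
            violations.append((ts, method, path, iface))
    return violations, unparsed


if __name__ == "__main__":
    window = (parse_ts("14/Feb/2013:00:58:00 -0500"),
              parse_ts("14/Feb/2013:01:02:00 -0500"))
    bad, skipped = audit_master_log(SAMPLE_LOG, "10.14.1.8", *window)
    for ts, method, path, iface in bad:
        print(f"NON-ADMIN [{iface}] {ts} {method} {path}")
    print(f"{len(bad)} violation(s), {len(skipped)} unparsed line(s)")
```

Requests reported as `other` (static content, for example) carry no interface prefix and need a manual look, since the path alone does not show which port served them.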