Bug 458337

Summary: Provide separate listening ports for CS
Product: [Retired] Dogtag Certificate System
Reporter: Jack Magne <jmagne>
Component: Other
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: urgent
Version: 1.0
CC: alee, awnuk, benl, bob.lord, cfu, jmagne, mharmsen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:32 UTC
Bug Blocks: 443788
Attachments (flags: none):
    Fix for port separation
    PKI ports for default CA, DRM, OCSP, and TKS instances
    Base diffs
    Dogtag diffs

Description Jack Magne 2008-08-07 17:17:22 UTC
Description of problem:

Currently CS supports having its various subsystems listening on only two ports, one for secure access and one for non-secure access.

Previously, CS supported having the server listen on 3 different secure ports, one for EE, one for Agent, and one for admin.

This fix will provide an option to the "pkicreate" utility, to set a server up with this configuration if desired.

This feature is to be available for the CA, KRA, OCSP, and TKS.

Comment 1 Jack Magne 2008-08-07 17:20:20 UTC
Created attachment 313719 [details]
Fix for port separation

Comment 2 Matthew Harmsen 2008-08-07 17:34:38 UTC
+ mharmsen attachment (id=313719)

SUGGESTIONS for pkicreate:

(1) change the comment at the top from this:

    #            -secure_port=9543 || -agent_secure_port=9543
    #            -ee_secure_port=9544
    #            -admin_secure_port=9545

    to something like this:

    #            -secure_port=9543 || -agent_secure_port=9543
    #                                 -ee_secure_port=9544
    #                                 -admin_secure_port=9545

(2) change the "emit()" calls to be more specific; for example, change this:

    emit( "Failed to delete directory  for port separation ...\n" );

    to something like this:

    emit( "Failed to delete directory $ee_base_ui_instance_dir for port separation ...\n" );

(3) align ALL code that required indenting; for example, change:

    -        # create instance symlink to "osutil.jar"
    -        $result = create_symbolic_link( $osutil_jar_symlink_path,
    +            $result = create_symbolic_link( $osutil_jar_symlink_path,
                                             $osutil_jar_file_path );

    to:

    -        # create instance symlink to "osutil.jar"
    -        $result = create_symbolic_link( $osutil_jar_symlink_path,
    -                                        $osutil_jar_file_path );
    +            $result = create_symbolic_link( $osutil_jar_symlink_path,
    +                                            $osutil_jar_file_path );

SUGGESTIONS for CMSEngine:

(1) Align the code that is inside the for() loop to be uniform.

Comment 3 Jack Magne 2008-08-08 01:38:47 UTC
Sending        pki-ca.spec
Transmitting file data .
Committed revision 85.
Sending        pki-common.spec
Transmitting file data .
Committed revision 86.
Sending        pki-setup.spec
Transmitting file data .
Committed revision 87.
Sending        pki-tks.spec
Transmitting file data .
Committed revision 88
Sending        pki-ocsp.spec
Transmitting file data .
Committed revision 89.
Sending        pki-kra.spec
Transmitting file data .
Committed revision 90.
Sending        web.xml
Transmitting file data .
Committed revision 91.
Sending        velocity.properties
Transmitting file data .
Committed revision 92.
Sending        server.xml
Transmitting file data .
Committed revision 93.
Sending        MainPageServlet.java
Transmitting file data .
Committed revision 94.
Sending        CMSEngine.java
Transmitting file data .
Committed revision 95.
Sending        pkicreate
Transmitting file data .
Committed revision 96.
Sending        pkicommon
Transmitting file data .
Committed revision 97.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 98.
Sending        server.xml
Transmitting file data .
Committed revision 99.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 100.
Sending        server.xml
Transmitting file data .
Committed revision 103.

Comment 4 Matthew Harmsen 2009-02-25 01:00:27 UTC
The remainder of this bug is simply to create default instances using the port-separated logic for CA, DRM, OCSP, and TKS.

Comment 5 Matthew Harmsen 2009-02-25 01:08:28 UTC
From Ade Lee's email:

Here are the ports currently defined in selinux for the default
instance.  I've actually chosen to not define these in the pki-selinux
rpm for the future and just have the startup scripts define them.  But
they are defined in the current rhel 5.3 selinux reference policy rpm -
so we should just use them.

pki_ca   9180  (non-ssl), 9701  (tomcat), 9443  (ssl), 9444,  9445
pki_kra  10180 (non-ssl), 10701 (tomcat), 10443 (ssl), 10444, 10445
pki_ocsp 11180 (non-ssl), 11701 (tomcat), 11443 (ssl), 11444, 11445
pki_ra   12888 (non-ssl), 12889 (ssl)
pki_tks  13180 (non-ssl), 13701 (tomcat), 13443 (ssl), 13444, 13445
pki_tps  7888  (non-ssl), 7889  (ssl)

Additionally, Bugzilla Bug #485859 specifies the following additional ports:
pki_ra   12890 (non_clientauth_ssl)
pki_tps  7890  (non_clientauth_ssl)

Comment 6 Matthew Harmsen 2009-02-25 01:27:34 UTC
Created attachment 333112 [details]
PKI ports for default CA, DRM, OCSP, and TKS instances

Comment 7 Andrew Wnuk 2009-02-25 01:33:05 UTC
attachment (id=333112) +awnuk

Comment 8 Matthew Harmsen 2009-02-25 02:00:05 UTC
% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      dogtag/ca/pki-ca.spec
M      dogtag/tks/pki-tks.spec
M      dogtag/ocsp/pki-ocsp.spec
M      dogtag/kra/pki-kra.spec
M      base/ca/setup/postinstall
M      base/tks/setup/postinstall
M      base/ocsp/setup/postinstall
M      base/kra/setup/postinstall

% svn commit
Sending        base/ca/setup/postinstall
Sending        base/kra/setup/postinstall
Sending        base/ocsp/setup/postinstall
Sending        base/tks/setup/postinstall
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ........
Committed revision 244.

Comment 9 Matthew Harmsen 2009-02-26 00:58:22 UTC
Re-opening bug to provide NEW default security domain port in initial CS.cfg files.

Comment 10 Matthew Harmsen 2009-02-27 02:38:27 UTC
Created attachment 333424 [details]
Base diffs

Comment 11 Matthew Harmsen 2009-02-27 02:39:43 UTC
Created attachment 333425 [details]
Dogtag diffs

Comment 13 Jack Magne 2009-02-27 02:52:16 UTC
Attachments (id=333424,id=333425) +jmagne.

Comment 15 Matthew Harmsen 2009-02-27 02:56:04 UTC
pki/base:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/shared/conf/CS.cfg
M      common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
M      tks/shared/conf/CS.cfg
M      ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
M      ra/lib/perl/PKI/RA/wizard.pm
M      ra/lib/perl/PKI/RA/Login.pm
M      ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
M      ocsp/shared/conf/CS.cfg
M      tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
M      tps/lib/perl/PKI/TPS/wizard.pm
M      tps/lib/perl/PKI/TPS/Login.pm
M      tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
M      kra/shared/conf/CS.cfg

% svn commit
Sending        base/ca/shared/conf/CS.cfg
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/Login.pm
Sending        base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/wizard.pm
Sending        base/tks/shared/conf/CS.cfg
Sending        base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/Login.pm
Sending        base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/wizard.pm
Transmitting file data ..................
Committed revision 259.

Comment 16 Matthew Harmsen 2009-02-27 02:59:39 UTC
pki/dogtag:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
M      tps-ui/dogtag-pki-tps-ui.spec
M      ca/pki-ca.spec
M      common/pki-common.spec
M      tks/pki-tks.spec
M      ra/pki-ra.spec
M      common-ui/dogtag-pki-common-ui.spec
M      common-ui/shared/admin/console/config/securitydomainloginpanel.vm
M      ocsp/pki-ocsp.spec
M      tps/pki-tps.spec
M      kra/pki-kra.spec
M      ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
M      ra-ui/dogtag-pki-ra-ui.spec

% svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/common-ui/dogtag-pki-common-ui.spec
Sending        dogtag/common-ui/shared/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/ra-ui/dogtag-pki-ra-ui.spec
Sending        dogtag/ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/tks/pki-tks.spec
Sending        dogtag/tps/pki-tps.spec
Sending        dogtag/tps-ui/dogtag-pki-tps-ui.spec
Sending        dogtag/tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
Transmitting file data .............
Committed revision 260.

Comment 18 Chandrasekar Kannan 2009-06-03 23:59:56 UTC
Verified with 06/03 nightly build.

[root@sigma ~]# service pki-ca status ; service pki-kra status ; service pki-ocsp status ; service pki-tks status ; service pki-tps status;
pki-ca (pid 6954) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:9180/ca/ee/ca
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:9443/ca/agent/ca
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:9444/ca/ee/ca
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:9445/ca/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:9445/ca
    Tomcat Port       = 9701 (for shutdown)

pki-kra (pid 8992) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:10180/kra/ee/kra
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:10443/kra/agent/kra
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:10444/kra/ee/kra
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:10445/kra/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:10445/kra
    Tomcat Port       = 10701 (for shutdown)

pki-ocsp (pid 9930) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:11445/ocsp/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:11445/ocsp
    Tomcat Port       = 11701 (for shutdown)

pki-tks (pid 8035) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:13180/tks/ee/tks
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:13443/tks/agent/tks
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:13444/tks/ee/tks
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:13445/tks/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:13445/tks
    Tomcat Port       = 13701 (for shutdown)

pki-tps (pid 12118) is running ...

    Unsecure Port              = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/so/enroll.cgi
                                 (ESC Security Officer Enrollment)
    Unsecure Port              = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/home/index.cgi
                                 (ESC Phone Home)
    Secure Clientauth Port     = https://sigma.dsdev.sjc.redhat.com:7889/cgi-bin/sow/welcome.cgi
                                 (ESC Security Officer Workstation)
    Secure Clientauth Port     = https://sigma.dsdev.sjc.redhat.com:7889/tus
                                 (TPS Roles - Operator/Administrator/Agent)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/so/enroll.cgi
                                 (ESC Security Officer Enrollment)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/home/index.cgi
                                 (ESC Phone Home)

[root@sigma ~]#
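A check that the port allocation quoted in Comment 5 is what a running instance actually reports in the `service pki-<subsystem> status` output shown in Comment 18, and that the agent, EE and admin roles have not collapsed onto one port. This is an added example, not code from the bug or from Dogtag; the hostname, pid and the "collapsed" sample block are constructed.

```python
"""Check that a Dogtag subsystem really listens on separate agent/EE/admin ports."""
import re
from typing import Dict, List

# Expected per-subsystem ports as allocated in the SELinux reference policy
# quoted in Comment 5: non-ssl, agent (ssl), ee, admin, tomcat shutdown.
EXPECTED = {
    "ca":   {"unsecure": 9180,  "agent": 9443,  "ee": 9444,  "admin": 9445,  "tomcat": 9701},
    "kra":  {"unsecure": 10180, "agent": 10443, "ee": 10444, "admin": 10445, "tomcat": 10701},
    "ocsp": {"unsecure": 11180, "agent": 11443, "ee": 11444, "admin": 11445, "tomcat": 11701},
    "tks":  {"unsecure": 13180, "agent": 13443, "ee": 13444, "admin": 13445, "tomcat": 13701},
}

# One regex per line of `service pki-<subsystem> status` output (format as in Comment 18).
ROLE_RE = {
    "unsecure": re.compile(r"Unsecure Port\s*=\s*http://[^:/]+:(\d+)/"),
    "agent":    re.compile(r"Secure Agent Port\s*=\s*https://[^:/]+:(\d+)/"),
    "ee":       re.compile(r"Secure EE Port\s*=\s*https://[^:/]+:(\d+)/"),
    "admin":    re.compile(r"Secure Admin Port\s*=\s*https://[^:/]+:(\d+)/"),
    "tomcat":   re.compile(r"Tomcat Port\s*=\s*(\d+)"),
}

def parse_status(text: str) -> Dict[str, int]:
    """Map each role to the port number reported in one subsystem's status block."""
    return {role: int(m.group(1)) for role, rx in ROLE_RE.items() if (m := rx.search(text))}

def check_separation(subsystem: str, ports: Dict[str, int]) -> List[str]:
    """Return findings; an empty list means the instance matches the expected separated layout."""
    findings = [f"{subsystem}: {r} port not reported" for r in EXPECTED[subsystem] if r not in ports]
    secure = [ports[r] for r in ("agent", "ee", "admin") if r in ports]
    if len(secure) != len(set(secure)):
        findings.append(f"{subsystem}: agent/EE/admin share a port, separation not in effect")
    for role, want in EXPECTED[subsystem].items():
        if role in ports and ports[role] != want:
            findings.append(f"{subsystem}: {role} port {ports[role]} != expected {want}")
    return findings

# Constructed sample status block (hostname and pid are placeholders, not from the bug).
CA_STATUS = """pki-ca (pid 1234) is running ...
    Unsecure Port     = http://pki.example.com:9180/ca/ee/ca
    Secure Agent Port = https://pki.example.com:9443/ca/agent/ca
    Secure EE Port    = https://pki.example.com:9444/ca/ee/ca
    Secure Admin Port = https://pki.example.com:9445/ca/services
    PKI Console Port  = pkiconsole https://pki.example.com:9445/ca
    Tomcat Port       = 9701 (for shutdown)
"""
# Constructed: the same instance set up without port separation, every secure role on 9443.
COLLAPSED_STATUS = CA_STATUS.replace(":9444/", ":9443/").replace(":9445/", ":9443/")
```

Run `check_separation("ca", parse_status(CA_STATUS))` on the real status output of each instance; a non-empty list points at the role whose port differs from the allocation above.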