Bug 683172

Created attachment 483056 [details]
patch to fix

Created attachment 483057 [details]
patch to fix ui

6.1:

[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #683172 - pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
Sending        base/silent/src/ca/ConfigureCA.java
Sending        base/silent/src/drm/ConfigureDRM.java
Sending        base/silent/src/ocsp/ConfigureOCSP.java
Sending        base/silent/src/subca/ConfigureSubCA.java
Sending        base/silent/src/tks/ConfigureTKS.java
Sending        base/silent/templates/pki_silent.template
Sending        dogtag/common-ui/shared/admin/console/config/databasepanel.vm
Transmitting file data ........
Committed revision 1886.

Extrapolating from Bugzilla Bug #682021:

    ./pki/scripts/pki_patch_maker 1880 1887 pki-core 9.0.3
        pki-core-9.0.3-r1886.patch

Created attachment 483303 [details]
Patch + spec file changes

IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/pki-core-9.0.3-r1886.patch
M       specs/pki-core.spec

# svn commit
Adding         patches/pki-core-9.0.3-r1886.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 1889.

Published patch to http://pki.fedoraproject.org/pki/sources/pki-core/

For 'ipa-pki-theme':

    ./pki/scripts/pki_patch_maker 1834 1887 ipa-pki-theme 9.0.3
        ipa-pki-theme-9.0.3-r1886.patch

Created attachment 483319 [details]
Patch + spec file changes (UI)

IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/ipa-pki-theme-9.0.3-r1886.patch
M       specs/ipa-pki-theme.spec

# svn commit
Adding         patches/ipa-pki-theme-9.0.3-r1886.patch
Sending        specs/ipa-pki-theme.spec
Transmitting file data ..
Committed revision 1891.

Published patch to http://pki.fedoraproject.org/pki/sources/ipa-pki-theme/

need official steps to reproduce? or will this suffice for verification?

IPA REPLICA Install pkicreate invocation (NOTE: -clone_start_tls true) :

011-04-20 13:55:55,748 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname dhcp-100-18-11.testrelm -cs_port 9445 -client_certdb_dir /tmp/tmp-62GRKS -client_certdb_pwd 'XXXXXXXX' -preop_pin X7qm865z7jkMglDGvsne -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=TESTRELM" -ldap_host dhcp-100-18-11.testrelm -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=TESTRELM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=TESTRELM" -ca_server_cert_subject_name "CN=dhcp-100-18-11.testrelm,O=TESTRELM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=TESTRELM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=TESTRELM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname dhcp-100-18-10.testrelm -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://dhcp-100-18-10.testrelm:9444



Configuration Agreement post install (NOTE: nsDS5ReplicaTransportInfo: TLS):

# cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca, replica, o\3Dipaca, mapping
  tree, config
dn: cn=cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca,cn=replica,cn=o\3Dipaca,
 cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: dhcp-100-18-10.testrelm
nsDS5ReplicaPort: 7389
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-dhcp-100-18-11.tes
 trelm-pki-ca,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaCredentials: {DES}JDmnMc3VmYfPXXLKaB2LoA==
nsds50ruv: {replicageneration} 4daf12fb000000600000
nsds50ruv: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 4daf132f0000006000
 00 4daf1e2b000100600000
nsds50ruv: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 4daf1e0e0000005600
 00 4daf1efc000100560000
nsds50ruv: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 4daf19f70000005b00
 00 4daf1a4b0002005b0000
nsds50ruv: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 4daf13120000006100
 00 4daf1366000200610000
nsruvReplicaLastModified: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110420183048Z
nsds5replicaLastUpdateEnd: 20110420183048Z
nsds5replicaChangesSentSinceStartup:: ODY6MS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE


Versions:
pki-silent-9.0.3-10.el6.noarch
ipa-server-2.0.0-23.el6.x86_64
pki-ca-9.0.3-10.el6.noarch
ds-replication-1.2.8.0-1.el6.x86_64

marking verfied based on comment 13

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0627.html