Bug 1126559 - pki-silent documentation in RHCS 8.1 needs to be updated
Status: NEW
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Batch Configuration (pkisilent)
Version: unspecified
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
Depends On:
Reported: 2014-08-04 19:08 UTC by dminnich
Modified: 2015-01-05 00:31 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:


Description dminnich 2014-08-04 19:08:15 UTC
Description of problem:
I attempted to use 11.2. Silently Configuring Subsystems from Red_Hat_Certificate_System-8.1-Deploy_and_Install_Guide-en-US to do some silent configurations of RHCS components and ran into some problems.  

Example 11.3. Configuring a Subordinate CA
 - Uses ConfigureCA instead of ConfigureSubCA.  
 - Uses ca_hostname, ca_port, ca_ssl_port which don't seem to exist

11.5. Performing Silent Configuration Using an External CA
 - Has remove_data in both steps.  If you do this you run into a really bewildering problem where subsystem certs don't validate properly and the CA won't start up but things look mostly right in the install logs and in NSS dbs.  

11.4. Cloning a Subsystem Silently
 - Doesn't include the clone_uri (it also isn't in the options table) that is required to get past the securitydomain panel.  

I'm pretty sure I ran into other errors where options were given in examples that weren't appropriate for the type of the config or where options were missing where they were required.  These were easy to quickly fix, but the ones above took a closer eye and further troubleshooting.  I'd suggest just trying each of the examples verbatim and reviewing and updating Table 11.1. Parameters for pkisilent.

Version-Release number of selected component (if applicable):
RHCS 8.1

How reproducible:

Steps to Reproduce:
1. Install a CA
2. Run the clone or subordinate examples

Actual results:
Various stacktraces or complaints about invalid or pki-silent missing options

Expected results:
Examples should configure the system correctly.  

Additional info:

Comment 1 dminnich 2014-08-11 13:03:22 UTC
One of the other big ones I forgot to mention is -ca_server_cert_subject_name.  In the examples in the docs you set the CN to something other than the host's FQDN.  The issue with this is when other subsystems try to connect to the CA via SSL during their configuration they bomb out if the cert they are given by the CA doesn't have its CN set to its FQDN.  Perhaps some syntax checking on at least the CA's server cert would be useful.
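
An added example, not part of the original bug report and not Dogtag or pkisilent code: a pre-flight check of the kind Comment 1 suggests, which reads a pkisilent command line and reports when the CN in -ca_server_cert_subject_name is not the host's FQDN. It assumes the option is followed by the subject DN as its next argument; the command lines and host names are constructed samples.

```python
import shlex

OPTION = "-ca_server_cert_subject_name"  # option named in Comment 1

def split_dn(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def subject_cn(dn):
    """Return the value of the first CN component, or None if there is none."""
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None

def check_server_cert_cn(command_line, fqdn):
    """Return a list of problems; an empty list means the CN equals fqdn."""
    args = shlex.split(command_line)
    if OPTION not in args:
        return [f"{OPTION} not given"]
    idx = args.index(OPTION)
    if idx + 1 >= len(args):
        return [f"{OPTION} has no value"]
    cn = subject_cn(args[idx + 1])
    if cn is None:
        return ["subject name has no CN component"]
    # DNS names compare case-insensitively; ignore a trailing root dot.
    if cn.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return [f"CN '{cn}' does not match host FQDN '{fqdn}'"]
    return []

# Constructed sample command lines (other options omitted).
BAD = 'pkisilent ConfigureCA -ca_server_cert_subject_name "CN=My CA Server,O=Example Domain"'
GOOD = 'pkisilent ConfigureCA -ca_server_cert_subject_name "cn=CA1.example.com,O=Example Domain"'
if __name__ == "__main__":
    for line in (BAD, GOOD):
        print(check_server_cert_cn(line, "ca1.example.com") or "OK")
```

On the target host, `socket.getfqdn()` can supply the second argument.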
