Bug 1740697 - [RFE] Provide a tool/mechanism to dynamically update the security domain info
Summary: [RFE] Provide a tool/mechanism to dynamically update the security domain info
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
Depends On:
Blocks: 1740702
Reported: 2019-08-13 14:05 UTC by Thorsten Scherf
Modified: 2020-12-04 20:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-19 16:07:51 UTC
Type: Feature Request
Target Upstream Version:


Description Thorsten Scherf 2019-08-13 14:05:45 UTC
Description of problem:
At the moment the security domain info is supposed to be updated automatically during installation & uninstallation. This leads to problems when CA systems are removed from IdM topology using ipa tools. There is a difference between the output from 'pki' and 'ipa' tools. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 2 Fraser Tweedale 2019-08-16 02:00:04 UTC
One additional point: LWCA entries may also contain references to
decommissioned servers.  This will, at worst, cause a delay in
lightweight CA key replication as the client attempts to contact
possibly nonexistent servers, until it hits a live one that.  So we
should probably include that along with the security domain work.

Comment 3 Alex Scheel 2020-09-28 13:14:30 UTC
Christian and Fraser, does this have higher importance for cloud based deployments? 

We have a few CLIs for managing security domains under PKI:

[ascheel@ascheel-p50 ~]$ pki securitydomain-host
 securitydomain-host-find          Find security domain hosts
 securitydomain-host-show          Show security domain host
 securitydomain-host-add           Add security domain host
 securitydomain-host-del           Remove security domain host

We could potentially use these as a workaround so customers see the same information in both places.

Would RHEL 8.5/RHEL 9 be viable for fixing this?

Comment 4 Fraser Tweedale 2020-09-28 23:03:26 UTC

Good question.  Yes, I think it does have higher importance in a context where installations
will be managed with more automation via operators.  But I don't think it is critical.
We could code the behaviour into the operator.

Comment 8 Alex Scheel 2020-11-19 16:07:51 UTC
That makes sense now, thanks :-)

The difference in output is due to bz#1481949 (see comment 15 there). I'm closing this because we already have the tools to correct this difference in PKI (see comment #3 in this BZ). As per comment 18 in bz#1481949 and the email thread on the subject, this is safe to correct manually. I'm not sure if IPA will automatically correct output when fixing that BZ.

Marking comment 3 as non-private since these tools already exist and should be sufficient.
