Description of problem: Currently CS supports having its various subsystems listening on only two ports, one for secure access and one for non-secure access. Previously, CS supported having the server listen on 3 different secure ports, one for EE, one for Agent, and one for admin. This fix will provide an option to the "pkicreate" utility to set a server up with this configuration if desired. This feature is to be available for the CA, KRA, OCSP, and TKS.
Created attachment 313719 [details] Fix for port separation
+ mharmsen attachment (id=313719)

SUGGESTIONS for pkicreate:

(1) change the comment at the top from this:

    # -secure_port=9543 || -agent_secure_port=9543
    # -ee_secure_port=9544
    # -admin_secure_port=9545

to something like this:

    # -secure_port=9543 || -agent_secure_port=9543
    # -ee_secure_port=9544
    # -admin_secure_port=9545

(2) change the "emit()" calls to be more specific; for example, change this:

    emit( "Failed to delete directory for port separation ...\n" );

to something like this:

    emit( "Failed to delete directory $ee_base_ui_instance_dir for port separation ...\n" );

(3) align ALL code that required indenting; for example, change:

    - # create instance symlink to "osutil.jar"
    - $result = create_symbolic_link( $osutil_jar_symlink_path,
    + $result = create_symbolic_link( $osutil_jar_symlink_path,
      $osutil_jar_file_path );

to:

    - # create instance symlink to "osutil.jar"
    - $result = create_symbolic_link( $osutil_jar_symlink_path,
    - $osutil_jar_file_path );
    + $result = create_symbolic_link( $osutil_jar_symlink_path,
    + $osutil_jar_file_path );

SUGGESTIONS for CMSEngine:

(1) Align the code that is inside the for() loop to be uniform.
Sending        pki-ca.spec
Transmitting file data .
Committed revision 85.
Sending        pki-common.spec
Transmitting file data .
Committed revision 86.
Sending        pki-setup.spec
Transmitting file data .
Committed revision 87.
Sending        pki-tks.spec
Transmitting file data .
Committed revision 88
Sending        pki-ocsp.spec
Transmitting file data .
Committed revision 89.
Sending        pki-kra.spec
Transmitting file data .
Committed revision 90.
Sending        web.xml
Transmitting file data .
Committed revision 91.
Sending        velocity.properties
Transmitting file data .
Committed revision 92.
Sending        server.xml
Transmitting file data .
Committed revision 93.
Sending        MainPageServlet.java
Transmitting file data .
Committed revision 94.
Sending        CMSEngine.java
Transmitting file data .
Committed revision 95.
Sending        pkicreate
Transmitting file data .
Committed revision 96.
Sending        pkicommon
Transmitting file data .
Committed revision 97.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 98.
Sending        server.xml
Transmitting file data .
Committed revision 99.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 100.
Sending        server.xml
Transmitting file data .
Committed revision 103.
The remainder of this bug is simply to create default instances using the port-separated logic for CA, DRM, OCSP, and TKS.
From Ade Lee's email:

Here are the ports currently defined in selinux for the default instance. I've actually chosen to not define these in the pki-selinux rpm for the future and just have the startup scripts define them. But they are defined in the current rhel 5.3 selinux reference policy rpm - so we should just use them.

    pki_ca    9180 (non-ssl),  9701 (tomcat),  9443 (ssl),  9444,  9445
    pki_kra  10180 (non-ssl), 10701 (tomcat), 10443 (ssl), 10444, 10445
    pki_ocsp 11180 (non-ssl), 11701 (tomcat), 11443 (ssl), 11444, 11445
    pki_ra   12888 (non-ssl), 12889 (ssl)
    pki_tks  13180 (non-ssl), 13701 (tomcat), 13443 (ssl), 13444, 13445
    pki_tps   7888 (non-ssl),  7889 (ssl)

Additionally, Bugzilla Bug #485859 specifies the following additional ports:

    pki_ra   12890 (non_clientauth_ssl)
    pki-tps   7890 (non_clientauth_ssl)
Created attachment 333112 [details] PKI ports for default CA, DRM, OCSP, and TKS instances
attachment (id=333112) +awnuk
% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      dogtag/ca/pki-ca.spec
M      dogtag/tks/pki-tks.spec
M      dogtag/ocsp/pki-ocsp.spec
M      dogtag/kra/pki-kra.spec
M      base/ca/setup/postinstall
M      base/tks/setup/postinstall
M      base/ocsp/setup/postinstall
M      base/kra/setup/postinstall
% svn commit
Sending        base/ca/setup/postinstall
Sending        base/kra/setup/postinstall
Sending        base/ocsp/setup/postinstall
Sending        base/tks/setup/postinstall
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ........
Committed revision 244.
Re-opening bug to provide NEW default security domain port in initial CS.cfg files.
Created attachment 333424 [details] Base diffs
Created attachment 333425 [details] Dogtag diffs
Attachments (id=333424,id=333425) +jmagne.
pki/base:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/shared/conf/CS.cfg
M      common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
M      tks/shared/conf/CS.cfg
M      ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
M      ra/lib/perl/PKI/RA/wizard.pm
M      ra/lib/perl/PKI/RA/Login.pm
M      ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
M      ocsp/shared/conf/CS.cfg
M      tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
M      tps/lib/perl/PKI/TPS/wizard.pm
M      tps/lib/perl/PKI/TPS/Login.pm
M      tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
M      kra/shared/conf/CS.cfg
% svn commit
Sending        base/ca/shared/conf/CS.cfg
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/Login.pm
Sending        base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/wizard.pm
Sending        base/tks/shared/conf/CS.cfg
Sending        base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/Login.pm
Sending        base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/wizard.pm
Transmitting file data ..................
Committed revision 259.
pki/dogtag:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
M      tps-ui/dogtag-pki-tps-ui.spec
M      ca/pki-ca.spec
M      common/pki-common.spec
M      tks/pki-tks.spec
M      ra/pki-ra.spec
M      common-ui/dogtag-pki-common-ui.spec
M      common-ui/shared/admin/console/config/securitydomainloginpanel.vm
M      ocsp/pki-ocsp.spec
M      tps/pki-tps.spec
M      kra/pki-kra.spec
M      ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
M      ra-ui/dogtag-pki-ra-ui.spec
% svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/common-ui/dogtag-pki-common-ui.spec
Sending        dogtag/common-ui/shared/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/ra-ui/dogtag-pki-ra-ui.spec
Sending        dogtag/ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/tks/pki-tks.spec
Sending        dogtag/tps/pki-tps.spec
Sending        dogtag/tps-ui/dogtag-pki-tps-ui.spec
Sending        dogtag/tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
Transmitting file data .............
Committed revision 260.
Verified with 06/03 nightly build.

[root@sigma ~]# service pki-ca status ; service pki-kra status ; service pki-ocsp status ; service pki-tks status ; service pki-tps status;
pki-ca (pid 6954) is running ...
    Unsecure Port       = http://sigma.dsdev.sjc.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://sigma.dsdev.sjc.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://sigma.dsdev.sjc.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://sigma.dsdev.sjc.redhat.com:9445/ca/services
    PKI Console Port    = pkiconsole https://sigma.dsdev.sjc.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)
pki-kra (pid 8992) is running ...
    Unsecure Port       = http://sigma.dsdev.sjc.redhat.com:10180/kra/ee/kra
    Secure Agent Port   = https://sigma.dsdev.sjc.redhat.com:10443/kra/agent/kra
    Secure EE Port      = https://sigma.dsdev.sjc.redhat.com:10444/kra/ee/kra
    Secure Admin Port   = https://sigma.dsdev.sjc.redhat.com:10445/kra/services
    PKI Console Port    = pkiconsole https://sigma.dsdev.sjc.redhat.com:10445/kra
    Tomcat Port         = 10701 (for shutdown)
pki-ocsp (pid 9930) is running ...
    Unsecure Port       = http://sigma.dsdev.sjc.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port   = https://sigma.dsdev.sjc.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port      = https://sigma.dsdev.sjc.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port   = https://sigma.dsdev.sjc.redhat.com:11445/ocsp/services
    PKI Console Port    = pkiconsole https://sigma.dsdev.sjc.redhat.com:11445/ocsp
    Tomcat Port         = 11701 (for shutdown)
pki-tks (pid 8035) is running ...
    Unsecure Port       = http://sigma.dsdev.sjc.redhat.com:13180/tks/ee/tks
    Secure Agent Port   = https://sigma.dsdev.sjc.redhat.com:13443/tks/agent/tks
    Secure EE Port      = https://sigma.dsdev.sjc.redhat.com:13444/tks/ee/tks
    Secure Admin Port   = https://sigma.dsdev.sjc.redhat.com:13445/tks/services
    PKI Console Port    = pkiconsole https://sigma.dsdev.sjc.redhat.com:13445/tks
    Tomcat Port         = 13701 (for shutdown)
pki-tps (pid 12118) is running ...
    Unsecure Port             = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/so/enroll.cgi (ESC Security Officer Enrollment)
    Unsecure Port             = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/home/index.cgi (ESC Phone Home)
    Secure Clientauth Port    = https://sigma.dsdev.sjc.redhat.com:7889/cgi-bin/sow/welcome.cgi (ESC Security Officer Workstation)
    Secure Clientauth Port    = https://sigma.dsdev.sjc.redhat.com:7889/tus (TPS Roles - Operator/Administrator/Agent)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/so/enroll.cgi (ESC Security Officer Enrollment)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/home/index.cgi (ESC Phone Home)
[root@sigma ~]#
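The two things worth re-checking on a deployed instance are the ones this bug is about: that Agent, EE and Admin really sit on three distinct HTTPS ports (otherwise "port separation" is only nominal and the role split falls back to URL paths on one listener), and that every port is one of those pre-labelled for the subsystem in the SELinux reference policy quoted from Ade Lee's email (otherwise the listener is denied bind() under enforcing mode). The following is an added example, not Dogtag project code: it parses the text that `service pki-<subsystem> status` prints in the format shown in the verification above and runs both checks. The host name `sigma.example.test` and the mis-created KRA in the sample are constructed; the port table is the one from the email.

```python
"""Audit port separation in `service pki-* status` output (added example)."""
import re
from urllib.parse import urlsplit

# Ports labelled per subsystem in the SELinux reference policy (from Ade Lee's
# email quoted in this bug). RA and TPS are not tomcat instances and print a
# different status layout, so they are left out of this check.
SELINUX_PORTS = {
    "ca":   {"unsecure": 9180,  "tomcat": 9701,  "agent": 9443,  "ee": 9444,  "admin": 9445},
    "kra":  {"unsecure": 10180, "tomcat": 10701, "agent": 10443, "ee": 10444, "admin": 10445},
    "ocsp": {"unsecure": 11180, "tomcat": 11701, "agent": 11443, "ee": 11444, "admin": 11445},
    "tks":  {"unsecure": 13180, "tomcat": 13701, "agent": 13443, "ee": 13444, "admin": 13445},
}

# Labels printed by the status script, mapped to the keys above.
LABELS = {
    "Unsecure Port": "unsecure",
    "Secure Agent Port": "agent",
    "Secure EE Port": "ee",
    "Secure Admin Port": "admin",
}

_RUNNING_RE = re.compile(r"^pki-(\w+) \(pid \d+\) is running")
_TOMCAT_RE = re.compile(r"^Tomcat Port\s*=\s*(\d+)")


def parse_status(text):
    """Return {subsystem: {role: port}} from the status output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _RUNNING_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None:
            continue
        m = _TOMCAT_RE.match(line)
        if m:
            result[current]["tomcat"] = int(m.group(1))
            continue
        label, _, value = line.partition("=")
        role = LABELS.get(label.strip())
        if role:
            url = urlsplit(value.strip())  # e.g. https://host:9443/ca/agent/ca
            if url.port is not None:
                result[current][role] = url.port
    return result


def check_separation(ports):
    """Problems with the agent/ee/admin split; empty list means separated."""
    secure = [ports.get(r) for r in ("agent", "ee", "admin")]
    if None in secure:
        return ["missing a secure listener: %s" % ports]
    if len(set(secure)) != 3:
        return ["agent/ee/admin share a port: %s" % secure]
    return []


def check_selinux(subsystem, ports):
    """Roles whose port is not the one labelled for this subsystem."""
    expected = SELINUX_PORTS.get(subsystem, {})
    return sorted(role for role, port in ports.items()
                  if role in expected and expected[role] != port)


def audit(text):
    """Run both checks for every subsystem found; {subsystem: [problems]}."""
    report = {}
    for subsystem, ports in parse_status(text).items():
        problems = check_separation(ports)
        for role in check_selinux(subsystem, ports):
            problems.append("%s port %d is not labelled for pki_%s in SELinux"
                            % (role, ports[role], subsystem))
        report[subsystem] = problems
    return report


# Constructed sample: a correctly separated CA, and a KRA created without
# port separation (all three secure roles on the single ssl port).
SAMPLE_STATUS = """\
pki-ca (pid 6954) is running ...
    Unsecure Port       = http://sigma.example.test:9180/ca/ee/ca
    Secure Agent Port   = https://sigma.example.test:9443/ca/agent/ca
    Secure EE Port      = https://sigma.example.test:9444/ca/ee/ca
    Secure Admin Port   = https://sigma.example.test:9445/ca/services
    PKI Console Port    = pkiconsole https://sigma.example.test:9445/ca
    Tomcat Port         = 9701 (for shutdown)
pki-kra (pid 8992) is running ...
    Unsecure Port       = http://sigma.example.test:10180/kra/ee/kra
    Secure Agent Port   = https://sigma.example.test:10443/kra/agent/kra
    Secure EE Port      = https://sigma.example.test:10443/kra/ee/kra
    Secure Admin Port   = https://sigma.example.test:10443/kra/services
    Tomcat Port         = 10701 (for shutdown)
"""

if __name__ == "__main__":
    for subsystem, problems in audit(SAMPLE_STATUS).items():
        print(subsystem, "OK" if not problems else "; ".join(problems))
```

On a real host, pipe the status output in (`service pki-ca status | python3 audit_ports.py`-style, reading `sys.stdin` instead of `SAMPLE_STATUS`). The SELinux check is the one most often missed: a port chosen freely on the `pkicreate` command line will pass the separation check but still fail to bind under the rhel 5.3 policy unless it is one of the labelled ports or has been added with `semanage port`.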