Bug 458337 - Provide separate listening ports for CS
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Other (Show other bugs)
Version: 1.0
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Assigned To: Matthew Harmsen
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2008-08-07 13:17 EDT by Jack Magne
Modified: 2015-01-04 18:33 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:29:32 EDT
Attachments
Fix for port separation (68.37 KB, patch)
2008-08-07 13:20 EDT, Jack Magne
PKI ports for default CA, DRM, OCSP, and TKS instances (8.79 KB, patch)
2009-02-24 20:27 EST, Matthew Harmsen
Base diffs (10.97 KB, patch)
2009-02-26 21:38 EST, Matthew Harmsen
Dogtag diffs (11.99 KB, patch)
2009-02-26 21:39 EST, Matthew Harmsen

Description Jack Magne 2008-08-07 13:17:22 EDT
Description of problem:

Currently CS supports having its various subsystems listening on only two ports, one for secure access and one for non-secure access.

Previously, CS supported having the server listen on 3 different secure ports, one for EE, one for Agent, and one for admin.

This fix will provide an option to the "pkicreate" utility, to set a server up with this configuration if desired.

This feature is to be available for the CA, KRA, OCSP, and TKS.
Comment 1 Jack Magne 2008-08-07 13:20:20 EDT
Created attachment 313719 [details]
Fix for port separation
Comment 2 Matthew Harmsen 2008-08-07 13:34:38 EDT
+ mharmsen attachment (id=313719)

SUGGESTIONS for pkicreate:

(1) change the comment at the top from this:

    #            -secure_port=9543 || -agent_secure_port=9543
    #            -ee_secure_port=9544
    #            -admin_secure_port=9545

    to something like this:

    #            -secure_port=9543 || -agent_secure_port=9543
    #                                 -ee_secure_port=9544
    #                                 -admin_secure_port=9545

(2) change the "emit()" calls to be more specific; for example, change this:

    emit( "Failed to delete directory  for port separation ...\n" );

    to something like this:

    emit( "Failed to delete directory $ee_base_ui_instance_dir for port separation ...\n" );

(3) align ALL code that required indenting; for example, change:

    -        # create instance symlink to "osutil.jar"
    -        $result = create_symbolic_link( $osutil_jar_symlink_path,
    +            $result = create_symbolic_link( $osutil_jar_symlink_path,
                                             $osutil_jar_file_path );

    to:

    -        # create instance symlink to "osutil.jar"
    -        $result = create_symbolic_link( $osutil_jar_symlink_path,
    -                                        $osutil_jar_file_path );
    +            $result = create_symbolic_link( $osutil_jar_symlink_path,
    +                                            $osutil_jar_file_path );

SUGGESTIONS for CMSEngine:

(1) Align the code that is inside the for() loop to be uniform.
Comment 3 Jack Magne 2008-08-07 21:38:47 EDT
Sending        pki-ca.spec
Transmitting file data .
Committed revision 85.
Sending        pki-common.spec
Transmitting file data .
Committed revision 86.
Sending        pki-setup.spec
Transmitting file data .
Committed revision 87.
Sending        pki-tks.spec
Transmitting file data .
Committed revision 88
Sending        pki-ocsp.spec
Transmitting file data .
Committed revision 89.
Sending        pki-kra.spec
Transmitting file data .
Committed revision 90.
Sending        web.xml
Transmitting file data .
Committed revision 91.
Sending        velocity.properties
Transmitting file data .
Committed revision 92.
Sending        server.xml
Transmitting file data .
Committed revision 93.
Sending        MainPageServlet.java
Transmitting file data .
Committed revision 94.
Sending        CMSEngine.java
Transmitting file data .
Committed revision 95.
Sending        pkicreate
Transmitting file data .
Committed revision 96.
Sending        pkicommon
Transmitting file data .
Committed revision 97.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 98.
Sending        server.xml
Transmitting file data .
Committed revision 99.
Sending        velocity.properties
Sending        web.xml
Transmitting file data ..
Committed revision 100.
Sending        server.xml
Transmitting file data .
Committed revision 103.
Comment 4 Matthew Harmsen 2009-02-24 20:00:27 EST
The remainder of this bug is simply to create default instances using the port-separated logic for CA, DRM, OCSP, and TKS.
Comment 5 Matthew Harmsen 2009-02-24 20:08:28 EST
From Ade Lee's email:

Here are the ports currently defined in selinux for the default
instance.  I've actually chosen to not define these in the pki-selinux
rpm for the future and just have the startup scripts define them.  But
they are defined in the current rhel 5.3 selinux reference policy rpm -
so we should just use them.

pki_ca   9180  (non-ssl), 9701  (tomcat), 9443  (ssl), 9444,  9445
pki_kra  10180 (non-ssl), 10701 (tomcat), 10443 (ssl), 10444, 10445
pki_ocsp 11180 (non-ssl), 11701 (tomcat), 11443 (ssl), 11444, 11445
pki_ra   12888 (non-ssl), 12889 (ssl)
pki_tks  13180 (non-ssl), 13701 (tomcat), 13443 (ssl), 13444, 13445
pki_tps  7888  (non-ssl), 7889  (ssl)

Additionally, Bugzilla Bug #485859 specifies the following additional ports:
pki_ra   12890 (non_clientauth_ssl)
pki-tps  7890 (non_clientauth_ssl)
Comment 6 Matthew Harmsen 2009-02-24 20:27:34 EST
Created attachment 333112 [details]
PKI ports for default CA, DRM, OCSP, and TKS instances
Comment 7 Andrew Wnuk 2009-02-24 20:33:05 EST
attachment (id=333112) +awnuk
Comment 8 Matthew Harmsen 2009-02-24 21:00:05 EST
% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      dogtag/ca/pki-ca.spec
M      dogtag/tks/pki-tks.spec
M      dogtag/ocsp/pki-ocsp.spec
M      dogtag/kra/pki-kra.spec
M      base/ca/setup/postinstall
M      base/tks/setup/postinstall
M      base/ocsp/setup/postinstall
M      base/kra/setup/postinstall

% svn commit
Sending        base/ca/setup/postinstall
Sending        base/kra/setup/postinstall
Sending        base/ocsp/setup/postinstall
Sending        base/tks/setup/postinstall
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ........
Committed revision 244.
Comment 9 Matthew Harmsen 2009-02-25 19:58:22 EST
Re-opening bug to provide NEW default security domain port in initial CS.cfg files.
Comment 10 Matthew Harmsen 2009-02-26 21:38:27 EST
Created attachment 333424 [details]
Base diffs
Comment 11 Matthew Harmsen 2009-02-26 21:39:43 EST
Created attachment 333425 [details]
Dogtag diffs
Comment 13 Jack Magne 2009-02-26 21:52:16 EST
Attachments (id=333424,id=333425) +jmagne.
Comment 15 Matthew Harmsen 2009-02-26 21:56:04 EST
pki/base:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/shared/conf/CS.cfg
M      common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
M      common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
M      common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
M      tks/shared/conf/CS.cfg
M      ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
M      ra/lib/perl/PKI/RA/wizard.pm
M      ra/lib/perl/PKI/RA/Login.pm
M      ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
M      ocsp/shared/conf/CS.cfg
M      tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
M      tps/lib/perl/PKI/TPS/wizard.pm
M      tps/lib/perl/PKI/TPS/Login.pm
M      tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
M      kra/shared/conf/CS.cfg

% svn commit
Sending        base/ca/shared/conf/CS.cfg
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigDatabaseServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/ConfigJoinServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/Login.pm
Sending        base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
Sending        base/ra/lib/perl/PKI/RA/wizard.pm
Sending        base/tks/shared/conf/CS.cfg
Sending        base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/Login.pm
Sending        base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/wizard.pm
Transmitting file data ..................
Committed revision 259.
Comment 16 Matthew Harmsen 2009-02-26 21:59:39 EST
pki/dogtag:

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
M      tps-ui/dogtag-pki-tps-ui.spec
M      ca/pki-ca.spec
M      common/pki-common.spec
M      tks/pki-tks.spec
M      ra/pki-ra.spec
M      common-ui/dogtag-pki-common-ui.spec
M      common-ui/shared/admin/console/config/securitydomainloginpanel.vm
M      ocsp/pki-ocsp.spec
M      tps/pki-tps.spec
M      kra/pki-kra.spec
M      ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
M      ra-ui/dogtag-pki-ra-ui.spec

% svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/common-ui/dogtag-pki-common-ui.spec
Sending        dogtag/common-ui/shared/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/ra-ui/dogtag-pki-ra-ui.spec
Sending        dogtag/ra-ui/shared/docroot/ra/admin/console/config/securitydomainloginpanel.vm
Sending        dogtag/tks/pki-tks.spec
Sending        dogtag/tps/pki-tps.spec
Sending        dogtag/tps-ui/dogtag-pki-tps-ui.spec
Sending        dogtag/tps-ui/shared/docroot/tps/admin/console/config/securitydomainloginpanel.vm
Transmitting file data .............
Committed revision 260.
Comment 18 Chandrasekar Kannan 2009-06-03 19:59:56 EDT
Verified with 06/03 nightly build.

[root@sigma ~]# service pki-ca status ; service pki-kra status ; service pki-ocsp status ; service pki-tks status ; service pki-tps status;
pki-ca (pid 6954) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:9180/ca/ee/ca
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:9443/ca/agent/ca
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:9444/ca/ee/ca
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:9445/ca/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:9445/ca
    Tomcat Port       = 9701 (for shutdown)

pki-kra (pid 8992) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:10180/kra/ee/kra
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:10443/kra/agent/kra
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:10444/kra/ee/kra
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:10445/kra/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:10445/kra
    Tomcat Port       = 10701 (for shutdown)

pki-ocsp (pid 9930) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:11445/ocsp/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:11445/ocsp
    Tomcat Port       = 11701 (for shutdown)

pki-tks (pid 8035) is running ...

    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:13180/tks/ee/tks
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:13443/tks/agent/tks
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:13444/tks/ee/tks
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:13445/tks/services
    PKI Console Port  = pkiconsole https://sigma.dsdev.sjc.redhat.com:13445/tks
    Tomcat Port       = 13701 (for shutdown)

pki-tps (pid 12118) is running ...

    Unsecure Port              = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/so/enroll.cgi
                                 (ESC Security Officer Enrollment)
    Unsecure Port              = http://sigma.dsdev.sjc.redhat.com:7888/cgi-bin/home/index.cgi
                                 (ESC Phone Home)
    Secure Clientauth Port     = https://sigma.dsdev.sjc.redhat.com:7889/cgi-bin/sow/welcome.cgi
                                 (ESC Security Officer Workstation)
    Secure Clientauth Port     = https://sigma.dsdev.sjc.redhat.com:7889/tus
                                 (TPS Roles - Operator/Administrator/Agent)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/so/enroll.cgi
                                 (ESC Security Officer Enrollment)
    Secure Non-Clientauth Port = https://sigma.dsdev.sjc.redhat.com:7890/cgi-bin/home/index.cgi
                                 (ESC Phone Home)

[root@sigma ~]#
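As an added example (not code from this bug or from Dogtag), a small Python check that parses `service pki-* status` output like the verification run above and confirms the port separation described in the bug: agent, EE and admin on three distinct secure ports, each matching the selinux-labelled assignment from Comment 5. The first sample is an excerpt of Comment 18; the second sample and the host name pki.example.test are constructed to show the older shared-port layout being flagged.

```python
import re

# Selinux port bases from Ade Lee's list in Comment 5: every tomcat-based
# subsystem uses base+180 (non-ssl), base+443 (agent), +444 (ee), +445 (admin).
SELINUX_BASES = {"ca": 9000, "kra": 10000, "ocsp": 11000, "tks": 13000}
EXPECTED_OFFSET = {"unsecure": 180, "agent": 443, "ee": 444, "admin": 445}
# Excerpt of the `service pki-ca status` output shown in Comment 18.
SEPARATED_STATUS = """\
pki-ca (pid 6954) is running ...
    Unsecure Port     = http://sigma.dsdev.sjc.redhat.com:9180/ca/ee/ca
    Secure Agent Port = https://sigma.dsdev.sjc.redhat.com:9443/ca/agent/ca
    Secure EE Port    = https://sigma.dsdev.sjc.redhat.com:9444/ca/ee/ca
    Secure Admin Port = https://sigma.dsdev.sjc.redhat.com:9445/ca/services
"""
# Constructed sample of the older layout: one secure port shared by all roles.
COLLAPSED_STATUS = """\
pki-tks (pid 1) is running ...
    Unsecure Port     = http://pki.example.test:13180/tks/ee/tks
    Secure Agent Port = https://pki.example.test:13443/tks/agent/tks
    Secure EE Port    = https://pki.example.test:13443/tks/ee/tks
    Secure Admin Port = https://pki.example.test:13443/tks/services
"""
HEADER_RE = re.compile(r"^pki-(\w+) \(pid \d+\) is running")
PORT_RE = re.compile(r"^\s*(?:Secure )?(Unsecure|Agent|EE|Admin) Port"
                     r"\s*=\s*(?:\w+://[^:/\s]+:)?(\d+)")

def parse_status(text):
    """Map subsystem -> {role: port} from `service pki-* status` output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current:
            ports[current][m.group(1).lower()] = int(m.group(2))
    return ports

def check_separation(ports, bases=SELINUX_BASES):
    """Return findings; empty means roles are separated on the labelled ports."""
    findings = []
    for sub, p in ports.items():
        secure = [p.get(r) for r in ("agent", "ee", "admin")]
        if len(set(secure)) != 3:
            findings.append(f"{sub}: agent/ee/admin not separated {secure}")
        for role, off in EXPECTED_OFFSET.items():
            if sub in bases and p.get(role) != bases[sub] + off:
                findings.append(f"{sub}: {role} port {p.get(role)} != "
                                f"selinux-labelled {bases[sub] + off}")
    return findings
```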
