Description of problem:
When creating a clone from a clone the pkisilent argument -sd_hostname needs to point to the server that was installed first. This is in the context of IPA.

I started by installing IPA on lion which in turn set up a dogtag instance. I created a clone on tiger, pointing to lion as the master. I created a clone on panther, pointing to tiger as the master. This installation failed. When I otherwise left everything else alone and just set -sd_hostname to lion the clone installed as expected.

The working pkisilent invocation was:

/usr/bin/pkisilent ConfigureCA -cs_hostname panther.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WVSbNZ -client_certdb_pwd XXXXXXXX -preop_pin 3edlfUfAPL1kaVvCYV2W -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host panther.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=panther.example.com,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname lion.example.com -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX

Version-Release number of selected component (if applicable):
pki-native-tools-1.3.0-5.fc12.x86_64
pki-selinux-1.3.4-1.fc12.noarch
pki-util-1.3.0-5.fc12.noarch
pki-java-tools-1.3.1-1.fc12.noarch
pki-ca-1.3.3-1.fc12.noarch
pki-common-1.3.3-1.fc12.noarch
pki-silent-1.3.2-1.fc12.noarch
pki-setup-1.3.4-1.fc12.noarch
pki-symkey-1.3.2-3.fc12.x86_64
pki-console-1.3.1-1.fc12.noarch
Created attachment 409191 [details]
patch to fix

Patch contains changes needed to allow clone to be a domain master as well. With these changes, clone of a clone need not contact the original master. awnuk, please review.
attachment (id=409191) +awnuk
checked into 8.1:
[builder@goofy-vm4 base]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master"
Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Transmitting file data ....
Committed revision 1079.

checked into tip:
[builder@dhcp231-70 base]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master"
Sending base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Transmitting file data ....
Committed revision 1080.

On tip:
[builder@dhcp231-70 dogtag]$ svn ci -m "update release numbers for 584917 and 577949"
Sending dogtag/ca/pki-ca.spec
Sending dogtag/common/pki-common.spec
Sending dogtag/kra/pki-kra.spec
Sending dogtag/ocsp/pki-ocsp.spec
Sending dogtag/selinux/pki-selinux.spec
Sending dogtag/tks/pki-tks.spec
Transmitting file data ......
Committed revision 1081.
Able to select the clone CA security domain URL while providing Subsystem Type details for the clone of the clone CA. But in the subject names of the clone of the clone CA, it is pointing to the Master CA security domain URL. Please find the screen shots attached.
Created attachment 412234 [details]
Screen Shots
Created attachment 414955 [details]
patch to fix part 2

Fixes problem in dogtag (due to fix for latest 389 package) as well as hard-codedness in pkisilent. Tested by Rob. awnuk, please review.
attachment (id=414955) +awnuk
Created attachment 415045 [details]
patch to fix part 3

Just fixed small UI issue reported by bhaskar. Simple fix added to WizardPanelBase.java. awnuk, please review.
checked into dogtag:
[builder@dhcp231-70 pki]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master - additional fixes"
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/silent/src/ca/ConfigureCA.java
Sending base/silent/templates/pki_silent.template
Transmitting file data ...
Committed revision 1103.

checked into 8.1:
[builder@goofy-vm4 pki]$ svn ci -m "Bug 577949 - clone from a clone requires contacting original security domain master - additional fixes"
Sending base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
Sending base/silent/src/ca/ConfigureCA.java
Sending base/silent/templates/pki_silent.template
Transmitting file data ...
Committed revision 1104.
Note to QE/Docs: when creating a clone using pkisilent, the following parameter is now required:
-clone_uri https://<hostname of ca to be cloned>:<EE port of ca to be cloned>
attachment (id=415045) +awnuk
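A pre-flight check for the clone-of-clone invocation described in this thread, added here as an example and not part of the bug's patches or of pkisilent itself. It parses a pkisilent ConfigureCA command line, verifies that -sd_hostname names the security domain master (lion in the report) and that the -clone_uri parameter noted above is present and well formed, and lists which flags carry secrets on the command line. The sample command and the EE port 9444 in the clone_uri are constructed for the example.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: a trimmed version of the reporter's working invocation,
# plus the -clone_uri parameter the thread says is now required. The EE port
# 9444 is an assumed value, not one taken from the bug report.
SAMPLE_CMD = (
    '/usr/bin/pkisilent ConfigureCA -cs_hostname panther.example.com -cs_port 9445 '
    '-agent_cert_subject "CN=ipa-ca-agent,O=IPA" -bind_password XXXXXXXX '
    '-clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX '
    '-sd_hostname lion.example.com -sd_admin_port 9445 -sd_admin_name admin '
    '-sd_admin_password XXXXXXXX -clone_uri https://tiger.example.com:9444'
)

def parse_pkisilent(cmdline):
    """Split a pkisilent command line into {flag: value}; a flag with no value maps to True."""
    toks = shlex.split(cmdline)        # honours the quoted DN/subject arguments
    args, i = {}, 2                    # skip the binary and the ConfigureCA subcommand
    while i < len(toks):
        if toks[i].startswith('-'):
            key = toks[i][1:]
            if i + 1 < len(toks) and not toks[i + 1].startswith('-'):
                args[key] = toks[i + 1]
                i += 2
            else:
                args[key] = True
                i += 1
        else:
            i += 1
    return args

def check_clone_args(args, sd_master):
    """Findings for a clone install: sd_hostname must be the security domain master
    (the first CA installed), and clone_uri must be https://<host>:<port> of the CA being cloned."""
    findings = []
    if args.get('clone') != 'true':
        return findings
    if args.get('sd_hostname') != sd_master:
        findings.append('sd_hostname must be the security domain master %s, got %s'
                        % (sd_master, args.get('sd_hostname')))
    uri = args.get('clone_uri')
    if not isinstance(uri, str):
        findings.append('clone_uri is required: https://<host of CA to be cloned>:<EE port>')
    else:
        u = urlsplit(uri)
        if u.scheme != 'https' or not u.hostname or u.port is None:
            findings.append('clone_uri must be https://host:port, got %s' % uri)
    return findings

def exposed_secrets(args):
    """Flags whose values are secrets; passed on the command line they are readable by other local users."""
    return sorted(k for k in args if k.endswith('password') or k.endswith('_pwd'))
```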
Tested on RHEL5.4 and it is working fine.

Version:
pki-ca-8.1.0-1.el5pki
redhat-pki-ca-ui-8.1.0-1.el5pki

*+ 1 /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
   2 /usr/lib/jvm/jre1-4.2-gcj/bin/java

Verification: Create a clone of a clone CA.

Actual results: Able to select clone CA security domain url.

Expected results: Should be able to select clone CA security domain url.