Bug 683172 - pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone
Summary: pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 683173
Reported: 2011-03-08 18:21 UTC by Ade Lee
Modified: 2015-01-04 23:47 UTC (History)

Fixed In Version: pki-core-9.0.3-9.el6 ipa-pki-theme-9.0.3-6.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 683173
Environment:
Last Closed: 2011-05-19 13:44:10 UTC
Target Upstream Version:


Attachments
patch to fix (19.35 KB, patch)
2011-03-08 22:50 UTC, Ade Lee
awnuk: review+
patch to fix ui (1.62 KB, patch)
2011-03-08 22:51 UTC, Ade Lee
awnuk: review+
Patch + spec file changes (25.76 KB, patch)
2011-03-09 20:41 UTC, Matthew Harmsen
awnuk: review+
Patch + spec file changes (UI) (3.06 KB, patch)
2011-03-09 22:07 UTC, Matthew Harmsen
awnuk: review+


Links
System: Red Hat Product Errata; ID: RHEA-2011:0627; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: new package: pki-core; Last Updated: 2011-05-18 17:56:00 UTC

Description Ade Lee 2011-03-08 18:21:32 UTC
Description of problem:

pkisilent needs to provide an option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone. Currently there is no such option, which means the default (LDAP) is used and replication traffic is sent in the clear.

The change requires a change to pkisilent and to pki-common in the database panel.

Comment 1 Ade Lee 2011-03-08 22:50:08 UTC
Created attachment 483056 [details]
patch to fix

Comment 2 Ade Lee 2011-03-08 22:51:13 UTC
Created attachment 483057 [details]
patch to fix ui

Comment 3 Ade Lee 2011-03-09 07:03:15 UTC
6.1:

[vakwetu@dhcp231-121 pki]$ svn ci -m "Resolves #683172 - pkisilent needs to provide option to set nsDS5ReplicaTransportInfo to TLS in replication agreements when creating a clone"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
Sending        base/silent/src/ca/ConfigureCA.java
Sending        base/silent/src/drm/ConfigureDRM.java
Sending        base/silent/src/ocsp/ConfigureOCSP.java
Sending        base/silent/src/subca/ConfigureSubCA.java
Sending        base/silent/src/tks/ConfigureTKS.java
Sending        base/silent/templates/pki_silent.template
Sending        dogtag/common-ui/shared/admin/console/config/databasepanel.vm
Transmitting file data ........
Committed revision 1886.

Comment 4 Matthew Harmsen 2011-03-09 20:23:14 UTC
Extrapolating from Bugzilla Bug #682021:

    ./pki/scripts/pki_patch_maker 1880 1887 pki-core 9.0.3
        pki-core-9.0.3-r1886.patch

Comment 5 Matthew Harmsen 2011-03-09 20:41:51 UTC
Created attachment 483303 [details]
Patch + spec file changes

Comment 6 Matthew Harmsen 2011-03-09 20:46:51 UTC
IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/pki-core-9.0.3-r1886.patch
M       specs/pki-core.spec

# svn commit
Adding         patches/pki-core-9.0.3-r1886.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 1889.

Comment 7 Matthew Harmsen 2011-03-09 20:53:38 UTC
Published patch to http://pki.fedoraproject.org/pki/sources/pki-core/

Comment 8 Matthew Harmsen 2011-03-09 21:23:03 UTC
For 'ipa-pki-theme':

    ./pki/scripts/pki_patch_maker 1834 1887 ipa-pki-theme 9.0.3
        ipa-pki-theme-9.0.3-r1886.patch

Comment 9 Matthew Harmsen 2011-03-09 22:07:50 UTC
Created attachment 483319 [details]
Patch + spec file changes (UI)

Comment 10 Matthew Harmsen 2011-03-09 22:21:37 UTC
IPA_v2_RHEL_6_1_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/ipa-pki-theme-9.0.3-r1886.patch
M       specs/ipa-pki-theme.spec

# svn commit
Adding         patches/ipa-pki-theme-9.0.3-r1886.patch
Sending        specs/ipa-pki-theme.spec
Transmitting file data ..
Committed revision 1891.

Comment 11 Matthew Harmsen 2011-03-09 22:43:05 UTC
Published patch to http://pki.fedoraproject.org/pki/sources/ipa-pki-theme/

Comment 13 Jenny Severance 2011-04-20 18:38:46 UTC
Need official steps to reproduce? Or will this suffice for verification?

IPA REPLICA Install pkicreate invocation (NOTE: -clone_start_tls true) :

011-04-20 13:55:55,748 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname dhcp-100-18-11.testrelm -cs_port 9445 -client_certdb_dir /tmp/tmp-62GRKS -client_certdb_pwd 'XXXXXXXX' -preop_pin X7qm865z7jkMglDGvsne -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=TESTRELM" -ldap_host dhcp-100-18-11.testrelm -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=TESTRELM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=TESTRELM" -ca_server_cert_subject_name "CN=dhcp-100-18-11.testrelm,O=TESTRELM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=TESTRELM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=TESTRELM" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname dhcp-100-18-10.testrelm -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://dhcp-100-18-10.testrelm:9444



Configuration Agreement post install (NOTE: nsDS5ReplicaTransportInfo: TLS):

# cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca, replica, o\3Dipaca, mapping
  tree, config
dn: cn=cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca,cn=replica,cn=o\3Dipaca,
 cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: dhcp-100-18-10.testrelm
nsDS5ReplicaPort: 7389
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-dhcp-100-18-11.tes
 trelm-pki-ca,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: cloneAgreement1-dhcp-100-18-11.testrelm-pki-ca
nsDS5ReplicaCredentials: {DES}JDmnMc3VmYfPXXLKaB2LoA==
nsds50ruv: {replicageneration} 4daf12fb000000600000
nsds50ruv: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 4daf132f0000006000
 00 4daf1e2b000100600000
nsds50ruv: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 4daf1e0e0000005600
 00 4daf1efc000100560000
nsds50ruv: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 4daf19f70000005b00
 00 4daf1a4b0002005b0000
nsds50ruv: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 4daf13120000006100
 00 4daf1366000200610000
nsruvReplicaLastModified: {replica 96 ldap://dhcp-100-18-10.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 86 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 91 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsruvReplicaLastModified: {replica 97 ldap://dhcp-100-18-11.testrelm:7389} 000
 00000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110420183048Z
nsds5replicaLastUpdateEnd: 20110420183048Z
nsds5replicaChangesSentSinceStartup:: ODY6MS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE


Versions:
pki-silent-9.0.3-10.el6.noarch
ipa-server-2.0.0-23.el6.x86_64
pki-ca-9.0.3-10.el6.noarch
ds-replication-1.2.8.0-1.el6.x86_64

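The check implied by the description and by the verification in comment 13, written here as an added example (not the bug's own or the pki project's code): parse a replication-agreement LDIF dump like the one above and flag every agreement whose nsDS5ReplicaTransportInfo is missing or LDAP, the cleartext default the report describes. The LDIF sample and hostnames are constructed, and the set of values treated as encrypted transport is an assumption.

```python
# Added example (not from this bug report or the pki project): audit a 389-DS replication
# agreement LDIF dump, as in comment 13, for agreements replicating in the clear.
ENCRYPTED = {"SSL", "TLS", "STARTTLS", "LDAPS"}   # assumed encrypted spellings

def parse_ldif(text):
    """Parse ldapsearch-style LDIF into [{attr: [values]}], unfolding continuation lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # line folded with a leading space
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:               # "" sentinel flushes the last entry
        if line.startswith("#"):              # LDIF comment
            continue
        if not line.strip():                  # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def cleartext_agreements(ldif_text):
    """Return (cn, replica host, transport) for every agreement not using an encrypted transport."""
    out = []
    for e in parse_ldif(ldif_text):
        if "nsds5replicationagreement" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        transport = e.get("nsds5replicatransportinfo", ["LDAP"])[0]   # absent => server default LDAP
        if transport.upper() not in ENCRYPTED:
            out.append((e["cn"][0], e.get("nsds5replicahost", ["?"])[0], transport))
    return out

# Constructed sample: one agreement created with -clone_start_tls true, one left at the default.
SAMPLE_LDIF = """\
dn: cn=cloneAgreement1-replica1.example.test-pki-ca,cn=replica,cn=o\\3Dipaca,
 cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: cloneAgreement1-replica1.example.test-pki-ca
nsDS5ReplicaHost: master1.example.test
nsDS5ReplicaTransportInfo: TLS

# legacy agreement with no transport attribute
dn: cn=legacyAgreement,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: legacyAgreement
nsDS5ReplicaHost: master2.example.test
"""
```

Running `cleartext_agreements` over the output of an ldapsearch against cn=mapping tree,cn=config gives the list of agreements still replicating over plain LDAP.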
Comment 14 Jenny Severance 2011-04-20 18:43:59 UTC
marking verified based on comment 13

Comment 15 errata-xmlrpc 2011-05-19 13:44:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0627.html

