Alon Bar-Lev has posted comments on this change.
Change subject: pki: use PKCS#12 format to store keys
......................................................................
Patch Set 7: (1 inline comment)
....................................................
File packaging/fedora/setup/engine-upgrade.py
Line 644: logging.error("PKI: cannot symlink '%s'->'%s'" %
(basedefs.FILE_PRIVATE_SSH_KEY, basedefs.FILE_ENGINE_PRIVATE_KEY) )
Line 645: raise
Line 646:
Line 647: def rollback(self):
Line 648: if os.path.exists(self.JKSKEYSTORE):
Hi,
Not sure I understand...
The scenario is as follows: The JKSKEYSTORE is the existing state. The
FILE_ENGINE_KEYSTORE is the new state.
When rolling back we need to keep JKSKEYSTORE if available to keep old state,
we can always reproduce the FILE_ENGINE_KEYSTORE in this state.
However, if it does not exist, it suggests that upgrade was already performed
once, so protect ourselves and do not delete anything.
The FILE_ENGINE_PRIVATE_KEY is a copy of FILE_PRIVATE_SSH_KEY, the change is to
create symlink FILE_PRIVATE_SSH_KEY->FILE_ENGINE_PRIVATE_KEY.
During prepare we copy FILE_PRIVATE_SSH_KEY->FILE_ENGINE_PRIVATE_KEY, during
rollback we just remove the FILE_ENGINE_PRIVATE_KEY, during commit we remove
the FILE_PRIVATE_SSH_KEY and perform the symlink.
Input:
- JKSKEYSTORE - JKS store.
- FILE_PRIVATE_SSH_KEY - PKCS#8 private key not protected by password; the strange
thing is that apache uses it, so "SSH" is confusing.
Output:
- FILE_ENGINE_KEYSTORE - PKCS#12 engine key store.
- FILE_ENGINE_PRIVATE_KEY - PKCS#8 private key not protected by password.
- FILE_PRIVATE_SSH_KEY - link to FILE_ENGINE_PRIVATE_KEY, backward
compatibility for the log collector.
Currently all keys are really the *SAME* key.
Usage matrix:
- FILE_ENGINE_KEYSTORE - jboss TLS server, TLS client certificate for vdsm
communication, SSH identity.
- FILE_ENGINE_PRIVATE_KEY - apache TLS server.
- FILE_PRIVATE_SSH_KEY - log collector.
In the future we should:
- make log collector use the PKCS#12 engine id and remove the
FILE_PRIVATE_SSH_KEY.
- generate different keystore for TLS server (jboss and apache).
Alon.
Line 649: for f in (basedefs.FILE_ENGINE_KEYSTORE,
basedefs.FILE_ENGINE_PRIVATE_KEY):
Line 650: try:
Line 651: os.remove(f)
Line 652: except OSError:
--
To view, visit http://gerrit.ovirt.org/6883
Gerrit-MessageType: comment
Gerrit-Change-Id: I2abda5778477faff09798a43cf3dc96435efb272
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alex Lourie <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Barak Azulay <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Ofer Schreiber <[email protected]>
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
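The prepare/commit/rollback sequence described in the comment above, written out as an added example in the style of engine-upgrade.py; this is not the oVirt code, and the file names are constructed stand-ins for the basedefs.* constants. It shows the two rollback paths: with the JKS store present the new files are removed, and with it absent nothing is deleted.

```python
import os
import shutil
import tempfile
from pathlib import Path

class PkiKeyUpgrade:
    def __init__(self, pki_dir):
        # Constructed file names standing in for the basedefs.* constants.
        self.JKSKEYSTORE = os.path.join(pki_dir, ".keystore")            # old state
        self.FILE_ENGINE_KEYSTORE = os.path.join(pki_dir, "engine.p12")   # new state
        self.FILE_PRIVATE_SSH_KEY = os.path.join(pki_dir, "engine_id_rsa")
        self.FILE_ENGINE_PRIVATE_KEY = os.path.join(pki_dir, "engine.pem")

    def prepare(self):
        # Copy the password-less PKCS#8 key and keep the copy owner-readable only.
        shutil.copyfile(self.FILE_PRIVATE_SSH_KEY, self.FILE_ENGINE_PRIVATE_KEY)
        os.chmod(self.FILE_ENGINE_PRIVATE_KEY, 0o600)
        Path(self.FILE_ENGINE_KEYSTORE).write_bytes(b"P12")  # real step: export JKS -> PKCS#12

    def commit(self):
        # The old path becomes a symlink to the new key, for the log collector.
        os.remove(self.FILE_PRIVATE_SSH_KEY)
        os.symlink(os.path.basename(self.FILE_ENGINE_PRIVATE_KEY), self.FILE_PRIVATE_SSH_KEY)

    def rollback(self):
        # No JKS store means a previous upgrade already committed: delete nothing.
        if not os.path.exists(self.JKSKEYSTORE):
            return False
        for f in (self.FILE_ENGINE_KEYSTORE, self.FILE_ENGINE_PRIVATE_KEY):
            try:
                os.remove(f)
            except OSError:
                pass  # already absent, e.g. prepare failed half-way
        return True

def demo():
    u = PkiKeyUpgrade(tempfile.mkdtemp())
    Path(u.JKSKEYSTORE).write_bytes(b"JKS")         # constructed pre-upgrade state
    Path(u.FILE_PRIVATE_SSH_KEY).write_bytes(b"KEY")
    u.prepare()
    rb_with_jks = u.rollback()                      # JKS present: new files removed
    cleaned = not os.path.exists(u.FILE_ENGINE_KEYSTORE) and os.path.isfile(u.FILE_PRIVATE_SSH_KEY)
    u.prepare()
    u.commit()
    os.remove(u.JKSKEYSTORE)                        # stand-in for the post-upgrade cleanup
    rb_without_jks = u.rollback()                   # JKS gone: must refuse to delete
    link_ok = os.path.islink(u.FILE_PRIVATE_SSH_KEY) and Path(u.FILE_PRIVATE_SSH_KEY).read_bytes() == b"KEY"
    kept = os.path.exists(u.FILE_ENGINE_KEYSTORE) and os.path.exists(u.FILE_ENGINE_PRIVATE_KEY)
    shutil.rmtree(os.path.dirname(u.JKSKEYSTORE))
    return {"rb_with_jks": rb_with_jks, "cleaned": cleaned, "rb_without_jks": rb_without_jks, "link_ok": link_ok, "kept": kept}
```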