On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> > On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > We use the new proxy code for dogtag now, so we do not need to open all
> > > > the CA ports as all connections go through the standard https port.
> > > >
> > > > Fixes https://fedorahosted.org/freeipa/ticket/1745
> > > >
> > > > Simo.
> > > 
> > > nack. dogtag replication still takes place over 7389.
> > 
> > Ouch, I am so glad we have a review process :-)
> 
> New patch.

After a quick convo with Rob on IRC I added a few ports that we should
always test.
80/443 are also necessary for CA replication, but they are always checked
anyway because they are basic services that should always be available.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From c3e18cbba6f6ac707cc148ba4977b0ad8fd8a6de Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 31 Aug 2011 14:07:56 -0400
Subject: [PATCH] conncheck: No need to check for CA ports anymore

Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we do not need to leave the old CA ports open.
These ports are still used locally but not over the network.
---
 install/tools/ipa-replica-conncheck |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index b48f7d891b24a564847f4cc39bd61da7a3d85549..817f305777cdf585a8077842cbbb657afeb68731 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -55,11 +55,6 @@ BASE_PORTS = [
 
 CA_PORTS  = [
                 CheckedPort(7389, True, "PKI-CA: Directory Service port"),
-                CheckedPort(9443, True, "PKI-CA: Agent secure port"),
-                CheckedPort(9444, True, "PKI-CA: EE secure port"),
-                CheckedPort(9445, True, "PKI-CA: Admin secure port"),
-                CheckedPort(9446, True, "PKI-CA: EE secure client auth port"),
-                CheckedPort(9180, True, "PKI-CA: Unsecure port"),
             ]
 
 def print_info(msg):
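
Review bot: The subject and commit message overstate what this CA_PORTS hunk does: the message says all communication with the CA happens on the standard 80/443 ports, yet CheckedPort(7389, True, "PKI-CA: Directory Service port") is kept, and the thread states that dogtag replication still takes place over 7389. Reword the message to say that only the 9443, 9444, 9445, 9446 and 9180 checks are dropped and that 7389 remains required between replicas, and consider a short comment above the remaining entry so a later cleanup does not remove it. The diffstat also reports 0 insertions, so the additional always-tested ports mentioned in the cover note are not visible in this diff; confirm the attached patch is the intended revision.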
-- 
1.7.6
