On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> > On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > We use the new proxy code for dogtag now, so we do not need to open all
> > > > the CA ports as all connections go through the standard https port.
> > > >
> > > > Fixes https://fedorahosted.org/freeipa/ticket/1745
> > > >
> > > > Simo.
> > >
> > > nack. dogtag replication still takes place over 7389.
> > Ouch, I am so glad we have a review process :-)
> New patch.
After a quick convo with Rob on IRC I added a few ports that we should
80/443 are also necessary for CA replication but they are always checked
anyway because they are basic services that should always be available.
Simo Sorce * Red Hat, Inc * New York
From c3e18cbba6f6ac707cc148ba4977b0ad8fd8a6de Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 31 Aug 2011 14:07:56 -0400
Subject: [PATCH] conncheck: No need to check for CA ports anymore
Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we do not need to leave the old CA ports open.
These ports are still used locally but not over the network.
install/tools/ipa-replica-conncheck | 5 -----
1 files changed, 0 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index b48f7d891b24a564847f4cc39bd61da7a3d85549..817f305777cdf585a8077842cbbb657afeb68731 100755
@@ -55,11 +55,6 @@ BASE_PORTS = [
CA_PORTS = [
CheckedPort(7389, True, "PKI-CA: Directory Service port"),
- CheckedPort(9443, True, "PKI-CA: Agent secure port"),
- CheckedPort(9444, True, "PKI-CA: EE secure port"),
- CheckedPort(9445, True, "PKI-CA: Admin secure port"),
- CheckedPort(9446, True, "PKI-CA: EE secure client auth port"),
- CheckedPort(9180, True, "PKI-CA: Unsecure port"),
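Review bot: the subject line "No need to check for CA ports anymore" and the sentence "we do not need to leave the old CA ports open" no longer match this hunk, which deliberately keeps `CheckedPort(7389, True, "PKI-CA: Directory Service port")` because dogtag replication still runs over 7389, as raised earlier in the thread. Reword the subject to say the proxied ports (9180, 9443-9446) are dropped, add one sentence to the commit message stating that 7389 remains checked for CA replication, and consider a short comment above `CA_PORTS` noting that 80/443 are also needed for CA replication but are already covered by `BASE_PORTS`, so the next reader does not ask the same question.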
Freeipa-devel mailing list