On Thu, 2011-09-01 at 08:21 -0400, Simo Sorce wrote:
> On Thu, 2011-09-01 at 08:10 -0400, Simo Sorce wrote:
> > On Wed, 2011-08-31 at 23:51 -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > We use the new proxy code for dogtag now, so we do not need to open all
> > > > the CA ports as all connections go through the standard https port.
> > > >
> > > > Fixes https://fedorahosted.org/freeipa/ticket/1745
> > > >
> > > > Simo.
> > >
> > > nack. dogtag replication still takes place over 7389.
> >
> > Ouch, I am so glad we have a review process :-)
>
> New patch.

After a quick convo with Rob on IRC I added a few ports that we should always test.
80/443 are also necessary for CA replication but they are always checked anyway because they are basic services that should always be available.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From c3e18cbba6f6ac707cc148ba4977b0ad8fd8a6de Mon Sep 17 00:00:00 2001 From: Simo Sorce <sso...@redhat.com> Date: Wed, 31 Aug 2011 14:07:56 -0400 Subject: [PATCH] conncheck: No need to check for CA ports anymore Since we have the PKI proxy configuration all communication with the CA happens on the standard 80/443 ports so we do not need to leave the old CA ports open. These ports are still used locally but not over the network. --- install/tools/ipa-replica-conncheck | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index b48f7d891b24a564847f4cc39bd61da7a3d85549..817f305777cdf585a8077842cbbb657afeb68731 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -55,11 +55,6 @@ BASE_PORTS = [ CA_PORTS = [ CheckedPort(7389, True, "PKI-CA: Directory Service port"), - CheckedPort(9443, True, "PKI-CA: Agent secure port"), - CheckedPort(9444, True, "PKI-CA: EE secure port"), - CheckedPort(9445, True, "PKI-CA: Admin secure port"), - CheckedPort(9446, True, "PKI-CA: EE secure client auth port"), - CheckedPort(9180, True, "PKI-CA: Unsecure port"), ] def print_info(msg): -- 1.7.6
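
Review bot: The commit message and the surviving `CA_PORTS` entry disagree: the subject says "No need to check for CA ports anymore", yet the hunk keeps `CheckedPort(7389, True, "PKI-CA: Directory Service port")`. State in the message that 7389 stays because dogtag replication still runs over it, and consider a short comment above `CA_PORTS` saying the remaining CA traffic now goes through the proxy on 80/443, so a later cleanup does not drop the last entry as well. The cover note also mentions added ports that should always be tested, but the diffstat reads 0 insertions, 5 deletions; if those additions belong to this patch, they are not in it.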