Ade Lee wrote:
     This patch adds the capability of installing a Dogtag DRM
     to an IPA instance.  With this patch, when ipa-server-install
     is run, a Dogtag CA and a Dogtag DRM are created.  The DRM
     shares the same tomcat instance and DS instance as the Dogtag CA.
     Moreover, the same admin user/agent (and agent cert) can be used
     for both subsystems.  Certmonger is also configured to monitor the
     new subsystem certificates.

     It is also possible to clone the DRM.  When the IPA instance is
     cloned, if --enable-ca and --enable-drm are specified, the DRM
     is cloned as well.

     Installing a DRM requires the user to have a Dogtag CA instance.
     We can look into possibly relaxing that requirement in a later patch.

     I am still working on patches for a ipa-drm-install script, which
     would be used to add a DRM to an existing master (that includes
     a dogtag CA), or an existing clone.

    Please review,


Yikes, I wonder if the changes to ipaserver/install/ should be pushed ASAP. needs a dependency on pki-kra.

Is it necessary to check for pkispawn/destroy in check_inst()? That should be handled by the CA install, right?

You need to bump the version in ipa-pki-proxy.conf so that upgrades get the new configuration.

Rather than this:

+    if setup_drm:
+        fd.write("enable_drm=True\n")
+    else:
+        fd.write("enable_drm=False\n")
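Review bot: the two branches differ only in the literal written, so the if/else collapses to one `fd.write("enable_drm=%s\n" % setup_drm)`; if `setup_drm` can arrive as None or an empty value rather than a real bool, write `%s` of `bool(setup_drm)` so the file never ends up containing `enable_drm=None`, which a later getboolean() on that file would reject.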

Why not:

    fd.write("enable_drm=%s\n" % setup_drm)

If o=ipadrm is a new root we'll need to backup/restore it right?

You should import PKI_USER and HTTPD_CONFD from rather than redefining them.

You should probably call the is_installed() from rather than redefining this. The function might be ok but I'd replace the contents with:

    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
    return ca.is_installed()

If the DRM is already installed we don't have a way to uninstall it so we shouldn't recommend that as an option.

The value for pki_issuing_ca_uri doesn't create a valid URL (missing //). You should use this form instead:

    config.set("KRA", "pki_issuing_ca_uri", "https://%s" % ipautil.format_netloc(self.fqdn, 443))

I think that update_people_entry() should probably be moved into and used for both the CA and DRM instances.

It makes a certain amount of sense to use /etc/ipa/default.conf. It may be outside the scope here, but if we're including it, would it be better to use that for everything rather than splitting between two files?

The install failed for me. I've attached the KRA debug log.
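As an added illustration of the two config points raised above (the enable_drm flag and the pki_issuing_ca_uri form), the following is example code written for this review, not code from the patch or from the FreeIPA project. The `format_netloc` helper is a stand-in for `ipautil.format_netloc` and the `[global]` section name is an assumption about the config layout; the main point it shows is that a URI written as `https:host:443` has no authority component at all, while `https://host:443` does, and that a boolean written with `%s` reads back cleanly with `getboolean()`.

```python
"""Added example for the DRM review thread (not project code).

format_netloc below is a stand-in for ipautil.format_netloc (assumption);
the [global] section name is likewise assumed.
"""
import configparser
import io
import ipaddress
from urllib.parse import urlparse


def format_netloc(host, port=None):
    """Stand-in for ipautil.format_netloc: bracket IPv6 literals, append port."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = "[%s]" % host
    except ValueError:
        pass  # plain hostname or IPv4 address: use as-is
    return host if port is None else "%s:%d" % (host, port)


def issuing_ca_uri(fqdn, port=443):
    """Build the CA URI with the '//' authority separator present."""
    return "https://%s" % format_netloc(fqdn, port)


def has_authority(uri):
    """True only if the URI actually carries a host part (the '//' form)."""
    return bool(urlparse(uri).netloc)


def write_drm_config(setup_drm, fqdn):
    """Write the enable_drm flag and the issuing CA URI as ini text."""
    cfg = configparser.RawConfigParser()
    cfg.add_section("global")
    # bool() guards against None/"" being serialised verbatim.
    cfg.set("global", "enable_drm", "%s" % bool(setup_drm))
    cfg.add_section("KRA")
    cfg.set("KRA", "pki_issuing_ca_uri", issuing_ca_uri(fqdn))
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def read_drm_config(text):
    """Read the flag back as a real bool plus the URI string."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    return (cfg.getboolean("global", "enable_drm"),
            cfg.get("KRA", "pki_issuing_ca_uri"))


if __name__ == "__main__":
    text = write_drm_config(True, "ipa.example.test")  # constructed host name
    print(text)
    print(read_drm_config(text))
    print(has_authority("https:ipa.example.test:443"))   # False: no '//'
    print(has_authority(issuing_ca_uri("ipa.example.test")))  # True
```

`has_authority` is the quick check a reviewer can run on a generated URI: the `https:host:443` form parses with an empty netloc, which is why the missing `//` breaks the CA lookup.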


Attachment: debug.gz
Description: GNU Zip compressed data

Freeipa-devel mailing list