[Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.

2016-07-01 Thread Abhijeet Kasurde

Hi All,

Please review the patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From 4660a338745020cf773e8e22d6da3552cb014cc2 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Sat, 2 Jul 2016 11:03:53 +0530
Subject: [PATCH] Added instance and subsystem validation for pki-server
 subsystem-* commands.

The pki-server subsystem-* commands have been updated to validate
the instance and subsystem before proceeding with the operation.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/subsystem.py | 66 +-
 1 file changed, 53 insertions(+), 13 deletions(-)

diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 49215cf46a56ac984bdd5b8ad54e618a7b04393e..a44243a6788fc21d705055ec6bf4f1bc9e372475 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -177,6 +177,10 @@ class SubsystemShowCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 
 SubsystemCLI.print_subsystem(subsystem)
 
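Review bot: the four-line `if not subsystem: ... sys.exit(1)` block introduced here is repeated verbatim in every subsystem-* command touched by this patch (show, enable, disable, cert-find, cert-show, cert-export, cert-update). Factoring it into a single helper next to `SubsystemCLI.print_subsystem` (taking `subsystem_name` and `instance_name`) keeps the error text in one place and makes it much harder for the next command added to this file to miss the check, which is exactly how the subsystem-cert-* commands ended up without it.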
@@ -240,9 +244,17 @@ class SubsystemEnableCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
-subsystem.enable()
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 
-self.print_message('Enabled "%s" subsystem' % subsystem_name)
+if subsystem.is_enabled():
+self.print_message('Subsystem "%s" is already '
+   'enabled' % subsystem_name)
+else:
+subsystem.enable()
+self.print_message('Enabled "%s" subsystem' % subsystem_name)
 
 SubsystemCLI.print_subsystem(subsystem)
 
@@ -308,9 +320,17 @@ class SubsystemDisableCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
-subsystem.disable()
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 
-self.print_message('Disabled "%s" subsystem' % subsystem_name)
+if not subsystem.is_enabled():
+self.print_message('Subsystem "%s" is already '
+   'disabled' % subsystem_name)
+else:
+subsystem.disable()
+self.print_message('Disabled "%s" subsystem' % subsystem_name)
 
 SubsystemCLI.print_subsystem(subsystem)
 
@@ -403,6 +423,10 @@ class SubsystemCertFindCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 results = subsystem.find_system_certs()
 
 self.print_message('%s entries matched' % len(results))
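Review bot: style: unlike the other hunks, there is no blank line between `sys.exit(1)` and `results = subsystem.find_system_certs()`, so the guard reads as part of the lookup. Worth noting that subsystem-cert-find is the command Fraser's reply in this thread shows failing with `AttributeError: 'NoneType' object has no attribute 'find_system_certs'`, so this is the hunk that closes that report.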
@@ -436,7 +460,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
 
 try:
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
-'instance=',  'show-all',
+'instance=', 'show-all',
 'verbose', 'help'])
 
 except getopt.GetoptError as e:
@@ -471,7 +495,6 @@ class SubsystemCertShowCLI(pki.cli.CLI):
 self.usage()
 sys.exit(1)
 
-
 if len(args) < 2:
 print('ERROR: missing cert ID')
 self.usage()
@@ -489,6 +512,10 @@ class SubsystemCertShowCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 cert = subsystem.get_subsystem_cert(cert_id)
 
 SubsystemCertCLI.print_subsystem_cert(cert, show_all)
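Review bot: the new check validates the subsystem but not the cert ID: `cert = subsystem.get_subsystem_cert(cert_id)` is handed straight to `print_subsystem_cert`. If `get_subsystem_cert` can return None for an unknown ID (its behaviour is not visible in this hunk), the command fails with the same kind of AttributeError this patch is removing for the subsystem lookup; an `if not cert:` with an `ERROR:` message and `sys.exit(1)` would complete the pattern.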
@@ -611,6 +638,10 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsystem_name, instance_name))
+sys.exit(1)
 subsystem_cert = None
 
 if len(args) >= 2:
@@ -732,6 +763,10 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
 instance.load()
 
 subsystem = instance.get_subsystem(subsystem_name)
+if not subsystem:
+print('ERROR: No %s subsystem in instance '
+  '%s.' % (subsyste

Re: [Pki-devel] [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-receive-shared-.patch

2016-07-01 Thread John Magne
ACKED verbally by cfu, with some very minor changes.

Pushed to master:


commit 0f056221d096a30307834265ecd1c527087bb0f7
Author: Jack Magne 
Date:   Mon Jun 13 11:27:59 2016 -0700

Separated TPS does not automatically receive shared secret from remote TKS.



Closing ticket # 2349




- Original Message -
From: "John Magne" 
To: "pki-devel" 
Sent: Thursday, June 23, 2016 3:33:44 PM
Subject: [pki-devel][PATCH] 
0073-Separated-TPS-does-not-automatically-receive-shared-.patch



[PATCH] Separated TPS does not automatically receive shared secret
 from remote TKS.

Support to allow the TPS to do the following:

1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently, and
4. Given a name that is mapped to the TPS's id string.

Additional fixes:

1. The TKS was modified to actually be able to use multiple shared secrets registered by multiple TPS instances.

Caveat:

At this point if the same remote TPS instance is created over and over again, the TPS's user in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret not functional. At this point we need to assume that the TPS user has ONE "userCert" registered at this time.

Tested with a remote TPS talking to a shared TMS system consisting of a TPS, TKS, and KRA.

The shared secret was imported successfully after manually deleting the user representing the TPS from previous installs. This way I was assured one cert stored for the user, since it had to be created fresh.

Also tested that the TKS can work successfully with the new TPS AND the prior shared TPS on the original instance. The TKS can now host more than one shared secret in its db and address the correct one when a given TPS makes a request of it.

Please forgive some spurious changes that happened when formatting a couple of the files in question. Every legit change is related to the shared secret and can be found easily.

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

2016-07-01 Thread John Magne
Pushed to master, ACK from mharmsen

Closing #1114


commit cfab57d057c7ada71ea9c360c278249d14e018d9
Author: Jack Magne 
Date:   Fri Jun 24 17:04:15 2016 -0700

Generating Symmetric key fails with key-generate when --usages verify is passed

Ticket #1114

Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym keys.



- Original Message -
From: "Matthew Harmsen" 
To: "John Magne" , "pki-devel" 
Sent: Thursday, June 30, 2016 2:54:29 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH] 
0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

On 06/24/2016 06:23 PM, John Magne wrote:
> Generating Symmetric key fails with key-generate when --usages verify is passed
>  
>  Ticket #1114
>  
>  Minor adjustment to the man page for the key management commands to say
>  which usages are appropriate for sym keys and those appropriate for asym keys.
>  
>
>
ACK



Re: [Pki-devel] [Patch] Add HSM information

2016-07-01 Thread John Magne
Tried out the man pages, looks good.

ACK



- Original Message -
> From: "Matthew Harmsen" 
> To: "pki-devel" 
> Sent: Friday, July 1, 2016 1:52:02 PM
> Subject: [Pki-devel] [Patch] Add HSM information
> 
> Please review the attached patch which addresses the following ticket:
> 
> 
> * PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
> 'pki_default.cfg' & 'pkispawn' man pages
> 
> 
> This ticket adds text to the pki_default.cfg.5 and pkispawn.8 man pages to
> more adequately describe the use of hardware security modules (HSM) with
> PKI subsystems.
> 



[Pki-devel] [Patch] Add HSM information

2016-07-01 Thread Matthew Harmsen

Please review the attached patch which addresses the following ticket:

 * PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
   'pki_default.cfg' & 'pkispawn' man pages
   

This ticket adds text to the pki_default.cfg.5 and pkispawn.8 man pages
to more adequately describe the use of hardware security modules (HSM)
with PKI subsystems.

From 4d7daa7ba5116ceb19c1df71ce749c3db7944f49 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen 
Date: Fri, 1 Jul 2016 14:45:57 -0600
Subject: [PATCH] Add HSM information

- PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' &
  'pkispawn' man pages
---
 base/server/man/man5/pki_default.cfg.5 |   8 +-
 base/server/man/man8/pkispawn.8| 173 +
 2 files changed, 180 insertions(+), 1 deletion(-)

diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index 550e2aa..aaf7b53 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -184,7 +184,10 @@ Location for the PKCS #12 file containing the administrative user's certificate
 .B pki_backup_keys, pki_backup_password
 .IP
 Set to True to back up the subsystem certificates and keys to a PKCS #12 file.  This file will be located in \fI/var/lib/pki//alias\fP.  pki_backup_password is the password of the PKCS#12 file.
-  
+.TP
+\fBImportant:\fP
+Since HSM keys are stored in the HSM (hardware), they cannot be backed up to a PKCS #12 file (software).  Therefore, if \fBpki_hsm_enable\fP is set to True, \fBpki_backup_keys\fP should be set to False and \fBpki_backup_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
+
 .SS CLIENT DIRECTORY PARAMETERS
 .TP
 .B pki_client_dir
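Review bot: "Failure to do so will result in \fBpkispawn\fP reporting this error and exiting" refers to "this error" without saying what it is; the only thing the sentence names is the recommended setting, not a condition. Stating the condition explicitly (pki_backup_keys set to True while pki_hsm_enable is True) or quoting the message pkispawn actually prints would let a reader match the man page to what they see on the terminal. The same wording is used in the clone paragraph in the next hunk.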
@@ -295,6 +298,9 @@ Installs a clone, rather than original, subsystem.
 .IP
 Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned.  This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct selinux context (pki_tomcat_cert_t).  This can be achieved by placing the file in \fI/var/lib/pki//alias\fP.
 .TP
+\fBImportant:\fP
+Since HSM keys are stored in the HSM (hardware), they cannot be copied to a PKCS #12 file (software).  For the case of clones using an HSM, this means that the HSM keys must be shared between the master and its clones.  Therefore, if \fBpki_hsm_enable\fP is set to True, both \fBpki_clone_pkcs12_path\fP and \fBpki_clone_pkcs12_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
+.TP
 .B pki_clone_setup_replication
 .IP
 Defaults to True.  If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration.  In this case, it is expected that the top level suffix already exists, and that the data has already been replicated.  This option is useful if you want to use other tools to create and manage your replication topology, or if the baseDN is already replicated as part of a top-level suffix.
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 3ad6fdb..3678cff 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -756,6 +756,179 @@ conn.tks1.tksSharedSymKeyName=sharedSecret
 .PP
 Finally, restart the TPS instance.
 
+.SS Installing a CA, KRA, OCSP, TKS, or TPS using a Hardware Security Module (HSM)
+.BR
+.PP
+This section provides sample \fBmyconfig.txt\fP files when an HSM is being utilized in a shared PKI instance.
+
+.PP
+For this example, assume that a new CA instance has been installed by
+executing the following command:
+.IP
+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fISecret123\fP
+pki_client_pkcs12_password=\fISecret123\fP
+pki_ds_password=\fISecret123\fP
+# Optionally keep client databases
+pki_client_database_purge=False
+# Provide HSM parameters
+pki_hsm_enable=True
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=
+pki_token_password=
+# Provide PKI-specific HSM token names
+pki_audit_signing_token=
+pki_ssl_server_token=
+pki_subsystem_token=
+[CA]
+# Provide CA-specific HSM token names
+pki_ca_signing_token=
+pki_ocsp_signing_token=
+.if
+
+.PP
+To install a shared KRA in the same instance used by the CA execute
+the following command:
+.IP
+\x'-1'\fBpkispawn \-s KRA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fISecret123\fP
+pki_client_database_password=\fISecret123\fP
+pki_client_pkcs12_password=\fISecret123\fP
+pki_ds_password=\fISecret123\fP
+pki_security_domain_password=\fIS
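Review bot: the no-fill block opened with `.nf` before `[DEFAULT]` in the CA sample is closed with `.if` instead of `.fi`. In troff `.if` is the conditional request, not the end of no-fill mode, so fill mode is never restored for the text that follows and the request itself is malformed without a condition. The KRA sample that follows opens a second `.nf` block; its closing request should be checked for the same typo once the full hunk is visible.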

Re: [Pki-devel] [PATCH 0009] More misc. fixes for pki-server commands

2016-07-01 Thread Endi Sukma Dewata

On 7/1/2016 5:03 AM, Abhijeet Kasurde wrote:

Hi All,

Please find the patch for review.

Partially fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes:

1. The instance.subsystems contains non-empty elements, so "not 
subsystem" will always be False. The db-schema-upgrade command requires 
that there is at least one subsystem in the instance, so the check is 
changed to "not instance.subsystems".


2. The bind password prompt is a nice addition. I moved it down after 
checking the instance and subsystem so we don't have to enter the 
password if the instance/subsystem is invalid.


--
Endi S. Dewata



Re: [Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands

2016-07-01 Thread Endi Sukma Dewata

On 7/1/2016 4:25 AM, Abhijeet Kasurde wrote:

Hi All,

Please find the updated PATCH 0005.

On 07/01/2016 11:02 AM, Abhijeet Kasurde wrote:


Hi All,

Please review these patches.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295


Thanks! Pushed to master with some changes:

1. We haven't defined how to use the Signed-off-by field, so for now I 
removed them from patch descriptions.


2. The exception handler in patch #5 was changed to handle all LDAP 
errors and return error code 1.


--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-07-01 Thread Endi Sukma Dewata

On 6/30/2016 11:13 PM, Fraser Tweedale wrote:

ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if invalid
subsystem given, e.g.:

# pki-server subsystem-cert-find kra

AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in future patch.

Thanks,
Fraser


Thanks! I'll be looking at Abhijeet's patches.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

2016-07-01 Thread Endi Sukma Dewata

On 6/30/2016 11:07 PM, Fraser Tweedale wrote:

ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).


Thanks!

--
Endi S. Dewata



[Pki-devel] [PATCH 0009] More misc. fixes for pki-server commands

2016-07-01 Thread Abhijeet Kasurde

Hi All,

Please find the patch for review.

Partially fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From e26d2115863d394c16bd5d1d4f53bc5cc8d4a4f4 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 15:08:09 +0530
Subject: [PATCH] Updated notification message for DB subsystem command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/db.py | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
index 6555e4078af1a1e85c5e972a0247115ebd52e6f1..4ed885053f2e994ab0fb08c41a079b0d7faf23e2 100644
--- a/base/server/python/pki/server/cli/db.py
+++ b/base/server/python/pki/server/cli/db.py
@@ -25,6 +25,7 @@ import ldap
 import nss.nss as nss
 import subprocess
 import sys
+import getpass
 
 import pki.cli
 
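Review bot: style: `import getpass` is appended after `import sys`, breaking the alphabetical order of the surrounding block (ldap, nss, subprocess, sys); it belongs at the top of that group.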
@@ -94,24 +95,30 @@ class DBSchemaUpgrade(pki.cli.CLI):
 self.usage()
 sys.exit(1)
 
+if not bind_password:
+bind_password = getpass.getpass(prompt='Enter password : ')
+
 instance = pki.server.PKIInstance(instance_name)
 if not instance.is_valid():
-print("ERROR: Instance name '%s' not found" % instance)
+print("ERROR: Instance name '%s' not found" % instance_name)
 sys.exit(1)
 instance.load()
 
+subsystem = instance.subsystems[0]
+if not subsystem:
+print("ERROR: No subsystem found.")
+sys.exit(1)
+
 try:
-self.update_schema(instance, bind_dn, bind_password)
-
+self.update_schema(subsystem, bind_dn, bind_password)
 except subprocess.CalledProcessError as e:
 print("ERROR: " + e.output)
 sys.exit(e.returncode)
 
 self.print_message('Upgrade complete')
 
-def update_schema(self, instance, bind_dn, bind_password):
+def update_schema(self, subsystem, bind_dn, bind_password):
 # TODO(alee) re-implement this using open_database
-subsystem = instance.subsystems[0]
 host = subsystem.config['internaldb.ldapconn.host']
 port = subsystem.config['internaldb.ldapconn.port']
 secure = subsystem.config['internaldb.ldapconn.secureConn']
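Review bot: `subsystem = instance.subsystems[0]` raises IndexError on an instance with no subsystems before the `if not subsystem:` guard below it can run, and, as the reply in this thread points out, the elements of `instance.subsystems` are never empty, so the guard can never fire either; the check that actually protects the index is `if not instance.subsystems:` placed before the subscript. Separately, the new `getpass.getpass` prompt runs before `instance.is_valid()` is checked, so a mistyped instance name still asks for the bind password and only then reports the error; moving the prompt below the instance and subsystem checks avoids that.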
@@ -174,6 +181,9 @@ class DBUpgrade(pki.cli.CLI):
 nss.nss_init_nodb()
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print("ERROR: Instance name '%s' not found" % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('ca')
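Review bot: the instance check is the right fix, but `subsystem = instance.get_subsystem('ca')` immediately after it still has no None check in the visible lines, so db-upgrade on an instance that has no CA would fail with the same AttributeError this series is removing from the other commands; an `if not subsystem:` with an ERROR message and `sys.exit(1)`, matching the pattern in DBSchemaUpgrade above, would close that gap.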
-- 
2.7.4


Re: [Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands

2016-07-01 Thread Abhijeet Kasurde

Hi All,

Please find the updated PATCH 0005.

On 07/01/2016 11:02 AM, Abhijeet Kasurde wrote:


Hi All,

Please review these patches.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io





--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From 8b36e0a63c2c960e4fc399e1d611ad8774501a09 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 10:05:05 +0530
Subject: [PATCH 5/5] Updated notification message for kra-db-vlv* command

Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/kra.py | 32 ++--
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index 17611a82b0e6c5eff910c2b4556e783da348d32f..10e2eb4bcb500d4486633190119e113997d09877 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -361,14 +361,15 @@ class KRADBVLVAddCLI(pki.cli.CLI):
 print('ERROR: Invalid instance %s.' % instance_name)
 sys.exit(1)
 instance.load()
-self.add_vlv(instance, bind_dn, bind_password)
 
-def add_vlv(self, instance, bind_dn, bind_password):
 subsystem = instance.get_subsystem('kra')
 if not subsystem:
-print('No KRA subsystem available.')
-return
+print('ERROR: No KRA subsystem in instance %s.' % instance_name)
+sys.exit(1)
 
+self.add_vlv(subsystem, bind_dn, bind_password)
+
+def add_vlv(self, subsystem, bind_dn, bind_password):
 if self.out_file:
 subsystem.customize_file(KRA_VLV_PATH, self.out_file)
 print('KRA VLVs written to ' + self.out_file)
@@ -386,11 +387,15 @@ class KRADBVLVAddCLI(pki.cli.CLI):
 for dn, entry in parser.all_records:
 add_modlist = ldap.modlist.addModlist(entry)
 conn.ldap.add_s(dn, add_modlist)
+except ldap.ALREADY_EXISTS as e:# pylint: disable=W0612
+print("KRA VLVs already exists in the database "
+  "for " + subsystem.instance.name)
+return
 finally:
 os.unlink(ldif_file.name)
 conn.close()
 
-print('KRA VLVs added to the database for ' + instance.name)
+print('KRA VLVs added to the database for ' + subsystem.instance.name)
 
 
 class KRADBVLVDeleteCLI(pki.cli.CLI):
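Review bot: `except ldap.ALREADY_EXISTS as e:  # pylint: disable=W0612` binds a name that is never used; dropping `as e` removes the warning without a pylint pragma. More importantly, the handler returns on the first duplicate entry, so if only some of the VLV records in `parser.all_records` already exist the remaining ones are silently skipped and the command still exits 0; catching ALREADY_EXISTS per record inside the loop, or at least naming the dn that already existed, would make the outcome clear. Also "KRA VLVs already exists" should read "already exist".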
@@ -581,16 +586,17 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
 print('ERROR: Invalid instance %s.' % instance_name)
 sys.exit(1)
 instance.load()
-self.reindex_vlv(instance, bind_dn, bind_password)
 
-def reindex_vlv(self, instance, bind_dn, bind_password):
 subsystem = instance.get_subsystem('kra')
 if not subsystem:
-if self.verbose:
-print('reindex_vlv: No KRA subsystem available.  '
-  'Skipping ...')
-return
+print('ERROR: No KRA subsystem in instance %s.' % instance_name)
+sys.exit(1)
 
+self.reindex_vlv(subsystem, bind_dn, bind_password)
+
+print('KRA VLV reindex completed for ' + instance_name)
+
+def reindex_vlv(self, subsystem, bind_dn, bind_password):
 if self.out_file:
 subsystem.customize_file(KRA_VLV_TASKS_PATH, self.out_file)
 print('KRA VLV reindex task written to ' + self.out_file)
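Review bot: 'KRA VLV reindex completed for' is now printed unconditionally by the caller as soon as `reindex_vlv` returns, but `reindex_vlv` has an `if self.out_file:` branch that only writes the task LDIF to a file. With the print previously at the end of the method (removed in the last hunk of this patch), that branch did not claim a reindex had completed if it returned early (its tail is outside the hunk); either have `reindex_vlv` return whether the task was actually submitted, or keep the completion message inside the method after the LDAP operation. Minor: this message uses `instance_name` while the other messages in the patch use `subsystem.instance.name`.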
@@ -602,7 +608,7 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
 conn = subsystem.open_database(bind_dn=bind_dn,
bind_password=bind_password)
 
-print('Initiating KRA VLV reindex for ' + instance.name)
+print('Initiating KRA VLV reindex for ' + subsystem.instance.name)
 
 try:
 parser = ldif.LDIFRecordList(open(ldif_file.name, "rb"))
@@ -630,5 +636,3 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
 finally:
 os.unlink(ldif_file.name)
 conn.close()
-
-print('KRA VLV reindex completed for ' + instance.name)
-- 
2.7.4
