Relocate SSNv2 range objects for new CA instances #4885
Conversation
|
@fmarco76 For SSNv2 we could use it like this: edewata@4a85681 |
| request_dn = self.mdict.get('pki_request_number_range_dn') | ||
| if request_dn: | ||
| subsystem.set_config('dbs.requestRangeDN', request_dn) | ||
|
|
There was a problem hiding this comment.
The dbs.requestRangeDNis assigned twice, here and on line 1188. Could we merge with something like:
request_dn = self.mdict.setdefault('pki_request_number_range_dn', 'ou=requests,ou=ranges')
subsystem.set_config('dbs.requestRangeDN', request_dn)
and remove the one in line 1188 so it is assigned only once.
There was a problem hiding this comment.
I decided not to add the pkispawn param for now due to complexity, so the subtree is always ou=ranges for SSNv1 and ou=ranges_v2 for SSNv2.
| serial_dn = self.mdict.get('pki_serial_number_range_dn') | ||
| if serial_dn: | ||
| subsystem.set_config('dbs.serialRangeDN', serial_dn) | ||
|
|
There was a problem hiding this comment.
Same as above. (I think we could use the same for the other configuration here)
| @@ -105,6 +109,21 @@ public void execute(CommandLine cmd) throws Exception { | |||
|
|
|||
| if (!cmd.hasOption("skip-containers")) { | |||
| ldapConfigurator.createContainers(subsystem); | |||
|
|
|||
| String requestRangeRDN = dbConfig.getRequestRangeDN(); | |||
| if (!StringUtils.isEmpty(requestRangeRDN)) { | |||
There was a problem hiding this comment.
If the id generator is legacy or legacy2 should we throw an exception if this is not configured?
There was a problem hiding this comment.
In the updated PR the param is guaranteed to exist in CA and KRA so it won't fail. The param will not exist in other subsystems so the code won't create the subtree.
| } | ||
|
|
||
| String serialRangeRDN = dbConfig.getSerialRangeDN(); | ||
| if (!StringUtils.isEmpty(serialRangeRDN)) { |
Since the DS was configurable from the start it is OK to add the possibility to configure. To move the |
With the new commit PR #4887 the current ranges tree is not modified so it is alwais possible to get the The option |
|
As mentioned in PR #4887 we are still modifying the same |
There should be no problem to move from ssnv1 to ssnv2 and going back. Certificates are serial and there is no overlap issue so the problem is to find the right values to avoid conflicts. In the worst case it is possible to read last serial released and start new range from that point. You could have a big gap but not issues. To move the nextRange in a different location additional configuration parameters could be needed. It is weird that looking at the repository object the nextRange is not used and maintain a wrong value while the new repository for nextRange actually it is not a repository. Therefore, I am also looking at the possibility to store the nextRange in a different place (e.g. the description field is not used, could it be used?) |
Yes, it might work just fine, but since we do not have a test for this, we don't really know whether there's any unforeseen issues. It's better to minimize the risk as much as possible, especially since we will not be able to assist directly during the actual migration of production environment.
In edewata@4a85681 I was actually trying to use |
edewata
changed the title
|
@fmarco76 Sorry for the delay. Please see the updated PR. I've changed the code to create SSNv2 range objects in |
pkispawn has been modified to create ou=ranges subtree for SSNv1 and optionally ou=ranges_v2 subtree for SSNv2 if it's enabled for new CA instances. The pki-server <subsystem>-db-init and <subsystem>-range-update commands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in the create.ldif have been removed. Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet.
The test scripts have been updated to use ou=ranges_v2 subtree for SSNv2 range objects.
|
|
@fmarco76 Thanks! |
pkispawnhas been modified to createou=rangessubtree for SSNv1 and optionallyou=ranges_v2subtree for SSNv2 if it's enabled for new CA instances. Thepki-server <subsystem>-db-initand<subsystem>-range-updatecommands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in thecreate.ldifhave been removed.Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet.
The test scripts have been updated to use
ou=ranges_v2subtree for SSNv2 range objects.