authorJack Magne <jmagne@localhost.localdomain>2015-05-01 10:12:06 -0700
committerJack Magne <jmagne@localhost.localdomain>2015-05-01 15:20:13 -0700
commit31d96e0ba756fd05bad0c9a577bf27ef9041d490 (patch)
treedfa26d09c0d58d2f297462c076921a7a37db2893 /base/ocsp/src
parentdca532a48524ee6be1c7522cf11fef062c27f2bb (diff)
OCSP and CA minor cloning fixes
Tickets #1294, #1058. The patch does the following: 1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058. The controversial part of this one is the fact that I have disabled having OCSP clones register themselves with the CA as a publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is that the master is on an island with respect to updates and could be considered a single point of failure. Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer of OCSP clones to set up the publishers in such a way that all clones and the master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successful publish should end the processing of that group. 2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post-install tasks that we are trying to automate. Code tested to work. 1. OCSP clones can be installed and the CRLs were checked to be in sync when an update occurred on the master. 2. The CA clone has been seen to have the required params and it looks to come up just fine. Final review: minor changes for tickets 1294 and 1058.
Diffstat (limited to 'base/ocsp/src')
-rw-r--r--base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java29
1 files changed, 27 insertions, 2 deletions
diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
index aaeeb346b..4b0fe0d2a 100644
--- a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
+++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
@@ -32,6 +32,8 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
*/
public class OCSPInstallerService extends SystemConfigService {
+ private static final int DEF_REFRESH_IN_SECS_FOR_CLONE = 14400; // CRL Publishing schedule
+
public OCSPInstallerService() throws EBaseException {
}
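Review bot: The new constant `DEF_REFRESH_IN_SECS_FOR_CLONE` at L27 is documented only by `// CRL Publishing schedule`, which does not say what the value governs or where it ends up. A Javadoc such as `/** Default CRL refresh interval in seconds (14400 s = 4 h) written to ocsp.store.defStore.refreshInSec when installing a clone. */` would let a reader connect it to the config key it feeds in the later hunk. The class body continues past this hunk.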
@@ -47,17 +49,40 @@ public class OCSPInstallerService extends SystemConfigService {
// configure the CRL Publishing to OCSP in CA
if (!ca_host.equals("")) {
CMS.reinit(IOCSPAuthority.ID);
- ConfigurationUtils.importCACertToOCSP();
+ if (!request.isClone())
+ ConfigurationUtils.importCACertToOCSP();
+ else
+ CMS.debug("OCSPInstallerService: Skipping importCACertToOCSP for clone.");
if (!request.getStandAlone()) {
- ConfigurationUtils.updateOCSPConfig();
+
+ // For now don't register publishing with the CA for a clone.
+ // Preserves existing functionality
+ // Next we need to treat the publishing of clones as a group ,
+ // and fail over amongst them.
+ if (!request.isClone())
+ ConfigurationUtils.updateOCSPConfig();
+
ConfigurationUtils.setupClientAuthUser();
}
}
+ if (request.isClone()) {
+ configureCloneRefresh(request);
+ }
+
} catch (Exception e) {
CMS.debug(e);
throw new PKIException("Errors in configuring CA publishing to OCSP: " + e);
}
}
+
+ private void configureCloneRefresh(ConfigurationRequest request) {
+ if (request == null || !request.isClone())
+ return;
+
+ //Set well know default value for OCSP clone
+ cs.putInteger("ocsp.store.defStore.refreshInSec", DEF_REFRESH_IN_SECS_FOR_CLONE);
+
+ }
}
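Review bot: The guard `if (request == null || !request.isClone()) return;` in configureCloneRefresh is dead code, because its only caller at L53 already tests `request.isClone()` and `request` is dereferenced at L36 before that, so either drop the guard or document the method as an unconditional setter. The comment `//Set well know default value for OCSP clone` should read `// Set the well-known default for an OCSP clone; overrides any value already present in cs`, since the write at L68 is unconditional over whatever the cloned configuration already holds, which is presumably intended. The message at L59, `"Errors in configuring CA publishing to OCSP: " + e`, now also wraps failures from configureCloneRefresh and so misdescribes them; `"Errors in configuring OCSP publishing or clone refresh: " + e` would be accurate. The new `if`/`else` at L36-L39 and L47-L48 are unbraced while the surrounding method uses braces, and the debug line at L39 would be more useful as a comment recording that a clone relies on replication rather than on importCACertToOCSP to obtain the CA certificate. The enclosing method starts before the hunk.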