3 files changed, 48 insertions, 15 deletions

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4d63d9bc1..159e4ac5a 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -23,8 +23,10 @@ import java.io.Console;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.lang.reflect.Field;
 import java.net.InetAddress;
+import java.net.URI;
 import java.net.UnknownHostException;
 import java.util.Collection;
 import java.util.HashSet;
@@ -39,6 +41,7 @@ import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
 import org.mozilla.jss.util.IncorrectPasswordException;
 import org.mozilla.jss.util.Password;
 
+import com.netscape.certsrv.ca.CAClient;
 import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.PKIConnection;
@@ -269,6 +272,36 @@ public class MainCLI extends CLI {
         return promptForPassword("Enter Password: ");
     }
 
+    public static CAClient createCAClient(PKIClient client) throws Exception {
+
+        ClientConfig config = client.getConfig();
+        CAClient caClient = new CAClient(client);
+
+        while (!caClient.exists()) {
+            System.err.println("ERROR: CA subsystem not available");
+
+            URI serverURI = config.getServerURI();
+            String uri = serverURI.getScheme() + "://" + serverURI.getHost() + ":" + serverURI.getPort();
+
+            System.out.print("CA server URI [" + uri + "]: ");
+            System.out.flush();
+
+            BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+            String line = reader.readLine().trim();
+            if (!line.equals("")) {
+                uri = line;
+            }
+
+            config = new ClientConfig(client.getConfig());
+            config.setServerURI(uri);
+
+            client = new PKIClient(config);
+            caClient = new CAClient(client);
+        }
+
+        return caClient;
+    }
+
     public void parseOptions(CommandLine cmd) throws Exception {
 
         verbose = cmd.hasOption("v");
@@ -465,13 +498,14 @@ public class MainCLI extends CLI {
         client = new PKIClient(config, null);
         client.setVerbose(verbose);
 
-        PKIConnection connection = client.getConnection();
-        connection.setRejectedCertStatuses(rejectedCertStatuses);
-        connection.setIgnoredCertStatuses(ignoredCertStatuses);
+        client.setRejectedCertStatuses(rejectedCertStatuses);
+        client.setIgnoredCertStatuses(ignoredCertStatuses);
 
         if (output != null) {
             File file = new File(output);
             file.mkdirs();
+
+            PKIConnection connection = client.getConnection();
             connection.setOutput(file);
         }
     }
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
index 310a4c29c..b28271dd7 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
@@ -48,17 +48,15 @@ public class SubsystemCLI extends CLI {
 
         init();
 
-        try {
-            // login if username or nickname is specified
-            ClientConfig config = getClient().getConfig();
-            if (config.getUsername() != null || config.getCertNickname() != null) {
-                login();
-            }
+        // login if username or nickname is specified
+        ClientConfig config = getClient().getConfig();
+        if (config.getUsername() != null || config.getCertNickname() != null) {
+            login();
+        }
 
-            super.execute(args);
+        super.execute(args);
 
-        } finally {
-            logout();
-        }
+        // logout if there is no failures
+        logout();
     }
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
index 4425e7003..3e96c1dee 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
@@ -25,6 +25,7 @@ import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
 
+import com.netscape.certsrv.ca.CAClient;
 import com.netscape.certsrv.cert.CertClient;
 import com.netscape.certsrv.cert.CertData;
 import com.netscape.certsrv.dbs.certdb.CertId;
@@ -114,8 +115,8 @@ public class UserCertAddCLI extends CLI {
                 System.out.println("Downloading certificate " + serialNumber + ".");
             }
 
-            client = parent.getClient();
-            CertClient certClient = new CertClient(client, "ca");
+            CAClient caClient = MainCLI.createCAClient(parent.getClient());
+            CertClient certClient = new CertClient(caClient);
 
             CertData certData = certClient.getCert(new CertId(serialNumber));
             encoded = certData.getEncoded();