Alon Bar-Lev has posted comments on this change.
Change subject: pki: use PKCS#12 format to store keys
......................................................................
Patch Set 5: (5 inline comments)
> if you preserve the "alias" concept
> Please take into account that the engine private key is used by the
> log-collector, changing the name of the file will break it.
I created a symlink... It was very odd that apache used an SSH key... :) It took me a
while to figure out what was happening.
> The key material is used a lot by support people and users
I don't understand what you refer to as key material.
---
Regarding the alias, I will revert this, although I think it is useless; I am
for going with a URL option, a single argument... Something like:
pkcs12://:password@file?alias
jks://:password@file?alias
But more importantly, I don't like passwords and keystores to be moved
around... but this is for another day.
....................................................
File backend/manager/conf/ca/CreateCA.sh
Line 27: echo O = $2 >> cacert.conf
Line 28: echo CN = $3 >> cacert.conf
Line 29: cp cert.template cert.conf
Line 30:
Line 31: openssl genrsa -out private/ca.pem 2048 && openssl req -new -key
private/ca.pem -config cacert.conf -out requests/ca.csr && openssl ca -selfsign
-out ca.pem -in requests/ca.csr -keyfile private/ca.pem -days 3650 -startdate
$4 -config openssl.conf -extfile cacert.conf -extensions v3_ca -batch &&
openssl x509 -in ca.pem -out certs/ca.der
It was already long :)
But yes.
Line 32:
Line 33: exit $?
....................................................
File packaging/fedora/setup/basedefs.py
Line 81: FILE_IPTABLES_BACKUP="%s/ovirt-engine/conf/iptables.backup" %
DIR_USR_SHARE
Line 82: FILE_NFS_SYSCONFIG="%s/ovirt-engine/conf/nfs.sysconfig" % DIR_USR_SHARE
Line 83: FILE_NFS_BACKUP="%s/ovirt-engine/conf/nfs.backup" % DIR_USR_SHARE
Line 84: FILE_ETC_EXPORTS="/etc/exports"
Line 85: FILE_PRIVATE_KEY="%s/keys/engine.key.nopass"%(DIR_OVIRT_PKI)
At setup I also create the previous name linked to this one.
Line 86: FILE_YUM_VERSION_LOCK="/etc/yum/pluginconf.d/versionlock.list"
Line 87: FILE_ISOUPLOADER_CONF="/etc/ovirt-engine/isouploader.conf"
Line 88: FILE_LOGCOLLECTOR_CONF="/etc/ovirt-engine/logcollector.conf"
Line 89: FILE_PSQL_CONF="/var/lib/pgsql/data/postgresql.conf"
....................................................
File packaging/fedora/setup/engine-setup.py
Line 780: def _createCA():
Line 781:
Line 782: try:
Line 783: # Create new CA only if none available
Line 784: ksPath = os.path.join(basedefs.DIR_OVIRT_PKI, "ca.pem")
Removed the useless variable...
Line 785: if not os.path.exists(ksPath):
Line 786: _updateCaCrtTemplate()
Line 787:
Line 788: # time.timezone is in seconds
Line 834: "-in", os.path.join(basedefs.DIR_OVIRT_PKI, "keys",
"engine.p12"),
Line 835: "-passin", "pass:" + basedefs.CONST_KEY_PASS,
Line 836: "-nodes",
Line 837: "-nocerts",
Line 838: "-out", os.path.join(basedefs.DIR_OVIRT_PKI, "keys",
basedefs.FILE_PRIVATE_KEY),
Yes, see above.
Line 839: ]
Line 840:
Line 841: out, rc = utils.execCmd(cmdList=cmd, failOnError=True,
msg=output_messages.ERR_RC_CODE, maskList=[basedefs.CONST_CA_PASS])
Line 842:
Line 864: logging.error(traceback.format_exc())
Line 865: raise Exception(output_messages.ERR_EXP_CREATE_CA)
Line 866:
Line 867: def _changeCaPermissions(pkiDir):
Line 868: changeList = [os.path.join(pkiDir, "private")]
I used os.path.isdir() for now.
Line 869: for item in changeList:
Line 870: utils.chownToEngine(item)
Line 871: logging.debug("changing file permissions for %s to 0750" %
(item))
Line 872: os.chmod(item, 0750)
--
To view, visit http://gerrit.ovirt.org/6883
Gerrit-MessageType: comment
Gerrit-Change-Id: I2abda5778477faff09798a43cf3dc96435efb272
Gerrit-PatchSet: 5
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Barak Azulay <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Itamar Heim <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Ofer Schreiber <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
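The key export discussed above (engine.p12 unpacked with `-nodes -nocerts` into a passwordless PEM, with the previous file name kept as a link), as an added shell example that is not part of the oVirt change under review: it builds a throwaway PKCS#12 store, extracts the key under a restrictive umask so the file is never world-readable, creates the compatibility symlink, and checks that the extracted key matches the certificate. The store password, the work directory and the old file name (`engine.key.legacy`, a placeholder since the message does not name it) are assumptions.

```bash
#!/bin/sh
# Added example, not code from the ovirt-engine patch. Assumed names:
# PKI_DIR (work dir), KEY_PASS (PKCS#12 password), OLD_NAME (placeholder
# for the previous key file name the log collector expects).
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeit}"          # constructed sample password
OLD_NAME="${OLD_NAME:-engine.key.legacy}" # placeholder for the old name

# Build a throwaway self-signed cert + key and wrap them into a PKCS#12
# store, standing in for the engine.p12 the setup script creates.
make_store() {
    mkdir -p "$PKI_DIR/keys"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=engine-example" \
        -keyout "$PKI_DIR/tmp.key" -out "$PKI_DIR/engine.crt" 2>/dev/null
    openssl pkcs12 -export -name engine -inkey "$PKI_DIR/tmp.key" \
        -in "$PKI_DIR/engine.crt" -out "$PKI_DIR/keys/engine.p12" \
        -passout "pass:$KEY_PASS"
    rm -f "$PKI_DIR/tmp.key"
}

# Extract the private key without a passphrase (-nodes -nocerts) as the
# patch does, but under umask 077 so the PEM is created owner-only, then
# keep the old name as a symlink so existing consumers keep working.
extract_key() {
    old_umask=$(umask)
    umask 077
    openssl pkcs12 -in "$PKI_DIR/keys/engine.p12" -passin "pass:$KEY_PASS" \
        -nodes -nocerts -out "$PKI_DIR/keys/engine.key.nopass" 2>/dev/null
    umask "$old_umask"
    ln -sf engine.key.nopass "$PKI_DIR/keys/$OLD_NAME"
}

# Sanity check: the extracted key must share its modulus with the cert.
key_matches_cert() {
    k=$(openssl rsa -in "$PKI_DIR/keys/engine.key.nopass" -noout -modulus)
    c=$(openssl x509 -in "$PKI_DIR/engine.crt" -noout -modulus)
    [ "$k" = "$c" ]
}

# Permission string of the extracted key, e.g. "-rw-------".
key_perms() {
    ls -l "$PKI_DIR/keys/engine.key.nopass" | cut -c1-10
}
```

Run `make_store && extract_key && key_matches_cert` to exercise the flow; `key_perms` should report `-rw-------`.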