Fix Bug 1809273 - CRL generation performs an unindexed search. #377
Conversation
@frasertweedale You might want to take a look at this as well since this is related to LWCA in PKI 10.9.
I think it's good that we can get this working as a standalone CLI (instead of as part of installation). However, I just remembered we already have something similar for KRA and TPS:
So KRA and TPS have several general purpose CLIs that can also be used to upgrade the database:
pki-server kra/tps-db-vlv-find - for listing existing VLVs
pki-server kra/tps-db-vlv-add - for creating VLVs defined in a file
pki-server kra/tps-db-vlv-reindex - for running the VLV reindex task
pki-server kra/tps-db-vlv-del - for deleting existing VLVs
The problem is they are currently broken since Python OpenLDAP library does not support NSS anymore so they need to be rewritten in Java.
I think it would be better if we break apart the current patch into a set of CA CLIs like above instead of adding everything into pki-server ca-db-upgrade. Later we probably can reuse the code to replace the broken KRA/TPS CLIs above.
    print('      --action <action>      update-vlv-indexes or:')
    print('                             fix-missing-issuer-names')
    print('                             (default: fix-missing-issuer-names)')
    print('      --issuer_dn <Issuer DN> CA signing cert issuer dn')
This should be --issuer-dn.
So... I think we need something more general. I don't fully know what all; I think it is in two parts:
Not every migration will be cheap (computationally, ...) -- I agree Java would be a good idea. Mine is really easy, we're just adding a new object if it doesn't already exist. But we might in the future want something more advanced like scanning certs in the database and adding them to a new index. Maybe that can be done with VLV indices, idk. I think we also want to be able to run some as part of server startup (add TPS auditor group should be really cheap) and others we want to be run manually... Using ldapjdk (if possible) I think would be best -- then we can use the existing LDAP credentials when possible.
Implemented with a modification to a CLI command; also calls this command from pkispawn to take care of new instances.
Example use of standalone command:
pki-server ca-db-upgrade --verbose --action update-vlv-indexes --vlv-file crlcaissuer.ldif --vlv-tasks-file crlcaissuertasks.ldif --issuer-dn "CN=CA Signing Certificate,OU=pki-tomcat,O=localhost.localdomain Security Domain"
This will work if the indexes in question have not been created already.
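An added check, not part of this PR or of the pki project's code, for confirming before and after running the upgrade that the CRL-generation search is no longer unindexed: 389-ds marks such searches in its access log with notes=A or notes=U on the RESULT line (notes=P for partially unindexed). The log lines, base DN and filter below are constructed to resemble a CA's certificate repository search and are not taken from the PR.

```python
import re

# Constructed sample 389-ds access-log lines (not from the PR). The first
# search carries notes=A, i.e. it was answered without an index.
SAMPLE_LOG = """\
[06/Apr/2020:10:00:01.000000000 -0400] conn=7 op=12 SRCH base="ou=certificateRepository,ou=ca,o=pki-tomcat-CA" scope=2 filter="(&(certStatus=REVOKED)(issuerName=CN=Sub CA,OU=pki-tomcat,O=EXAMPLE))" attrs="serialno"
[06/Apr/2020:10:00:04.000000000 -0400] conn=7 op=12 RESULT err=0 tag=101 nentries=3 etime=3.210 notes=A
[06/Apr/2020:10:00:05.000000000 -0400] conn=7 op=13 SRCH base="ou=certificateRepository,ou=ca,o=pki-tomcat-CA" scope=2 filter="(certStatus=VALID)" attrs="serialno"
[06/Apr/2020:10:00:05.010000000 -0400] conn=7 op=13 RESULT err=0 tag=101 nentries=10 etime=0.003
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?etime=([\d.]+)(?: notes=([\w,]+))?')
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)[=<>~]')


def find_unindexed_searches(log_text):
    """Pair each SRCH line with its RESULT line (by conn/op) and return
    (filter, etime, notes) for every search flagged as unindexed."""
    pending = {}   # (conn, op) -> filter string, waiting for its RESULT
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            notes = m.group(4) or ""
            if key in pending and any(flag in notes for flag in "AUP"):
                hits.append((pending.pop(key), float(m.group(3)), notes))
    return hits


def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP filter: the candidates for a new
    index (or VLV) when the search shows up as unindexed."""
    return set(ATTR_RE.findall(ldap_filter))


if __name__ == "__main__":
    for flt, etime, notes in find_unindexed_searches(SAMPLE_LOG):
        print(f"unindexed ({notes}, {etime}s): {flt}")
        print("  attributes to consider indexing:", sorted(filter_attributes(flt)))
```

Run it against /var/log/dirsrv/slapd-<instance>/access on the CA host; once the VLV indexes from this PR are in place and reindexed, the CRL-generation search should no longer be reported.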