From bd1c60334a5f989c8a648b27b8be8b3661c3f6fd Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 11 Dec 2023 09:02:04 +0700 Subject: [PATCH 1/2] Update test for CA cloning with replicated DS The test for CA cloning with replicated DS has been updated to import the primary CA's system certs and keys into the secondary CA's NSS database prior to running pkispawn so it's no longer necessary to specify the PKCS #12 path and password for pkispawn. The ConfigurationFile.verify_predefined_configuration_file_data() and initialization.py have been modified such that the PKCS #12 path and password are no longer mandatory for cloning. --- .../workflows/ca-clone-replicated-ds-test.yml | 51 +++++++++++-------- .../python/pki/server/deployment/pkihelper.py | 10 ---- .../deployment/scriptlets/initialization.py | 16 ++---- 3 files changed, 35 insertions(+), 42 deletions(-) diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml index 016c3594a2c..be7b57b40a0 100644 --- a/.github/workflows/ca-clone-replicated-ds-test.yml +++ b/.github/workflows/ca-clone-replicated-ds-test.yml @@ -69,6 +69,15 @@ jobs: --pkcs12-password Secret.123 docker exec primary pki -n caadmin ca-user-show caadmin + - name: Export system certs and keys from primary CA + run: | + docker exec primary pki-server ca-clone-prepare \ + --pkcs12-file $SHARED/ca-certs.p12 \ + --pkcs12-password Secret.123 + + docker exec primary pki-server cert-export ca_signing \ + --cert-file $SHARED/ca_signing.crt + - name: Set up secondary DS container run: | tests/bin/ds-container-create.sh secondaryds @@ -80,6 +89,28 @@ jobs: - name: Connect secondary DS container to network run: docker network connect example secondaryds --alias secondaryds.example.com + - name: Set up secondary PKI container + run: | + tests/bin/runner-init.sh secondary + env: + HOSTNAME: secondary.example.com + + - name: Connect secondary PKI container to network + run: docker network connect example secondary --alias secondary.example.com + + - name: Create secondary PKI server + run: | + docker exec secondary pki-server create + docker exec secondary pki-server nss-create --no-password + + - name: Import system certs and keys into secondary CA + run: | + docker exec secondary pki \ + -d /etc/pki/pki-tomcat/alias \ + pkcs12-import \ + --pkcs12 $SHARED/ca-certs.p12 \ + --password Secret.123 + # https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication-with-DS-Tools - name: Preparing DS backend run: | @@ -218,24 +249,6 @@ jobs: diff primaryds.dn secondaryds.dn - - name: Export certs and keys from primary CA - run: | - docker exec primary pki-server ca-clone-prepare \ - --pkcs12-file $SHARED/ca-certs.p12 \ - --pkcs12-password Secret.123 - - docker exec primary pki-server cert-export ca_signing \ - --cert-file $SHARED/ca_signing.crt - - - name: Set up secondary PKI container - run: | - tests/bin/runner-init.sh secondary - env: - HOSTNAME: secondary.example.com - - - name: Connect secondary PKI container to network - run: docker network connect example secondary --alias secondary.example.com - # https://github.com/dogtagpki/pki/wiki/Installing-CA-Clone-with-Existing-DS - name: Install secondary CA run: | @@ -246,8 +259,6 @@ jobs: -f /usr/share/pki/server/examples/installation/ca-clone.cfg \ -s CA \ -D pki_cert_chain_path=$SHARED/ca_signing.crt \ - -D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \ - -D pki_clone_pkcs12_password=Secret.123 \ -D pki_ds_url=ldap://secondaryds.example.com:3389 \ -D pki_ds_setup=False \ -v diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 2fbf13831a4..c6ea03c56f5 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -464,16 +464,6 @@ def verify_predefined_configuration_file_data(self): self.confirm_data_exists("pki_https_port") self.confirm_data_exists("pki_tomcat_server_port") - # Check clone parameters for non-HSM clone - if not config.str2bool(self.mdict['pki_hsm_enable']): - - # If system certificates are already provided via - # pki_server_pkcs12, there's no need to provide - # pki_clone_pkcs12. - if not self.mdict['pki_server_pkcs12_path']: - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") - self.confirm_data_exists("pki_clone_replication_security") elif self.external: diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py index 107553f8b3f..a67f6e2886a 100644 --- a/base/server/python/pki/server/deployment/scriptlets/initialization.py +++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py @@ -73,19 +73,11 @@ def verify_sensitive_data(self, deployer): if configuration_file.clone: - # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) - if not config.str2bool(deployer.mdict['pki_hsm_enable']): - - # If system certificates are already provided via - # pki_server_pkcs12, there's no need to provide - # pki_clone_pkcs12. - if not deployer.mdict['pki_server_pkcs12_path']: - configuration_file.confirm_data_exists('pki_clone_pkcs12_password') - # Verify absence of all PKCS #12 clone parameters for HSMs - elif (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or - ('pki_clone_pkcs12_password' in deployer.mdict and - len(deployer.mdict['pki_clone_pkcs12_password']))): + if config.str2bool(deployer.mdict['pki_hsm_enable']) and \ + (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or + ('pki_clone_pkcs12_password' in deployer.mdict and + len(deployer.mdict['pki_clone_pkcs12_password']))): logger.error(log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS) raise Exception( log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS) From 68567fab05340309a9cca53fa75f804eee7e6927 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 11 Dec 2023 09:02:08 +0700 Subject: [PATCH 2/2] Add pki-server -db-repl-agmt-init The pki-server -db-repl-agmt-init has been added to start initializing the replication agreement and wait until it's complete. The SubsystemDBReplicationSetupCLI has been modified to no longer include initializing the replication agreement. The test for CA cloning with replicated DS has been updated to use the new command. --- .../workflows/ca-clone-replicated-ds-test.yml | 93 +++++++---- base/server/python/pki/server/cli/db.py | 155 ++++++++++++++++++ .../python/pki/server/deployment/__init__.py | 35 ++++ base/server/python/pki/server/subsystem.py | 29 ++++ .../SubsystemDBReplicationAgreementCLI.java | 23 +++ ...ubsystemDBReplicationAgreementInitCLI.java | 98 +++++++++++ .../server/cli/SubsystemDBReplicationCLI.java | 1 + .../cli/SubsystemDBReplicationSetupCLI.java | 3 - 8 files changed, 403 insertions(+), 34 deletions(-) create mode 100644 base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementCLI.java create mode 100644 base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementInitCLI.java diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml index be7b57b40a0..e20810c0797 100644 --- a/.github/workflows/ca-clone-replicated-ds-test.yml +++ b/.github/workflows/ca-clone-replicated-ds-test.yml @@ -103,6 +103,10 @@ jobs: docker exec secondary pki-server create docker exec secondary pki-server nss-create --no-password + - name: Create secondary CA subsystem + run: | + docker exec secondary pki-server ca-create -v + - name: Import system certs and keys into secondary CA run: | docker exec secondary pki \ @@ -143,6 +147,22 @@ jobs: --bind-dn="cn=Replication Manager,cn=config" \ --bind-passwd=Secret.123 + # check replication manager + docker exec primaryds ldapsearch \ + -H ldap://primaryds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -x \ + -b "cn=Replication Manager,cn=config" + + # check replica object + docker exec primaryds ldapsearch \ + -H ldap://primaryds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -x \ + -b "cn=replica,cn=dc\3Dca\2Cdc\3Dpki\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" + - name: Enable replication on secondary DS run: | docker exec secondaryds dsconf \ @@ -156,7 +176,23 @@ jobs: --bind-dn="cn=Replication Manager,cn=config" \ --bind-passwd=Secret.123 - - name: Create replication manager on primary DS + # check replication manager + docker exec secondaryds ldapsearch \ + -H ldap://secondaryds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -x \ + -b "cn=Replication Manager,cn=config" + + # check replica object + docker exec secondaryds ldapsearch \ + -H ldap://secondaryds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -x \ + -b "cn=replica,cn=dc\3Dca\2Cdc\3Dpki\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" + + - name: Create replication agreement on primary DS run: | docker exec primaryds dsconf \ -D "cn=Directory Manager" \ @@ -172,7 +208,16 @@ jobs: --bind-method=SIMPLE \ primaryds-to-secondaryds - - name: Create replication manager on secondary DS + # check replication agreement + docker exec primaryds ldapsearch \ + -H ldap://primaryds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -x \ + -b "cn=primaryds-to-secondaryds,cn=replica,cn=dc\3Dca\2Cdc\3Dpki\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" \ + dn + + - name: Create replication agreement on secondary DS run: | docker exec secondaryds dsconf \ -D "cn=Directory Manager" \ @@ -188,38 +233,24 @@ jobs: --bind-method=SIMPLE \ secondaryds-to-primaryds - - name: Initializing replication agreement - run: | - # start initialization - docker exec primaryds dsconf \ + # check replication agreement + docker exec secondaryds ldapsearch \ + -H ldap://secondaryds.example.com:3389 \ -D "cn=Directory Manager" \ -w Secret.123 \ - ldap://primaryds.example.com:3389 \ - repl-agmt init \ - --suffix=dc=ca,dc=pki,dc=example,dc=com \ - primaryds-to-secondaryds + -x \ + -b "cn=secondaryds-to-primaryds,cn=replica,cn=dc\3Dca\2Cdc\3Dpki\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" \ + dn - # wait for initialization to complete - counter=0 - while [[ "$counter" -lt 30 ]]; do - sleep 1 - - docker exec primaryds dsconf \ - -D "cn=Directory Manager" \ - -w Secret.123 \ - ldap://primaryds.example.com:3389 \ - repl-agmt init-status \ - --suffix=dc=ca,dc=pki,dc=example,dc=com \ - primaryds-to-secondaryds \ - > >(tee stdout) 2> >(tee stderr >&2) || true - - STDOUT=$(cat stdout) - if [ "$STDOUT" = "Agreement successfully initialized." ]; then - break - fi - - counter=$((counter+1)) - done + - name: Initializing replication agreement + run: | + docker exec secondary pki-server ca-db-repl-agmt-init \ + --url ldap://primaryds.example.com:3389 \ + --bind-dn "cn=Directory Manager" \ + --bind-password Secret.123 \ + --suffix dc=ca,dc=pki,dc=example,dc=com \ + -v \ + primaryds-to-secondaryds - name: Check entries in primary DS and secondary DS run: | diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py index f7f961591db..be126ebf098 100644 --- a/base/server/python/pki/server/cli/db.py +++ b/base/server/python/pki/server/cli/db.py @@ -27,6 +27,7 @@ import subprocess import sys import textwrap +import urllib.parse import pki.cli import pki.server.instance @@ -220,6 +221,7 @@ def __init__(self, parent): self.add_module(SubsystemDBAccessCLI(self)) self.add_module(SubsystemDBIndexCLI(self)) + self.add_module(SubsystemDBReplicationCLI(self)) self.add_module(SubsystemDBVLVCLI(self)) @staticmethod @@ -1325,6 +1327,159 @@ def execute(self, argv): subsystem.rebuild_indexes() +class SubsystemDBReplicationCLI(pki.cli.CLI): + ''' + {subsystem} replication management commands + ''' + + def __init__(self, parent): + super(SubsystemDBReplicationCLI, self).__init__( + 'repl', + inspect.cleandoc(self.__class__.__doc__).format( + subsystem=parent.parent.name.upper())) + + self.parent = parent + self.add_module(SubsystemDBReplicationAgreementCLI(self)) + + +class SubsystemDBReplicationAgreementCLI(pki.cli.CLI): + ''' + {subsystem} replication agreement management commands + ''' + + def __init__(self, parent): + super(SubsystemDBReplicationAgreementCLI, self).__init__( + 'agmt', + inspect.cleandoc(self.__class__.__doc__).format( + subsystem=parent.parent.name.upper())) + + self.parent = parent + self.add_module(SubsystemDBReplicationAgreementInitCLI(self)) + + +class SubsystemDBReplicationAgreementInitCLI(pki.cli.CLI): + ''' + Initialize {subsystem} replication agreement + ''' + + help = '''\ + Usage: pki-server {subsystem}-db-repl-agmt-init [OPTIONS] + + -i, --instance Instance ID (default: pki-tomcat) + --url Database URL + --bind-dn Database bind DN + --bind-password Database bind password + --suffix Database suffix + -v, --verbose Run in verbose mode. + --debug Run in debug mode. + --help Show help message. + ''' + + def __init__(self, parent): + super(SubsystemDBReplicationAgreementInitCLI, self).__init__( + 'init', + inspect.cleandoc(self.__class__.__doc__).format( + subsystem=parent.parent.parent.parent.name.upper())) + + self.parent = parent + + def print_help(self): + print(textwrap.dedent(self.__class__.help).format( + subsystem=self.parent.parent.parent.parent.name)) + + def execute(self, argv): + try: + opts, args = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'url=', 'bind-dn=', 'bind-password=', 'suffix=', + 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + logger.error(e) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + subsystem_name = self.parent.parent.parent.parent.name + url = None + bind_dn = None + bind_password = None + suffix = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--url': + url = urllib.parse.urlparse(a) + + elif o == '--bind-dn': + bind_dn = a + + elif o == '--bind-password': + bind_password = a + + elif o == '--suffix': + suffix = a + + elif o in ('-v', '--verbose'): + logging.getLogger().setLevel(logging.INFO) + + elif o == '--debug': + logging.getLogger().setLevel(logging.DEBUG) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + logger.error('Invalid option: %s', o) + self.print_help() + sys.exit(1) + + if len(args) < 1: + logger.error('Missing replication agreement name') + self.print_help() + sys.exit(1) + + name = args[0] + + instance = pki.server.instance.PKIInstance(instance_name) + + if not instance.exists(): + logger.error('Invalid instance: %s', instance_name) + sys.exit(1) + + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + + if not subsystem: + logger.error('No %s subsystem in instance %s.', + subsystem_name.upper(), instance_name) + sys.exit(1) + + ldap_config = {} + + if url.scheme == 'ldaps': + ldap_config['ldapconn.secureConn'] = 'true' + else: + ldap_config['ldapconn.secureConn'] = 'false' + + ldap_config['ldapconn.host'] = url.hostname + ldap_config['ldapconn.port'] = str(url.port) + + ldap_config['ldapauth.authtype'] = 'BasicAuth' + ldap_config['ldapauth.bindDN'] = bind_dn + ldap_config['ldapauth.bindPassword'] = bind_password + + ldap_config['basedn'] = suffix + + subsystem.init_replication_agreement( + name, + ldap_config) + + class SubsystemDBVLVCLI(pki.cli.CLI): def __init__(self, parent): diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index ab709121f32..7d4b0165870 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -1598,6 +1598,41 @@ def setup_database(self, subsystem, master_config): replica_replication_port=replica_replication_port, replication_security=replication_security) + logger.info('Initializing replication agreement') + + hostname = self.mdict['pki_hostname'] + agreement_name = 'masterAgreement1-%s-%s' % (hostname, self.instance.name) + + # get master's database config + ldap_config = {} + for name in master_config['Properties']: + + match = re.match(r'internaldb\.(.*)$', name) + + if not match: + continue + + new_name = match.group(1) # strip internaldb prefix + + if new_name == 'replication.password': # unused + continue + + elif new_name == 'ldapauth.bindPWPrompt': # unused + continue + + elif new_name.startswith('_'): # comments + continue + + elif new_name == 'ldapauth.password': # rename + new_name = 'ldapauth.bindPassword' + + value = master_config['Properties'][name] + ldap_config[new_name] = value + + subsystem.init_replication_agreement( + agreement_name, + ldap_config) + # For security a PKI subsystem can be configured to use a database user # that only has a limited access to the database (instead of cn=Directory # Manager that has a full access to the database). diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index 453a0ee372f..ab1dfe14afa 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -1326,6 +1326,35 @@ def setup_replication( finally: shutil.rmtree(tmpdir) + def init_replication_agreement( + self, + name, + ldap_config): + + tmpdir = tempfile.mkdtemp() + try: + ldap_config_file = os.path.join(tmpdir, 'ldap.conf') + pki.util.store_properties(ldap_config_file, ldap_config) + pki.util.chown(tmpdir, self.instance.uid, self.instance.gid) + + cmd = [self.name + '-db-repl-agmt-init'] + + if ldap_config_file: + cmd.extend(['--ldap-config', ldap_config_file]) + + if logger.isEnabledFor(logging.DEBUG): + cmd.append('--debug') + + elif logger.isEnabledFor(logging.INFO): + cmd.append('--verbose') + + cmd.append(name) + + self.run(cmd) + + finally: + shutil.rmtree(tmpdir) + def find_vlv(self, as_current_user=False): cmd = [self.name + '-db-vlv-find'] diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementCLI.java new file mode 100644 index 00000000000..b2b6e67b945 --- /dev/null +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementCLI.java @@ -0,0 +1,23 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.cli; + +import org.dogtagpki.cli.CLI; + +/** + * @author Endi S. Dewata + */ +public class SubsystemDBReplicationAgreementCLI extends CLI { + + public SubsystemDBReplicationAgreementCLI(CLI parent) { + super( + "agmt", + parent.parent.parent.name.toUpperCase() + " replication agreement management commands", + parent); + + addModule(new SubsystemDBReplicationAgreementInitCLI(this)); + } +} diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementInitCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementInitCLI.java new file mode 100644 index 00000000000..7084d4fe88f --- /dev/null +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationAgreementInitCLI.java @@ -0,0 +1,98 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.cli; + +import org.apache.commons.cli.CommandLine; +import org.dogtagpki.cli.CLI; +import org.dogtagpki.cli.CLIException; +import org.dogtagpki.util.logging.PKILogger; +import org.dogtagpki.util.logging.PKILogger.LogLevel; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.netscape.cms.servlet.csadmin.LDAPConfigurator; +import com.netscape.cmscore.apps.EngineConfig; +import com.netscape.cmscore.base.ConfigStorage; +import com.netscape.cmscore.base.FileConfigStorage; +import com.netscape.cmscore.ldapconn.LDAPConfig; +import com.netscape.cmscore.ldapconn.LdapBoundConnFactory; +import com.netscape.cmscore.ldapconn.PKISocketConfig; + +import netscape.ldap.LDAPConnection; + +/** + * @author Endi S. Dewata + */ +public class SubsystemDBReplicationAgreementInitCLI extends SubsystemCLI { + + public static Logger logger = LoggerFactory.getLogger(SubsystemDBReplicationAgreementInitCLI.class); + + public SubsystemDBReplicationAgreementInitCLI(CLI parent) { + super( + "init", + "Initialize " + parent.parent.parent.parent.getName().toUpperCase() + " replication agreement", + parent); + } + + @Override + public void createOptions() { + + options.addOption(null, "ldap-config", true, "LDAP configuration file"); + + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "debug", false, "Run in debug mode."); + options.addOption(null, "help", false, "Show help message."); + } + + @Override + public void execute(CommandLine cmd) throws Exception { + + String[] cmdArgs = cmd.getArgs(); + + if (cmdArgs.length < 1) { + throw new CLIException("Missing replication agreement name"); + } + + String agreementName = cmdArgs[0]; + + if (cmd.hasOption("debug")) { + PKILogger.setLevel(LogLevel.DEBUG); + + } else if (cmd.hasOption("verbose")) { + PKILogger.setLevel(LogLevel.INFO); + } + + String ldapConfigFile = cmd.getOptionValue("ldap-config"); + + if (ldapConfigFile == null) { + throw new Exception("Missing LDAP configuration file"); + } + + initializeTomcatJSS(); + String subsystem = parent.parent.parent.parent.getName(); + EngineConfig cs = getEngineConfig(subsystem); + cs.load(); + + PKISocketConfig socketConfig = cs.getSocketConfig(); + + logger.info("Loading {}", ldapConfigFile); + ConfigStorage configStorage = new FileConfigStorage(ldapConfigFile); + LDAPConfig ldapConfig = new LDAPConfig(configStorage); + ldapConfig.load(); + + LdapBoundConnFactory connFactory = new LdapBoundConnFactory("LDAPConfigurator"); + connFactory.init(socketConfig, ldapConfig); + LDAPConnection conn = connFactory.getConn(); + + try { + LDAPConfigurator configurator = new LDAPConfigurator(conn, ldapConfig); + configurator.initializeReplicationAgreement(agreementName); + + } finally { + if (conn != null) conn.disconnect(); + } + } +} diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java index 064b9df2eb8..7daa3220a7b 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java @@ -16,5 +16,6 @@ public SubsystemDBReplicationCLI(CLI parent) { super("repl", parent.parent.name.toUpperCase() + " database replication management commands", parent); addModule(new SubsystemDBReplicationSetupCLI(this)); + addModule(new SubsystemDBReplicationAgreementCLI(this)); } } diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java index 02d9cb9fbbe..5207b71ab15 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java @@ -181,9 +181,6 @@ public void setupReplication( logger.info("New replica number range: " + beginReplicaNumber + "-" + endReplicaNumber); dbConfig.putString("beginReplicaNumber", Integer.toString(beginReplicaNumber)); - logger.info("Initializing replication agreement"); - masterConfigurator.initializeReplicationAgreement(masterAgreementName); - } finally { if (masterConn != null) masterConn.disconnect(); }