The tkstool requires a lot of user interaction, which makes it not very user-friendly:
1. It requires the user to type randomly to generate a random seed.
2. It requires the user to type "proceed" several times to navigate between screens.
3. It doesn't save the output to a file, so the user has to write the keys down manually or copy & paste.
4. When setting up TPS, the keys have to be typed in manually; it doesn't accept an input file. If there's a typo, the keys have to be reentered.
And there's a bug: after exiting tkstool, the terminal won't show anything you type anymore; it has to be closed.
Based on discussion with jmagne and rrelyea, tkstool needs to support the following operations in a non-interactive mode:
We plan to not use tkstool to generate the shared key, but rather automate this in the tks. I have accordingly changed the title of this ticket. This will be in conjunction with the work in ticket 455,
This has been completed here:
commit d042f57747ed314030de70ee09c13d3aa7f8855c
Author: Ade Lee alee@redhat.com
Date:   Mon Sep 30 11:44:40 2013 -0400

    Added method to modify connector

    Also changed permissions to allow admin users to delete a connector and its associated shared secret.
commit 3c933d160f2db29ee8bdbdb7016ab96cd9667519
Author: Ade Lee alee@redhat.com
Date:   Fri Sep 27 14:30:45 2013 -0400

    Changes to TPSConnectorService based on review
commit e9c373e57675c660b79c8998d724a9627b26ebda
Author: Ade Lee alee@redhat.com
Date:   Thu Sep 26 11:53:23 2013 -0400

    Modify TKS self tests and execution to use new shared secret names

    The self tests and TokenServlet are modified to use the new shared secret names. A parameter has been added to allow legacy systems to continue running as-is. With a new system, the TKS self test will not fail on startup if no shared secret keys are configured. It will fail, however, if the keys are configured, but the ComputeSessionKey operation fails.
commit 6eaf2c01c211cf06053c82b1e296909ce8d874b6
Author: Ade Lee alee@redhat.com
Date:   Wed Sep 25 22:09:10 2013 -0400

    Add service to generate and retrieve a shared secret

    A new REST service has been added to the TKS to manage shared secrets. The shared secret is tied to the TKS-TPS connector, and is created at the end of the TPS configuration. At this point, the TPS contacts the TKS and requests that the shared secret be generated. The secret is returned to the TPS, wrapped using the subsystem certificate of the TPS. The TPS should then decrypt the shared secret and store it in its certificate database. This operation requires JSS changes, though, and so will be deferred to a later patch. For now, though, if the TPS and TKS share the same certdb, then it is sufficient to generate the shared secret. Clients and CLI are also provided. The CLI in particular is used to remove the TPSConnector entries and the shared secret when the TPS is pkidestroyed.
Design page is here:
http://pki.fedoraproject.org/wiki/Automated_generation_of_Shared_Secret_v2
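A small model of the hand-off the commit messages above describe (TKS mints the shared secret, returns it wrapped with the TPS subsystem public key, TPS unwraps it) together with the TKS self-test rule (pass when no secret is configured, fail when one is configured but ComputeSessionKey cannot use it). This is an added example, not Dogtag or JSS code: the RSA key pair is constructed in-line, OAEP is assumed as the wrap padding, and compute_session_key is an HMAC stand-in, not the real GlobalPlatform 3DES derivation.

```python
"""Model of the TKS-to-TPS shared-secret hand-off and TKS self-test rule.
Added example; needs the third-party `cryptography` package."""
import hashlib
import hmac
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SECRET_LEN = 24  # assumption: a 3DES-sized symmetric key
# Assumption: RSA-OAEP/SHA-256 as the wrap padding (not confirmed by the page).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def tks_generate_shared_secret(tps_subsystem_pubkey):
    """TKS side: mint a fresh secret; keep the clear copy against the TPS
    connector and send back only the copy wrapped for the TPS subsystem key."""
    secret = os.urandom(SECRET_LEN)
    return secret, tps_subsystem_pubkey.encrypt(secret, OAEP)


def tps_unwrap_shared_secret(tps_subsystem_privkey, wrapped):
    """TPS side: only the holder of the subsystem private key recovers it."""
    return tps_subsystem_privkey.decrypt(wrapped, OAEP)


def compute_session_key(shared_secret, host_challenge, card_challenge):
    """Stand-in for ComputeSessionKey (assumption: HMAC-SHA256 over both
    challenges, truncated to 16 bytes). Rejects a malformed secret."""
    if len(shared_secret) != SECRET_LEN:
        raise ValueError("shared secret has the wrong length")
    return hmac.new(shared_secret, host_challenge + card_challenge,
                    hashlib.sha256).digest()[:16]


def tks_self_test(configured_secret):
    """Startup rule from the commit above: no secret configured -> pass;
    secret configured but ComputeSessionKey fails -> fail."""
    if configured_secret is None:
        return True
    try:
        compute_session_key(configured_secret, os.urandom(8), os.urandom(8))
        return True
    except (ValueError, TypeError):
        return False


def demo_exchange():
    """One hand-off with a constructed TPS key pair; True when the TPS
    recovers exactly the secret the TKS kept and the wire copy differs."""
    tps_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    kept, wrapped = tks_generate_shared_secret(tps_key.public_key())
    recovered = tps_unwrap_shared_secret(tps_key, wrapped)
    return recovered == kept and wrapped != kept
```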
Metadata Update from @edewata:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.1 - 09/13 (September)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/949
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.