#455 Automate shared secret agreement procedure with TKS
Closed: Fixed. Opened 11 years ago by nkinder.

https://bugzilla.redhat.com/show_bug.cgi?id=796942 (Dogtag Certificate System)

Description of problem:

Currently for FIPS considerations the TPS and TKS setup procedures require a
manual step of creating a shared secret sym key that protects messages passing
between TPS and TKS. It allows other keys to be wrapped and unwrapped in a
secure fashion instead of passing raw key bytes over the wire.
The procedure is currently a manual process aided by the TKSTool utility we
already ship.

Ideally, this whole thing could be automated in the TPS wizard. Possibly some
TKS work will need to be done as well.

This is related to tkstool improvements (#378).

Based on discussion with jmagne and rrelyea, the process can be automated as follows:

  • During TKS configuration:
    1. TKS generates a transport key in TKS database.
    2. TKS provides a servlet to retrieve the transport key.

  • During TPS configuration:
    1. TPS connects to TKS and authenticates using TPS certificate.
    2. TPS invokes the TKS servlet. The servlet will wrap the transport key with TPS public key and return it as byte stream.
    3. TPS unwraps the transport key with TPS private key and stores it in TPS database.

TKS and TPS could either use the improved tkstool or JSS to generate, export, and import the transport key.
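The exchange in the list above, as an added example that is not part of this ticket or of Dogtag's own code (it is written in Go against the standard library rather than the project's Java/JSS): the TKS generates a transport key, the servlet wraps it with the TPS public key, and the TPS unwraps it with its private key, so the raw key never crosses the wire. The 256-bit AES key type, RSA-OAEP as the wrapping mechanism, the OAEP label and the function names are assumptions; the TLS connection and TPS certificate authentication of step 1 are not modelled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OAEP label tying the wrapped blob to its purpose (constructed, not a Dogtag value).
var wrapLabel = []byte("tks-transport-key")

// TKS, step 1: generate the transport key kept in the TKS database. A 256-bit
// AES key is assumed here; the ticket does not say which key type Dogtag uses.
func GenerateTransportKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// TKS servlet, step 2: wrap the key with the TPS public key (RSA-OAEP assumed).
func WrapTransportKey(key []byte, tpsPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, tpsPub, key, wrapLabel)
}

// TPS, step 3: unwrap with the TPS private key before storing it in the TPS database.
func UnwrapTransportKey(wrapped []byte, tpsPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, tpsPriv, wrapped, wrapLabel)
}

// RunExchange plays both sides; it also checks that an unrelated private key cannot unwrap the blob.
func RunExchange() (sameKey, otherKeyRejected bool, err error) {
	tps, err1 := rsa.GenerateKey(rand.Reader, 2048)   // TPS subsystem key pair
	other, err2 := rsa.GenerateKey(rand.Reader, 2048) // a party that is not the TPS
	transportKey, err3 := GenerateTransportKey()
	if err = errors.Join(err1, err2, err3); err != nil {
		return false, false, err
	}
	wrapped, err := WrapTransportKey(transportKey, &tps.PublicKey) // the byte stream sent to the TPS
	if err != nil {
		return false, false, err
	}
	recovered, err := UnwrapTransportKey(wrapped, tps)
	_, otherErr := UnwrapTransportKey(wrapped, other)
	return bytes.Equal(recovered, transportKey), otherErr != nil, err
}

func main() { fmt.Println(RunExchange()) }
```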

The design for this is here:

http://pki.fedoraproject.org/wiki/Automated_generation_of_Shared_Secret_v2

The first part of this has been implemented, and checked in as below:

commit d042f57747ed314030de70ee09c13d3aa7f8855c Author: Ade Lee alee@redhat.com Date: Mon Sep 30 11:44:40 2013 -0400

Added method to modify connector

Also changed permissions to allow admin users to delete a connector and its associated shared secret.

commit 3c933d160f2db29ee8bdbdb7016ab96cd9667519 Author: Ade Lee alee@redhat.com Date: Fri Sep 27 14:30:45 2013 -0400

Changes to TPSConnectorService based on review

commit e9c373e57675c660b79c8998d724a9627b26ebda Author: Ade Lee alee@redhat.com Date: Thu Sep 26 11:53:23 2013 -0400

Modify TKS self tests and execution to use new shared secret names

The self tests and TokenServlet are modified to use the new shared secret names. A parameter has been added to allow legacy systems to continue running as-is. With a new system, the TKS self test will not fail on startup if no shared secret keys are configured. It will fail, however, if the keys are configured, but the ComputeSessionKey operation fails.

commit 6eaf2c01c211cf06053c82b1e296909ce8d874b6 Author: Ade Lee alee@redhat.com Date: Wed Sep 25 22:09:10 2013 -0400

Add service to generate and retrieve a shared secret

A new REST service has been added to the TKS to manage shared secrets. The shared secret is tied to the TKS-TPS connector, and is created at the end of the TPS configuration. At this point, the TPS contacts the TKS and requests that the shared secret be generated. The secret is returned to the TPS, wrapped using the subsystem certificate of the TPS.

The TPS should then decrypt the shared secret and store it in its certificate database. This operation requires JSS changes, though, and so will be deferred to a later patch. For now, though, if the TPS and TKS share the same certdb, then it is sufficient to generate the shared secret.

Clients and CLI are also provided. The CLI in particular is used to remove the TPSConnector entries and the shared secret when the TPS is pkidestroyed.

We need to implement the second part, which is the unwrapping of the wrapped shared secret package and its import into the TPS certdb.

Closing this as the first part is done.

Second part is opened in 10.2 as another ticket.
https://fedorahosted.org/pki/ticket/758

Metadata Update from @nkinder:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.1 - 09/13 (September)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1026

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
