The ideal situation would be to have Dogtag using shared ports behind an Apache proxy (which uses the standard ports).
Email thread:
On 06/15/2011 10:02 AM, Ade Lee wrote:
I have contacted Michael Brown and Kent Lamb - two Red Hat guys working with the DoD deployment of CS. Michael had specifically been tasked with figuring out how to deploy CS behind apache. His current configuration used a normally configured CS, port forwarding, and apache as a proxy (using mod_proxy_ajp). His configuration is working and I have received his configuration files.
It is possible to configure Dogtag to run with shared ports. (http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/installing-ports.html)
This was the default configuration before port separation was introduced. This will remove the requirement for port forwarding. We will need to re-test this configuration though - to ensure that nothing has broken.
As for consolidating the DS port, that's a whole other discussion ..
Ade
Working to use mod_proxy_ajp as a front end to the PKI components. All calls to the CA will go through the Apache instance and then forward to tomcat over a port on 'localhost'.
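An added example of the front-end arrangement described in this comment (not a configuration from the ticket or from Dogtag itself): Apache terminates TLS on the standard port and hands requests to Tomcat over AJP on the loopback interface. The AJP port 8009, the `/ca` context path and the certificate paths are assumptions; Tomcat's own AJP connector must additionally be bound to `127.0.0.1` in `server.xml` so that it is reachable only through the proxy.

```apache
# Apache front end for a Dogtag CA instance (added example, assumed values).
# Only Apache listens on the public port; Tomcat's AJP connector stays on localhost.
Listen 443

<VirtualHost *:443>
    ServerName pki.example.test          # placeholder host name

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/pki-proxy.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/pki-proxy.key # assumed path

    # Agent and admin interfaces authenticate with client certificates, so the
    # proxy must request them and export the certificate data for the AJP hop.
    SSLVerifyClient optional
    SSLOptions +StdEnvVars +ExportCertData

    # Never act as a forward proxy; only the explicit mappings below are allowed.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward the CA web application to Tomcat over AJP on the loopback interface.
    ProxyPass        /ca ajp://127.0.0.1:8009/ca
    ProxyPassReverse /ca ajp://127.0.0.1:8009/ca

    # Anything outside the mapped context is refused at the proxy.
    <Location />
        Require all denied
    </Location>
    <Location /ca>
        Require all granted
    </Location>
</VirtualHost>
```

The matching Tomcat side is a single attribute on the AJP `<Connector>`, `address="127.0.0.1"`, which keeps the unencrypted AJP port from being exposed on any non-loopback interface.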
Would we be able to pull it into 2.1.x?
I'd say it is risky. I'm not comfortable yet giving it a thumbs up until we go through a round of QA.
Replying to [comment:3 admiyo]:
Sure, but this effectively means that we need to pull it in to put it on QE's plate.
Let's go for it and if it causes too many problems, we can always back it out. devel repos are not building ipa at the moment, so this needs to be addressed for us to test this ...
We are still waiting on changes to the Dogtag installation and configuration, so we cannot bring it in yet. This allows you to test it, but it still requires manual configuration.
Fixed in: 5ee9334
Metadata Update from @vakwetu: - Issue assigned to admiyo - Issue set to the milestone: FreeIPA 3.0 Core Effort Backlog