diff --git a/SOURCES/0001-Fix-pki-server-migrate-CLI.patch b/SOURCES/0001-Fix-pki-server-migrate-CLI.patch
new file mode 100644
index 0000000..db5395a
--- /dev/null
+++ b/SOURCES/0001-Fix-pki-server-migrate-CLI.patch
@@ -0,0 +1,225 @@
+From bbdb82268026821cd6a00edae09cc30079effd30 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 8 Mar 2022 15:19:09 -0600
+Subject: [PATCH] Fix pki-server migrate CLI
+
+The pki-server migrate CLI has been modified to configure the
+AJP connectors with either secret or requiredSecret parameter
+(mutually exclusive) depending on the Tomcat version.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2061458
+---
+ base/server/python/pki/server/cli/migrate.py | 60 ----------
+ base/server/python/pki/server/instance.py | 118 +++++++++++++++++++
+ 2 files changed, 118 insertions(+), 60 deletions(-)
+
+diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
+index 2005004c4e..6e0ed6c2a7 100644
+--- a/base/server/python/pki/server/cli/migrate.py
++++ b/base/server/python/pki/server/cli/migrate.py
+@@ -23,7 +23,6 @@ from __future__ import print_function
+
+ import getopt
+ import logging
+-import re
+ import sys
+
+ from lxml import etree
+@@ -104,62 +103,3 @@ class MigrateCLI(pki.cli.CLI):
+
+ for instance in instances:
+ instance.init()
+-
+- # update AJP connectors for Tomcat 9.0.31 or later
+-
+- tomcat_version = pki.server.Tomcat.get_version()
+- if tomcat_version >= pki.util.Version('9.0.31'):
+-
+- for instance in instances:
+- self.update_ajp_connectors(instance)
+-
+- def update_ajp_connectors(self, instance):
+-
+- logger.info('Updating AJP connectors in %s', instance.server_xml)
+-
+- document = etree.parse(instance.server_xml, self.parser)
+- server = document.getroot()
+-
+- # replace 'requiredSecret' with 'secret' in comments
+-
+- services = server.findall('Service')
+- for service in services:
+-
+- children = list(service)
+- for child in children:
+-
+- if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+- # not a comment -> skip
+- continue
+-
+- if 'protocol="AJP/1.3"' not in child.text:
+- # not an AJP connector -> skip
+- continue
+-
+- child.text = re.sub(r'requiredSecret=',
+- r'secret=',
+- child.text,
+- flags=re.MULTILINE)
+-
+- # replace 'requiredSecret' with 'secret' in Connectors
+-
+- connectors = server.findall('Service/Connector')
+- for connector in connectors:
+-
+- if connector.get('protocol') != 'AJP/1.3':
+- # not an AJP connector -> skip
+- continue
+-
+- if connector.get('secret'):
+- # already has a 'secret' -> skip
+- continue
+-
+- if connector.get('requiredSecret') is None:
+- # does not have a 'requiredSecret' -> skip
+- continue
+-
+- value = connector.attrib.pop('requiredSecret')
+- connector.set('secret', value)
+-
+- with open(instance.server_xml, 'wb') as f:
+- document.write(f, pretty_print=True, encoding='utf-8')
+diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
+index ad938b841d..ff43dae8ec 100644
+--- a/base/server/python/pki/server/instance.py
++++ b/base/server/python/pki/server/instance.py
+@@ -836,9 +836,127 @@ class PKIInstance(pki.server.PKIServer):
+ nssdb.close()
+ shutil.rmtree(tmpdir)
+
++ def configure_ajp_connectors_secret(self):
++
++ logger.info('Configuring AJP connectors secret')
++
++ document = etree.parse(self.server_xml, parser)
++ server = document.getroot()
++
++ # replace 'requiredSecret' with 'secret' in comments
++
++ services = server.findall('Service')
++ for service in services:
++
++ children = list(service)
++ for child in children:
++
++ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
++ # not a comment -> skip
++ continue
++
++ if 'protocol="AJP/1.3"' not in child.text:
++ # not an AJP connector -> skip
++ continue
++
++ child.text = re.sub(r'requiredSecret=',
++ r'secret=',
++ child.text,
++ flags=re.MULTILINE)
++
++ # replace 'requiredSecret' with 'secret' in Connectors
++
++ connectors = server.findall('Service/Connector')
++ for connector in connectors:
++
++ if connector.get('protocol') != 'AJP/1.3':
++ # not an AJP connector -> skip
++ continue
++
++ # remove existing 'requiredSecret' if any
++ value = connector.attrib.pop('requiredSecret', None)
++ print('AJP connector requiredSecret: %s' % value)
++
++ if connector.get('secret'):
++ # already has a 'secret' -> skip
++ continue
++
++ if not value:
++ raise Exception('Missing AJP connector secret in %s' % self.server_xml)
++
++ # store 'secret'
++ connector.set('secret', value)
++
++ with open(self.server_xml, 'wb') as f:
++ document.write(f, pretty_print=True, encoding='utf-8')
++
++ def configure_ajp_connectors_required_secret(self):
++
++ logger.info('Configuring AJP connectors requiredSecret')
++
++ document = etree.parse(self.server_xml, parser)
++ server = document.getroot()
++
++ # replace 'secret' with 'requiredSecret' in comments
++
++ services = server.findall('Service')
++ for service in services:
++
++ children = list(service)
++ for child in children:
++
++ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
++ # not a comment -> skip
++ continue
++
++ if 'protocol="AJP/1.3"' not in child.text:
++ # not an AJP connector -> skip
++ continue
++
++ child.text = re.sub(r'secret=',
++ r'requiredSecret=',
++ child.text,
++ flags=re.MULTILINE)
++
++ # replace 'secret' with 'requiredSecret' in Connectors
++
++ connectors = server.findall('Service/Connector')
++ for connector in connectors:
++
++ if connector.get('protocol') != 'AJP/1.3':
++ # not an AJP connector -> skip
++ continue
++
++ # remove existing 'secret' if any
++ value = connector.attrib.pop('secret', None)
++ print('AJP connector secret: %s' % value)
++
++ if connector.get('requiredSecret'):
++ # already has a 'requiredSecret' -> skip
++ continue
++
++ if not value:
++ raise Exception('Missing AJP connector requiredSecret in %s' % self.server_xml)
++
++ # store 'requiredSecret'
++ connector.set('requiredSecret', value)
++
++ with open(self.server_xml, 'wb') as f:
++ document.write(f, pretty_print=True, encoding='utf-8')
++
++ def configure_ajp_connectors(self):
++
++ tomcat_version = pki.server.Tomcat.get_version()
++
++ if tomcat_version >= pki.util.Version('9.0.31'):
++ self.configure_ajp_connectors_secret()
++ else:
++ self.configure_ajp_connectors_required_secret()
++
+ def init(self):
+ super(PKIInstance, self).init()
+ self.validate_banner()
++ self.configure_ajp_connectors()
+
+ @classmethod
+ def instances(cls):
+--
+2.33.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index bf8aa96..adc4290 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.11.2
-Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
+Release: 5%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1
# To create a tarball from a version tag:
@@ -33,6 +33,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
Patch2: 0001-Fix-replica-reinstallation.patch
Patch3: 0001-Fix-AJP-connector-migration.patch
+Patch4: 0001-Fix-pki-server-migrate-CLI.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@@ -1365,6 +1366,9 @@ fi
################################################################################
%changelog
+* Wed Mar 09 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-5
+- Bug 2061458 - Additional fix for AJP connector migration
+
* Tue Jan 04 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-4
- Bug 2029023 - Fix AJP connector migration