authorAndrew Wnuk <awnuk@redhat.com>2012-08-20 15:38:31 -0700
committerAndrew Wnuk <awnuk@redhat.com>2012-08-20 15:38:31 -0700
commitd0ec0c056f132e13bf606f595d1d26ab6486bc5a (patch)
treec3b8bb8ff875619577036ca933e7daef5a375e60
parentaaebc76f590a31f6dc44efa98dba950985dc6dd2 (diff)
subsequent OCSPs and DRM connector protection
This patch corrects the process of attaching an OCSP subsystem to a CA. It improves handling of adding subsequent OCSP subsystems to a CA. This patch also prevents the DRM connector from being overwritten by subsequent DRM installations. Bug 804179.
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java1
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java79
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java30
-rw-r--r--dogtag/common-ui/shared/admin/console/config/donepanel.vm12
4 files changed, 71 insertions, 51 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index f514a59f0..e81afdd2f 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -178,6 +178,7 @@ public class DonePanel extends WizardPanelBase {
ConfigurationUtils.setupClientAuthUser();
}
} catch (Exception e) {
+ context.put("info", "Failed to update connector information. "+e.getMessage());
CMS.debug("DonePanel - update(): Error while pushing KRA connectot information to the CA: " + e);
e.printStackTrace();
}
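Review bot: The added `context.put("info", ...)` concatenates `e.getMessage()`, which is null for many exception types, so the panel can display "Failed to update connector information. null"; guard it, e.g. `context.put("info", "Failed to update connector information. " + (e.getMessage() != null ? e.getMessage() : e));`. The value is later interpolated into the page as `$info` by the donepanel.vm change in this commit, so whatever text the CA response carried ends up in rendered HTML; keep the message fixed or escape it before putting it in the context. The enclosing update() method starts and ends outside this hunk.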
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
index b6f64767a..b62e184b7 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
@@ -51,6 +51,7 @@ public class UpdateConnector extends CMSServlet {
*/
private static final long serialVersionUID = 972871860008509849L;
private final static String SUCCESS = "0";
+ private final static String FAILED = "1";
private final static String AUTH_FAILURE = "2";
public UpdateConnector() {
@@ -121,42 +122,47 @@ public class UpdateConnector extends CMSServlet {
return;
}
- IConfigStore cs = CMS.getConfigStore();
-
- @SuppressWarnings("unchecked")
- Enumeration<String> list = httpReq.getParameterNames();
- while (list.hasMoreElements()) {
- String name = list.nextElement();
- String val = httpReq.getParameter(name);
- if (name != null && name.startsWith("ca.connector")) {
- CMS.debug("Adding connector update name=" + name + " val=" + val);
- cs.putString(name, val);
- } else {
- CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ // check if connector exists
+ ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca");
+ ICAService caService = (ICAService)ca.getCAService();
+ boolean connectorExists = (caService.getKRAConnector() != null)? true:false;
+ if (connectorExists) {
+ CMS.debug("UpdateConnector: KRA connector already exists");
+ } else {
+ IConfigStore cs = CMS.getConfigStore();
+
+ @SuppressWarnings("unchecked")
+ Enumeration<String> list = httpReq.getParameterNames();
+ while (list.hasMoreElements()) {
+ String name = list.nextElement();
+ String val = httpReq.getParameter(name);
+ if (name != null && name.startsWith("ca.connector")) {
+ CMS.debug("Adding connector update name=" + name + " val=" + val);
+ cs.putString(name, val);
+ } else {
+ CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ }
}
- }
- try {
- String nickname = cs.getString("ca.subsystem.nickname", "");
- String tokenname = cs.getString("ca.subsystem.tokenname", "");
- if (!tokenname.equals("Internal Key Storage Token"))
- nickname = tokenname + ":" + nickname;
- cs.putString("ca.connector.KRA.nickName", nickname);
- cs.commit(false);
- } catch (Exception e) {
- }
+ try {
+ String nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname + ":" + nickname;
+ cs.putString("ca.connector.KRA.nickName", nickname);
+ cs.commit(false);
+ } catch (Exception e) {
+ }
- // start the connector
- try {
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
- ICAService caService = (ICAService) ca.getCAService();
- IConnector kraConnector = caService.getConnector(
- cs.getSubStore("ca.connector.KRA"));
- caService.setKRAConnector(kraConnector);
- kraConnector.start();
- } catch (Exception e) {
- CMS.debug("Failed to start connector " + e);
+ // start the connector
+ try {
+ IConnector kraConnector = caService.getConnector(
+ cs.getSubStore("ca.connector.KRA"));
+ caService.setKRAConnector(kraConnector);
+ kraConnector.start();
+ } catch (Exception e) {
+ CMS.debug("Failed to start connector " + e);
+ }
}
// send success status back to the requestor
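Review bot: The `catch (Exception e) { }` after the `ca.connector.KRA.nickName` commit is still empty on the new side, so a failed `cs.commit(false)` goes unrecorded and the connector is then started from whatever is in memory; at minimum log it, `CMS.debug("UpdateConnector: failed to commit KRA nickName: " + e);`. The existence test reads the in-memory service rather than the config store, so an earlier request that wrote `ca.connector.*` but threw before `setKRAConnector` would still be overwritten — that may be the intent, but it is worth a comment such as `// existence is judged by the live connector, not by stored ca.connector.* keys`. Style: `boolean connectorExists = (caService.getKRAConnector() != null)? true:false;` is a redundant ternary; write `boolean connectorExists = caService.getKRAConnector() != null;`. The enclosing method begins before and continues after this hunk.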
@@ -165,7 +171,12 @@ public class UpdateConnector extends CMSServlet {
XMLObject xmlObj = new XMLObject();
Node root = xmlObj.createRoot("XMLResponse");
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ if (connectorExists) {
+ xmlObj.addItemToContainer(root, "Status", FAILED);
+ xmlObj.addItemToContainer(root, "Error", "DRM connector already exists.");
+ } else {
+ xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ }
byte[] cb = xmlObj.toByteArray();
outputResult(httpResp, "application/xml", cb);
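Review bot: The comment `// send success status back to the requestor` immediately above this hunk is now inaccurate, since the response also carries `FAILED` with an `Error` element when the connector already exists; change it to `// send status (and an Error element if the connector already exists) back to the requestor`. The response is emitted through the same `outputResult` call in both cases, so the caller can only distinguish the outcome by parsing `Status`; confirm that the client side (the DonePanel update path) treats "1" as a failure and surfaces the `Error` text rather than only checking for "0".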
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
index 3d564e955..c34df8b9c 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
@@ -116,24 +116,22 @@ public class UpdateOCSPConfig extends CMSServlet {
String ocsphost = httpReq.getParameter("ocsp_host");
String ocspport = httpReq.getParameter("ocsp_port");
+ String ocspname = ocsphost.replace('.', '-')+"-"+ocspport;
+ String publisherPrefix = "ca.publish.publisher.instance.OCSPPublisher-"+ocspname;
+ String rulePrefix = "ca.publish.rule.instance.ocsprule-"+ocspname;
try {
cs.putString("ca.publish.enable", "true");
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.host",
- ocsphost);
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.port",
- ocspport);
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName",
- nickname);
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.path",
- "/ocsp/agent/ocsp/addCRL");
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher");
- cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true");
- cs.putString("ca.publish.rule.instance.ocsprule.enable", "true");
- cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap");
- cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule");
- cs.putString("ca.publish.rule.instance.ocsprule.publisher",
- "OCSPPublisher");
- cs.putString("ca.publish.rule.instance.ocsprule.type", "crl");
+ cs.putString(publisherPrefix+".host", ocsphost);
+ cs.putString(publisherPrefix+".port", ocspport);
+ cs.putString(publisherPrefix+".nickName", nickname);
+ cs.putString(publisherPrefix+".path", "/ocsp/agent/ocsp/addCRL");
+ cs.putString(publisherPrefix+".pluginName", "OCSPPublisher");
+ cs.putString(publisherPrefix+".enableClientAuth", "true");
+ cs.putString(rulePrefix+".enable", "true");
+ cs.putString(rulePrefix+".mapper", "NoMap");
+ cs.putString(rulePrefix+".pluginName", "Rule");
+ cs.putString(rulePrefix+".publisher", "OCSPPublisher-"+ocspname);
+ cs.putString(rulePrefix+".type", "crl");
cs.commit(false);
// insert info
CMS.debug("UpdateOCSPConfig: Sending response");
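Review bot: `ocsphost.replace('.', '-')` on the first added line dereferences the `ocsp_host` parameter before any null check and outside the `try`, so a request without that parameter now fails with a NullPointerException instead of reaching the existing error handling; unless a check above the hunk already rejects missing parameters, add `if (ocsphost == null || ocspport == null) { /* existing error response */ return; }` before the prefixes are built. Both parameters also become part of configuration key names (`ca.publish.publisher.instance.OCSPPublisher-<ocspname>` and the rule prefix), and only '.' is rewritten; characters other than a plain hostname and numeric port (whitespace, '=', IPv6 ':' literals) would produce unexpected keys in the config store, so validating the host/port format before deriving `ocspname` keeps the namespace predictable. The intent of the '.'→'-' rewrite deserves a comment, e.g. `// dots would create nested substores; flatten the host into a single key segment`. The enclosing method starts and ends outside this hunk.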
diff --git a/dogtag/common-ui/shared/admin/console/config/donepanel.vm b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
index 062025825..59d22a977 100644
--- a/dogtag/common-ui/shared/admin/console/config/donepanel.vm
+++ b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
@@ -58,7 +58,17 @@ Please go to the <A href="https://$host:$port/$systemType/services"><b>services
#end
<br/>
To create additional instances, type "/usr/bin/pkicreate" on the command line.
-<br>
#if ($systemType != "tps")
+<br>
To start the administration console, type "/usr/bin/pkiconsole" on the command line.
+<br/>
+#end
+#if (($systemType == "kra") && ($info != ""))
+<hr>
+<br>
+<b>Important warning</b> reported by Certificate Authority:<br>&nbsp;&nbsp;&nbsp;&nbsp;<b>$info</b>
+<br/>
+<br>
+This instance of Data Recovery Manager (DRM) is not connected to any Certificate Authority (CA). Please consult the product documentation for the manual procedure of connecting a DRM to a CA.
+<br/>
#end
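Review bot: `$info` is interpolated inside `<b>` without escaping, and its value is an exception message built from the CA response, so any markup in that text is rendered as HTML; escape it (via an escape tool if one is present in the context, otherwise in DonePanel before `context.put`) or restrict the message to a fixed string. The condition `($systemType == "kra") && ($info != "")` depends on `info` always being present in the context; the DonePanel hunk only sets it in the failure branch, so confirm the success path also sets it (for example `context.put("info", "")`), otherwise the comparison runs against an undefined reference and its outcome depends on the Velocity version. Style: the block mixes `<br>` and `<br/>`; pick one form.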