summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-12-03 12:08:58 -0500
committerAde Lee <alee@redhat.com>2012-12-04 12:11:36 -0500
commit065d883a5595154ec4ca91e890aa380e3bf1d6b2 (patch)
tree67f95fac777fd6800560ecad4a110bc31cdc799f
parent66c519f0185f24a650df834d781be2ed7ef857f7 (diff)
downloadpki-065d883a5595154ec4ca91e890aa380e3bf1d6b2.tar.gz
pki-065d883a5595154ec4ca91e890aa380e3bf1d6b2.tar.xz
pki-065d883a5595154ec4ca91e890aa380e3bf1d6b2.zip
Use interpolation to build default parameters
This patch replaces the code in pkiparser with defaults that are built up using ConfigParser interpolation. The patch gets most (but not all) default parameters.
-rw-r--r--base/deploy/config/deployment.cfg154
-rwxr-xr-xbase/deploy/src/pkidestroy4
-rwxr-xr-xbase/deploy/src/pkispawn4
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py1
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py730
5 files changed, 139 insertions, 754 deletions
diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
index 6ff7a35bb..9eb930414 100644
--- a/base/deploy/config/deployment.cfg
+++ b/base/deploy/config/deployment.cfg
@@ -1,8 +1,13 @@
###############################################################################
-## Default Configuration: ##
+## Common Configuration: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## There are also some meta-parameters that determine how the PKI ##
+## configuratiion should work. ##
## ##
-## This section contains meta-parameters that determine how the PKI ##
-## configuration should work. ##
###############################################################################
[DEFAULT]
@@ -47,35 +52,17 @@ destroy_scriplets=
infrastructure_layout
finalization
-###############################################################################
-## Common Configuration: ##
-## ##
-## Values in this section are common to more than one PKI subsystem, and ##
-## contain required information which MAY be overridden by users as ##
-## necessary. ##
-## ##
-## NOTE: Default values will be generated for any and all required ##
-## 'common' data values which are left undefined. ##
-###############################################################################
-[Common]
pki_admin_cert_request_type=crmf
pki_admin_domain_name=
pki_admin_dualkey=False
-pki_admin_email=
pki_admin_keysize=2048
-pki_admin_name=
-pki_admin_nickname=
pki_admin_password=
-pki_admin_subject_dn=
-pki_admin_uid=
pki_audit_group=pkiaudit
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
-pki_audit_signing_nickname=
pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_subject_dn=
-pki_audit_signing_token=
+pki_audit_signing_token=Internal Key Storage Token
pki_backup_keys=False
pki_backup_password=
pki_client_database_dir=
@@ -83,21 +70,22 @@ pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=
pki_client_pkcs12_password=
-pki_ds_base_dn=
pki_ds_bind_dn=cn=Directory Manager
-pki_ds_database=
-pki_ds_hostname=
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
pki_ds_password=
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
+pki_http_port=%(default_http_port)s
+pki_https_port=%(default_https_port)s
+pki_instance_id=%(pki_instance_name)s
+pki_instance_name=%(default_instance_name)s
pki_issuing_ca=
pki_restart_configured_instance=True
-pki_security_domain_hostname=
+pki_security_domain_hostname=%(hostname)s
pki_security_domain_https_port=8443
-pki_security_domain_name=
+pki_security_domain_name=%(dns_domainname)s Security Domain
pki_security_domain_password=
pki_security_domain_user=
pki_skip_configuration=False
@@ -105,15 +93,14 @@ pki_skip_installation=False
pki_ssl_server_key_algorithm=SHA256withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
-pki_ssl_server_nickname=
-pki_ssl_server_subject_dn=
-pki_ssl_server_token=
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
+pki_ssl_server_subject_dn=cn=%(hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem=%(subsystem_type)s
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
-pki_subsystem_nickname=
-pki_subsystem_subject_dn=
-pki_subsystem_token=
+pki_subsystem_token=Internal Key Storage Token
pki_token_name=internal
pki_token_password=
pki_user=pkiuser
@@ -126,9 +113,6 @@ pki_user=pkiuser
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[Apache]
-pki_instance_name=pki-apache
-pki_http_port=80
-pki_https_port=443
###############################################################################
## Tomcat Configuration: ##
@@ -157,9 +141,6 @@ pki_clone_replication_security=None
pki_clone_uri=
pki_enable_java_debugger=False
pki_enable_proxy=False
-pki_http_port=8080
-pki_https_port=8443
-pki_instance_name=pki-tomcat
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=true
@@ -185,10 +166,10 @@ pki_tomcat_server_port=8005
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
-pki_ca_signing_nickname=
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=
-pki_ca_signing_token=
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
pki_external=False
pki_external_ca_cert_chain_path=
pki_external_ca_cert_path=
@@ -198,13 +179,25 @@ pki_import_admin_cert=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
pki_subordinate=False
-pki_subsystem=CA
-pki_subsystem_name=
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=CA %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
###############################################################################
## KRA Configuration: ##
@@ -218,19 +211,30 @@ pki_import_admin_cert=True
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
-pki_storage_nickname=
+pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=
-pki_storage_token=
-pki_subsystem=KRA
-pki_subsystem_name=
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
pki_transport_key_algorithm=SHA256withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
-pki_transport_nickname=
+pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=
-pki_transport_token=
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=KRA %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## OCSP Configuration: ##
@@ -244,12 +248,23 @@ pki_import_admin_cert=True
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_subsystem=OCSP
-pki_subsystem_name=
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=OCSP %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## RA Configuration: ##
@@ -258,8 +273,6 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[RA]
-pki_subsystem=RA
-pki_subsystem_name=
###############################################################################
## TKS Configuration: ##
@@ -270,8 +283,19 @@ pki_subsystem_name=
###############################################################################
[TKS]
pki_import_admin_cert=True
-pki_subsystem=TKS
-pki_subsystem_name=
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=TKS %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## TPS Configuration: ##
@@ -280,5 +304,3 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[TPS]
-pki_subsystem=TPS
-pki_subsystem_name=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 4e8bca9d1..69daa13ad 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -119,8 +119,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
@@ -133,8 +131,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 73d236247..79ab1b230 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -139,8 +139,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
@@ -153,8 +151,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 35c80a5f7..ec6c5ea38 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -205,7 +205,6 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
pki_default_dict = None
-pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
pki_master_dict = None
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a99425960..05536f424 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -79,8 +79,7 @@ class PKIConfigParser:
dest='pki_deployed_instance_name',
action='store',
nargs=1, required=True, metavar='<instance>',
- help='FORMAT: ${pki_instance_name}'
- '[.${pki_admin_domain_name}]')
+ help='FORMAT: ${pki_instance_name}')
# Establish 'Optional' command-line options
optional = parser.add_argument_group('optional arguments')
optional.add_argument('-h', '--help',
@@ -219,37 +218,51 @@ class PKIConfigParser:
"Read configuration file sections into dictionaries"
rv = 0
try:
- self.pki_config = ConfigParser.ConfigParser()
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ default_instance_name = 'pki-tomcat'
+ default_http_port = '8080'
+ default_https_port = '8443'
+ else:
+ default_instance_name = 'pki-apache'
+ default_http_port = '80'
+ default_https_port = '443'
+
+ predefined_dict = {'default_instance_name': default_instance_name,
+ 'default_http_port': default_http_port,
+ 'default_https_port': default_https_port,
+ 'dns_domainname': config.pki_dns_domainname,
+ 'subsystem_type' : config.pki_subsystem,
+ 'hostname': config.pki_hostname}
+
+ self.pki_config = ConfigParser.SafeConfigParser(predefined_dict)
# Make keys case-sensitive!
self.pki_config.optionxform = str
self.pki_config.read([
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE,
config.pkideployment_cfg])
- config.pki_default_dict = self.pki_config.defaults()
+ config.pki_default_dict = dict(self.pki_config.items('DEFAULT'))
pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split()
- config.pki_common_dict = dict(self.pki_config._sections['Common'])
if config.pki_subsystem == "CA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['CA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('CA'))
elif config.pki_subsystem == "KRA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['KRA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('KRA'))
elif config.pki_subsystem == "OCSP":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['OCSP'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('OCSP'))
elif config.pki_subsystem == "RA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Apache'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['RA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('RA'))
elif config.pki_subsystem == "TKS":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['TKS'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('TKS'))
elif config.pki_subsystem == "TPS":
- config.pki_web_server_dict = dict(self.pki_config._sections['Apache'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['TPS'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('TPS'))
# Insert empty record into dictionaries for "pretty print" statements
# NEVER print "sensitive" key value pairs!!!
config.pki_default_dict[0] = None
- config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
except ConfigParser.ParsingError, err:
@@ -296,10 +309,10 @@ class PKIConfigParser:
# Configuration file name/value pairs
# NEVER add "sensitive" key value pairs to the master dictionary!!!
config.pki_master_dict.update(config.pki_default_dict)
- config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
config.pki_master_dict.update(__name__="PKI Master Dictionary")
+
# IMPORTANT: A "PKI instance" no longer corresponds to a single
# pki subystem, but rather to a unique
# "Tomcat web instance" or a unique "Apache web instance".
@@ -345,17 +358,12 @@ class PKIConfigParser:
# OLD: "pki-${pki_subsystem}"
# (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks")
# (e. g. Apache: "pki-ra", "pki-tps")
- # NEW: "${pki_instance_name}[.${pki_admin_domain_name}]"
+ # NEW: "${pki_instance_name}"
# (e. g. Tomcat: "pki-tomcat", "pki-tomcat.example.com")
# (e. g. Apache: "pki-apache", "pki-apache.example.com")
#
- if len(config.pki_master_dict['pki_admin_domain_name']):
- config.pki_master_dict['pki_instance_id'] =\
- config.pki_master_dict['pki_instance_name'] + "." +\
- config.pki_master_dict['pki_admin_domain_name']
- else:
- config.pki_master_dict['pki_instance_id'] =\
- config.pki_master_dict['pki_instance_name']
+ config.pki_master_dict['pki_instance_id'] = config.pki_master_dict['pki_instance_name']
+
# PKI Source name/value pairs
config.pki_master_dict['pki_source_conf_path'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
@@ -1364,7 +1372,6 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and potentially overridden below:
#
- # config.pki_master_dict['pki_client_database_password']
# config.pki_master_dict['pki_client_dir']
# config.pki_master_dict['pki_client_subsystem_dir']
#
@@ -1464,9 +1471,6 @@ class PKIConfigParser:
#
# config.pki_master_dict['pki_security_domain_user']
# config.pki_master_dict['pki_issuing_ca']
- # config.pki_master_dict['pki_security_domain_hostname']
- # config.pki_master_dict['pki_security_domain_name']
- # config.pki_master_dict['pki_subsystem_name']
#
# if security domain user is not defined
@@ -1478,44 +1482,16 @@ class PKIConfigParser:
config.pki_master_dict['pki_security_domain_user'] =\
self.pki_config.get('CA', 'pki_admin_uid')
- # or use the Common admin uid if it's defined
- elif self.pki_config.has_option('Common', 'pki_admin_uid') and\
- len(self.pki_config.get('Common', 'pki_admin_uid')) > 0:
+ # or use the Default admin uid if it's defined
+ elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\
+ len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0:
config.pki_master_dict['pki_security_domain_user'] =\
- self.pki_config.get('Common', 'pki_admin_uid')
+ self.pki_config.get('DEFAULT', 'pki_admin_uid')
# otherwise use the default CA admin uid
else:
config.pki_master_dict['pki_security_domain_user'] = "caadmin"
- if not len(config.pki_master_dict['pki_subsystem_name']):
- if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS and \
- config.str2bool(config.pki_master_dict['pki_clone']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "CA" and \
- config.str2bool(config.pki_master_dict['pki_external']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_EXTERNAL_CA + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "CA" and \
- config.str2bool(config.pki_master_dict['pki_subordinate']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_SUBORDINATE_CA + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- config.pki_master_dict['pki_subsystem_name'] =\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
if config.pki_subsystem != "CA" or\
config.str2bool(config.pki_master_dict['pki_clone']) or\
config.str2bool(config.pki_master_dict['pki_subordinate']):
@@ -1523,16 +1499,6 @@ class PKIConfigParser:
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
# Subordinate CA
config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] + " " +\
- "Security Domain"
- if not\
- len(config.pki_master_dict['pki_security_domain_hostname']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_hostname'] =\
- config.pki_master_dict['pki_hostname']
config.pki_master_dict['pki_security_domain_uri'] =\
"https" + "://" +\
config.pki_master_dict['pki_security_domain_hostname'] + ":" +\
@@ -1552,58 +1518,7 @@ class PKIConfigParser:
else:
# PKI CA
config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] + " " +\
- "Security Domain"
- # Jython scriptlet
- # 'Directory Server' Configuration name/value pairs
- #
- # Apache - [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ds_password']
- # config.pki_master_dict['pki_clone_replication_security']
- # config.pki_master_dict['pki_ds_bind_dn']
- # config.pki_master_dict['pki_ds_ldap_port']
- # config.pki_master_dict['pki_ds_ldaps_port']
- # config.pki_master_dict['pki_ds_remove_data']
- # config.pki_master_dict['pki_ds_secure_connection']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ds_base_dn']
- # config.pki_master_dict['pki_ds_database']
- # config.pki_master_dict['pki_ds_hostname']
- #
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict['pki_ds_base_dn']):
- # if the instance is NOT a clone, create a default BASE DN
- # of "o=${pki_instance_id}"; the reason that this default
- # CANNOT be created if the instance is a clone is due to the
- # fact that a master and clone MUST share the same BASE DN,
- # and creating this default would prevent the ability to
- # place a master and clone on the same machine (the method
- # most often used for testing purposes)
- config.pki_master_dict['pki_ds_base_dn'] =\
- "o=" + config.pki_master_dict['pki_instance_id'] +\
- "-" + config.pki_subsystem
- if not len(config.pki_master_dict['pki_ds_database']):
- config.pki_master_dict['pki_ds_database'] =\
- config.pki_master_dict['pki_instance_id'] +\
- "-" + config.pki_subsystem
- if not len(config.pki_master_dict['pki_ds_hostname']):
- # Guess that the Directory Server resides on the local host
- config.pki_master_dict['pki_ds_hostname'] =\
- config.pki_master_dict['pki_hostname']
+
# Jython scriptlet
# 'External CA' Configuration name/value pairs
#
@@ -1639,566 +1554,23 @@ class PKIConfigParser:
config.pki_master_dict['pki_database_path'] + "/" +\
config.pki_master_dict['pki_subsystem'].lower() + "_" +\
"backup" + "_" + "keys" + "." + "p12"
- # Jython scriptlet
- # 'Admin Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_admin_password']
- # config.pki_master_dict['pki_admin_cert_request_type']
- # config.pki_master_dict['pki_admin_dualkey']
- # config.pki_master_dict['pki_admin_keysize']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_admin_name']
- # config.pki_master_dict['pki_admin_uid']
- # config.pki_master_dict['pki_admin_email']
- # config.pki_master_dict['pki_admin_nickname']
- # config.pki_master_dict['pki_admin_subject_dn']
- #
+
config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
- if not len(config.pki_master_dict['pki_admin_uid']):
- config.pki_master_dict['pki_admin_uid'] =\
- config.pki_subsystem.lower() + "admin"
- if not len (config.pki_master_dict['pki_admin_name']):
- config.pki_master_dict['pki_admin_name'] =\
- config.pki_master_dict['pki_admin_uid']
- if not len(config.pki_master_dict['pki_admin_email']):
- config.pki_master_dict['pki_admin_email'] =\
- config.pki_master_dict['pki_admin_name'] + "@" +\
- config.pki_master_dict['pki_dns_domainname']
- if not len(config.pki_master_dict['pki_admin_nickname']):
- config.pki_master_dict['pki_admin_nickname'] =\
- "PKI Administrator for " +\
- config.pki_master_dict['pki_dns_domainname']
if not 'pki_import_admin_cert' in config.pki_master_dict:
config.pki_master_dict['pki_import_admin_cert'] = 'false'
- if not len(config.pki_master_dict['pki_admin_subject_dn']):
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=PKI Administrator" +\
- ",e=" + config.pki_master_dict['pki_admin_email'] +\
- ",o=" + config.pki_master_dict['pki_security_domain_name']
-
- # Jython scriptlet
- # 'CA Signing Certificate' Configuration name/value pairs
- #
- # Tomcat - [CA]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ca_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ca_signing_key_algorithm']
- # config.pki_master_dict['pki_ca_signing_key_size']
- # config.pki_master_dict['pki_ca_signing_key_type']
- # config.pki_master_dict['pki_ca_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ca_signing_nickname']
- # config.pki_master_dict['pki_ca_signing_subject_dn']
- # config.pki_master_dict['pki_ca_signing_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- # config.pki_master_dict['pki_ca_signing_nickname']
- if not len(config.pki_master_dict\
- ['pki_ca_signing_nickname']):
- config.pki_master_dict['pki_ca_signing_nickname'] =\
- "caSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- # config.pki_master_dict['pki_ca_signing_subject_dn']
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "External CA Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "SubCA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "CA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- # config.pki_master_dict['pki_ca_signing_tag']
- config.pki_master_dict['pki_ca_signing_tag'] =\
- "signing"
- # config.pki_master_dict['pki_ca_signing_token']
- if not len(config.pki_master_dict['pki_ca_signing_token']):
- config.pki_master_dict['pki_ca_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'OCSP Signing Certificate' Configuration name/value pairs
- #
- # Tomcat - [CA], [OCSP]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_key_algorithm']
- # config.pki_master_dict['pki_ocsp_signing_key_size']
- # config.pki_master_dict['pki_ocsp_signing_key_type']
- # config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ocsp_signing_nickname']
- # config.pki_master_dict['pki_ocsp_signing_subject_dn']
- # config.pki_master_dict['pki_ocsp_signing_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "External CA OCSP Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "SubCA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "CA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "ocsp_signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'SSL Server Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ssl_server_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ssl_server_key_algorithm']
- # config.pki_master_dict['pki_ssl_server_key_size']
- # config.pki_master_dict['pki_ssl_server_key_type']
- # config.pki_master_dict['pki_ssl_server_nickname']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ssl_server_subject_dn']
- # config.pki_master_dict['pki_ssl_server_token']
- #
- if not len(config.pki_master_dict['pki_ssl_server_nickname']):
- config.pki_master_dict['pki_ssl_server_nickname'] =\
- "Server-Cert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id']
- if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" + "External CA"
- else:
- # PKI or Cloned CA, KRA, OCSP, TKS, or Subordinate CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ca_signing_tag'] = "signing"
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing"
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "signing"
config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
- if not len(config.pki_master_dict['pki_ssl_server_token']):
- config.pki_master_dict['pki_ssl_server_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Subsystem Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_subsystem_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_subsystem_key_algorithm']
- # config.pki_master_dict['pki_subsystem_key_size']
- # config.pki_master_dict['pki_subsystem_key_type']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_subsystem_nickname']
- # config.pki_master_dict['pki_subsystem_subject_dn']
- # config.pki_master_dict['pki_subsystem_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "RA Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TPS Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "External CA Subsystem Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "SubCA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "CA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "DRM Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "OCSP Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TKS Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Audit Signing Certificate' Configuration name/value pairs
- #
- # Apache - [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_audit_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_audit_signing_key_algorithm']
- # config.pki_master_dict['pki_audit_signing_key_size']
- # config.pki_master_dict['pki_audit_signing_key_type']
- # config.pki_master_dict['pki_audit_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_audit_signing_nickname']
- # config.pki_master_dict['pki_audit_signing_subject_dn']
- # config.pki_master_dict['pki_audit_signing_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] != "RA":
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] +" " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- config.pki_master_dict['pki_audit_signing_subject_dn'] =\
- "cn=" + "TPS Audit Signing Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "External CA Audit Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "SubCA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "CA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "DRM Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "OCSP Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "TKS Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Transport Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_transport_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_transport_key_algorithm']
- # config.pki_master_dict['pki_transport_key_size']
- # config.pki_master_dict['pki_transport_key_type']
- # config.pki_master_dict['pki_transport_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_transport_nickname']
- # config.pki_master_dict['pki_transport_subject_dn']
- # config.pki_master_dict['pki_transport_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict\
- ['pki_transport_nickname']):
- config.pki_master_dict['pki_transport_nickname'] =\
- "transportCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_transport_subject_dn']):
- config.pki_master_dict['pki_transport_subject_dn']\
- = "cn=" + "DRM Transport Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_transport_tag'] =\
- "transport"
- if not len(config.pki_master_dict['pki_transport_token']):
- config.pki_master_dict['pki_transport_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Storage Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_storage_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_storage_key_algorithm']
- # config.pki_master_dict['pki_storage_key_size']
- # config.pki_master_dict['pki_storage_key_type']
- # config.pki_master_dict['pki_storage_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_storage_nickname']
- # config.pki_master_dict['pki_storage_subject_dn']
- # config.pki_master_dict['pki_storage_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict['pki_storage_nickname']):
- config.pki_master_dict['pki_storage_nickname'] =\
- "storageCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_storage_subject_dn']):
- config.pki_master_dict['pki_storage_subject_dn']\
- = "cn=" + "DRM Storage Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_storage_tag'] =\
- "storage"
- if not len(config.pki_master_dict['pki_storage_token']):
- config.pki_master_dict['pki_storage_token'] =\
- "Internal Key Storage Token"
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing"
+ config.pki_master_dict['pki_transport_tag'] = "transport"
+ config.pki_master_dict['pki_storage_tag'] = "storage"
+
# Finalization name/value pairs
config.pki_master_dict['pki_deployment_cfg_replica'] =\
os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],