authorEndi Sukma Dewata <edewata@redhat.com>2012-11-28 09:27:16 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-11-30 16:02:48 -0500
commit5e93dc2ce2c26c43d3e2f7e9a40cbf08507a5ea6 (patch)
treedd8f1cad6df0d45547111b9e46682975518c1a46
parentcef7a7704f9f4b48c0a9b242fabd3a919f2068d5 (diff)
Reorganized sensitive parameters.
Previously, sensitive parameters were stored in the Sensitive section of the configuration file, separate from the hierarchical structure used by non-sensitive parameters. To allow defining multiple subsystems in a single configuration file, the sensitive and non-sensitive parameters have been reorganized into the same hierarchical structure. To maintain security, a new meta-parameter has been added that lists all sensitive parameter names. This way the deployment code knows whether a parameter is sensitive and masks its value before displaying it on the screen or storing it in a log file. Ticket #399
-rw-r--r--base/deploy/config/pkideployment.cfg76
-rwxr-xr-xbase/deploy/src/pkidestroy22
-rwxr-xr-xbase/deploy/src/pkispawn24
-rw-r--r--base/deploy/src/scriptlets/configuration.jy17
-rw-r--r--base/deploy/src/scriptlets/configuration.py3
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py2
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py45
-rw-r--r--base/deploy/src/scriptlets/pkijython.py16
-rw-r--r--base/deploy/src/scriptlets/pkilogging.py18
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py2
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py43
-rw-r--r--base/deploy/src/scriptlets/security_databases.py5
12 files changed, 150 insertions, 123 deletions
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 6630907a7..133d4e993 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,23 +1,29 @@
###############################################################################
-## 'Sensitive' Data: ##
-## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required 'sensitive' information which MUST ALWAYS be provided by users. ##
-## ##
-## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
-## console NOR stored in log files!!! ##
-###############################################################################
-[Sensitive]
-pki_admin_password=
-pki_backup_password=
-pki_client_database_password=
-pki_client_pkcs12_password=
-pki_clone_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_token_password=
-###############################################################################
-## 'Common' Data: ##
+## Default Configuration: ##
+## ##
+## This section contains meta-parameters that determine how the PKI ##
+## configuration should work. ##
+###############################################################################
+[DEFAULT]
+
+# The sensitive_parameters contains a list of parameters which may contain
+# sensitive information which must not be displayed to the console nor stored
+# in log files for security reasons.
+sensitive_parameters=
+ pki_admin_password
+ pki_backup_password
+ pki_client_database_password
+ pki_client_pin
+ pki_client_pkcs12_password
+ pki_clone_pkcs12_password
+ pki_ds_password
+ pki_one_time_pin
+ pki_pin
+ pki_security_domain_password
+ pki_token_password
+
+###############################################################################
+## Common Configuration: ##
## ##
## Values in this section are common to more than one PKI subsystem, and ##
## contain required information which MAY be overridden by users as ##
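Review bot: The `sensitive_parameters` list is now the only thing standing between a password value and the console or log file, because the masking in pkilogging and configuration.jy is an exact name match against this list; nothing ties it to the `*_password` entries declared further down in this file or to the pins generated at deployment time. I would add, directly above `sensitive_parameters=`, the comment `# Keep this list in sync with every parameter that holds a secret, including the pins generated at deployment time; a name missing here is logged in clear.` It is also worth saying in the section header that the values of the listed parameters are still stored in clear text in this file, so the file's own permissions remain the control for the data at rest.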
@@ -34,6 +40,7 @@ pki_admin_email=
pki_admin_keysize=2048
pki_admin_name=
pki_admin_nickname=
+pki_admin_password=
pki_admin_subject_dn=
pki_admin_uid=
pki_audit_group=pkiaudit
@@ -45,15 +52,19 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=
pki_audit_signing_token=
pki_backup_keys=False
+pki_backup_password=
pki_client_database_dir=
+pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=
+pki_client_pkcs12_password=
pki_ds_base_dn=
pki_ds_bind_dn=cn=Directory Manager
pki_ds_database=
pki_ds_hostname=
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
+pki_ds_password=
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
@@ -62,6 +73,7 @@ pki_restart_configured_instance=True
pki_security_domain_hostname=
pki_security_domain_https_port=8443
pki_security_domain_name=
+pki_security_domain_password=
pki_security_domain_user=
pki_skip_configuration=False
pki_skip_installation=False
@@ -78,9 +90,11 @@ pki_subsystem_nickname=
pki_subsystem_subject_dn=
pki_subsystem_token=
pki_token_name=internal
+pki_token_password=
pki_user=pkiuser
+
###############################################################################
-## 'Apache' Data: ##
+## Apache Configuration: ##
## ##
## Values in this section are common to PKI subsystems that run ##
## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
@@ -90,8 +104,9 @@ pki_user=pkiuser
pki_instance_name=pki-apache
pki_http_port=80
pki_https_port=443
+
###############################################################################
-## 'Tomcat' Data: ##
+## Tomcat Configuration: ##
## ##
## Values in this section are common to PKI subsystems that run ##
## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
@@ -108,6 +123,7 @@ pki_https_port=443
[Tomcat]
pki_ajp_port=8009
pki_clone=False
+pki_clone_pkcs12_password=
pki_clone_pkcs12_path=
pki_clone_replicate_schema=True
pki_clone_replication_master_port=
@@ -123,8 +139,9 @@ pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=true
pki_tomcat_server_port=8005
+
###############################################################################
-## 'CA' Data: ##
+## CA Configuration: ##
## ##
## Values in this section are common to CA subsystems including 'PKI CAs', ##
## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
@@ -162,8 +179,9 @@ pki_ocsp_signing_token=
pki_subordinate=False
pki_subsystem=CA
pki_subsystem_name=
+
###############################################################################
-## 'KRA' Data: ##
+## KRA Configuration: ##
## ##
## Values in this section are common to KRA subsystems ##
## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
@@ -186,8 +204,9 @@ pki_transport_nickname=
pki_transport_signing_algorithm=SHA256withRSA
pki_transport_subject_dn=
pki_transport_token=
+
###############################################################################
-## 'OCSP' Data: ##
+## OCSP Configuration: ##
## ##
## Values in this section are common to OCSP subsystems ##
## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
@@ -203,8 +222,9 @@ pki_ocsp_signing_subject_dn=
pki_ocsp_signing_token=
pki_subsystem=OCSP
pki_subsystem_name=
+
###############################################################################
-## 'RA' Data: ##
+## RA Configuration: ##
## ##
## Values in this section are common to PKI RA subsystems, and contain ##
## required information which MAY be overridden by users as necessary. ##
@@ -212,8 +232,9 @@ pki_subsystem_name=
[RA]
pki_subsystem=RA
pki_subsystem_name=
+
###############################################################################
-## 'TKS' Data: ##
+## TKS Configuration: ##
## ##
## Values in this section are common to TKS subsystems ##
## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
@@ -222,8 +243,9 @@ pki_subsystem_name=
[TKS]
pki_subsystem=TKS
pki_subsystem_name=
+
###############################################################################
-## 'TPS' Data: ##
+## TPS Configuration: ##
## ##
## Values in this section are common to PKI TPS subsystems, and contain ##
## required information which MAY be overridden by users as necessary. ##
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 1597712e1..88a47308f 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -29,7 +29,6 @@ try:
import argparse
import logging
import os
- import pprint
import socket
import struct
import subprocess
@@ -88,9 +87,6 @@ def main(argv):
print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
- # Initialize 'pretty print' for objects
- pp = pprint.PrettyPrinter(indent=4)
-
# Read and process command-line arguments.
parser = PKIConfigParser()
parser.process_command_line_arguments(argv)
@@ -116,36 +112,36 @@ def main(argv):
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
- config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv,
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_common_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_common_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_web_server_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_subsystem_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_common_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_common_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_web_server_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_subsystem_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# Combine the various sectional dictionaries into a PKI master dictionary
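Review bot: `pkilogging.format(...)` on the new lines relies on `pkilogging` being imported in this script, but the import hunk at the top only removes `pprint` and adds nothing; if the name is not already brought in by the deployment-imports block outside this hunk, every rewritten debug call raises NameError at the first parse. The matching hunks in pkispawn have the same dependency. Separately, the dump of the common, web-server and subsystem dictionaries appears twice back to back in the `else:` branch and both copies are rewritten here; unless the second copy sits under a condition hidden by the lost indentation, one of them can go. `main` continues outside the hunk.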
@@ -154,7 +150,7 @@ def main(argv):
config.pki_log_name
config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_master_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# Remove the specified PKI subsystem.
@@ -181,7 +177,7 @@ def main(argv):
sys.exit(1)
config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_master_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index a687d5bef..65c25a93d 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -29,7 +29,6 @@ try:
import argparse
import logging
import os
- import pprint
import socket
import struct
import subprocess
@@ -88,9 +87,6 @@ def main(argv):
print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
- # Initialize 'pretty print' for objects
- pp = pprint.PrettyPrinter(indent=4)
-
# Read and process command-line arguments.
parser = PKIConfigParser()
parser.process_command_line_arguments(argv)
@@ -136,43 +132,43 @@ def main(argv):
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
- config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv,
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_common_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_common_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_web_server_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_subsystem_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_common_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_common_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_web_server_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_subsystem_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# Read in the PKI slots configuration file.
parser.compose_pki_slots_dictionary()
config.pki_log.debug(log.PKI_DICTIONARY_SLOTS,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_slots_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_slots_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# Combine the various sectional dictionaries into a PKI master dictionary
@@ -185,7 +181,7 @@ def main(argv):
config.pki_log_name
config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_master_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
# Install and configure the specified PKI subsystem.
@@ -215,7 +211,7 @@ def main(argv):
sys.exit(1)
config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_master_dict),
+ config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index bf89a0170..80543b856 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -23,15 +23,9 @@ from com.netscape.certsrv.client import ClientConfig
def main(argv):
rv = 0
- # Establish 'master' and 'sensitive' as two separate PKI jython dictionaries
- master = dict()
- sensitive = dict()
-
# Import the master dictionary from 'pkispawn'
master = pickle.loads(argv[1])
-
- # Import the sensitive data dictionary from 'pkispawn'
- sensitive = pickle.loads(argv[2])
+ sensitive_parameters = master['sensitive_parameters'].split()
# Optionally enable a java debugger (e. g. - 'eclipse'):
if config.str2bool(master['pki_enable_java_debugger']):
@@ -63,8 +57,12 @@ def main(argv):
(log.PKI_JYTHON_INDENTATION_2,
javasystem.getProperties()['java.class.path'])
for key in master:
+ if key in sensitive_parameters:
+ value = 'XXXXXXXX'
+ else:
+ value = master[key]
print "%s '%s' = '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2, key, master[key])
+ (log.PKI_JYTHON_INDENTATION_2, key, value)
# Initialize token
jyutil.security_databases.initialize_token(
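Review bot: The masking block inserted before the `print` duplicates `pkilogging.format` — the same list membership test and the same literal `'XXXXXXXX'` — so the two will drift the next time the mask or the rule changes. If pkilogging is importable under jython the way `config` and `log` are, a one-call helper there (e.g. `value = pkilogging.mask(key, master[key])`, or a similar name) would keep a single definition; otherwise at least lift the literal into a named constant beside the other jython constants. Note also that `master['sensitive_parameters'].split()` in the earlier hunk raises a bare KeyError on a deployment file that predates the `[DEFAULT]` section, which fails closed but without a message naming the cause. `main` continues outside the hunk.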
@@ -84,8 +82,7 @@ def main(argv):
# Establish REST Client
client = jyutil.rest_client.initialize(
client_config,
- master,
- sensitive)
+ master)
# Construct PKI Subsystem Configuration Data
data = None
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index c9454d951..2d7797b06 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -22,7 +22,6 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
import pkihelper as util
import pkimessages as log
import pkiscriptlet
@@ -51,7 +50,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- sensitive['pki_client_database_password'], pin_sans_token=True)
+ master['pki_client_database_password'], pin_sans_token=True)
util.file.modify(master['pki_client_password_conf'],
uid=0, gid=0)
# Similarly, create a simple password file containing the
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 92e46d045..004366216 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -199,7 +199,7 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
-pki_sensitive_dict = None
+pki_default_dict = None
pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 904e08614..8be6c5c5d 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -42,7 +42,6 @@ import seobject
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
from pkiconfig import pki_selinux_config_ports as ports
import pkimanifest as manifest
@@ -419,7 +418,7 @@ class configuration_file:
# NOTE: This is the one and only parameter containing a sensitive
# parameter that may be stored in a log file.
config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1,
- sensitive['pki_configuration_url'],
+ master['pki_configuration_url'],
extra=config.PKI_INDENTATION_LEVEL_2)
config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1,
master['pki_registry_initscript_command'],
@@ -428,7 +427,7 @@ class configuration_file:
def display_configuration_url(self):
# NOTE: This is the one and only parameter containing a sensitive
# parameter that may be displayed to the screen.
- print log.PKI_CONFIGURATION_URL_1 % sensitive['pki_configuration_url']
+ print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url']
print
print log.PKI_CONFIGURATION_RESTART_1 %\
master['pki_registry_initscript_command']
@@ -438,8 +437,8 @@ class configuration_file:
# Silently verify the existence of 'sensitive' data
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
# Verify existence of Directory Server Password (ALWAYS)
- if not sensitive.has_key('pki_ds_password') or\
- not len(sensitive['pki_ds_password']):
+ if not master.has_key('pki_ds_password') or\
+ not len(master['pki_ds_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_ds_password",
@@ -448,8 +447,8 @@ class configuration_file:
sys.exit(1)
# Verify existence of Admin Password (except for Clones)
if not config.str2bool(master['pki_clone']):
- if not sensitive.has_key('pki_admin_password') or\
- not len(sensitive['pki_admin_password']):
+ if not master.has_key('pki_admin_password') or\
+ not len(master['pki_admin_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_admin_password",
@@ -458,8 +457,8 @@ class configuration_file:
sys.exit(1)
# If required, verify existence of Backup Password
if config.str2bool(master['pki_backup_keys']):
- if not sensitive.has_key('pki_backup_password') or\
- not len(sensitive['pki_backup_password']):
+ if not master.has_key('pki_backup_password') or\
+ not len(master['pki_backup_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_backup_password",
@@ -467,8 +466,8 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# Verify existence of Client Pin for NSS client security databases
- if not sensitive.has_key('pki_client_database_password') or\
- not len(sensitive['pki_client_database_password']):
+ if not master.has_key('pki_client_database_password') or\
+ not len(master['pki_client_database_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
"pki_client_database_password",
@@ -476,8 +475,8 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# Verify existence of Client PKCS #12 Password for Admin Cert
- if not sensitive.has_key('pki_client_pkcs12_password') or\
- not len(sensitive['pki_client_pkcs12_password']):
+ if not master.has_key('pki_client_pkcs12_password') or\
+ not len(master['pki_client_pkcs12_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_client_pkcs12_password",
@@ -486,8 +485,8 @@ class configuration_file:
sys.exit(1)
# Verify existence of PKCS #12 Password (ONLY for Clones)
if config.str2bool(master['pki_clone']):
- if not sensitive.has_key('pki_clone_pkcs12_password') or\
- not len(sensitive['pki_clone_pkcs12_password']):
+ if not master.has_key('pki_clone_pkcs12_password') or\
+ not len(master['pki_clone_pkcs12_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_clone_pkcs12_password",
@@ -499,8 +498,8 @@ class configuration_file:
if config.str2bool(master['pki_clone']) or\
not master['pki_subsystem'] == "CA" or\
config.str2bool(master['pki_subordinate']):
- if not sensitive.has_key('pki_security_domain_password') or\
- not len(sensitive['pki_security_domain_password']):
+ if not master.has_key('pki_security_domain_password') or\
+ not len(master['pki_security_domain_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_security_domain_password",
@@ -509,8 +508,8 @@ class configuration_file:
sys.exit(1)
# If required, verify existence of Token Password
if not master['pki_token_name'] == "internal":
- if not sensitive.has_key('pki_token_password') or\
- not len(sensitive['pki_token_password']):
+ if not master.has_key('pki_token_password') or\
+ not len(master['pki_token_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_token_password",
@@ -1954,14 +1953,14 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# overwrite the existing 'pkcs12_password.conf' file
with open(path, "wt") as fd:
- fd.write(sensitive['pki_client_pkcs12_password'])
+ fd.write(master['pki_client_pkcs12_password'])
fd.closed
else:
config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
extra=config.PKI_INDENTATION_LEVEL_2)
# create a new 'pkcs12_password.conf' file
with open(path, "wt") as fd:
- fd.write(sensitive['pki_client_pkcs12_password'])
+ fd.write(master['pki_client_pkcs12_password'])
fd.closed
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -2527,7 +2526,6 @@ class jython:
property = ""
# Compose this "jython" command
data = pickle.dumps(master)
- sensitive_data = pickle.dumps(sensitive)
ld_library_path = "LD_LIBRARY_PATH"
if master['pki_architecture'] == 64:
ld_library_path = ld_library_path + "=" +\
@@ -2537,8 +2535,7 @@ class jython:
ld_library_path = ld_library_path + "=" +\
"/usr/lib/jss:/usr/lib:/lib"
command = "export" + " " + ld_library_path + ";" + "jython" + " " +\
- property + " " + scriptlet + " " + "\"" + data + "\"" +\
- " " + "\"" + sensitive_data + "\""
+ property + " " + scriptlet + " " + "\"" + data + "\""
# Display this "jython" command
config.pki_log.info(
log.PKIHELPER_INVOKE_JYTHON_3,
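Review bot: After this change `data`, the pickled master dictionary, carries every password, yet it is still spliced into a shell command string as `"\"" + data + "\""`; a value containing a double quote, `$` or a backtick breaks the quoting, and the whole dictionary sits in the child's argument list, readable by other local users for as long as jython runs. Neither problem is new — `sensitive_data` was passed the same way — but collapsing to a single argument is the moment to hand the pickle to jython over stdin (or a mode-0600 temporary file removed afterwards) and to build the command as an argument list rather than a string. The enclosing method continues outside the hunk.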
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e6098b01a..e106f0141 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -276,12 +276,10 @@ class security_databases:
class rest_client:
client = None
master = None
- sensitive = None
- def initialize(self, client_config, master, sensitive):
+ def initialize(self, client_config, master):
try:
self.master = master
- self.sensitive = sensitive
log_level = master['pki_jython_log_level']
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
@@ -299,7 +297,7 @@ class rest_client:
data.setSecurityDomainUri(self.master['pki_security_domain_uri'])
data.setSecurityDomainUser(self.master['pki_security_domain_user'])
data.setSecurityDomainPassword(
- self.sensitive['pki_security_domain_password'])
+ self.master['pki_security_domain_password'])
def set_new_security_domain(self, data):
data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN)
@@ -309,7 +307,7 @@ class rest_client:
data.setIsClone("true")
data.setCloneUri(self.master['pki_clone_uri'])
data.setP12File(self.master['pki_clone_pkcs12_path'])
- data.setP12Password(self.sensitive['pki_clone_pkcs12_password'])
+ data.setP12Password(self.master['pki_clone_pkcs12_password'])
data.setReplicateSchema(self.master['pki_clone_replicate_schema'])
data.setReplicationSecurity(
self.master['pki_clone_replication_security'])
@@ -326,7 +324,7 @@ class rest_client:
data.setBaseDN(self.master['pki_ds_base_dn'])
data.setBindDN(self.master['pki_ds_bind_dn'])
data.setDatabase(self.master['pki_ds_database'])
- data.setBindpwd(self.sensitive['pki_ds_password'])
+ data.setBindpwd(self.master['pki_ds_password'])
if config.str2bool(self.master['pki_ds_remove_data']):
data.setRemoveData("true")
else:
@@ -340,14 +338,14 @@ class rest_client:
if config.str2bool(self.master['pki_backup_keys']):
data.setBackupKeys("true")
data.setBackupFile(self.master['pki_backup_keys_p12'])
- data.setBackupPassword(self.sensitive['pki_backup_password'])
+ data.setBackupPassword(self.master['pki_backup_password'])
else:
data.setBackupKeys("false")
def set_admin_parameters(self, token, data):
data.setAdminEmail(self.master['pki_admin_email'])
data.setAdminName(self.master['pki_admin_name'])
- data.setAdminPassword(self.sensitive['pki_admin_password'])
+ data.setAdminPassword(self.master['pki_admin_password'])
data.setAdminProfileID(self.master['pki_admin_profile_id'])
data.setAdminUID(self.master['pki_admin_uid'])
data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
@@ -422,7 +420,7 @@ class rest_client:
data = ConfigurationRequest()
# Miscellaneous Configuration Information
- data.setPin(self.sensitive['pki_one_time_pin'])
+ data.setPin(master['pki_one_time_pin'])
data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
data.setSubsystemName(master['pki_subsystem_name'])
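Review bot: `data.setPin(master['pki_one_time_pin'])` reads the bare name `master` where every other accessor rewritten in this file uses `self.master`; the neighbouring `setSubsystemName(master[...])` context line does the same, so presumably a `master` parameter is in scope, but the method signature is outside the hunk and I cannot confirm it. `data.setPin(self.master['pki_one_time_pin'])` keeps the class consistent and removes the dependency on that parameter. The enclosing method continues outside the hunk.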
diff --git a/base/deploy/src/scriptlets/pkilogging.py b/base/deploy/src/scriptlets/pkilogging.py
index 9b22ae39c..3c146a12c 100644
--- a/base/deploy/src/scriptlets/pkilogging.py
+++ b/base/deploy/src/scriptlets/pkilogging.py
@@ -22,7 +22,25 @@
# System Imports
import logging
import os
+import pprint
+sensitive_parameters = []
+
+# Initialize 'pretty print' for objects
+pp = pprint.PrettyPrinter(indent=4)
+
+def format(dict):
+ new_dict = {}
+
+ # mask sensitive data
+ for key in dict:
+ if key in sensitive_parameters:
+ value = 'XXXXXXXX'
+ else:
+ value = dict[key]
+ new_dict[key] = value
+
+ return pp.pformat(new_dict)
# PKI Deployment Logging Functions
def enable_pki_logger(log_dir, log_name, log_level, console_log_level, logger):
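Review bot: The new `format` function has no docstring and shadows the builtin `format`, while its parameter shadows `dict`; renaming the parameter (`def format(values):` with the body using `values`) costs nothing because every caller passes the dictionary positionally. The docstring should state the contract a caller needs: keys listed in the module-level `sensitive_parameters` have their value replaced by a fixed mask, only top-level keys are checked so nested values are emitted verbatim, and the list is empty until pkiparser assigns it after reading the configuration file, so anything formatted before that point is emitted in clear. The mask literal `'XXXXXXXX'` also appears in configuration.jy; a module constant here, e.g. `SENSITIVE_VALUE_MASK = 'XXXXXXXX'`, would give both one definition.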
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 435f7d10e..cec154c0a 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -193,7 +193,7 @@ PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
"context %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
- "jython %s %s <master_dictionary> <sensitive_data>'"
+ "jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
PKIHELPER_IS_A_FILE_1 = "'%s' is a file"
PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 58da5d260..438b23bd7 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -31,6 +31,7 @@ import time
# PKI Deployment Imports
+import pkilogging
import pkiconfig as config
import pkimessages as log
@@ -222,7 +223,8 @@ class PKIConfigParser:
# Make keys case-sensitive!
self.pki_config.optionxform = str
self.pki_config.read(config.pkideployment_cfg)
- config.pki_sensitive_dict = dict(self.pki_config._sections['Sensitive'])
+ config.pki_default_dict = self.pki_config.defaults()
+ pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split()
config.pki_common_dict = dict(self.pki_config._sections['Common'])
if config.pki_subsystem == "CA":
config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
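Review bot: `config.pki_default_dict = self.pki_config.defaults()` stores the parser's own defaults mapping rather than a copy — `RawConfigParser.defaults()` returns its internal dictionary — whereas the neighbouring assignments wrap `_sections[...]` in `dict(...)`; the `config.pki_default_dict[0] = None` added in the next hunk therefore writes an integer key into live parser state. `config.pki_default_dict = dict(self.pki_config.defaults())` matches the other lines. The `['sensitive_parameters']` lookup on the following line raises a bare KeyError for a deployment file that predates the `[DEFAULT]` section, and that is not caught by the `ParsingError` handler below; a check that names the missing meta-parameter would fail just as closed but explain why. The enclosing method continues outside the hunk.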
@@ -244,10 +246,12 @@ class PKIConfigParser:
config.pki_subsystem_dict = dict(self.pki_config._sections['TPS'])
# Insert empty record into dictionaries for "pretty print" statements
# NEVER print "sensitive" key value pairs!!!
+ config.pki_default_dict[0] = None
config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
except ConfigParser.ParsingError, err:
+ print err
rv = err
return rv
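Review bot: `print err` on the new line writes the `ConfigParser.ParsingError` to the console, and `rv = err` hands the same object to the callers in pkispawn and pkidestroy, which log it through `PKI_UNABLE_TO_PARSE_1`; a ParsingError's message embeds the raw text of every offending line, so a malformed `pki_ds_password=...` or similar entry would put the password itself on the screen and into the log file, bypassing the masking this commit introduces. Reporting only the file name and line numbers — the exception keeps them as `err.errors`, a list of `(lineno, line)` pairs — keeps the diagnostic without the values, e.g. `print "parse error in %s at line(s) %s" % (config.pkideployment_cfg, [n for n, _ in err.errors])`. The enclosing method continues outside the hunk.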
@@ -277,18 +281,19 @@ class PKIConfigParser:
# the configuration file
pin_low = 100000000000
pin_high = 999999999999
- config.pki_sensitive_dict['pki_pin'] =\
+ config.pki_master_dict['pki_pin'] =\
random.randint(pin_low, pin_high)
- config.pki_sensitive_dict['pki_client_pin'] =\
+ config.pki_master_dict['pki_client_pin'] =\
random.randint(pin_low, pin_high)
# Generate a one-time pin to be used prior to configuration
# and add this to the "sensitive" key value pairs read in from
# the configuration file
- config.pki_sensitive_dict['pki_one_time_pin'] =\
+ config.pki_master_dict['pki_one_time_pin'] =\
''.join(random.choice(string.ascii_letters + string.digits)\
for x in range(20))
# Configuration file name/value pairs
# NEVER add "sensitive" key value pairs to the master dictionary!!!
+ config.pki_master_dict.update(config.pki_default_dict)
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
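Review bot: The comment `# NEVER add "sensitive" key value pairs to the master dictionary!!!` directly above the new `update(config.pki_default_dict)` line now states the opposite of what the code does — the common and subsystem dictionaries merged on the following lines carry every password, and the pins generated a few lines earlier are written straight into `pki_master_dict`. The comments reading `# and add this to the "sensitive" key value pairs read in from` are stale for the same reason. Replace them with one statement of the new rule, e.g. `# Sensitive values now live in the master dictionary; anything logged from it must go through pkilogging.format, which masks the names listed in sensitive_parameters.` The enclosing method continues outside the hunk.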
@@ -1141,7 +1146,7 @@ class PKIConfigParser:
config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\
- config.pki_sensitive_dict['pki_pin']
+ config.pki_master_dict['pki_pin']
config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\
config.pki_master_dict['pki_target_cs_cfg']
config.pki_master_dict\
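Review bot: `PKI_CERT_DB_PASSWORD_SLOT` receives a copy of `pki_pin` here, and `PKI_RANDOM_NUMBER_SLOT` a copy of `pki_one_time_pin` in the next hunk, but neither slot name is in the `sensitive_parameters` list and `pkilogging.format` masks by key name only. If the debug dump of `pki_master_dict` in pkispawn and pkidestroy runs after these slots are composed — it follows the master-dictionary assembly, so it appears to — both pins are written to the log under the slot names in clear. Either add the two `*_SLOT` names to the list in pkideployment.cfg or have the masking also hide any key whose value equals a listed parameter's value; the first is simpler and keeps the rule declarative. The enclosing method continues outside the hunk.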
@@ -1213,7 +1218,7 @@ class PKIConfigParser:
config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
config.pki_master_dict['pki_tomcat_tmpdir_path']
config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
- config.pki_sensitive_dict['pki_one_time_pin']
+ config.pki_master_dict['pki_one_time_pin']
config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
@@ -1351,19 +1356,19 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and is NOT redefined below:
#
- # config.pki_sensitive_dict['pki_client_pkcs12_password']
+ # config.pki_master_dict['pki_client_pkcs12_password']
# config.pki_master_dict['pki_client_database_purge']
#
# The following variables are established via the specified PKI
# deployment configuration file and potentially overridden below:
#
- # config.pki_sensitive_dict['pki_client_database_password']
+ # config.pki_master_dict['pki_client_database_password']
# config.pki_master_dict['pki_client_dir']
#
- if not len(config.pki_sensitive_dict['pki_client_database_password']):
+ if not len(config.pki_master_dict['pki_client_database_password']):
# use randomly generated client 'pin'
- config.pki_sensitive_dict['pki_client_database_password'] =\
- str(config.pki_sensitive_dict['pki_client_pin'])
+ config.pki_master_dict['pki_client_database_password'] =\
+ str(config.pki_master_dict['pki_client_pin'])
if not len(config.pki_master_dict['pki_client_dir']):
config.pki_master_dict['pki_client_dir'] =\
os.path.join(
@@ -1434,9 +1439,9 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_clone_pkcs12_password']
- # config.pki_sensitive_dict['pki_security_domain_password']
- # config.pki_sensitive_dict['pki_token_password']
+ # config.pki_master_dict['pki_clone_pkcs12_password']
+ # config.pki_master_dict['pki_security_domain_password']
+ # config.pki_master_dict['pki_token_password']
# config.pki_master_dict['pki_clone_pkcs12_path']
# config.pki_master_dict['pki_clone_uri']
# config.pki_master_dict['pki_security_domain_https_port']
@@ -1552,7 +1557,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_ds_password']
+ # config.pki_master_dict['pki_ds_password']
# config.pki_master_dict['pki_clone_replication_security']
# config.pki_master_dict['pki_ds_bind_dn']
# config.pki_master_dict['pki_ds_ldap_port']
@@ -1612,7 +1617,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_backup_password']
+ # config.pki_master_dict['pki_backup_password']
# config.pki_master_dict['pki_backup_keys']
#
if config.str2bool(config.pki_master_dict['pki_backup_keys']):
@@ -1633,7 +1638,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_admin_password']
+ # config.pki_master_dict['pki_admin_password']
# config.pki_master_dict['pki_admin_cert_request_type']
# config.pki_master_dict['pki_admin_dualkey']
# config.pki_master_dict['pki_admin_keysize']
@@ -2334,13 +2339,13 @@ class PKIConfigParser:
# parameter that may be stored in a log file and displayed
# to the screen.
#
- config.pki_sensitive_dict['pki_configuration_url'] =\
+ config.pki_master_dict['pki_configuration_url'] =\
"https://{}:{}/{}/{}?pin={}".format(
config.pki_master_dict['pki_hostname'],
config.pki_master_dict['pki_https_port'],
config.pki_master_dict['pki_subsystem'].lower(),
"admin/console/config/login",
- config.pki_sensitive_dict['pki_one_time_pin'])
+ config.pki_master_dict['pki_one_time_pin'])
# Compose this "systemd" execution management command
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
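Review bot: pki_configuration_url embeds pki_one_time_pin in its query string, so masking pki_one_time_pin alone is not enough — the URL key itself must appear in the new sensitive-parameter list, which lives in pkideployment.cfg outside this hunk and cannot be confirmed here. The comment at the top of the hunk still reads as if the value were being kept out of log and screen output by where it is stored; if the list is now the mechanism, the comment should say so, e.g. `# pki_configuration_url carries the one-time pin; it must be listed as sensitive so it is masked in logs and on screen.` The enclosing method continues outside the hunk.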
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 0cc660b3a..a74a4c157 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,7 +22,6 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
import pkihelper as util
import pkimessages as log
import pkiscriptlet
@@ -41,14 +40,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
util.password.create_password_conf(
master['pki_shared_password_conf'],
- sensitive['pki_pin'])
+ master['pki_pin'])
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a temporary server 'pfile'
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
+ master['pki_pin'], pin_sans_token=True)
util.file.modify(master['pki_shared_password_conf'])
util.certutil.create_security_databases(
master['pki_database_path'],