authorAndrew Wnuk <awnuk@redhat.com>2012-08-17 17:49:21 -0700
committerAndrew Wnuk <awnuk@redhat.com>2012-08-17 17:49:21 -0700
commitc987bc0c31da927b2f764a4ae42bd8fb4a245fee (patch)
tree8f645d82f88563c2d4e93ed4c23abc06855f4eea
parent477fd0b29e53b9706f5f458eae342bc35ea82adf (diff)
downloadpki-c987bc0c31da927b2f764a4ae42bd8fb4a245fee.tar.gz
pki-c987bc0c31da927b2f764a4ae42bd8fb4a245fee.tar.xz
pki-c987bc0c31da927b2f764a4ae42bd8fb4a245fee.zip
DRM connector protection
This patch prevents the DRM connector from being overwritten by subsequent DRM installations. Bug 804179.
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java9
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java78
-rw-r--r--dogtag/common-ui/shared/admin/console/config/donepanel.vm12
3 files changed, 62 insertions, 37 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 9b8d62537..895bf48dd 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -438,13 +438,18 @@ public class DonePanel extends WizardPanelBase {
// need to push connector information to the CA
if (type.equals("KRA") && !ca_host.equals("")) {
+ boolean connectorUpdated = true;
try {
updateConnectorInfo(ownagenthost, ownagentsport);
+ CMS.debug("DonePanel: connector information updated.");
} catch (IOException e) {
context.put("errorString", "Failed to update connector information.");
- return;
+ context.put("info", "Failed to update connector information. "+e.getMessage());
+ connectorUpdated = false;
+ CMS.debug("DonePanel: exception in updating connector information. "+e.getMessage());
+ //return;
}
- setupClientAuthUser();
+ if (connectorUpdated) setupClientAuthUser();
} // if KRA
// import the CA certificate into the OCSP
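Review bot: The added `context.put("info", "Failed to update connector information. "+e.getMessage())` hands the raw exception message to the wizard page, and the donepanel.vm hunk in this commit prints it as `<b>$info</b>` with no escaping visible. The body of updateConnectorInfo is not shown, but the template labels the text as reported by the Certificate Authority, so the message presumably carries content from the remote response. It should be HTML-escaped before it reaches the page, with the unmodified message going only to `CMS.debug`. The leftover `//return;` should be deleted rather than committed as commented-out code. The enclosing method starts and ends outside the hunk.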
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
index d5c4f017d..f7a49dd5a 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
@@ -122,41 +122,46 @@ public class UpdateConnector extends CMSServlet {
return;
}
- IConfigStore cs = CMS.getConfigStore();
-
- Enumeration list = httpReq.getParameterNames();
- while (list.hasMoreElements()) {
- String name = (String)list.nextElement();
- String val = httpReq.getParameter(name);
- if (name != null && name.startsWith("ca.connector")) {
- CMS.debug("Adding connector update name=" + name + " val=" + val);
- cs.putString(name, val);
- } else {
- CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ // check if connector exists
+ ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca");
+ ICAService caService = (ICAService)ca.getCAService();
+ boolean connectorExists = (caService.getKRAConnector() != null)? true:false;
+ if (connectorExists) {
+ CMS.debug("UpdateConnector: KRA connector already exists");
+ } else {
+ IConfigStore cs = CMS.getConfigStore();
+
+ Enumeration list = httpReq.getParameterNames();
+ while (list.hasMoreElements()) {
+ String name = (String)list.nextElement();
+ String val = httpReq.getParameter(name);
+ if (name != null && name.startsWith("ca.connector")) {
+ CMS.debug("Adding connector update name=" + name + " val=" + val);
+ cs.putString(name, val);
+ } else {
+ CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ }
+ }
+
+ try {
+ String nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ cs.putString("ca.connector.KRA.nickName", nickname);
+ cs.commit(false);
+ } catch (Exception e) {
}
- }
-
- try {
- String nickname = cs.getString("ca.subsystem.nickname", "");
- String tokenname = cs.getString("ca.subsystem.tokenname", "");
- if (!tokenname.equals("Internal Key Storage Token"))
- nickname = tokenname+":"+nickname;
- cs.putString("ca.connector.KRA.nickName", nickname);
- cs.commit(false);
- } catch (Exception e) {
- }
- // start the connector
- try {
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
- ICAService caService = (ICAService)ca.getCAService();
- IConnector kraConnector = caService.getConnector(
- cs.getSubStore("ca.connector.KRA"));
- caService.setKRAConnector(kraConnector);
- kraConnector.start();
- } catch (Exception e) {
- CMS.debug("Failed to start connector " + e);
+ // start the connector
+ try {
+ IConnector kraConnector = caService.getConnector(
+ cs.getSubStore("ca.connector.KRA"));
+ caService.setKRAConnector(kraConnector);
+ kraConnector.start();
+ } catch (Exception e) {
+ CMS.debug("Failed to start connector " + e);
+ }
}
// send success status back to the requestor
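Review bot: The overwrite guard is a check-then-act: `caService.getKRAConnector() != null` is read near the top and `caService.setKRAConnector(kraConnector)` runs much later with no lock visible in the hunk, so two installation requests arriving together can both see no connector and the later one still replaces the first. Wrapping the check, the config writes and the set in one `synchronized (caService) { ... }` section would close that window. Separately, `CMS.getSubsystem("ca")` and `ca.getCAService()` were moved out of the old `try`, so a null subsystem now surfaces as an unhandled NullPointerException instead of the logged "Failed to start connector"; a null check before `ca` is dereferenced would keep that failure controlled. `(caService.getKRAConnector() != null)? true:false` can be just `caService.getKRAConnector() != null`. The method begins before the hunk.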
@@ -165,7 +170,12 @@ public class UpdateConnector extends CMSServlet {
XMLObject xmlObj = new XMLObject();
Node root = xmlObj.createRoot("XMLResponse");
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ if (connectorExists) {
+ xmlObj.addItemToContainer(root, "Status", FAILED);
+ xmlObj.addItemToContainer(root, "Error", "DRM connector already exists.");
+ } else {
+ xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ }
byte[] cb = xmlObj.toByteArray();
outputResult(httpResp, "application/xml", cb);
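Review bot: The `else` branch reports `SUCCESS` for every request that did not find an existing connector, even though the preceding hunk swallows a failed `cs.commit(false)` in an empty `catch (Exception e) {}` and only logs a failed `kraConnector.start()`. The installing DRM then treats the connector as configured (DonePanel goes on to `setupClientAuthUser()`), while the CA may have neither saved nor started it. Tracking a `boolean connectorConfigured` that the two catch blocks clear, and returning `FAILED` with an `Error` item when it is false, would make the status truthful. The surrounding method extends beyond the hunk.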
diff --git a/dogtag/common-ui/shared/admin/console/config/donepanel.vm b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
index 062025825..59d22a977 100644
--- a/dogtag/common-ui/shared/admin/console/config/donepanel.vm
+++ b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
@@ -58,7 +58,17 @@ Please go to the <A href="https://$host:$port/$systemType/services"><b>services
#end
<br/>
To create additional instances, type "/usr/bin/pkicreate" on the command line.
-<br>
#if ($systemType != "tps")
+<br>
To start the administration console, type "/usr/bin/pkiconsole" on the command line.
+<br/>
+#end
+#if (($systemType == "kra") && ($info != ""))
+<hr>
+<br>
+<b>Important warning</b> reported by Certificate Authority:<br>&nbsp;&nbsp;&nbsp;&nbsp;<b>$info</b>
+<br/>
+<br>
+This instance of Data Recovery Manager (DRM) is not connected to any Certificate Authority (CA). Please consult the product documentation for the manual procedure of connecting a DRM to a CA.
+<br/>
#end
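Review bot: The new `#if (($systemType == "kra") && ($info != ""))` assumes `$info` is always defined, but the DonePanel hunk in this commit only puts `info` into the context inside the `catch` branch. If nothing else initialises it (not visible here), the comparison runs against a null reference, and how Velocity evaluates that differs between versions, so the warning block could appear after a successful install or be suppressed with a logged error. Guarding with `#if (($systemType == "kra") && $info && ($info != ""))`, or having DonePanel always set `info` to an empty string first, removes the ambiguity.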