author | Andrew Wnuk <awnuk@redhat.com> | 2012-08-17 17:49:21 -0700 |
---|---|---|
committer | Andrew Wnuk <awnuk@redhat.com> | 2012-08-17 17:49:21 -0700 |
commit | c987bc0c31da927b2f764a4ae42bd8fb4a245fee (patch) | |
tree | 8f645d82f88563c2d4e93ed4c23abc06855f4eea | |
parent | 477fd0b29e53b9706f5f458eae342bc35ea82adf (diff) | |
DRM connector protection
This patch prevents the DRM connector from being overwritten by subsequent DRM installations.
Bug 804179.
3 files changed, 62 insertions, 37 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 9b8d62537..895bf48dd 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -438,13 +438,18 @@ public class DonePanel extends WizardPanelBase {
 // need to push connector information to the CA
 if (type.equals("KRA") && !ca_host.equals("")) {
+ boolean connectorUpdated = true;
 try {
 updateConnectorInfo(ownagenthost, ownagentsport);
+ CMS.debug("DonePanel: connector information updated.");
 } catch (IOException e) {
 context.put("errorString", "Failed to update connector information.");
- return;
+ context.put("info", "Failed to update connector information. "+e.getMessage());
+ connectorUpdated = false;
+ CMS.debug("DonePanel: exception in updating connector information. "+e.getMessage());
+ //return;
 }
- setupClientAuthUser();
+ if (connectorUpdated) setupClientAuthUser();
 } // if KRA
 // import the CA certificate into the OCSP
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
index d5c4f017d..f7a49dd5a 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
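Review bot: The catch block in DonePanel now leaves `//return;` behind as commented-out code and logs only `e.getMessage()`, which may be null and loses the exception type; delete the dead line and log the exception itself, `CMS.debug("DonePanel: exception in updating connector information. " + e);`, matching the `"Failed to start connector " + e` form used in UpdateConnector. The same failure text is now stored under both `errorString` and `info`, so a reader cannot tell from the context alone which one is fatal; a one-line comment such as `// info: non-fatal warning rendered by donepanel.vm; errorString kept for existing consumers` at the `context.put("info", ...)` line would settle it. `if (connectorUpdated) setupClientAuthUser();` should be braced like the surrounding `if`/`try` blocks. The enclosing method starts and ends outside the hunk.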
@@ -122,41 +122,46 @@ public class UpdateConnector extends CMSServlet {
 return;
 }
- IConfigStore cs = CMS.getConfigStore();
-
- Enumeration list = httpReq.getParameterNames();
- while (list.hasMoreElements()) {
- String name = (String)list.nextElement();
- String val = httpReq.getParameter(name);
- if (name != null && name.startsWith("ca.connector")) {
- CMS.debug("Adding connector update name=" + name + " val=" + val);
- cs.putString(name, val);
- } else {
- CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ // check if connector exists
+ ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca");
+ ICAService caService = (ICAService)ca.getCAService();
+ boolean connectorExists = (caService.getKRAConnector() != null)? true:false;
+ if (connectorExists) {
+ CMS.debug("UpdateConnector: KRA connector already exists");
+ } else {
+ IConfigStore cs = CMS.getConfigStore();
+
+ Enumeration list = httpReq.getParameterNames();
+ while (list.hasMoreElements()) {
+ String name = (String)list.nextElement();
+ String val = httpReq.getParameter(name);
+ if (name != null && name.startsWith("ca.connector")) {
+ CMS.debug("Adding connector update name=" + name + " val=" + val);
+ cs.putString(name, val);
+ } else {
+ CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ }
+ }
+
+ try {
+ String nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ cs.putString("ca.connector.KRA.nickName", nickname);
+ cs.commit(false);
+ } catch (Exception e) {
 }
- }
-
- try {
- String nickname = cs.getString("ca.subsystem.nickname", "");
- String tokenname = cs.getString("ca.subsystem.tokenname", "");
- if (!tokenname.equals("Internal Key Storage Token"))
- nickname = tokenname+":"+nickname;
- cs.putString("ca.connector.KRA.nickName", nickname);
- cs.commit(false);
- } catch (Exception e) {
- }
- // start the connector
- try {
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
- ICAService caService = (ICAService)ca.getCAService();
- IConnector kraConnector = caService.getConnector(
- cs.getSubStore("ca.connector.KRA"));
- caService.setKRAConnector(kraConnector);
- kraConnector.start();
- } catch (Exception e) {
- CMS.debug("Failed to start connector " + e);
+ // start the connector
+ try {
+ IConnector kraConnector = caService.getConnector(
+ cs.getSubStore("ca.connector.KRA"));
+ caService.setKRAConnector(kraConnector);
+ kraConnector.start();
+ } catch (Exception e) {
+ CMS.debug("Failed to start connector " + e);
+ }
 }
 // send success status back to the requestor
@@ -165,7 +170,12 @@ public class UpdateConnector extends CMSServlet {
 XMLObject xmlObj = new XMLObject();
 Node root = xmlObj.createRoot("XMLResponse");
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ if (connectorExists) {
+ xmlObj.addItemToContainer(root, "Status", FAILED);
+ xmlObj.addItemToContainer(root, "Error", "DRM connector already exists.");
+ } else {
+ xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ }
 byte[] cb = xmlObj.toByteArray();
 outputResult(httpResp, "application/xml", cb);
diff --git a/dogtag/common-ui/shared/admin/console/config/donepanel.vm b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
index 062025825..59d22a977 100644
--- a/dogtag/common-ui/shared/admin/console/config/donepanel.vm
+++ b/dogtag/common-ui/shared/admin/console/config/donepanel.vm
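Review bot: The relocated `catch (Exception e) { }` around `cs.putString("ca.connector.KRA.nickName", ...)` and `cs.commit(false)` still swallows the failure without a log line, the start path only logs `Failed to start connector`, and the second hunk (`@@ -165,7 +170,12`) still answers `SUCCESS` whenever `connectorExists` is false — so a DRM whose connector was never persisted or never started is presumably told by the CA that it is connected, while the new already-exists branch correctly returns `FAILED` with an `Error` item. Track the outcome of the configure/start step and report it the same way; a sketch of the rewritten lines is below. `boolean connectorExists = (caService.getKRAConnector() != null)? true:false;` is simply `boolean connectorExists = caService.getKRAConnector() != null;`. The guard relies on the live connector object, so if the CA can have `ca.connector.KRA.*` already in its config store while `getKRAConnector()` is null (for instance after the start above failed), this check would not stop the overwrite — worth confirming against how the CA initializes the connector. The enclosing method starts outside the first hunk.
```java
boolean connectorExists = caService.getKRAConnector() != null;
boolean connectorStarted = false;
if (connectorExists) {
    CMS.debug("UpdateConnector: KRA connector already exists");
} else {
    IConfigStore cs = CMS.getConfigStore();
    // … unchanged: copy ca.connector.* request parameters into cs …
    try {
        // … unchanged: derive nickname from ca.subsystem.nickname/tokenname …
        cs.putString("ca.connector.KRA.nickName", nickname);
        cs.commit(false);
        // only start a connector whose configuration was actually persisted
        IConnector kraConnector = caService.getConnector(
                cs.getSubStore("ca.connector.KRA"));
        caService.setKRAConnector(kraConnector);
        kraConnector.start();
        connectorStarted = true;
    } catch (Exception e) {
        CMS.debug("UpdateConnector: failed to configure or start connector " + e);
    }
}
// … unchanged: up to the XMLResponse root …
if (connectorExists) {
    xmlObj.addItemToContainer(root, "Status", FAILED);
    xmlObj.addItemToContainer(root, "Error", "DRM connector already exists.");
} else if (!connectorStarted) {
    xmlObj.addItemToContainer(root, "Status", FAILED);
    xmlObj.addItemToContainer(root, "Error", "Failed to configure DRM connector.");
} else {
    xmlObj.addItemToContainer(root, "Status", SUCCESS);
}
```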
@@ -58,7 +58,17 @@ Please go to the <A href="https://$host:$port/$systemType/services"><b>services
 #end
 <br/>
 To create additional instances, type "/usr/bin/pkicreate" on the command line.
-<br>
 #if ($systemType != "tps")
+<br>
 To start the administration console, type "/usr/bin/pkiconsole" on the command line.
+<br/>
+#end
+#if (($systemType == "kra") && ($info != ""))
+<hr>
+<br>
+<b>Important warning</b> reported by Certificate Authority:<br> <b>$info</b>
+<br/>
+<br>
+This instance of Data Recovery Manager (DRM) is not connected to any Certificate Authority (CA). Please consult the product documentation for the manual procedure of connecting a DRM to a CA.
+<br/>
 #end
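Review bot: `$info` is written into the page unescaped at `<b>$info</b>`; DonePanel fills it with `e.getMessage()`, and the page header "reported by Certificate Authority" together with the `Error` item added in UpdateConnector suggests that text can originate from the CA's response, so any markup it carries would be rendered in the admin page rather than displayed as text. Escape the value at the point of output, or HTML-escape it server-side before it is put into the context and keep the raw message only in the debug log. The `($info != "")` test also depends on how this Velocity version compares an undefined reference with a string, since `info` is never put into the context when no exception occurred; guarding on the reference first, `#if (($systemType == "kra") && $info && ($info != ""))`, makes the intent explicit.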