diff options
author | Ade Lee <alee@redhat.com> | 2012-02-16 14:38:40 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-02-23 22:10:26 -0500 |
commit | ff4d47d6f176c5f7bc1d2848943c6098f8463253 (patch) | |
tree | 1730ea2247a5c80f3aeae7c3f0456d08cd68f49c | |
parent | 517c6f70fb15b3d0b2a9b17418ca5dbddc419520 (diff) | |
download | pki-ff4d47d6f176c5f7bc1d2848943c6098f8463253.tar.gz pki-ff4d47d6f176c5f7bc1d2848943c6098f8463253.tar.xz pki-ff4d47d6f176c5f7bc1d2848943c6098f8463253.zip |
Add client auth user to default install
When a subsystem is configured, a user is created to facilitate communication
between subsystems. This user is created on the security domain ca, and is
has the subsystem certificate in its user record.
This user will be reused as a user that can talk to the database using the
subsystem certificate for client auth. To do this, this patch does the following:
1. If not the security domain master CA, adds this user to the subsystem, and
adds the subsystem cert.
2. Adds the subsystem cert subject dn to the user's record in the seeAlso attribute
3. Adds acis for this user for the $basedn and for cn=config (for VLV searches)
By default, this user and acls will be added when the system is configured.
To actually use the user and client auth, more config steps are required. They
will be doc'ed in https://fedorahosted.org/pki/ticket/5
6 files changed, 176 insertions, 27 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java index 8d870ad90..3fae432df 100644 --- a/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java +++ b/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java @@ -17,10 +17,9 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.logging; - /** * Define audit log message format. Note that the name of this - * class "AuditFormat" is legacy and has nothing to do with the signed + * class "AuditFormat" is legacy and has nothing to do with the signed * audit log events format * * @version $Revision$, $Date$ @@ -104,9 +103,11 @@ public class AuditFormat { public static final String ADDUSERGROUPFORMAT = "Admin UID: {0} added User UID: {1} to group: {2}"; public static final String REMOVEUSERGROUPFORMAT = - "Admin UID: {0} removed User UID: {1} from group: {2}"; + "Admin UID: {0} removed User UID: {1} from group: {2}"; + public static final String ADDCERTSUBJECTDNFORMAT = + "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}"; // LDAP publishing - public static final String LDAP_PUBLISHED_FORMAT = - "{0} successfully published serial number: 0x{1} with DN: {2}"; + public static final String LDAP_PUBLISHED_FORMAT = + "{0} successfully published serial number: 0x{1} with DN: {2}"; } diff --git a/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java index 59266fedc..091a19fdc 100644 --- a/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java +++ b/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java @@ -80,6 +80,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp { LDAPException; /** + * Add a certSubjectDN field to the user + * @param identity + * @throws EUsrGrpException + * @throws LDAPException + */ + public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException; + + /** * Removes a user certificate for a user entry * given a user certificate DN (actually, a combination of version, * serialNumber, issuerDN, and SubjectDN), and it gets removed diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java index bdd0b0d08..b81c25659 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java @@ -502,10 +502,13 @@ public class DatabasePanel extends WizardPanelBase { String baseDN = ""; String database = ""; String dn = ""; + String dbuser = ""; try { baseDN = cs.getString("internaldb.basedn"); database = cs.getString("internaldb.database", ""); + dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + + cs.getString("service.securePort") + ",ou=people," + baseDN; } catch (Exception e) { CMS.debug("DatabasePanel populateDB: " + e.toString()); throw new IOException( @@ -631,6 +634,11 @@ public class DatabasePanel extends WizardPanelBase { } attrs.add(new LDAPAttribute("objectClass", oc3)); attrs.add(new LDAPAttribute(n, v)); + + String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (all) userdn=\"ldap:///" + + dbuser + "\";)"; + CMS.debug("ACI string is ["+ dbuserACI + "]"); + attrs.add(new LDAPAttribute("aci", dbuserACI)); LDAPEntry entry = new LDAPEntry(baseDN, attrs); conn.add(entry); } catch (Exception e) { @@ -695,6 +703,23 @@ public class DatabasePanel extends WizardPanelBase { throw new IOException("Failed to find base DN"); } + // add dbuser aci to cn=config + String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (read) userdn=\"ldap:///" + + dbuser + "\";)"; + CMS.debug("ACI string is [" + dbuserACI + "]"); + String configDN = "cn=ldbm database,cn=plugins,cn=config"; + try { + + LDAPAttribute attr = new LDAPAttribute("aci", dbuserACI); + LDAPModification mod = new LDAPModification(LDAPModification.ADD, attr); + conn.modify(configDN, mod); + } catch (LDAPException e) { + if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) { + e.printStackTrace(); + throw new IOException("Failed to add aci to " + configDN); + } + } + String select = ""; try { select = cs.getString("preop.subsystem.select", ""); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index fa5840dcd..9b8d62537 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; - import org.apache.velocity.Template; import org.apache.velocity.servlet.VelocityServlet; import org.apache.velocity.app.Velocity; @@ -35,6 +34,7 @@ import com.netscape.certsrv.ocsp.*; import com.netscape.certsrv.logging.*; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.*; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.password.*; import netscape.security.x509.*; import netscape.ldap.*; @@ -42,6 +42,8 @@ import java.net.*; import java.io.*; import java.math.*; import java.security.cert.*; + +import org.mozilla.jss.CryptoManager; import org.w3c.dom.*; import java.util.*; @@ -520,6 +522,20 @@ public class DonePanel extends WizardPanelBase { } } + String dbuser = null; + try { + dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + cs.getString("service.securePort"); + if (! sdtype.equals("new")) { + setupDBUser(dbuser); + } + IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + IUser user = system.getUser(dbuser); + system.addCertSubjectDN(user); + } catch (Exception e) { + e.printStackTrace(); + CMS.debug("Unable to create or update dbuser" + e); + } + cs.putInteger("cs.state", 1); try { // save variables needed for cloning and remove preop @@ -634,9 +650,65 @@ public class DonePanel extends WizardPanelBase { } } + private void setupDBUser(String dbuser) throws CertificateException, EUsrGrpException, LDAPException { + IUGSubsystem system = + (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - private void updateOCSPConfig(HttpServletResponse response) - throws IOException { + String b64 = getSubsystemCert(); + if (b64 == null) { + CMS.debug("DonePanel setupDBUser: failed to fetch subsystem cert"); + return; + } + + IUser user = system.createUser(dbuser); + user.setFullName(dbuser); + user.setEmail(""); + user.setPassword(""); + user.setUserType("agentType"); + user.setState("1"); + user.setPhone(""); + X509CertImpl[] certs = new X509CertImpl[1]; + certs[0] = new X509CertImpl(CMS.AtoB(b64)); + user.setX509Certificates(certs); + system.addUser(user); + CMS.debug("DonePanel setupDBUser: successfully add the user"); + system.addUserCert(user); + CMS.debug("DonePanel setupDBUser: successfully add the user certificate"); + } + + private String getSubsystemCert() { + IConfigStore cs = CMS.getConfigStore(); + String nickname = ""; + try { + nickname = cs.getString("preop.cert.subsystem.nickname", ""); + String tokenname = cs.getString("preop.module.token", ""); + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") + && !tokenname.equals("")) + nickname = tokenname + ":" + nickname; + } catch (Exception e) { + } + + CMS.debug("DonePanel getSubsystemCert: nickname=" + nickname); + String s = null; + try { + CryptoManager cm = CryptoManager.getInstance(); + org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname); + + if (cert == null) { + CMS.debug("DonePanel getSubsystemCert: subsystem cert is null"); + return null; + } + + byte[] bytes = cert.getEncoded(); + s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes)); + } catch (Exception e) { + CMS.debug("DonePanel getSubsystemCert: exception: " + e.toString()); + } + return s; + } + + private void updateOCSPConfig(HttpServletResponse response) + throws IOException { IConfigStore config = CMS.getConfigStore(); String cahost = ""; int caport = -1; diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java index 5c89e5888..f47e0e59c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java @@ -284,6 +284,7 @@ public class LDAPSecurityDomainSessionTable String pwd = null; String binddn = ""; String security = ""; + String clientNick = ""; IPasswordStore pwdStore = CMS.getPasswordStore(); @@ -301,6 +302,7 @@ public class LDAPSecurityDomainSessionTable port = cs.getString("internaldb.ldapconn.port"); binddn = cs.getString("internaldb.ldapauth.bindDN"); security = cs.getString("internaldb.ldapconn.secureConn"); + clientNick = cs.getString("internaldb.ldapauth.clientCertNickname"); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: getLDAPConn" + e.toString()); throw new IOException( @@ -317,9 +319,12 @@ public class LDAPSecurityDomainSessionTable } LDAPConnection conn = null; - if (security.equals("true")) { - //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap"); - conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); + if (!clientNick.equals("")) { + CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) client auth connection for internal ldap"); + conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory(clientNick)); + } else if (security.equals("true")) { + //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap"); + conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); } else { //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating non-secure (non-SSL) connection for internal ldap"); conn = new LDAPConnection(); diff --git a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java index d19cbf2d3..4bb5a4fad 100644 --- a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java +++ b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.usrgrp; - import java.util.*; import java.lang.*; import netscape.ldap.*; @@ -56,7 +55,7 @@ public final class UGSubsystem implements IUGSubsystem { protected static final String GROUP_ATTR_VALUE = "groupofuniquenames"; protected static final String LDAP_ATTR_USER_CERT_STRING = "description"; - // protected static final String LDAP_ATTR_CERTDN = "seeAlso"; + protected static final String LDAP_ATTR_CERTDN = "seeAlso"; protected static final String LDAP_ATTR_USER_CERT = "userCertificate"; protected static final String PROP_BASEDN = "basedn"; @@ -740,27 +739,18 @@ public final class UGSubsystem implements IUGSubsystem { LDAPModificationSet addCert = new LDAPModificationSet(); if ((cert = user.getX509Certificates()) != null) { - LDAPAttribute attrCertStr = new - LDAPAttribute(LDAP_ATTR_USER_CERT_STRING); - - /* - LDAPAttribute attrCertDNStr = new - LDAPAttribute(LDAP_ATTR_CERTDN); - */ - LDAPAttribute attrCertBin = new - LDAPAttribute(LDAP_ATTR_USER_CERT); + LDAPAttribute attrCertStr = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING); + LDAPAttribute attrCertBin = new LDAPAttribute(LDAP_ATTR_USER_CERT); try { attrCertBin.addValue(cert[0].getEncoded()); attrCertStr.addValue(getCertificateString(cert[0])); - // attrCertDNStr.addValue(cert[0].getSubjectDN().toString()); } catch (CertificateEncodingException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER_CERT", e.toString())); throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR")); } addCert.add(LDAPModification.ADD, attrCertStr); - //addCert.add(LDAPModification.ADD, attrCertDNStr); addCert.add(LDAPModification.ADD, attrCertBin); LDAPConnection ldapconn = null; @@ -806,6 +796,54 @@ public final class UGSubsystem implements IUGSubsystem { return; } + public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException { + User user = (User) identity; + + if (user == null) { + return; + } + + X509Certificate cert[] = null; + LDAPModificationSet addCert = new LDAPModificationSet(); + + if ((cert = user.getX509Certificates()) != null) { + LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN); + attrCertDNStr.addValue(cert[0].getSubjectDN().toString()); + addCert.add(LDAPModification.ADD, attrCertDNStr); + + LDAPConnection ldapconn = null; + + try { + ldapconn = getConn(); + ldapconn.modify("uid=" + user.getUserID() + + "," + getUserBaseDN(), addCert); + // for audit log + SessionContext sessionContext = SessionContext.getContext(); + String adminId = (String) sessionContext.get(SessionContext.USER_ID); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, + AuditFormat.LEVEL, AuditFormat.ADDCERTSUBJECTDNFORMAT, + new Object[] { adminId, user.getUserID(), + cert[0].getSubjectDN().toString()} + ); + + } catch (LDAPException e) { + if (Debug.ON) { + e.printStackTrace(); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString())); + throw e; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString())); + } finally { + if (ldapconn != null) + returnConn(ldapconn); + } + } + + return; + } + /** * Removes a user certificate for a user entry * given a user certificate DN (actually, a combination of version, @@ -846,7 +884,7 @@ public final class UGSubsystem implements IUGSubsystem { LDAPAttribute certAttrS = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING); - //LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN); + LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN); int certCount = 0; @@ -864,14 +902,14 @@ public final class UGSubsystem implements IUGSubsystem { try { certAttr.addValue(certs[i].getEncoded()); certAttrS.addValue(getCertificateString(certs[i])); - // certDNAttrS.addValue(certs[i].getSubjectDN().toString()); + certDNAttrS.addValue(certs[i].getSubjectDN().toString()); } catch (CertificateEncodingException e) { throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR")); } attrs.add(LDAPModification.DELETE, certAttr); attrs.add(LDAPModification.DELETE, certAttrS); - //attrs.add(LDAPModification.DELETE, certDNAttrS); + attrs.add(LDAPModification.DELETE, certDNAttrS); LDAPConnection ldapconn = null; |