diff options
author | Ade Lee <alee@redhat.com> | 2013-02-01 14:20:15 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-02-11 11:19:10 -0500 |
commit | 4cd35fd44d71305a985ad8616ffad0fd355af2bf (patch) | |
tree | 1a3fcedb747b97c113feb07e3293d4ed76addc95 | |
parent | c483f48647eb190dce94866871b6ea933634e62d (diff) | |
download | pki-4cd35fd44d71305a985ad8616ffad0fd355af2bf.tar.gz pki-4cd35fd44d71305a985ad8616ffad0fd355af2bf.tar.xz pki-4cd35fd44d71305a985ad8616ffad0fd355af2bf.zip |
Add updateDomainXML to admin interface
-rw-r--r-- | base/ca/shared/conf/acl.ldif | 2 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 24 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 99 |
3 files changed, 102 insertions, 23 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif index 732179216..d5385e8e2 100644 --- a/base/ca/shared/conf/acl.ldif +++ b/base/ca/shared/conf/acl.ldif @@ -6,7 +6,7 @@ resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) g resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml +resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter #resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index b922b3d98..7528c310d 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -192,6 +192,25 @@ </servlet> <servlet> + <servlet-name> caUpdateDomainXML-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + <servlet> <servlet-name> caUpdateNumberRange </servlet-name> <servlet-class> com.netscape.cms.servlet.csadmin.UpdateNumberRange </servlet-class> <init-param><param-name> GetClientCert </param-name> @@ -1882,6 +1901,11 @@ <url-pattern> /agent/ca/updateDomainXML </url-pattern> </servlet-mapping> + <servlet-mapping> + <servlet-name> caUpdateDomainXML-admin </servlet-name> + <url-pattern> /admin/ca/updateDomainXML </url-pattern> + </servlet-mapping> + <servlet-mapping> <servlet-name> caUpdateNumberRange </servlet-name> <url-pattern> /admin/ca/updateNumberRange </url-pattern> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 8b97c9be1..82c994652 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -641,18 +641,23 @@ public class ConfigurationUtils { CMS.debug("updateNumberRange start host=" + hostname + " adminPort=" + adminPort + " eePort=" + eePort); IConfigStore cs = CMS.getConfigStore(); - String cstype = ""; - cstype = cs.getString("cs.type", ""); + String cstype = cs.getString("cs.type", ""); cstype = cstype.toLowerCase(); String serverPath = "/" + cstype + "/admin/" + cstype + "/updateNumberRange"; String c = null; + XMLObject parser = null; try { c = getHttpResponse(hostname, adminPort, https, serverPath, content, null, null); if (c == null || c.equals("")) { CMS.debug("updateNumberRange: content is null."); throw new IOException("The server you want to contact is not available"); } + + CMS.debug("content from admin interface ="+ c); + // when the admin servlet is unavailable, we return a badly formatted error page + // in that case, this will throw an exception and be passed into the catch block. + parser = new XMLObject(new ByteArrayInputStream(c.getBytes())); } catch (Exception e) { // for backward compatibility, try the old ee interface too CMS.debug("updateNumberRange: Failed to contact master using admin port" + e); @@ -663,12 +668,10 @@ public class ConfigurationUtils { CMS.debug("updateNumberRange: content is null."); throw new IOException("The server you want to contact is not available"); } + CMS.debug("content from ee interface =" + c); + parser = new XMLObject(new ByteArrayInputStream(c.getBytes())); } - CMS.debug("content=" + c); - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - parser = new XMLObject(bis); String status = parser.getValue("Status"); CMS.debug("updateNumberRange(): status=" + status); @@ -948,10 +951,18 @@ public class ConfigurationUtils { // delete all existing certificates first deleteExistingCerts(); + ArrayList<String> masterList = getMasterCertKeyList(); + for (int i = 0; i < pkeyinfo_collection.size(); i++) { Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i); PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0); String nickname = (String) pkeyinfo_v.elementAt(1); + if (! masterList.contains(nickname)) { + // TODO - fix this to only import the keys that we need. + CMS.debug("Ignoring " + nickname); + // only import the master's system keys + // continue; + } byte[] x509cert = getX509Cert(nickname, cert_collection); X509Certificate cert = cm.importCACertPackage(x509cert); ByteArrayOutputStream bos = new ByteArrayOutputStream(); @@ -988,6 +999,11 @@ public class ConfigurationUtils { byte[] cert = (byte[]) cert_v.elementAt(0); if (cert_v.size() > 1) { String name = (String) cert_v.elementAt(1); + if (! masterList.contains(name)) { + CMS.debug("Not importing " + name); + // only import the master's system certs + continue; + } // we need to delete the trusted CA certificate if it is // the same as the ca signing certificate if (isCASigningCert(name)) { @@ -1100,6 +1116,26 @@ public class ConfigurationUtils { } } + public static ArrayList<String> getMasterCertKeyList() throws EBaseException { + ArrayList<String> list = new ArrayList<String>(); + IConfigStore cs = CMS.getConfigStore(); + String certList = cs.getString("preop.cert.list", ""); + StringTokenizer st = new StringTokenizer(certList, ","); + while (st.hasMoreTokens()) { + String s = st.nextToken(); + if (s.equals("sslserver")) + continue; + String name = "preop.master." + s + ".nickname"; + String nickname = cs.getString(name); + list.add(nickname); + + name = "preop.cert." + s + ".dn"; + String dn = cs.getString(name); + list.add(dn); + } + return list; + } + public static byte[] getX509Cert(String nickname, Vector<Vector<Object>> cert_collection) throws CertificateException { for (int i = 0; i < cert_collection.size(); i++) { @@ -3251,9 +3287,8 @@ public class ConfigurationUtils { String eecaStr = (CMS.getEEClientAuthSSLPort() != null) ? "&eeclientauthsport=" + CMS.getEEClientAuthSSLPort() : ""; - updateDomainXML(sd_host, sd_agent_port, true, - "/ca/agent/ca/updateDomainXML", - "list=" + type + "List" + String url = "/ca/admin/ca/updateDomainXML"; + String content = "list=" + type + "List" + "&type=" + type + "&host=" + CMS.getEESSLHost() + "&name=" + subsystemName @@ -3263,7 +3298,19 @@ public class ConfigurationUtils { + "&agentsport=" + CMS.getAgentPort() + "&adminsport=" + CMS.getAdminPort() + eecaStr - + "&httpport=" + CMS.getEENonSSLPort()); + + "&httpport=" + CMS.getEENonSSLPort(); + + try { + String session_id = CMS.getConfigSDSessionId(); + content += "&sessionID="+ session_id; + updateDomainXML(sd_host, sd_admin_port, true, url, content, false); + } catch (Exception e) { + CMS.debug("updateSecurityDomain: failed to update security domain using admin port " + + sd_admin_port + ": " + e); + CMS.debug("updateSecurityDomain: now trying agent port with client auth"); + url = "/ca/agent/ca/updateDomainXML"; + updateDomainXML(sd_host, sd_agent_port, true, url, content, true); + } // Fetch the "updated" security domain and display it CMS.debug("updateSecurityDomain(): Dump contents of updated Security Domain . . ."); @@ -3302,21 +3349,27 @@ public class ConfigurationUtils { } public static void updateDomainXML(String hostname, int port, boolean https, - String servlet, String uri) throws IOException, EBaseException, SAXException, ParserConfigurationException { + String servlet, String uri, boolean useClientAuth) throws IOException, EBaseException, SAXException, + ParserConfigurationException { CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port); - IConfigStore cs = CMS.getConfigStore(); - String nickname = cs.getString("preop.cert.subsystem.nickname", ""); - String tokenname = cs.getString("preop.module.token", ""); + String c = null; + if (useClientAuth) { + IConfigStore cs = CMS.getConfigStore(); + String nickname = cs.getString("preop.cert.subsystem.nickname", ""); + String tokenname = cs.getString("preop.module.token", ""); - if (!tokenname.equals("") && - !tokenname.equals("Internal Key Storage Token") && - !tokenname.equals("internal")) { - nickname = tokenname + ":" + nickname; - } - CMS.debug("updateDomainXML() nickname=" + nickname); + if (!tokenname.equals("") && + !tokenname.equals("Internal Key Storage Token") && + !tokenname.equals("internal")) { + nickname = tokenname + ":" + nickname; + } + CMS.debug("updateDomainXML() nickname=" + nickname); - String c = getHttpResponse(hostname, port, https, servlet, uri, nickname, null); - if (c != null) { + c = getHttpResponse(hostname, port, https, servlet, uri, nickname, null); + } else { + c = getHttpResponse(hostname, port, https, servlet, uri, null, null); + } + if (c != null && !c.equals("")) { ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); XMLObject obj = new XMLObject(bis); String status = obj.getValue("Status"); @@ -3328,6 +3381,8 @@ public class ConfigurationUtils { String error = obj.getValue("Error"); throw new IOException(error); } + } else { + throw new IOException("Failed to get response when updating security domain"); } } |