authorEndi S. Dewata <edewata@redhat.com>2016-05-05 18:10:23 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-05 19:03:18 +0200
commit8dd3aa3a0acaa786b7794744a31bb44d991c2fb1 (patch)
tree0484d36bbe3908309a69cf8c2d329187a80fe83c
parent2be9c6eaeb178325e9564d6a47e8078b4d2f0e1f (diff)
Added cleanUp() and cert_import scriptlet.ticket-2244-2
-rw-r--r--base/common/python/pki/system.py13
-rw-r--r--base/common/src/com/netscape/certsrv/system/SystemConfigResource.java4
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java42
-rw-r--r--base/server/etc/default.cfg1
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py38
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/cert_import.py248
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py206
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/finalization.py6
8 files changed, 321 insertions, 237 deletions
diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py
index 7607578df..945c06407 100644
--- a/base/common/python/pki/system.py
+++ b/base/common/python/pki/system.py
@@ -267,7 +267,6 @@ class SystemConfigClient(object):
:param data: Configuration request containing all the input needed to
configure the subsystem
:type data: ConfigurationRequest
- :return: ConfigurationResponse -- response from configuration servlet.
"""
headers = {'Content-type': 'application/json',
'Accept': 'application/json'}
@@ -318,14 +317,22 @@ class SystemConfigClient(object):
"""
Contacts the server and invokes the Java configuration REST API to
finalize subsystem configuration.
-
- :return: ConfigurationResponse -- response from configuration servlet.
"""
headers = {'Content-type': 'application/json',
'Accept': 'application/json'}
self.connection.post('/rest/installer/finalizeConfiguration', None,
headers)
+ def cleanUp(self):
+ """
+ Contacts the server and invokes the Java configuration REST API to
+ clean up the configuration.
+ """
+ headers = {'Content-type': 'application/json',
+ 'Accept': 'application/json'}
+ self.connection.post('/rest/installer/cleanUp', None,
+ headers)
+
def getConfigurationResult(self):
"""
Contacts the server and invokes the Java configuration REST API to
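Review bot: The docstring of the new cleanUp() says only that it "clean[s] up the configuration", which does not tell a caller what state change the request triggers; per the SystemConfigService hunk in this commit the endpoint sets cs.state to 1, removes the remaining preop entries and creates the restart marker file, so the docstring should state that, e.g. `Marks the subsystem as configured (cs.state=1), removes the remaining preop entries from CS.cfg and creates the restart-after-configuration marker. Call only after configure()/finalizeConfiguration().` Like finalizeConfiguration() just above it, the method discards the POST result; if connection.post() does not raise on an HTTP error status, a failed cleanUp would pass silently, so that behaviour is worth confirming or the status checked here. The enclosing class continues outside the hunk.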
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
index 4835843c5..870664979 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
@@ -52,6 +52,10 @@ public interface SystemConfigResource {
public void finalizeConfiguration() throws Exception;
@POST
+ @Path("cleanUp")
+ public void cleanUp() throws Exception;
+
+ @POST
@Path("result")
public ConfigurationResponse getConfigurationResponse() throws Exception;
}
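Review bot: The new cleanUp declaration carries no Javadoc although it triggers an irreversible state transition (cs.state=1 and removal of the preop entries, per the SystemConfigService hunk), so an API consumer cannot tell from the interface when it may be called; a comment such as `/** Marks the subsystem as configured and removes its preop entries; only meaningful once configuration has completed. */` would fix that. Whether the installer resource's authentication/ACL mapping covers the new "cleanUp" path is not visible in this commit; since the sibling installer endpoints presumably depend on that mapping, it should be confirmed for the new path as well.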
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index e4f5aec3f..7cedbf24b 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -267,6 +267,29 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
@Override
+ public void cleanUp() {
+
+ cs.putInteger("cs.state", 1);
+
+ // update serial numbers for clones
+
+ // save some variables, remove remaining preops
+ try {
+ ConfigurationUtils.removePreopConfigEntries();
+ } catch (EBaseException e) {
+ CMS.debug(e);
+ throw new PKIException("Errors when removing preop config entries: " + e, e);
+ }
+
+ // Create an empty file that designates the fact that although
+ // this server instance has been configured, it has NOT yet
+ // been restarted!
+ String restart_server = instanceRoot + "/conf/" + RESTART_SERVER_AFTER_CONFIGURATION;
+ Utils.exec("touch " + restart_server);
+ Utils.exec("chmod 00660 " + restart_server);
+ }
+
+ @Override
public ConfigurationResponse getConfigurationResponse() {
HttpSession session = servletRequest.getSession();
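Review bot: The restart marker is created by shelling out (`Utils.exec("touch " + restart_server)` and `Utils.exec("chmod 00660 " + restart_server)`), which forks two processes, builds a command line from a path, and gives no error handling if either command fails; the java.nio.file API does the same thing in-process with an exception you can wrap in the PKIException the method already uses. The comment `// update serial numbers for clones` is now a dangling comment with no code under it and should be removed or turned into a TODO with an owner. Nothing in the method checks the current cs.state before writing 1 and removing the preop entries; if the old finalizeConfiguration path relied on a caller-side guard, that guard is outside this hunk and the endpoint should be confirmed to be rejected once the instance is already configured. The rewrite below needs java.nio.file.{Files,Path,Paths} and java.nio.file.attribute.PosixFilePermissions in the import block, which is outside the hunk.
```java
    @Override
    public void cleanUp() {

        cs.putInteger("cs.state", 1);

        // … unchanged: removePreopConfigEntries() and its PKIException wrapping …

        // Create an empty file that designates the fact that although
        // this server instance has been configured, it has NOT yet
        // been restarted!
        Path restartServer = Paths.get(instanceRoot, "conf", RESTART_SERVER_AFTER_CONFIGURATION);
        try {
            if (!Files.exists(restartServer)) {
                Files.createFile(restartServer);
            }
            Files.setPosixFilePermissions(restartServer,
                    PosixFilePermissions.fromString("rw-rw----"));
        } catch (IOException e) {
            CMS.debug(e);
            throw new PKIException("Unable to create restart marker " + restartServer + ": " + e, e);
        }
    }
```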
@@ -636,25 +659,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
public void finalizeConfiguration(ConfigurationRequest request, ConfigurationResponse response) {
-
- cs.putInteger("cs.state", 1);
-
- // update serial numbers for clones
-
- // save some variables, remove remaining preops
- try {
- ConfigurationUtils.removePreopConfigEntries();
- } catch (EBaseException e) {
- CMS.debug(e);
- throw new PKIException("Errors when removing preop config entries: " + e, e);
- }
-
- // Create an empty file that designates the fact that although
- // this server instance has been configured, it has NOT yet
- // been restarted!
- String restart_server = instanceRoot + "/conf/" + RESTART_SERVER_AFTER_CONFIGURATION;
- Utils.exec("touch " + restart_server);
- Utils.exec("chmod 00660 " + restart_server);
}
public void configureAdministrator(ConfigurationRequest data, ConfigurationResponse response) {
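Review bot: finalizeConfiguration(ConfigurationRequest, ConfigurationResponse) is left with an empty body after the move, so the two-argument method now silently does nothing while keeping a name that promises a state change; either delete it, or leave a comment in the body explaining why it is kept, e.g. `// Intentionally empty: the cs.state update, preop cleanup and restart marker moved to cleanUp(), which the finalization scriptlet invokes.` Its callers are outside the hunk, so whether it can simply be removed is not visible here.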
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index c759556de..24008a328 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -43,6 +43,7 @@ spawn_scriplets=
security_databases
client_database
csr_generation
+ cert_import
configuration
finalization
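Review bot: The position of `cert_import` in spawn_scriplets is load-bearing and nothing in the file says so: per the cert_import.py hunk in this commit, that scriptlet is what starts or restarts the Tomcat instance and waits for it, and the configuration scriptlet's connect() assumes a running server. A comment next to the list, such as `# cert_import must precede configuration: it starts the server that configuration connects to`, would stop a later reorder from breaking deployment.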
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 24e6ee0c2..2dc8a29cf 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3802,31 +3802,42 @@ class ConfigClient:
self.mdict['pki_req_ext_add'])
self.security_domain_type = self.mdict['pki_security_domain_type']
self.san_inject = config.str2bool(self.mdict['pki_san_inject'])
+ self.connection = None
+ self.client = None
- def configure_pki_data(self, data):
- config.pki_log.info(
- log.PKI_CONFIG_CONFIGURING_PKI_DATA,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ def connect(self):
- connection = pki.client.PKIConnection(
+ self.connection = pki.client.PKIConnection(
protocol='https',
hostname=self.mdict['pki_hostname'],
port=self.mdict['pki_https_port'],
subsystem=self.mdict['pki_subsystem_type'],
trust_env=False)
+ self.client = pki.system.SystemConfigClient(self.connection)
+
+ def clean_up(self):
+
+ if not (self.external or self.standalone) or self.external_step_two:
+ self.client.cleanUp()
+
+ def configure_pki_data(self, data):
+
+ config.pki_log.info(
+ log.PKI_CONFIG_CONFIGURING_PKI_DATA,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
try:
- client = pki.system.SystemConfigClient(connection)
- client.configure(data)
+ self.client.configure(data)
if not (self.external or self.standalone) or self.external_step_two:
- client.createCertificates()
- client.backupKeys()
- client.createUsers()
- client.configureSecurityDomain()
- client.finalizeConfiguration()
+ self.client.createCertificates()
+ self.client.backupKeys()
+ self.client.createUsers()
+ self.client.configureSecurityDomain()
+ self.client.finalizeConfiguration()
- response = client.getConfigurationResult()
+ response = self.client.getConfigurationResult()
config.pki_log.debug(
'Configuration complete',
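Review bot: clean_up() and configure_pki_data() dereference self.client, which __init__ now initialises to None, so calling either before connect() fails with an AttributeError on NoneType rather than a message naming the missing step; a guard at the top of each, `if self.client is None: raise RuntimeError('ConfigClient.connect() must be called before this method')`, makes the new two-phase protocol explicit. The condition `if not (self.external or self.standalone) or self.external_step_two:` is now written twice (clean_up and configure_pki_data); a small private helper such as `_is_server_side_configuration()` would keep the two from drifting apart. The new connect() and clean_up() have no docstrings; connect() should state that it creates self.connection and self.client and must precede the other calls. configure_pki_data continues outside the hunk.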
@@ -4664,7 +4675,6 @@ class PKIDeployer:
self.servercertnick_conf = ServerCertNickConf(self)
self.systemd = Systemd(self)
self.tps_connector = TPSConnector(self)
- self.config_client = ConfigClient(self)
def init(self):
diff --git a/base/server/python/pki/server/deployment/scriptlets/cert_import.py b/base/server/python/pki/server/deployment/scriptlets/cert_import.py
new file mode 100644
index 000000000..76e6b26d8
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/cert_import.py
@@ -0,0 +1,248 @@
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+import pki.encoder
+import pki.nssdb
+import pki.server
+import pki.system
+import pki.util
+
+
+# PKI Deployment Configuration Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ if config.str2bool(deployer.mdict['pki_skip_configuration']):
+ config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ deployer.instance.verify_subsystem_exists()
+
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(
+ deployer.mdict['pki_subsystem'].lower())
+
+ token = deployer.mdict['pki_token_name']
+ nssdb = instance.open_nssdb(token)
+
+ existing = deployer.configuration_file.existing
+ external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
+ step_one = deployer.configuration_file.external_step_one
+ step_two = deployer.configuration_file.external_step_two
+
+ try:
+ if existing or external and step_two:
+ # existing CA or external CA step 2
+
+ # If specified, import CA signing CSR into CS.cfg.
+ signing_csr_path = deployer.mdict['pki_external_csr_path']
+ if signing_csr_path:
+ config.pki_log.info(
+ "importing CA signing CSR from %s",
+ signing_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(signing_csr_path) as f:
+ signing_csr = f.read()
+ signing_csr = pki.nssdb.convert_csr(
+ signing_csr, 'pem', 'base64')
+ subsystem.config['ca.signing.certreq'] = signing_csr
+
+ # If specified, import CA signing cert into NSS database.
+ signing_nickname = deployer.mdict['pki_ca_signing_nickname']
+ signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
+ if signing_cert_file:
+ config.pki_log.info(
+ "importing %s from %s",
+ signing_nickname, signing_cert_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ nssdb.add_cert(
+ nickname=signing_nickname,
+ cert_file=signing_cert_file,
+ trust_attributes='CT,C,C')
+
+ # If specified, import certs and keys from PKCS #12 file
+ # into NSS database.
+ pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
+ if pkcs12_file:
+ config.pki_log.info(
+ "importing certificates and keys from %s", pkcs12_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ pkcs12_password = deployer.mdict[
+ 'pki_external_pkcs12_password']
+ nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
+
+ # If specified, import cert chain into NSS database.
+ # Note: Cert chain must be imported after the system certs
+ # to ensure that the system certs are imported with
+ # the correct nicknames.
+ external_ca_cert_chain_nickname = \
+ deployer.mdict['pki_external_ca_cert_chain_nickname']
+ external_ca_cert_chain_file = deployer.mdict[
+ 'pki_external_ca_cert_chain_path']
+ if external_ca_cert_chain_file:
+ config.pki_log.info(
+ "importing certificate chain %s from %s",
+ external_ca_cert_chain_nickname,
+ external_ca_cert_chain_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ cert_chain, _nicks = nssdb.import_cert_chain(
+ nickname=external_ca_cert_chain_nickname,
+ cert_chain_file=external_ca_cert_chain_file,
+ trust_attributes='CT,C,C')
+ subsystem.config['ca.external_ca_chain.cert'] = cert_chain
+
+ # Export CA signing cert from NSS database and import
+ # it into CS.cfg.
+ signing_cert_data = nssdb.get_cert(
+ nickname=signing_nickname,
+ output_format='base64')
+ subsystem.config['ca.signing.nickname'] = signing_nickname
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.signing.cert'] = signing_cert_data
+ subsystem.config['ca.signing.cacertnickname'] = signing_nickname
+ subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
+ deployer.mdict['pki_ca_signing_signing_algorithm'])
+
+ subsystem.save()
+
+ elif standalone and step_two:
+
+ # To be implemented in ticket #1692.
+ # Import standalone system certificates into NSS database.
+
+ pass
+
+ else: # self-signed CA
+
+ # To be implemented in ticket #1692.
+ # Generate self-signed CA cert.
+ # Import self-signed CA cert into NSS database.
+
+ pass
+
+ finally:
+ nssdb.close()
+
+ if external and step_one:
+ return
+
+ if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_shared_pfile'],
+ deployer.mdict['pki_pin'], pin_sans_token=True)
+
+ # only create a self signed cert for a new instance
+ #
+ # NOTE: ALWAYS create the temporary sslserver certificate
+ # in the software DB regardless of whether the
+ # instance will utilize 'softokn' or an HSM
+ #
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ if not rv:
+
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file. Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
+
+ deployer.certutil.generate_self_signed_certificate(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ deployer.mdict['pki_self_signed_subject'],
+ deployer.mdict['pki_self_signed_serial_number'],
+ deployer.mdict['pki_self_signed_validity_period'],
+ deployer.mdict['pki_self_signed_issuer_name'],
+ deployer.mdict['pki_self_signed_trustargs'],
+ deployer.mdict['pki_self_signed_noise_file'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ # Delete the temporary 'noise' file
+ deployer.file.delete(
+ deployer.mdict['pki_self_signed_noise_file'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
+ # Start/Restart this Tomcat PKI Process
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(deployer.mdict['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ deployer.mdict['pki_target_tomcat_conf_instance_id'])
+ tomcat_instance_subsystems = \
+ len(deployer.instance.tomcat_instance_subsystems())
+ if tomcat_instance_subsystems == 1:
+ deployer.systemd.start()
+ elif tomcat_instance_subsystems > 1:
+ deployer.systemd.restart()
+
+ # wait for startup
+ status = deployer.instance.wait_for_startup(60)
+ if status is None:
+ config.pki_log.error(
+ "server failed to restart",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception("server failed to restart")
+
+ # Optionally wait for debugger to attach (e. g. - 'eclipse'):
+ if config.str2bool(deployer.mdict['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+ def destroy(self, deployer):
+
+ config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if len(deployer.instance.tomcat_instance_subsystems()) == 1:
+ if deployer.directory.exists(deployer.mdict['pki_client_dir']):
+ deployer.directory.delete(deployer.mdict['pki_client_dir'])
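Review bot: `import pki.encoder`, `import pki.system` and `import pki.util` are not referenced anywhere in the new module (only pki.nssdb and pki.server are used) and should be dropped. The header comment `# PKI Deployment Configuration Scriptlet`, the `CONFIGURATION_SPAWN_1`, `SKIP_CONFIGURATION_SPAWN_1` and `CONFIGURATION_DESTROY_1` message constants, and the 2012 copyright line all appear to be carried over from configuration.py; a header such as `# PKI Deployment Certificate Import Scriptlet` and dedicated CERT_IMPORT_* messages would keep the deployment log from attributing this scriptlet's work to the configuration step, which matters when someone later reads the log to reconstruct what a failed install did. A short module docstring should also say what this scriptlet leaves behind for configuration.py: imported CA signing cert/CSR/chain in the NSS database and CS.cfg, the temporary self-signed sslserver cert, and a started (or restarted) Tomcat instance.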
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index d8cf1145a..5a59faf27 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -23,6 +23,7 @@ import json
# PKI Deployment Imports
from .. import pkiconfig as config
+from .. import pkihelper
from .. import pkimessages as log
from .. import pkiscriptlet
@@ -46,214 +47,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- deployer.instance.verify_subsystem_exists()
-
- instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
- instance.load()
-
- subsystem = instance.get_subsystem(
- deployer.mdict['pki_subsystem'].lower())
-
- token = deployer.mdict['pki_token_name']
- nssdb = instance.open_nssdb(token)
-
- existing = deployer.configuration_file.existing
- external = deployer.configuration_file.external
- standalone = deployer.configuration_file.standalone
- step_one = deployer.configuration_file.external_step_one
- step_two = deployer.configuration_file.external_step_two
-
- try:
- if existing or external and step_two:
- # existing CA or external CA step 2
-
- # If specified, import CA signing CSR into CS.cfg.
- signing_csr_path = deployer.mdict['pki_external_csr_path']
- if signing_csr_path:
- config.pki_log.info(
- "importing CA signing CSR from %s",
- signing_csr_path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- with open(signing_csr_path) as f:
- signing_csr = f.read()
- signing_csr = pki.nssdb.convert_csr(
- signing_csr, 'pem', 'base64')
- subsystem.config['ca.signing.certreq'] = signing_csr
-
- # If specified, import CA signing cert into NSS database.
- signing_nickname = deployer.mdict['pki_ca_signing_nickname']
- signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
- if signing_cert_file:
- config.pki_log.info(
- "importing %s from %s",
- signing_nickname, signing_cert_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- nssdb.add_cert(
- nickname=signing_nickname,
- cert_file=signing_cert_file,
- trust_attributes='CT,C,C')
-
- # If specified, import certs and keys from PKCS #12 file
- # into NSS database.
- pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
- if pkcs12_file:
- config.pki_log.info(
- "importing certificates and keys from %s", pkcs12_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- pkcs12_password = deployer.mdict[
- 'pki_external_pkcs12_password']
- nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
-
- # If specified, import cert chain into NSS database.
- # Note: Cert chain must be imported after the system certs
- # to ensure that the system certs are imported with
- # the correct nicknames.
- external_ca_cert_chain_nickname = \
- deployer.mdict['pki_external_ca_cert_chain_nickname']
- external_ca_cert_chain_file = deployer.mdict[
- 'pki_external_ca_cert_chain_path']
- if external_ca_cert_chain_file:
- config.pki_log.info(
- "importing certificate chain %s from %s",
- external_ca_cert_chain_nickname,
- external_ca_cert_chain_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- cert_chain, _nicks = nssdb.import_cert_chain(
- nickname=external_ca_cert_chain_nickname,
- cert_chain_file=external_ca_cert_chain_file,
- trust_attributes='CT,C,C')
- subsystem.config['ca.external_ca_chain.cert'] = cert_chain
-
- # Export CA signing cert from NSS database and import
- # it into CS.cfg.
- signing_cert_data = nssdb.get_cert(
- nickname=signing_nickname,
- output_format='base64')
- subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
- subsystem.config['ca.signing.cert'] = signing_cert_data
- subsystem.config['ca.signing.cacertnickname'] = signing_nickname
- subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
- deployer.mdict['pki_ca_signing_signing_algorithm'])
-
- subsystem.save()
-
- elif standalone and step_two:
-
- # To be implemented in ticket #1692.
- # Import standalone system certificates into NSS database.
-
- pass
-
- else: # self-signed CA
-
- # To be implemented in ticket #1692.
- # Generate self-signed CA cert.
- # Import self-signed CA cert into NSS database.
-
- pass
-
- finally:
- nssdb.close()
-
- if external and step_one:
- return
-
- if len(deployer.instance.tomcat_instance_subsystems()) < 2:
-
- deployer.password.create_password_conf(
- deployer.mdict['pki_shared_pfile'],
- deployer.mdict['pki_pin'], pin_sans_token=True)
-
- # only create a self signed cert for a new instance
- #
- # NOTE: ALWAYS create the temporary sslserver certificate
- # in the software DB regardless of whether the
- # instance will utilize 'softokn' or an HSM
- #
- rv = deployer.certutil.verify_certificate_exists(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- password_file=deployer.mdict['pki_shared_pfile'])
-
- if not rv:
-
- # note: in the function below, certutil is used to generate
- # the request for the self signed cert. The keys are generated
- # by NSS, which does not actually use the data in the noise
- # file, so it does not matter what is in this file. Certutil
- # still requires it though, otherwise it waits for keyboard
- # input
- with open(
- deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
- f.write("not_so_random_data")
-
- deployer.certutil.generate_self_signed_certificate(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- deployer.mdict['pki_self_signed_subject'],
- deployer.mdict['pki_self_signed_serial_number'],
- deployer.mdict['pki_self_signed_validity_period'],
- deployer.mdict['pki_self_signed_issuer_name'],
- deployer.mdict['pki_self_signed_trustargs'],
- deployer.mdict['pki_self_signed_noise_file'],
- password_file=deployer.mdict['pki_shared_pfile'])
-
- # Delete the temporary 'noise' file
- deployer.file.delete(
- deployer.mdict['pki_self_signed_noise_file'])
-
- # Always delete the temporary 'pfile'
- deployer.file.delete(deployer.mdict['pki_shared_pfile'])
-
- # Start/Restart this Tomcat PKI Process
- # Optionally prepare to enable a java debugger
- # (e. g. - 'eclipse'):
- if config.str2bool(deployer.mdict['pki_enable_java_debugger']):
- config.prepare_for_an_external_java_debugger(
- deployer.mdict['pki_target_tomcat_conf_instance_id'])
- tomcat_instance_subsystems = \
- len(deployer.instance.tomcat_instance_subsystems())
- if tomcat_instance_subsystems == 1:
- deployer.systemd.start()
- elif tomcat_instance_subsystems > 1:
- deployer.systemd.restart()
-
- # wait for startup
- status = deployer.instance.wait_for_startup(60)
- if status is None:
- config.pki_log.error(
- "server failed to restart",
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception("server failed to restart")
-
- # Optionally wait for debugger to attach (e. g. - 'eclipse'):
- if config.str2bool(deployer.mdict['pki_enable_java_debugger']):
- config.wait_to_attach_an_external_java_debugger()
+ config_client = pkihelper.ConfigClient(deployer)
+ config_client.connect()
# Construct PKI Subsystem Configuration Data
- data = None
- if deployer.mdict['pki_instance_type'] == "Tomcat":
- # CA, KRA, OCSP, TKS, or TPS
- data = deployer.config_client.construct_pki_configuration_data()
+ data = config_client.construct_pki_configuration_data()
# Configure the subsystem
- deployer.config_client.configure_pki_data(
+ config_client.configure_pki_data(
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
def destroy(self, deployer):
config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if len(deployer.instance.tomcat_instance_subsystems()) == 1:
- if deployer.directory.exists(deployer.mdict['pki_client_dir']):
- deployer.directory.delete(deployer.mdict['pki_client_dir'])
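Review bot: spawn() now goes straight to `pkihelper.ConfigClient(deployer)` and `config_client.connect()` with nothing in this file saying that it relies on the server already running, which the cert_import scriptlet (earlier in spawn_scriplets) provides; a comment above the construction, `# The instance was started by the cert_import scriptlet; connect to its configuration REST API.`, records that dependency. The removed `pki_instance_type == "Tomcat"` check means construct_pki_configuration_data() now runs unconditionally; if the deployer still accepts other instance types that is a behaviour change and is presumably intended, otherwise it should be confirmed. The `pki.server` import used by the removed block is likely now unused in this module, but the import section is outside the hunk.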
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 3dc7f66de..236e665e0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -22,6 +22,7 @@ from __future__ import absolute_import
# PKI Deployment Imports
from .. import pkiconfig as config
+from .. import pkihelper
from .. import pkimessages as log
from .. import pkiscriptlet
@@ -44,6 +45,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # Finalize configuration
+ config_client = pkihelper.ConfigClient(deployer)
+ config_client.connect()
+ config_client.clean_up()
+
# Optionally, programmatically 'enable' the configured PKI instance
# to be started upon system boot (default is True)
if not config.str2bool(deployer.mdict['pki_enable_on_system_boot']):
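Review bot: The new `config_client.clean_up()` call is made unconditionally, but the cert_import and configuration scriptlets return early when `pki_skip_configuration` is true, so with that setting finalization would POST cleanUp to an instance that was never configured and may not even be running; the three new lines should sit under `if not config.str2bool(deployer.mdict['pki_skip_configuration']):` (or whatever guard the rest of this spawn() uses, which is outside the hunk). The comment `# Finalize configuration` understates what the request does; `# Mark the subsystem configured and remove preop entries (server-side cleanUp)` matches the Java implementation in this commit.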