authorMatthew Harmsen <mharmsen@redhat.com>2012-05-18 10:52:06 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2012-05-18 11:06:37 -0700
commit924403a14e92112c3c3d696319759b65eb57a30c (patch)
treeae097f21c022bd21b4c8b655a0030a8bef3953a3
parent488480629da8cd7c7263fab9773ef5860ad12947 (diff)
PKI Deployment Scriptlets
* Introduced concept of "admin-domain" originally as a separate folder, and later incorporated this concept into an optional instance prefix * Revised definition of <pki_instance_id> to be identified as "[<pki_admin_domain_name>-]<pki_instance_name>" * Changed NSS security database model from one shared database by BOTH a single Tomcat AND single Apache instance into one per Tomcat instance (shared by CA/KRA/OCSP/TKS) and one per Apache instance (shared by RA/TPS) * Altered Configuration 'scriptlet' to invoke Jython for access to new Java configuration servlet * Renamed various "scriptlets" to comply with this new layout * Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment
-rw-r--r--base/deploy/CMakeLists.txt32
-rw-r--r--base/deploy/config/pkideployment.cfg22
-rwxr-xr-xbase/deploy/src/pkidestroy17
-rwxr-xr-xbase/deploy/src/pkispawn10
-rw-r--r--base/deploy/src/scriptlets/configuration.jy70
-rw-r--r--base/deploy/src/scriptlets/configuration.py49
-rw-r--r--base/deploy/src/scriptlets/finalization.py14
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py102
-rw-r--r--base/deploy/src/scriptlets/initialization.py8
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py145
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py33
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py197
-rw-r--r--base/deploy/src/scriptlets/pkijython.py200
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py23
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py268
-rw-r--r--base/deploy/src/scriptlets/pkiscriptlet.py2
-rw-r--r--base/deploy/src/scriptlets/security_databases.py50
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py2
-rw-r--r--base/deploy/src/scriptlets/subsystem_layout.py4
-rw-r--r--base/deploy/src/scriptlets/war_explosion.py2
-rw-r--r--base/deploy/src/scriptlets/webserver_layout.py152
21 files changed, 930 insertions, 472 deletions
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index f1bdafec4..44705818c 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -56,12 +56,15 @@ execute_process(
)
install(
FILES
+ src/scriptlets/configuration.jy
src/scriptlets/configuration.py
src/scriptlets/finalization.py
+ src/scriptlets/infrastructure_layout.py
src/scriptlets/initialization.py
src/scriptlets/instance_layout.py
src/scriptlets/pkiconfig.py
src/scriptlets/pkihelper.py
+ src/scriptlets/pkijython.py
src/scriptlets/pkilogging.py
src/scriptlets/pkimanifest.py
src/scriptlets/pkimessages.py
@@ -71,7 +74,6 @@ install(
src/scriptlets/slot_substitution.py
src/scriptlets/subsystem_layout.py
src/scriptlets/war_explosion.py
- src/scriptlets/webserver_layout.py
DESTINATION
${PYTHON_SITE_PACKAGES}/pki/deployment
PERMISSIONS
@@ -114,13 +116,13 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/instance_layout.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/010_instance_layout\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/infrastructure_layout.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/010_infrastructure_layout\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/webserver_layout.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/020_webserver_layout\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/instance_layout.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/020_instance_layout\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
@@ -170,16 +172,16 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
\"${PYTHON_SITE_PACKAGES}/pki/deployment/configuration.py\"
\"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/930_configuration\")"
)
-# install(CODE "execute_process(COMMAND
-# ${CMAKE_COMMAND} -E create_symlink
-# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\"
-# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_slot_substitution\")"
-# )
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
\"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_war_explosion\")"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_war_explosion\")"
)
+# install(CODE "execute_process(COMMAND
+# ${CMAKE_COMMAND} -E create_symlink
+# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\"
+# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_slot_substitution\")"
+# )
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
\"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\"
@@ -192,13 +194,13 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/webserver_layout.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/980_webserver_layout\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/instance_layout.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/980_instance_layout\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/instance_layout.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/990_instance_layout\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/infrastructure_layout.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/990_infrastructure_layout\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 1122daa9f..c9c356043 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,43 +1,37 @@
[Common]
-pki_source_root=/usr/share/pki
-pki_instance_root=/var/lib/pki
-pki_instance_log_root=/var/log/pki
-pki_instance_configuration_root=/etc/pki
-pki_instance_name=default
+pki_admin_domain_name=
pki_user=pkiuser
pki_group=pkiuser
pki_audit_group=pkiaudit
[Apache]
-pki_web_server=Apache
+pki_instance_name=apache
pki_http_port=80
pki_https_port=443
[Tomcat]
-pki_web_server=Tomcat
-pki_tomcat_root=/usr/share/tomcat
-pki_tomcat_systemd=/usr/sbin/tomcat-sysd
+pki_instance_name=tomcat
pki_http_port=8080
pki_https_port=8443
pki_ajp_port=8009
-pki_proxy_https_port=443
pki_proxy_http_port=80
+pki_proxy_https_port=443
pki_security_manager=true
[CA]
pki_subsystem=CA
pki_war_name=ca.war
-tomcat_server_port=9701
+pki_tomcat_server_port=9701
[KRA]
pki_subsystem=KRA
pki_war_name=kra.war
-tomcat_server_port=10701
+pki_tomcat_server_port=10701
[OCSP]
pki_subsystem=OCSP
pki_war_name=ocsp.war
-tomcat_server_port=11701
+pki_tomcat_server_port=11701
[RA]
pki_subsystem=RA
[TKS]
pki_subsystem=TKS
pki_war_name=tks.war
-tomcat_server_port=13701
+pki_tomcat_server_port=13701
[TPS]
pki_subsystem=TPS
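Review bot: `pki_admin_domain_name=` in [Common] is an empty value, and the commit message defines the instance id as `[<pki_admin_domain_name>-]<pki_instance_name>`, so a parser that passes the empty string through unchanged would yield an id with a leading `-`; pkiparser is not in this hunk, so please confirm the empty value is normalised to "no prefix". A comment in the file would spare the next reader that check: `# pki_admin_domain_name: optional; when non-empty it is prepended as "<name>-" to pki_instance_name to form the instance id`. The removed `pki_tomcat_root` and `pki_tomcat_systemd` keys now appear to come from the `PKI_DEPLOYMENT_TOMCAT_*` constants added in pkiconfig.py, which means they are no longer overridable per deployment; if that is intended, a line in the [Tomcat] section saying so would help.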
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index c54ba9a78..2d0b5d285 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -33,6 +33,7 @@ try:
import random
import socket
import string
+ import struct
import time
from time import strftime as date
from pki.deployment import pkiconfig as config
@@ -69,19 +70,12 @@ def main(argv):
config.pki_certificate_timestamp =\
date('%Y-%m-%d %H:%M:%S', time.localtime(ticks))
+ # Obtain the architecture bit-size
+ config.pki_architecture = struct.calcsize("P") * 8
+
# Retrieve hostname
config.pki_hostname = socket.gethostname()
- # Generate a random 'pin' for use as the security database password
- pin_low = 100000000000
- pin_high = 999999999999
- config.pki_pin = random.randint(pin_low, pin_high)
-
- # Generate a one-time pin to be used prior to configuration
- config.pki_one_time_pin =\
- ''.join(random.choice(string.ascii_letters + string.digits)\
- for x in range(20))
-
# Initialize 'pretty print' for objects
pp = pprint.PrettyPrinter(indent=4)
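Review bot: Removing the pin generation takes away the only uses of `random` and `string` visible in this file, yet the imports at the top of the first hunk stay; unless they are used elsewhere in pkidestroy (not visible here), drop them to keep the import block honest. The new `config.pki_architecture = struct.calcsize("P") * 8` reports the pointer width of the running Python interpreter, not of the OS, so a 32-bit interpreter on a 64-bit host yields 32; if the value is meant to select a native library path, that is worth a comment such as `# bit-size of the Python interpreter (pointer width), not necessarily of the OS`.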
@@ -131,6 +125,9 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
+ if not config.pki_admin_domain_name is None:
+ config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_admin_domain_name
if not config.pki_instance_name is None:
config.pki_common_dict['pki_instance_name'] =\
config.pki_instance_name
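Review bot: The new guard uses `if not config.pki_admin_domain_name is None:`, which is the form pylint and PEP 8 both flag; `if config.pki_admin_domain_name is not None:` reads as intended and is the idiom the rest of Python code uses. The same spelling appears in the added pkispawn hunk at the matching override block, and the existing `pki_instance_name` guard directly below has the same shape, so it would be consistent to fix all three at once. main() continues outside the hunk.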
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index c537b8e4d..d665f3c9f 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -33,6 +33,7 @@ try:
import random
import socket
import string
+ import struct
import time
from time import strftime as date
from pki.deployment import pkiconfig as config
@@ -69,13 +70,17 @@ def main(argv):
config.pki_certificate_timestamp =\
date('%Y-%m-%d %H:%M:%S', time.localtime(ticks))
+ # Obtain the architecture bit-size
+ config.pki_architecture = struct.calcsize("P") * 8
+
# Retrieve hostname
config.pki_hostname = socket.gethostname()
- # Generate a random 'pin' for use as the security database password
+ # Generate random 'pin's for use as security database passwords
pin_low = 100000000000
pin_high = 999999999999
config.pki_pin = random.randint(pin_low, pin_high)
+ config.pki_client_pin = random.randint(pin_low, pin_high)
# Generate a one-time pin to be used prior to configuration
config.pki_one_time_pin =\
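Review bot: `config.pki_client_pin = random.randint(pin_low, pin_high)` adds a second NSS database password drawn from the default Mersenne Twister generator, which is seeded from system time/pid when `random.seed()` is not called and is not designed for secrets; the pre-existing `pki_pin` has the same weakness and this hunk doubles the exposure. Python's stdlib offers an OS-entropy-backed drop-in: `rng = random.SystemRandom()` followed by `config.pki_pin = rng.randint(pin_low, pin_high)` and `config.pki_client_pin = rng.randint(pin_low, pin_high)`, and the `random.choice` used for the one-time pin on the lines that follow should become `rng.choice` as well. The 12-digit numeric range also gives roughly 40 bits of entropy; if NSS accepts longer passwords, widening the range or using the alphanumeric form already used for the one-time pin would cost nothing. main() continues outside the hunk.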
@@ -149,6 +154,9 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
+ if not config.pki_admin_domain_name is None:
+ config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_admin_domain_name
if not config.pki_instance_name is None:
config.pki_common_dict['pki_instance_name'] =\
config.pki_instance_name
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
new file mode 100644
index 000000000..f7366c723
--- /dev/null
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -0,0 +1,70 @@
+#!/usr/bin/jython
+
+# System Python Imports
+import os
+import pickle
+import sys
+
+
+# PKI Python Imports
+import pkijython as jyutil
+import pkiconfig as config
+from pkiconfig import pki_master_jython_dict as master
+import pkimessages as log
+
+
+# System Java Imports
+from java.lang import System as javasystem
+
+
+def main(argv):
+ # Establish 'master' as the PKI jython dictionary
+ master = dict()
+
+ # import the master dictionary from 'pkispawn'
+ master = pickle.loads(argv[1])
+
+ # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging!
+ #
+ # Until, and unless, 'jython 2.5' or later is used,
+ # debugging will basically be limited to using 'print'
+ # since creating a logging mechanism for 'jython 2.2'
+ # would not make sense at this point in time, although
+ # a 'customized' manual log process could be created.
+ #
+ # Regardless of 'jython' version, the log file generated
+ # by this standalone 'jython' process would be unique and
+ # separate to the log file generated for the PKI
+ # deployment scriptlets 'python' process, as they exist
+ # as two separate processes (until and unless 'jython 2.7'
+ # could be used to completely replace 'python 2.7',
+ # in which case a single process could be executed
+ # end-to-end from installation through configuration).
+ #
+ if master['pki_jython_log_level'] >= config.PKI_JYTHON_DEBUG_LOG_LEVEL:
+ # javasystem.out.println("Hello")
+ print "%s %s" %\
+ (log.PKI_JYTHON_INDENTATION_2, sys.path)
+ print "%s %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ javasystem.getProperties()['java.class.path'])
+ for key in master:
+ print "%s '%s' = '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2, key, master[key])
+
+ # Initialize token
+ jyutil.security_databases.initialize_token(
+ master['pki_client_database_path'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+ # Log into token
+ jyutil.security_databases.log_into_token(
+ master['pki_client_database_path'],
+ master['pki_client_password_conf'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+
+if __name__ == "__main__":
+ main(sys.argv)
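Review bot: `master = pickle.loads(argv[1])` receives the entire master dictionary as a command-line argument, so the pickled contents (which, given `master['pki_client_pin']` in configuration.py, include the client database password) are readable by any local user through the process list while the jython process runs; pass the pickle over stdin instead, `master = pickle.load(sys.stdin)`, with the matching change on the `util.jython.invoke` side, which is not in this commit's visible hunks. In the same spirit, the debug branch prints every key and value of the dictionary to stdout, so the pins land in whatever captures that output; consider skipping keys containing `pin` or `password` in that loop. The `master = dict()` on the line before the unpickle is dead (overwritten immediately) and the local also shadows the module-level `pki_master_jython_dict as master` import, which is never used here; drop one of the two so a reader does not assume the module-level dict is populated.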
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index 45b325ce7..1155e9002 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -22,31 +22,66 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
+import pkihelper as util
import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Configuration Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
def spawn(self):
config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ util.directory.create(master['pki_client_path'], uid=0, gid=0)
+ util.password.create_password_conf(
+ master['pki_client_password_conf'],
+ master['pki_client_pin'])
+ util.directory.create(master['pki_client_database_path'],
+ uid=0, gid=0)
+ util.certutil.create_security_databases(
+ master['pki_client_database_path'],
+ master['pki_client_cert_database'],
+ master['pki_client_key_database'],
+ master['pki_client_secmod_database'],
+ password_file=master['pki_client_password_conf'])
+ else:
+ util.password.create_password_conf(
+ master['pki_client_password_conf'],
+ master['pki_client_pin'])
+ util.certutil.create_security_databases(
+ master['pki_client_database_path'],
+ master['pki_client_cert_database'],
+ master['pki_client_key_database'],
+ master['pki_client_secmod_database'],
+ password_file=master['pki_client_password_conf'])
+ # Pass control to the Java servlet via Jython 2.2 'configuration.jy'
+ util.jython.invoke(master['pki_jython_configuration_scriptlet'])
return self.rv
def respawn(self):
config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
return self.rv
def destroy(self):
config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ util.directory.delete(master['pki_client_path'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
+ util.directory.delete(master['pki_client_path'])
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ util.directory.delete(master['pki_client_path'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
+ util.directory.delete(master['pki_client_path'])
return self.rv
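Review bot: In spawn() the dry-run and non-dry-run branches repeat the `create_password_conf` and `create_security_databases` calls verbatim, differing only in the two `util.directory.create` calls, so a future change to the certutil arguments must be made twice; hoist the shared calls and guard only the directory creation. The password conf written here holds the client pin, so it is worth confirming (not visible in this hunk) that `util.password.create_password_conf` creates the file with a restrictive mode, and that `create_security_databases` honours `pki_dry_run_flag` itself, since it is invoked on the dry-run path too. destroy() shows the same duplication with `== 0` versus `== 1` as the only difference.
```python
    def spawn(self):
        config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        # Directories are only created outside a dry run; the password and
        # database helpers are called either way (presumably they honour
        # pki_dry_run_flag themselves - confirm in pkihelper).
        if not config.pki_dry_run_flag:
            util.directory.create(master['pki_client_path'], uid=0, gid=0)
        util.password.create_password_conf(
            master['pki_client_password_conf'],
            master['pki_client_pin'])
        if not config.pki_dry_run_flag:
            util.directory.create(master['pki_client_database_path'],
                                  uid=0, gid=0)
        util.certutil.create_security_databases(
            master['pki_client_database_path'],
            master['pki_client_cert_database'],
            master['pki_client_key_database'],
            master['pki_client_secmod_database'],
            password_file=master['pki_client_password_conf'])
        # Pass control to the Java servlet via Jython 2.2 'configuration.jy'
        util.jython.invoke(master['pki_jython_configuration_scriptlet'])
        return self.rv
```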
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 9a3c23cb5..acf51391a 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -28,7 +28,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Finalization Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
@@ -43,8 +43,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Save a timestamped copy of the installation manifest file
filename = master['pki_root_prefix'] +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_name'] + "/" +\
- master['pki_web_server'].lower() + "/" +\
+ master['pki_instance_id'] + "/" +\
master['pki_subsystem'].lower() +"/" +\
"spawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
@@ -59,7 +58,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Log final process messages
config.pki_log.info(log.PKISPAWN_END_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
if not config.pki_dry_run_flag:
util.file.modify(master['pki_spawn_log'], silent=True)
@@ -77,8 +76,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Save a timestamped copy of the updated manifest file
filename = master['pki_root_prefix'] +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_name'] + "/" +\
- master['pki_web_server'].lower() + "/" +\
+ master['pki_instance_id'] + "/" +\
master['pki_subsystem'].lower() +"/" +\
"respawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
@@ -93,7 +91,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Log final process messages
config.pki_log.info(log.PKIRESPAWN_END_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
if not config.pki_dry_run_flag:
util.file.modify(master['pki_respawn_log'], silent=True)
@@ -104,7 +102,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
if not config.pki_dry_run_flag:
util.file.modify(master['pki_destroy_log'], silent=True)
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
new file mode 100644
index 000000000..fd94de512
--- /dev/null
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -0,0 +1,102 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Top-Level Infrastructure Layout Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # establish top-level infrastructure base
+ util.directory.create(master['pki_path'])
+ # establish top-level infrastructure logs
+ util.directory.create(master['pki_log_path'])
+ # establish top-level infrastructure configuration
+ if master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.create(master['pki_configuration_path'])
+ # establish top-level infrastructure registry
+ util.directory.create(master['pki_registry_path'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # update top-level infrastructure base
+ util.directory.modify(master['pki_path'])
+ # update top-level infrastructure logs
+ util.directory.modify(master['pki_log_path'])
+ # update top-level infrastructure configuration
+ if master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.modify(master['pki_configuration_path'])
+ # update top-level infrastructure registry
+ util.directory.modify(master['pki_registry_path'])
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # remove top-level infrastructure base
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 0:
+ # remove top-level infrastructure base
+ util.directory.delete(master['pki_path'])
+ # remove top-level infrastructure logs
+ util.directory.delete(master['pki_log_path'])
+ # remove top-level infrastructure configuration
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove top-level infrastructure registry
+ util.directory.delete(master['pki_registry_path'])
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ util.file.delete(master['pki_target_tomcat_conf'])
+
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 1:
+ # remove top-level infrastructure base
+ util.directory.delete(master['pki_path'])
+ # remove top-level infrastructure logs
+ util.directory.delete(master['pki_log_path'])
+ # remove top-level infrastructure configuration
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove top-level infrastructure registry
+ util.directory.delete(master['pki_registry_path'])
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ util.file.delete(master['pki_target_tomcat_conf'])
+ return self.rv
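Review bot: The new module is documented as the "Top-Level Infrastructure Layout Scriptlet" and installed as `010_infrastructure_layout`, yet all three methods log with `log.ADMIN_DOMAIN_SPAWN_1` / `_RESPAWN_1` / `_DESTROY_1`, which reflects the earlier admin-domain folder design the commit message says was dropped; either rename the message constants in pkimessages.py or add a comment on the first log call, `# ADMIN_DOMAIN_* messages predate the infrastructure_layout rename`, so the mismatch is not mistaken for a wrong constant. In destroy() the dry-run and real branches are identical except for comparing `pki_subsystem_instances()` against 0 or 1; `expected = 1 if config.pki_dry_run_flag else 0` and `util.instance.pki_subsystem_instances() == expected` lets the second copy go away. The `util.file.delete(master['pki_target_tomcat_conf'])` is run when the last PKI subsystem instance of any kind is removed, which only matters for Tomcat; that looks intentional but a one-line comment stating it would help.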
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 408ddfb59..3077737c8 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -27,14 +27,14 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Initialization Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
def spawn(self):
config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
@@ -49,7 +49,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def respawn(self):
config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
@@ -64,7 +64,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def destroy(self):
config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index baa261cad..60e94d1a1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -27,7 +27,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Instance Layout Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
@@ -35,93 +35,134 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.INSTANCE_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# establish instance base
- util.directory.create(master['pki_path'])
util.directory.create(master['pki_instance_path'])
# establish instance logs
- util.directory.create(master['pki_log_path'])
util.directory.create(master['pki_instance_log_path'])
# establish instance configuration
- if master['pki_configuration_path'] !=\
- config.PKI_SHARED_CONFIGURATION_ROOT:
- util.directory.create(master['pki_configuration_path'])
util.directory.create(master['pki_instance_configuration_path'])
# establish instance registry
- util.directory.create(master['pki_registry_path'])
util.directory.create(master['pki_instance_registry_path'])
- # establish shared NSS security databases
+ # establish Apache/Tomcat specific instance
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # establish Tomcat instance base
+ util.directory.create(master['pki_tomcat_common_path'])
+ util.directory.create(master['pki_tomcat_common_lib_path'])
+ util.directory.create(master['pki_tomcat_webapps_path'])
+ util.directory.create(master['pki_tomcat_webapps_root_path'])
+ util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
+ util.file.copy(master['pki_source_webapps_root_web_xml'],
+ master['pki_tomcat_webapps_root_webinf_web_xml'],
+ overwrite_flag=True)
+ util.directory.create(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.create(
+ master['pki_tomcat_webapps_webinf_classes_path'])
+ util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
+ # establish Tomcat instance logs
+ # establish Tomcat instance configuration
+ # establish Tomcat instance registry
+ # establish Tomcat instance convenience
+ # symbolic links
+ util.symlink.create(master['pki_tomcat_bin_path'],
+ master['pki_tomcat_bin_link'])
+ util.symlink.create(master['pki_tomcat_lib_path'],
+ master['pki_tomcat_lib_link'])
+ util.symlink.create(master['pki_tomcat_systemd'],
+ master['pki_instance_systemd_link'])
+ # establish shared NSS security databases for this instance
util.directory.create(master['pki_database_path'])
- # establish convenience symbolic links
+ # establish instance convenience symbolic links
util.symlink.create(master['pki_database_path'],
master['pki_instance_database_link'])
+ util.symlink.create(master['pki_instance_configuration_path'],
+ master['pki_instance_conf_link'])
+ util.symlink.create(master['pki_instance_log_path'],
+ master['pki_instance_logs_link'])
return self.rv
def respawn(self):
config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# update instance base
- util.directory.modify(master['pki_path'])
util.directory.modify(master['pki_instance_path'])
# update instance logs
- util.directory.modify(master['pki_log_path'])
util.directory.modify(master['pki_instance_log_path'])
# update instance configuration
- if master['pki_configuration_path'] !=\
- config.PKI_SHARED_CONFIGURATION_ROOT:
- util.directory.modify(master['pki_configuration_path'])
util.directory.modify(master['pki_instance_configuration_path'])
# update instance registry
- util.directory.modify(master['pki_registry_path'])
util.directory.modify(master['pki_instance_registry_path'])
- # update shared NSS security databases
+ # update Apache/Tomcat specific instance
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # update Tomcat instance base
+ util.directory.modify(master['pki_tomcat_common_path'])
+ util.directory.modify(master['pki_tomcat_common_lib_path'])
+ util.directory.modify(master['pki_tomcat_webapps_path'])
+ util.directory.modify(master['pki_tomcat_webapps_root_path'])
+ util.directory.modify(master['pki_tomcat_webapps_root_webinf_path'])
+ util.file.copy(master['pki_source_webapps_root_web_xml'],
+ master['pki_tomcat_webapps_root_webinf_web_xml'],
+ overwrite_flag=True)
+ util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.modify(
+ master['pki_tomcat_webapps_webinf_classes_path'])
+ util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
+ # update Tomcat instance logs
+ # update Tomcat instance configuration
+ # update Tomcat instance registry
+ # update Tomcat instance convenience symbolic links
+ util.symlink.modify(master['pki_tomcat_bin_link'])
+ util.symlink.modify(master['pki_tomcat_lib_link'])
+ # update shared NSS security databases for this instance
util.directory.modify(master['pki_database_path'])
- # update convenience symbolic links
+ # update instance convenience symbolic links
util.symlink.modify(master['pki_instance_database_link'])
+ util.symlink.modify(master['pki_instance_conf_link'])
+ util.symlink.modify(master['pki_instance_logs_link'])
return self.rv
def destroy(self):
config.pki_log.info(log.INSTANCE_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- # remove instance base
if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 0:
- # remove instance base
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ # remove Apache instance base
util.directory.delete(master['pki_instance_path'])
- util.directory.delete(master['pki_path'])
- # remove instance logs
- util.directory.delete(master['pki_instance_log_path'])
- util.directory.delete(master['pki_log_path'])
- # remove shared NSS security database path
+ # remove Apache instance logs
+ # remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
- # remove instance configuration
+ # remove Apache instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
- if util.directory.is_empty(master['pki_configuration_path'])\
- and master['pki_configuration_path'] !=\
- config.PKI_SHARED_CONFIGURATION_ROOT:
- util.directory.delete(master['pki_configuration_path'])
- # remove instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- util.directory.delete(master['pki_registry_path'])
- util.file.delete(master['pki_target_tomcat_conf'])
-
+ # remove Apache instance registry
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
+ # remove Tomcat instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Tomcat instance logs
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Tomcat instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove Tomcat instance registry
else:
# ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 1:
- # remove instance base
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ # remove Apache instance base
util.directory.delete(master['pki_instance_path'])
- util.directory.delete(master['pki_path'])
- # remove instance logs
- util.directory.delete(master['pki_instance_log_path'])
- util.directory.delete(master['pki_log_path'])
- # remove shared NSS security database path
+ # remove Apache instance logs
+ # remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
- if util.directory.is_empty(master['pki_configuration_path'])\
- and master['pki_configuration_path'] !=\
- config.PKI_SHARED_CONFIGURATION_ROOT:
- util.directory.delete(master['pki_configuration_path'])
- # remove instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- util.directory.delete(master['pki_registry_path'])
- util.file.delete(master['pki_target_tomcat_conf'])
+ # remove Apache instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove Apache instance registry
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
+ # remove Tomcat instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Tomcat instance logs
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Tomcat instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove Tomcat instance registry
return self.rv
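Review bot: destroy() now leaves `# remove Apache instance logs`, `# remove Apache instance registry` and the Tomcat equivalents as comments with no code beneath them, while the deletions of `pki_instance_log_path` and `pki_instance_registry_path` that used to follow are removed; a reader cannot tell whether keeping logs and registry on destroy is deliberate (plausible for audit logs) or an unfinished port. Either restore the calls or replace each placeholder with a statement of intent, e.g. `# instance logs are intentionally retained after destroy`. spawn() additionally creates `pki_instance_systemd_link`, `pki_tomcat_bin_link`, `pki_tomcat_lib_link`, `pki_instance_conf_link` and `pki_instance_logs_link`, but destroy() removes none of them explicitly; links that live inside `pki_instance_path` go with that directory, whereas the systemd link presumably lives outside it and would be left dangling, and respawn() does not `modify` it either. The spawn() signature is above the hunk and the class continues past it.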
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 31b05312c..76d54ad15 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -19,10 +19,6 @@
# All rights reserved.
#
-# System Imports
-import logging
-
-
# PKI Deployment Constants
PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770
PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770
@@ -43,6 +39,13 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
+PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
+PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat"
+PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd"
+PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki"
+# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package!
+PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki"
+PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki"
# NOTE: Well-known 'registry root', default 'instance', and default
# 'configuration file' names MUST be created in order to potentially
# obtain an instance-specific configuration file
@@ -53,20 +56,29 @@ PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
# in the configuration file (the value in the default configuration file
# should always match the 'default' instance name specified below).
PKI_DEPLOYMENT_REGISTRY_ROOT = "/etc/sysconfig/pki"
-PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "default"
+PKI_DEPLOYMENT_DEFAULT_ADMIN_DOMAIN_NAME = None
+PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "apache"
+PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "tomcat"
PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
"/usr/share/pki/deployment/config/pkislots.cfg"
-# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package!
-PKI_SHARED_CONFIGURATION_ROOT = "/etc/pki"
+
+# PKI Deployment Jython 2.2 Constants
+PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
+PKI_JYTHON_ERROR_LOG_LEVEL = 2
+PKI_JYTHON_WARNING_LOG_LEVEL = 3
+PKI_JYTHON_INFO_LOG_LEVEL = 4
+PKI_JYTHON_DEBUG_LOG_LEVEL = 5
# PKI Deployment Global Variables
pki_install_time = None
pki_timestamp = None
+pki_architecture = None
pki_hostname = None
pki_pin = None
+pki_client_pin = None
pki_one_time_pin = None
@@ -80,6 +92,7 @@ pki_root_prefix = None
pki_update_flag = False
# PKI Deployment "Custom" Command-Line Variables
+pki_admin_domain_name = None
pki_instance_name = None
pki_http_port = None
pki_https_port = None
@@ -87,11 +100,12 @@ pki_ajp_port = None
# PKI Deployment Logger Variables
+pki_jython_log_level = None
pki_log = None
pki_log_dir = None
pki_log_name = None
-pki_log_level = logging.INFO
-pki_console_log_level = logging.WARNING
+pki_log_level = None
+pki_console_log_level = None
# PKI Deployment Global Dictionaries
@@ -100,3 +114,4 @@ pki_web_server_dict = None
pki_subsystem_dict = None
pki_master_dict = None
pki_slots_dict = None
+pki_master_jython_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index b04af2db0..b88eafe72 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -25,6 +25,7 @@ import errno
import sys
import os
import fileinput
+import pickle
import random
import shutil
import string
@@ -174,27 +175,27 @@ class instance:
def apache_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_webserver_path']) or\
- not os.path.isdir(master['pki_webserver_path']):
+ if not os.path.exists(master['pki_instance_path']) or\
+ not os.path.isdir(master['pki_instance_path']):
config.pki_log.error(
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_webserver_path'],
+ master['pki_instance_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# count number of PKI subsystems present
- # within the specfied Apache instance
+ # within the specified Apache instance
for subsystem in config.PKI_APACHE_SUBSYSTEMS:
- path = master['pki_webserver_path'] + "/" + subsystem.lower()
+ path = master['pki_instance_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- master['pki_webserver_path'], rv - 1,
+ master['pki_instance_path'], rv - 1,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- master['pki_webserver_path'],
+ master['pki_instance_path'],
rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -205,27 +206,29 @@ class instance:
def pki_subsystem_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_instance_path']) or\
- not os.path.isdir(master['pki_instance_path']):
+ if not os.path.exists(master['pki_path']) or\
+ not os.path.isdir(master['pki_path']):
config.pki_log.error(
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_instance_path'],
+ master['pki_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- # count total number of Apache PKI subsystems present
- # within the specfied PKI instance
- for apache_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- apache_path = master['pki_instance_path'] + "/" + "apache" +\
- "/" + apache_subsystem.lower()
- if os.path.exists(apache_path) and os.path.isdir(apache_path):
- rv = rv + 1
- # count total number of Tomcat PKI subsystems present
- # within the specfied PKI instance
- for tomcat_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- tomcat_path = master['pki_instance_path'] + "/" + "tomcat" +\
- "/" + tomcat_subsystem.lower()
- if os.path.exists(tomcat_path) and os.path.isdir(tomcat_path):
- rv = rv + 1
+ # Since ALL directories within the top-level PKI infrastructure
+ # SHOULD represent PKI instances, look for all possible
+ # PKI instances within the top-level PKI infrastructure
+ for instance in os.listdir(master['pki_path']):
+ if os.path.isdir(os.path.join(master['pki_path'],instance))\
+ and not\
+ os.path.islink(os.path.join(master['pki_path'],instance)):
+ dir = os.path.join(master['pki_path'],instance)
+ # Since ANY directory within this PKI instance COULD
+ # be a PKI subsystem, look for all possible
+ # PKI subsystems within this PKI instance
+ for name in os.listdir(dir):
+ if os.path.isdir(os.path.join(dir,name)) and\
+ not os.path.islink(os.path.join(dir,name)):
+ if name.upper() in config.PKI_SUBSYSTEMS:
+ rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2,
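Review bot: The rewritten loop in pki_subsystem_instances shadows the builtin `dir` and computes `os.path.join(master['pki_path'], instance)` three times for the same entry; compute it once, `instance_dir = os.path.join(master['pki_path'], instance)`, test `if os.path.isdir(instance_dir) and not os.path.islink(instance_dir):`, and reuse it for the inner `os.listdir`. Excluding symlinks at both levels is the right call for a counter that later decides whether shared directories get deleted, so keep that part as is. The enclosing try/except continues below the hunk.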
@@ -244,27 +247,27 @@ class instance:
def tomcat_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_webserver_path']) or\
- not os.path.isdir(master['pki_webserver_path']):
+ if not os.path.exists(master['pki_instance_path']) or\
+ not os.path.isdir(master['pki_instance_path']):
config.pki_log.error(
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_webserver_path'],
+ master['pki_instance_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# count number of PKI subsystems present
- # within the specfied Tomcat instance
+ # within the specified Tomcat instance
for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- path = master['pki_webserver_path'] + "/" + subsystem.lower()
+ path = master['pki_instance_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
- master['pki_webserver_path'], rv - 1,
+ master['pki_instance_path'], rv - 1,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
- master['pki_webserver_path'],
+ master['pki_instance_path'],
rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -277,7 +280,7 @@ class instance:
if not os.path.exists(master['pki_subsystem_path']):
config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_1)
sys.exit(1)
except OSError as exc:
@@ -290,7 +293,7 @@ class instance:
if os.path.exists(master['pki_subsystem_path']):
config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2,
master['pki_subsystem'],
- master['pki_instance_name'],
+ master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_1)
sys.exit(1)
except OSError as exc:
@@ -1292,7 +1295,8 @@ class war:
# PKI Deployment Password Class
class password:
- def create_password_conf(self, path, overwrite_flag=False):
+ def create_password_conf(self, path, pin, overwrite_flag=False,
+ critical_failure=True):
try:
if not config.pki_dry_run_flag:
if os.path.exists(path):
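Review bot: Inserting `pin` as a new required positional parameter ahead of `overwrite_flag` silently re-binds any caller that still passes the flag positionally, so `create_password_conf(path, True)` would now write the string `True` as the PIN instead of overwriting the file; the call sites are not in this hunk, so please confirm they all pass `pin` and use keywords for the two flags. The new `critical_failure` parameter is not referenced in the visible lines, so confirm the except path further down actually consults it. The method body continues outside the hunk.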
@@ -1304,11 +1308,11 @@ class password:
with open(path, "wt") as fd:
if master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
- fd.write("internal" + ":" +\
- str(master['pki_pin']))
+ fd.write(master['pki_self_signed_token'] +\
+ ":" + str(pin))
else:
- fd.write("internal" + "=" +\
- str(master['pki_pin']))
+ fd.write(master['pki_self_signed_token'] +\
+ "=" + str(pin))
fd.closed
else:
config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
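Review bot: The cleartext PIN is written through `open(path, "wt")`, which creates the file with whatever mode the process umask allows, so unless the mode is tightened elsewhere (nothing in this hunk does it) the password file can be group- or world-readable from the moment it is created; create it with a restrictive mode up front, `with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "w") as fd:`. The trailing `fd.closed` is an attribute read rather than a call and is redundant inside `with`, so drop it. create_password_conf begins outside the hunk.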
@@ -1317,11 +1321,11 @@ class password:
with open(path, "wt") as fd:
if master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
- fd.write("internal" + ":" +\
- str(master['pki_pin']))
+ fd.write(master['pki_self_signed_token'] +\
+ ":" + str(pin))
else:
- fd.write("internal" + "=" +\
- str(master['pki_pin']))
+ fd.write(master['pki_self_signed_token'] +\
+ "=" + str(pin))
fd.closed
else:
if not os.path.exists(path) or overwrite_flag:
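Review bot: This branch writes exactly the same `<token>=<pin>` / `<token>:<pin>` line as the branch directly above it; move the write into a small private helper such as `_write_password_conf(path, pin)` so the line format and the file mode are maintained in one place. Because that line holds the cleartext PIN, the helper should create the file with mode 0600 (`os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "w")`) rather than plain `open(path, "wt")`, which inherits the umask. The `fd.closed` expression after the write is a no-op.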
@@ -1337,7 +1341,9 @@ class password:
# PKI Deployment NSS 'certutil' Class
class certutil:
- def create_security_databases(self, path, password_file=None, prefix=None,
+ def create_security_databases(self, path, pki_cert_database,
+ pki_key_database, pki_secmod_database,
+ password_file=None, prefix=None,
critical_failure=True):
try:
# Compose this "certutil" command
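Review bot: create_security_databases gains three required positional parameters ahead of `password_file` and `prefix`, so a caller still written as `create_security_databases(path, pwfile)` would now bind the password file path to `pki_cert_database` and fail the existence checks below with a misleading message. The call sites are not in this hunk, so please confirm they were all updated and consider passing `password_file=` and `prefix=` by keyword there. The method body continues below the hunk.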
@@ -1360,15 +1366,15 @@ class certutil:
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- if os.path.exists(master['pki_cert_database']) or\
- os.path.exists(master['pki_key_database']) or\
- os.path.exists(master['pki_secmod_database']):
+ if os.path.exists(pki_cert_database) or\
+ os.path.exists(pki_key_database) or\
+ os.path.exists(pki_secmod_database):
# Simply notify user that the security databases exist
config.pki_log.info(
log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
if password_file != None:
@@ -1387,15 +1393,15 @@ class certutil:
# Execute this "certutil" command
subprocess.call(command, shell=True)
else:
- if os.path.exists(master['pki_cert_database']) or\
- os.path.exists(master['pki_key_database']) or\
- os.path.exists(master['pki_secmod_database']):
+ if os.path.exists(pki_cert_database) or\
+ os.path.exists(pki_key_database) or\
+ os.path.exists(pki_secmod_database):
# Simply notify user that the security databases exist
config.pki_log.info(
log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
# Display this "certutil" command
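Review bot: `subprocess.call(command, shell=True)` on the non-dry-run path discards certutil's exit status, so a failed `certutil -N` (bad password file, unwritable directory) leaves no databases behind yet raises nothing, and the `CalledProcessError` handling that `critical_failure` is attached to never fires; use `subprocess.check_call(command, shell=True)` as verify_certificate_exists already does. Since `path` and `password_file` are spliced into a shell string (composed above the hunk), an argv list with `shell=False` would also remove the quoting hazard. The method's except clause is outside the hunk.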
@@ -1415,8 +1421,10 @@ class certutil:
sys.exit(1)
return
- def verify_certificate_exists(self, path, token, nickname,
- password_file=None):
+ def verify_certificate_exists(self, path, pki_cert_database,
+ pki_key_database, pki_secmod_database,
+ token, nickname, password_file=None,
+ silent=True):
rv = 0
try:
# Compose this "certutil" command
@@ -1448,7 +1456,8 @@ class certutil:
# OPTIONALLY specify a password file
if password_file != None:
command = command + " " + "-f" + " " + password_file
- # Always execute this command silently
+ # By default, execute this command silently
+ if silent != False:
command = command + " > /dev/null 2>&1"
if not config.pki_dry_run_flag:
if not os.path.exists(path):
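Review bot: `if silent != False:` is a roundabout truthiness test; write `if silent:` (the only input that behaves differently is `None`, which this parameter should not receive). Note that the `> /dev/null 2>&1` redirect only works because the command goes through a shell; if the command is ever switched to an argv list, pass `stdout`/`stderr` to subprocess instead.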
@@ -1456,15 +1465,15 @@ class certutil:
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- if not os.path.exists(master['pki_cert_database']) or\
- not os.path.exists(master['pki_key_database']) or\
- not os.path.exists(master['pki_secmod_database']):
+ if not os.path.exists(pki_cert_database) or\
+ not os.path.exists(pki_key_database) or\
+ not os.path.exists(pki_secmod_database):
# NSS security databases MUST exist!
config.pki_log.error(
log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
if password_file != None:
@@ -1477,9 +1486,9 @@ class certutil:
sys.exit(1)
else:
# Check for first time through as dry_run
- if not os.path.exists(master['pki_cert_database']) or\
- not os.path.exists(master['pki_key_database']) or\
- not os.path.exists(master['pki_secmod_database']):
+ if not os.path.exists(pki_cert_database) or\
+ not os.path.exists(pki_key_database) or\
+ not os.path.exists(pki_secmod_database):
return False
# Execute this "certutil" command
subprocess.check_call(command, shell=True)
@@ -1492,7 +1501,9 @@ class certutil:
sys.exit(1)
return True
- def generate_self_signed_certificate(self, path, token, nickname,
+ def generate_self_signed_certificate(self, path, pki_cert_database,
+ pki_key_database, pki_secmod_database,
+ token, nickname,
subject, serial_number,
validity_period, issuer_name,
trustargs, noise_file,
@@ -1591,15 +1602,15 @@ class certutil:
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- if not os.path.exists(master['pki_cert_database']) or\
- not os.path.exists(master['pki_key_database']) or\
- not os.path.exists(master['pki_secmod_database']):
+ if not os.path.exists(pki_cert_database) or\
+ not os.path.exists(pki_key_database) or\
+ not os.path.exists(pki_secmod_database):
# NSS security databases MUST exist!
config.pki_log.error(
log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
if not os.path.exists(noise_file):
@@ -1631,6 +1642,43 @@ class certutil:
return
+# PKI Deployment 'jython' Class
+class jython:
+ def invoke(self, scriptlet, critical_failure=True):
+ try:
+ # From 'http://www.jython.org/archive/22/userfaq.html':
+ # Setting this to false will allow Jython to provide access to
+ # non-public fields, methods, and constructors of Java objects.
+ property = "-Dpython.security.respectJavaAccessibility=false"
+ # comment the next line out to use the "property" defined above
+ property = ""
+ # Compose this "jython" command
+ data = pickle.dumps(master)
+ ld_library_path = "LD_LIBRARY_PATH"
+ if master['pki_architecture'] == 64:
+ ld_library_path = ld_library_path + "=" +\
+ "/usr/lib64/jss:/usr/lib64:/lib64:" +\
+ "/usr/lib/jss:/usr/lib:/lib"
+ else:
+ ld_library_path = ld_library_path + "=" +\
+ "/usr/lib/jss:/usr/lib:/lib"
+ command = "export" + " " + ld_library_path + ";" + "jython" + " " +\
+ property + " " + scriptlet + " " + "\"" + data + "\""
+ # Display this "jython" command
+ config.pki_log.info(
+ log.PKIHELPER_INVOKE_JYTHON_3,
+ ld_library_path, property, scriptlet,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Invoke this "jython" command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
# PKI Deployment Helper Class Instances
identity = identity()
instance = instance()
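Review bot: The pickled master dictionary is passed to jython as a command-line argument, and compose_pki_master_dictionary stores `pki_pin`, `pki_client_pin` and `pki_one_time_pin` in that dictionary, so for the lifetime of the jython process every local user can read the PINs from `ps` or `/proc/<pid>/cmdline`. The same bytes are pasted unescaped between double quotes into a `shell=True` command, so any `"`, `$`, backquote or backslash emitted by pickle is interpreted by the shell and the scriptlet receives a corrupted payload. `subprocess.call` never raises `CalledProcessError`, so the except clause is dead and `critical_failure` has no effect, and `property` is assigned twice with the second assignment discarding the first. Hand the dictionary to the scriptlet over stdin using an argv list and `env=` for LD_LIBRARY_PATH, then check the exit status; the scriptlet (not in this hunk) must read its input from stdin correspondingly.
```python
            # Hand the pickled dictionary to the scriptlet over stdin so the
            # PINs it carries never appear in the process list
            data = pickle.dumps(master)
            if master['pki_architecture'] == 64:
                ld_library_path = "/usr/lib64/jss:/usr/lib64:/lib64:" +\
                                  "/usr/lib/jss:/usr/lib:/lib"
            else:
                ld_library_path = "/usr/lib/jss:/usr/lib:/lib"
            env = dict(os.environ)
            env["LD_LIBRARY_PATH"] = ld_library_path
            command = ["jython", scriptlet]
            # ... unchanged: log call (pass ld_library_path, "", scriptlet) ...
            proc = subprocess.Popen(command, stdin=subprocess.PIPE, env=env)
            proc.communicate(data)
            if proc.returncode != 0:
                raise subprocess.CalledProcessError(proc.returncode,
                                                    " ".join(command))
```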
@@ -1640,3 +1688,4 @@ symlink = symlink()
war = war()
password = password()
certutil = certutil()
+jython = jython()
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
new file mode 100644
index 000000000..9c8765a80
--- /dev/null
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -0,0 +1,200 @@
+#!/usr/bin/jython
+
+# System Java Imports
+from java.io import BufferedReader
+from java.io import ByteArrayInputStream
+from java.io import FileReader
+from java.io import IOException
+from java.lang import String as javastring
+from java.lang import System as javasystem
+from java.net import URISyntaxException
+from java.security import KeyPair
+from java.security import NoSuchAlgorithmException
+from java.util import ArrayList
+from java.util import Collection
+from java.util import Iterator
+from org.python.core import PyDictionary
+import jarray
+
+
+# System Python Imports
+import os
+import sys
+pki_python_module_path = os.path.join(sys.prefix,
+ "lib",
+ "python" + str(sys.version_info[0]) +
+ "." + str(sys.version_info[1]),
+ "site-packages",
+ "pki",
+ "deployment",
+ "configuration.jy")
+sys.path.append(pki_python_module_path)
+
+
+# http://www.jython.org/jythonbook/en/1.0/appendixB.html#working-with-classpath
+###############################################################################
+# from http://forum.java.sun.com/thread.jspa?threadID=300557
+#
+# Author: SG Langer Jan 2007 translated the above Java to this Jython class
+# Purpose: Allow runtime additions of new Class/jars either from local files
+# or URL
+###############################################################################
+class classPathHacker:
+ import java.lang.reflect.Method
+ import java.io.File
+ import java.net.URL
+ import java.net.URLClassLoader
+ import jarray
+
+ def addFile(self, s):
+ ##################################################
+ # Purpose: If adding a file/jar call this first
+ # with s = path_to_jar
+ ##################################################
+
+ # make a URL out of 's'
+ f = self.java.io.File (s)
+ u = f.toURL ()
+ a = self.addURL (u)
+ return a
+
+ def addURL(self, u):
+ ###########################################
+ # Purpose: Call this with u= URL for the
+ # new Class/jar to be loaded
+ ###########################################
+
+ parameters = self.jarray.array([self.java.net.URL],
+ self.java.lang.Class)
+ sysloader = self.java.lang.ClassLoader.getSystemClassLoader()
+ sysclass = self.java.net.URLClassLoader
+ method = sysclass.getDeclaredMethod("addURL", parameters)
+ a = method.setAccessible(1)
+ jar_a = self.jarray.array([u], self.java.lang.Object)
+ b = method.invoke(sysloader, jar_a)
+ return u
+
+
+# Dynamically Load Additional Java Jars ('append' to existing classpath)
+jarLoad = classPathHacker()
+# Webserver Jars
+jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-cli.jar")
+# Resteasy Jars
+jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar")
+jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar")
+jarLoad.addFile("/usr/share/java/scannotation.jar")
+# PKI Jars
+jarLoad.addFile("/usr/share/java/pki/pki-cms.jar")
+jarLoad.addFile("/usr/share/java/pki/pki-cmsutil.jar")
+jarLoad.addFile("/usr/share/java/pki/pki-nsutil.jar")
+# JSS JNI Jars
+#
+# NOTE: Always load 64-bit JNI 'jss4.jar'
+# PRIOR to 32-bit JNI 'jss4.jar'
+#
+jarLoad.addFile("/usr/lib64/java/jss4.jar")
+jarLoad.addFile("/usr/lib/java/jss4.jar")
+
+
+# Apache Commons Java Imports
+from org.apache.commons.cli import CommandLine
+from org.apache.commons.cli import CommandLineParser
+from org.apache.commons.cli import HelpFormatter
+from org.apache.commons.cli import Options
+from org.apache.commons.cli import ParseException
+from org.apache.commons.cli import PosixParser
+
+
+# JSS Java Imports
+from org.mozilla.jss import CryptoManager
+from org.mozilla.jss.asn1 import ASN1Util
+from org.mozilla.jss.asn1 import BIT_STRING
+from org.mozilla.jss.asn1 import INTEGER
+from org.mozilla.jss.asn1 import InvalidBERException
+from org.mozilla.jss.asn1 import SEQUENCE
+from org.mozilla.jss.crypto import AlreadyInitializedException
+from org.mozilla.jss.crypto import CryptoToken
+from org.mozilla.jss.crypto import KeyPairAlgorithm
+from org.mozilla.jss.crypto import KeyPairGenerator
+from org.mozilla.jss.crypto import TokenException
+from org.mozilla.jss.pkix.crmf import CertReqMsg
+from org.mozilla.jss.pkix.crmf import CertRequest
+from org.mozilla.jss.pkix.crmf import CertTemplate
+from org.mozilla.jss.pkix.crmf import POPOPrivKey
+from org.mozilla.jss.pkix.crmf import ProofOfPossession
+from org.mozilla.jss.pkix.primitive import Name
+from org.mozilla.jss.pkix.primitive import SubjectPublicKeyInfo
+from org.mozilla.jss.util import Password
+
+
+# PKI Java Imports
+from com.netscape.cms.servlet.csadmin import ConfigurationRESTClient
+from com.netscape.cms.servlet.csadmin.model import CertData
+from com.netscape.cms.servlet.csadmin.model import ConfigurationData
+from com.netscape.cms.servlet.csadmin.model import ConfigurationResponseData
+from com.netscape.cmsutil.util import Utils
+from netscape.security.x509 import X500Name
+
+
+# PKI Python Imports
+import pkiconfig as config
+import pkimessages as log
+
+
+# PKI Deployment 'security databases' Class
+class security_databases:
+ def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
+ try:
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_INITIALIZING_TOKEN,
+ pki_database_path)
+ if not pki_dry_run_flag:
+ CryptoManager.initialize(pki_database_path)
+ except AlreadyInitializedException, e:
+ # it is ok if it is already initialized
+ pass
+ except Exception, e:
+ javasystem.out.println("INITIALIZATION ERROR: " + str(e))
+ javasystem.exit(1)
+
+ def log_into_token(self, pki_database_path, password_conf,
+ pki_dry_run_flag, log_level):
+ try:
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_LOG_INTO_TOKEN,
+ pki_database_path)
+ if not pki_dry_run_flag:
+ manager = CryptoManager.getInstance()
+ token = manager.getInternalKeyStorageToken()
+ # Retrieve 'token_pwd' from 'password_conf'
+ #
+ # NOTE: For now, ONLY read the first line
+ # (which contains the password)
+ #
+ fd = open(password_conf, "r")
+ token_pwd = fd.readline()
+ fd.close
+ # Convert 'token_pwd' into a 'java char[]'
+ jtoken_pwd = jarray.array(token_pwd, 'c')
+ password = Password(jtoken_pwd)
+ try:
+ token.login(password)
+ except Exception, e:
+ javasystem.out.println("login Exception: " + str(e))
+ if not token.isLoggedIn():
+ token.initPassword(password, password)
+ except Exception, e:
+ javasystem.out.println("Exception in logging into token: " +\
+ str(e))
+ javasystem.exit(1)
+
+# PKI Deployment Jython Class Instances
+security_databases = security_databases()
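Review bot: log_into_token uses the entire first line of password_conf as the token password, but create_password_conf writes that line as `<token>=<pin>` (Tomcat) or `<token>:<pin>` (Apache), so the `internal=` prefix — and a trailing newline if one is ever present — becomes part of the password, the login fails, and control falls into `token.initPassword(password, password)`; strip the prefix, e.g. for the Tomcat form `token_pwd = fd.readline().rstrip("\r\n").split("=", 1)[-1]`, and confirm which of the two formats this scriptlet is handed. `fd.close` without parentheses is an attribute read and never closes the file. Falling through to `initPassword` after merely printing the login exception turns a wrong password into an attempt to set both the SO and user PINs of the token to that same value, which hides the real error; exit with a clear message unless the token is known to be uninitialized. `sys.path.append` is given the path of `configuration.jy` itself rather than its directory, so that entry cannot make anything importable.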
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 774b1f169..806a64e4d 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -123,6 +123,8 @@ PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\
# PKI Deployment "Helper" Messages
PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' "\
"Apache PKI subsystems"
+PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\
+ "slot substitutions on '%s'"
PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\
"'-c issuer-name' option!"
PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\
@@ -152,13 +154,13 @@ PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
PKIHELPER_GID_2 = "GID of '%s' is %s"
PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ."
+PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
+ "jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
PKIHELPER_IS_A_FILE_1 = "'%s' is a file"
PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink"
PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s"
PKIHELPER_LINK_S_2 = "ln -s %s %s"
-PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\
- "slot substitutions on '%s'"
PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
@@ -180,7 +182,21 @@ PKIHELPER_UID_2 = "UID of '%s' is %s"
PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
+# PKI Deployment Jython "Scriptlet" Messages
+# (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
+PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON "
+PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..."
+PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......."
+PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........."
+PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............."
+PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
+PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
+
+
# PKI Deployment "Scriptlet" Messages
+ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'"
+ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'"
+ADMIN_DOMAIN_SPAWN_1 = "populating '%s'"
CONFIGURATION_DESTROY_1 = "unconfiguring '%s'"
CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'"
CONFIGURATION_SPAWN_1 = "configuring '%s'"
@@ -208,6 +224,3 @@ SUBSYSTEM_SPAWN_1 = "populating '%s'"
WAR_EXPLOSION_DESTROY_1 = "removing '%s'"
WAR_EXPLOSION_RESPAWN_1 = "redeploying '%s'"
WAR_EXPLOSION_SPAWN_1 = "deploying '%s'"
-WEBSERVER_DESTROY_1 = "depopulating '%s'"
-WEBSERVER_RESPAWN_1 = "repopulating '%s'"
-WEBSERVER_SPAWN_1 = "populating '%s'"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 19c9119a6..a9a53dd76 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -24,6 +24,7 @@ import ConfigParser
import argparse
import logging
import os
+import sys
import time
@@ -66,7 +67,8 @@ def process_command_line_arguments(argv):
optional.add_argument('-p',
dest='pki_root_prefix', action='store',
nargs=1, metavar='<prefix>',
- help='directory prefix to specify local directory')
+ help='directory prefix to specify local directory '
+ '[TEST ONLY]')
if os.path.basename(argv[0]) == 'pkispawn':
optional.add_argument('-u',
dest='pki_update_flag', action='store_true',
@@ -76,6 +78,10 @@ def process_command_line_arguments(argv):
help='display verbose information (details below)')
custom = parser.add_argument_group('custom arguments '
'(OVERRIDES configuration file values)')
+ custom.add_argument('-d',
+ dest='pki_admin_domain_name', action='store',
+ nargs=1, metavar='<admin_domain>',
+ help='PKI admin domain name (instance name prefix)')
custom.add_argument('-i',
dest='pki_instance_name', action='store',
nargs=1, metavar='<instance>',
@@ -114,12 +120,15 @@ def process_command_line_arguments(argv):
if args.pki_update_flag:
config.pki_update_flag = args.pki_update_flag
if args.pki_verbosity == 1:
+ config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL
config.pki_console_log_level = logging.INFO
config.pki_log_level = logging.INFO
elif args.pki_verbosity == 2:
+ config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL
config.pki_console_log_level = logging.INFO
config.pki_log_level = logging.DEBUG
elif args.pki_verbosity == 3:
+ config.pki_jython_log_level = config.PKI_JYTHON_DEBUG_LOG_LEVEL
config.pki_console_log_level = logging.DEBUG
config.pki_log_level = logging.DEBUG
elif args.pki_verbosity > 3:
@@ -127,8 +136,17 @@ def process_command_line_arguments(argv):
print
parser.print_help()
parser.exit(-1);
+ else:
+ # Set default log levels
+ config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
+ config.pki_console_log_level = logging.WARNING
+ config.pki_log_level = logging.INFO
+ if not args.pki_admin_domain_name is None:
+ config.pki_admin_domain_name =\
+ str(args.pki_admin_domain_name).strip('[\']')
if not args.pki_instance_name is None:
- config.pki_instance_name = str(args.pki_instance_name).strip('[\']')
+ config.pki_instance_name =\
+ str(args.pki_instance_name).strip('[\']')
if not args.pki_http_port is None:
config.pki_http_port = str(args.pki_http_port).strip('[\']')
if not args.pki_https_port is None:
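Review bot: `str(args.pki_admin_domain_name).strip('[\']')` recovers the value from the one-element list produced by `nargs=1` via its repr, which silently drops leading or trailing `[`, `]` or `'` characters from the user's value and leaves backslashes repr-escaped; index the list instead, `config.pki_admin_domain_name = args.pki_admin_domain_name[0]` (and likewise for `pki_instance_name`). The help text describes the admin domain as an instance-name prefix, and the instance name is used to build registry and configuration paths further down, so a value such as `../etc` or one containing `/` would redirect deployment paths; reject anything outside a conservative character set before storing it, e.g. `if not re.match(r'^[A-Za-z0-9][A-Za-z0-9._-]*$', name): parser.error('invalid admin domain name')` (needs `import re`). process_command_line_arguments continues outside the hunk.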
@@ -173,13 +191,14 @@ def process_command_line_arguments(argv):
# explicitly specified if it does not use the default location
# and/or default configuration file name.
if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- pki_web_server = "Apache"
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- pki_web_server = "Tomcat"
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
config.pkideployment_cfg = config.pki_root_prefix +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- config.PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME + "/" +\
- pki_web_server.lower() +"/" +\
+ default_pki_instance_name +"/" +\
config.pki_subsystem.lower() +"/" +\
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
if not os.path.exists(config.pkideployment_cfg) or\
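Review bot: `default_pki_instance_name` is only bound in the `if`/`elif` branches, so a `config.pki_subsystem` that is in neither `PKI_APACHE_SUBSYSTEMS` nor `PKI_TOMCAT_SUBSYSTEMS` reaches the path composition with an unbound name and dies with a NameError instead of a usable message; add an `else:` that logs the unknown subsystem and calls `sys.exit(1)` (`sys` is now imported). If the subsystem value is validated before this point the branch is merely defensive, but nothing in this hunk shows such a check. The function continues outside the hunk.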
@@ -238,62 +257,83 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_timestamp'] = config.pki_timestamp
config.pki_master_dict['pki_certificate_timestamp'] =\
config.pki_certificate_timestamp
+ config.pki_master_dict['pki_architecture'] = config.pki_architecture
config.pki_master_dict['pki_hostname'] = config.pki_hostname
config.pki_master_dict['pki_pin'] = config.pki_pin
+ config.pki_master_dict['pki_client_pin'] = config.pki_client_pin
config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
+ config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
+ config.pki_master_dict['pki_jython_log_level'] =\
+ config.pki_jython_log_level
# Configuration file name/value pairs
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
config.pki_master_dict.update(__name__="PKI Master Dictionary")
# IMPORTANT: A "PKI instance" no longer corresponds to a single
- # pki subystem, but rather to zero or one unique
- # "Tomcat web instance" AND/OR zero or one unique
- # "Apache web instance". Obviously, each
- # "PKI instance" must contain at least one of these
- # two web instances. The name of the default
- # "PKI instance" is called "default" and may be
- # changed in the PKI deployment configuration file,
- # and/or overridden via the command-line interface.
+ # pki subystem, but rather to a unique
+ # "Tomcat web instance" or a unique "Apache web instance".
#
- # A "Tomcat instance" consists of a single process
+ # A "Tomcat web instance" consists of a single process
# which may itself contain zero or one unique
# "CA" and/or "KRA" and/or "OCSP" and/or "TKS"
- # pki subystems. Obviously, the "Tomcat instance" must
- # contain at least one of these four pki subystems.
+ # pki subystems. Obviously, the "Tomcat web instance"
+ # must contain at least one of these four pki subystems.
#
- # Similarly, an "Apache instance" consists of a single
+ # Similarly, an "Apache web instance" consists of a single
# process which may itself contain zero or one unique
# "RA" and/or "TPS" pki subsystems. Obviously, the
- # "Apache instance" must contain at least one of these
+ # "Apache web instance" must contain at least one of these
# two pki subystems.
#
+ # Optionally, to more clearly distinguish a "PKI instance",
+ # a common PKI "Admin Domain" may be used as a prefix to
+ # either an "Apache web instance", or a
+ # "Tomcat web instance".
+ #
+ # Thus, a specific "PKI instance" of a CA, KRA, OCSP,
+ # or TKS subystem must be referenced via the name of
+ # the particular PKI "Tomcat web instance" containing
+ # this PKI subsystem optionally preceded by a
+ # specified PKI "Admin Domain" separated via a "-".
+ #
+ # Likewise, a specific "PKI instance" of an RA, or TPS
+ # subystem must be referenced via the name of
+ # the particular PKI "Apache web instance" containing
+ # this PKI subsystem optionally preceded by a
+ # specified PKI "Admin Domain" separated via a "-".
+ #
# To emulate the original behavior of having a CA and
# KRA be unique PKI instances, each must be located
- # within a separately named "PKI instance" if residing
- # on the same host machine, or may be located within
- # an identically named "PKI instance" when residing on
- # two separate host machines.
+ # within separately named "Tomcat web instances" if
+ # residing on the same host machine, or may be located
+ # within an identically named "PKI instance" when residing
+ # on two separate host machines.
#
# PKI INSTANCE NAMING CONVENTION:
#
# OLD: "pki-${pki_subsystem}"
- # (e. g. Tomcat - "pki-ca", "pki-kra", "pki-ocsp", "pki-tks")
- # (e. g. Apache - "pki-ra", "pki-tps")
- # NEW: "pki-${pki_instance_name}-${pki_web_server}"
- # (e. g. Tomcat: "pki-default-tomcat")
- # (e. g. Apache: "pki-default-apache")
+ # (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks")
+ # (e. g. Apache: "pki-ra", "pki-tps")
+ # NEW: "[${pki_admin_domain_name}-]${pki_instance_name}"
+ # (e. g. Tomcat: "tomcat", "example.com-tomcat")
+ # (e. g. Apache: "apache", "example.com-apache")
#
- config.pki_master_dict['pki_instance_id'] =\
- "pki" + "-" + config.pki_master_dict['pki_instance_name'] + "-" +\
- config.pki_master_dict['pki_web_server'].lower()
+ if not config.pki_master_dict['pki_admin_domain_name'] is None and\
+ not config.pki_master_dict['pki_admin_domain_name'] is '':
+ config.pki_master_dict['pki_instance_id'] =\
+ config.pki_master_dict['pki_admin_domain_name'] +\
+ "-" + config.pki_master_dict['pki_instance_name']
+ else:
+ config.pki_master_dict['pki_instance_id'] =\
+ config.pki_master_dict['pki_instance_name']
# PKI Source name/value pairs
config.pki_master_dict['pki_source_conf_path'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
config.pki_master_dict['pki_subsystem'].lower(),
"conf")
config.pki_master_dict['pki_source_setup_path'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
config.pki_master_dict['pki_subsystem'].lower(),
"setup")
config.pki_master_dict['pki_source_cs_cfg'] =\
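Review bot: The guard at L1697-L1698 uses `is ''`, which compares object identity rather than value; it only works in CPython because of small-string interning and newer interpreters emit a SyntaxWarning for it. Replace the two-part test with a truthiness check, `if config.pki_master_dict['pki_admin_domain_name']:`, which covers both `None` and the empty string. Because the resulting `pki_instance_id` is reused for the instance directories, the systemd link and the pid-file name, normalising it here (strip whitespace) keeps every consumer consistent. compose_pki_master_dictionary continues outside the hunk.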
@@ -305,17 +345,19 @@ def compose_pki_master_dictionary():
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
config.pki_master_dict['pki_tomcat_bin_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_root'],
+ os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT,
"bin")
config.pki_master_dict['pki_tomcat_lib_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_root'],
+ os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT,
"lib")
+ config.pki_master_dict['pki_tomcat_systemd'] =\
+ config.PKI_DEPLOYMENT_TOMCAT_SYSTEMD
config.pki_master_dict['pki_war_path'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
config.pki_master_dict['pki_subsystem'].lower(),
"war")
config.pki_master_dict['pki_source_webapps_path'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
config.pki_master_dict['pki_subsystem'].lower(),
"webapps")
config.pki_master_dict['pki_war'] =\
@@ -344,85 +386,60 @@ def compose_pki_master_dictionary():
"web.xml")
if config.pki_master_dict['pki_subsystem'] == "CA":
config.pki_master_dict['pki_source_emails'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
"emails")
config.pki_master_dict['pki_source_profiles'] =\
- os.path.join(config.pki_master_dict['pki_source_root'],
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
"profiles")
config.pki_master_dict['pki_source_proxy_conf'] =\
os.path.join(config.pki_master_dict['pki_source_conf_path'],
"proxy.conf")
- # Instance layout base name/value pairs
+ # PKI top-level file system layout name/value pairs
# NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix'
# is being prepended!!!
config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix
config.pki_master_dict['pki_path'] =\
config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_root']
- config.pki_master_dict['pki_instance_path'] =\
- os.path.join(config.pki_master_dict['pki_path'],
- config.pki_master_dict['pki_instance_name'])
- # Instance layout log name/value pairs
+ config.PKI_DEPLOYMENT_BASE_ROOT
config.pki_master_dict['pki_log_path'] =\
config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_log_root']
- config.pki_master_dict['pki_instance_log_path'] =\
- os.path.join(config.pki_master_dict['pki_log_path'],
- config.pki_master_dict['pki_instance_name'])
- # Instance layout configuration name/value pairs
+ config.PKI_DEPLOYMENT_LOG_ROOT
config.pki_master_dict['pki_configuration_path'] =\
config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_configuration_root']
- config.pki_master_dict['pki_instance_configuration_path'] =\
- os.path.join(config.pki_master_dict['pki_configuration_path'],
- config.pki_master_dict['pki_instance_name'])
- # Instance layout registry name/value pairs
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT
config.pki_master_dict['pki_registry_path'] =\
config.pki_master_dict['pki_root_prefix'] +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT
+ # Apache/Tomcat instance base name/value pairs
+ config.pki_master_dict['pki_instance_path'] =\
+ os.path.join(config.pki_master_dict['pki_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache/Tomcat instance log name/value pairs
+ config.pki_master_dict['pki_instance_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_log_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache/Tomcat instance configuration name/value pairs
+ config.pki_master_dict['pki_instance_configuration_path'] =\
+ os.path.join(config.pki_master_dict['pki_configuration_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache/Tomcat instance registry name/value pairs
config.pki_master_dict['pki_instance_registry_path'] =\
os.path.join(config.pki_master_dict['pki_registry_path'],
- config.pki_master_dict['pki_instance_name'])
- # Instance layout NSS security database name/value pairs
- config.pki_master_dict['pki_database_path'] =\
- os.path.join(
- config.pki_master_dict['pki_instance_configuration_path'],
- "alias")
- # Instance layout convenience symbolic links
- config.pki_master_dict['pki_instance_database_link'] =\
- os.path.join(config.pki_master_dict['pki_instance_path'],
- "alias")
- # Instance-based Apache/Tomcat webserver base name/value pairs
- config.pki_master_dict['pki_webserver_path'] =\
- os.path.join(config.pki_master_dict['pki_instance_path'],
- config.pki_master_dict['pki_web_server'].lower())
- # Instance-based Apache/Tomcat webserver log name/value pairs
- config.pki_master_dict['pki_webserver_log_path'] =\
- os.path.join(config.pki_master_dict['pki_instance_log_path'],
- config.pki_master_dict['pki_web_server'].lower())
- # Instance-based Apache/Tomcat webserver configuration name/value pairs
- config.pki_master_dict['pki_webserver_configuration_path'] =\
- os.path.join(
- config.pki_master_dict['pki_instance_configuration_path'],
- config.pki_master_dict['pki_web_server'].lower())
- # Instance-based Apache/Tomcat webserver registry name/value pairs
- config.pki_master_dict['pki_webserver_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_instance_registry_path'],
- config.pki_master_dict['pki_web_server'].lower())
- # Instance-based Tomcat-specific webserver name/value pairs
+ config.pki_master_dict['pki_instance_id'])
+ # Tomcat-specific instance name/value pairs
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
- # Instance-based Tomcat webserver base name/value pairs
+ # Tomcat instance base name/value pairs
config.pki_master_dict['pki_tomcat_common_path'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"common")
config.pki_master_dict['pki_tomcat_common_lib_path'] =\
os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
"lib")
config.pki_master_dict['pki_tomcat_webapps_path'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"webapps")
config.pki_master_dict['pki_tomcat_webapps_root_path'] =\
os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
@@ -447,45 +464,50 @@ def compose_pki_master_dictionary():
config.pki_master_dict\
['pki_tomcat_webapps_root_webinf_path'],
"web.xml")
- # Instance-based Tomcat webserver log name/value pairs
- # Instance-based Tomcat webserver configuration name/value pairs
- # Instance-based Tomcat webserver registry name/value pairs
- # Instance-based Tomcat webserver convenience symbolic links
+ # Tomcat instance log name/value pairs
+ # Tomcat instance configuration name/value pairs
+ # Tomcat instance registry name/value pairs
+ # Tomcat instance convenience symbolic links
config.pki_master_dict['pki_tomcat_bin_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"bin")
config.pki_master_dict['pki_tomcat_lib_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"lib")
- config.pki_master_dict['pki_webserver_systemd_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ config.pki_master_dict['pki_instance_systemd_link'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_instance_id'])
- # Instance-based Apache/Tomcat webserver convenience symbolic links
- config.pki_master_dict['pki_webserver_database_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ # Instance layout NSS security database name/value pairs
+ config.pki_master_dict['pki_database_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "alias")
+ # Apache/Tomcat instance convenience symbolic links
+ config.pki_master_dict['pki_instance_database_link'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"alias")
- config.pki_master_dict['pki_webserver_conf_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ config.pki_master_dict['pki_instance_conf_link'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"conf")
- config.pki_master_dict['pki_webserver_logs_link'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ config.pki_master_dict['pki_instance_logs_link'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
"logs")
# Instance-based PKI subsystem base name/value pairs
config.pki_master_dict['pki_subsystem_path'] =\
- os.path.join(config.pki_master_dict['pki_webserver_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_subsystem'].lower())
# Instance-based PKI subsystem log name/value pairs
config.pki_master_dict['pki_subsystem_log_path'] =\
- os.path.join(config.pki_master_dict['pki_webserver_log_path'],
+ os.path.join(config.pki_master_dict['pki_instance_log_path'],
config.pki_master_dict['pki_subsystem'].lower())
# Instance-based PKI subsystem configuration name/value pairs
config.pki_master_dict['pki_subsystem_configuration_path'] =\
os.path.join(
- config.pki_master_dict['pki_webserver_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
config.pki_master_dict['pki_subsystem'].lower())
# Instance-based PKI subsystem registry name/value pairs
config.pki_master_dict['pki_subsystem_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_webserver_registry_path'],
+ os.path.join(config.pki_master_dict['pki_instance_registry_path'],
config.pki_master_dict['pki_subsystem'].lower())
# Instance-based Apache/Tomcat PKI subsystem name/value pairs
if config.pki_master_dict['pki_subsystem'] in\
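Review bot: `pki_database_path` and the `pki_instance_*_link` entries at L1879-L1897 now follow directly after the Tomcat-only symlinks, and the rendered diff has lost its indentation, so it cannot be confirmed here whether they sit inside the `if ... in config.PKI_TOMCAT_SUBSYSTEMS:` block opened at L1834 or at function level. Their comments call them "Apache/Tomcat" entries and security_databases.py reads `master['pki_database_path']` for Apache subsystems as well, so if they are inside that block an RA/TPS deployment would fail with a KeyError; please verify they are dedented to the same level as `pki_subsystem_path` at L1899. compose_pki_master_dictionary continues outside the hunk.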
@@ -696,7 +718,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
config.pki_master_dict['pki_subsystem_path']
config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
- config.pki_master_dict['pki_webserver_path']
+ config.pki_master_dict['pki_instance_path']
config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
config.pki_master_dict['pki_hostname']
config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
@@ -754,7 +776,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
"/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
- config.pki_master_dict['tomcat_server_port']
+ config.pki_master_dict['pki_tomcat_server_port']
config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\
"-SSL2_RC4_128_WITH_MD5," +\
"-SSL2_RC4_128_EXPORT40_WITH_MD5," +\
@@ -840,6 +862,38 @@ def compose_pki_master_dictionary():
os.path.join(
config.pki_master_dict['pki_subsystem_configuration_path'],
"password.conf")
+ # Client NSS security database name/value pairs
+ config.pki_master_dict['pki_client_path'] =\
+ os.path.join(
+ "/tmp",
+ config.pki_master_dict['pki_instance_id'] + "_" + "client")
+ config.pki_master_dict['pki_client_password_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_client_path'],
+ "password.conf")
+ config.pki_master_dict['pki_client_database_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_client_path'],
+ "alias")
+ config.pki_master_dict['pki_client_cert_database'] =\
+ os.path.join(config.pki_master_dict['pki_client_database_path'],
+ "cert8.db")
+ config.pki_master_dict['pki_client_key_database'] =\
+ os.path.join(config.pki_master_dict['pki_client_database_path'],
+ "key3.db")
+ config.pki_master_dict['pki_client_secmod_database'] =\
+ os.path.join(config.pki_master_dict['pki_client_database_path'],
+ "secmod.db")
+ # Jython scriptlet name/value pairs
+ config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
+ os.path.join(sys.prefix,
+ "lib",
+ "python" + str(sys.version_info[0]) + "." +
+ str(sys.version_info[1]),
+ "site-packages",
+ "pki",
+ "deployment",
+ "configuration.jy")
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
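Review bot: `pki_client_path` at L1944-L1947 places the client NSS database and its `password.conf` (which will carry `pki_client_pin`) under the shared, world-writable `/tmp` at a name derived solely from `pki_instance_id`, so the directory can already exist, be owned by another local account or be a symlink before the deployment writes credentials into it. Create it with `tempfile.mkdtemp(prefix=config.pki_master_dict['pki_instance_id'] + "_client")` (which yields a fresh mode-0700 directory) or keep it under `pki_instance_configuration_path` with restrictive permissions, and add a comment stating that it holds credentials and must not be world-readable. The Jython scriptlet path at L1966-L1974 hard-codes the `lib/pythonX.Y/site-packages` layout under `sys.prefix`; that is presumably right for the packaged target, but deriving it from the package's own `__file__` or noting the assumption in a comment would make the dependency explicit. compose_pki_master_dictionary continues outside the hunk.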
diff --git a/base/deploy/src/scriptlets/pkiscriptlet.py b/base/deploy/src/scriptlets/pkiscriptlet.py
index 6f29e2c8b..767b3c609 100644
--- a/base/deploy/src/scriptlets/pkiscriptlet.py
+++ b/base/deploy/src/scriptlets/pkiscriptlet.py
@@ -23,7 +23,7 @@
import abc
-# PKI Deployment Classes
+# PKI Deployment Abstract Base PKI Scriptlet
class AbstractBasePkiScriptlet(object):
__metaclass__ = abc.ABCMeta
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index f32b7e497..1a08fdccb 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -27,7 +27,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Security Database Classes
+# PKI Deployment Security Databases Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
@@ -36,11 +36,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
util.file.modify(master['pki_shared_password_conf'])
util.certutil.create_security_databases(
master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
util.file.modify(master['pki_cert_database'], perms=\
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
util.file.modify(master['pki_key_database'], perms=\
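Review bot: At L2001-L2005 the PIN is written to `pki_shared_password_conf` by `create_password_conf` before `util.file.modify` adjusts that file, so unless `create_password_conf` already opens the file with a restrictive mode there is a window in which the PIN is readable under the default umask. Creating the file with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` inside the helper, or passing the intended `perms=` through the create call as is done for the database files at L2013-L2015, closes that window; this is hedged because create_password_conf lives in pkihelper.py, outside this hunk. spawn() continues outside the hunk.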
@@ -49,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
password_file=master['pki_shared_password_conf'])
@@ -58,6 +65,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_noise_bytes'])
util.certutil.generate_self_signed_certificate(
master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
master['pki_self_signed_subject'],
@@ -70,12 +80,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.delete(master['pki_self_signed_noise_file'])
else:
util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
util.certutil.create_security_databases(
master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
password_file=master['pki_shared_password_conf'])
@@ -85,6 +102,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_noise_bytes'])
util.certutil.generate_self_signed_certificate(
master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
master['pki_self_signed_subject'],
@@ -112,16 +132,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 0:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
util.file.delete(master['pki_cert_database'])
util.file.delete(master['pki_key_database'])
util.file.delete(master['pki_secmod_database'])
util.file.delete(master['pki_shared_password_conf'])
else:
# ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 1:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
util.file.delete(master['pki_cert_database'])
util.file.delete(master['pki_key_database'])
util.file.delete(master['pki_secmod_database'])
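Review bot: The Apache and Tomcat branches at L2074-L2085, and again at L2090-L2100, have identical bodies, so the same four `util.file.delete` calls are now repeated four times in destroy() and the copies can drift apart on the next edit. Computing the remaining-instance count once per web-server type and running the deletes through a single predicate keeps one copy of the cleanup; a sketch follows, with the `== 1` variant reused for the dry-run branch. destroy() continues past the hunk.
```python
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
    remaining_instances = util.instance.apache_instances()
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
    remaining_instances = util.instance.tomcat_instances()
else:
    remaining_instances = None
# last instance of this web-server type: 0 remain for a real run,
# 1 remains when only reporting during a dry run
last_instance = 1 if config.pki_dry_run_flag else 0
if remaining_instances == last_instance:
    util.file.delete(master['pki_cert_database'])
    util.file.delete(master['pki_key_database'])
    util.file.delete(master['pki_secmod_database'])
    util.file.delete(master['pki_shared_password_conf'])
# … unchanged: return self.rv …
```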
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 0a52af9f0..2e2d94545 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -28,7 +28,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Slot Substitution Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 7dc347167..4ea5e6f84 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -27,7 +27,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Subsystem Layout Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
@@ -62,7 +62,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.symlink.create(master['pki_tomcat_webapps_path'],
master['pki_subsystem_tomcat_webapps_link'])
# establish instance-based subsystem convenience symbolic links
- util.symlink.create(master['pki_webserver_database_link'],
+ util.symlink.create(master['pki_instance_database_link'],
master['pki_subsystem_database_link'])
util.symlink.create(master['pki_subsystem_configuration_path'],
master['pki_subsystem_conf_link'])
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index 1a89c9f7c..ca2ea601b 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -27,7 +27,7 @@ import pkimessages as log
import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment War Explosion Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
rv = 0
diff --git a/base/deploy/src/scriptlets/webserver_layout.py b/base/deploy/src/scriptlets/webserver_layout.py
deleted file mode 100644
index ca24b7000..000000000
--- a/base/deploy/src/scriptlets/webserver_layout.py
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/usr/bin/python -t
-# Authors:
-# Matthew Harmsen <mharmsen@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-import pkihelper as util
-import pkimessages as log
-import pkiscriptlet
-
-
-# PKI Deployment Instance Population Classes
-class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- rv = 0
-
- def spawn(self):
- config.pki_log.info(log.WEBSERVER_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- # establish instance-based webserver base
- util.directory.create(master['pki_webserver_path'])
- # establish instance-based webserver logs
- util.directory.create(master['pki_webserver_log_path'])
- # establish instance-based webserver configuration
- util.directory.create(master['pki_webserver_configuration_path'])
- # establish instance-based webserver registry
- util.directory.create(master['pki_webserver_registry_path'])
- # establish instance-based Apache/Tomcat specific webserver
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # establish instance-based Tomcat webserver base
- util.directory.create(master['pki_tomcat_common_path'])
- util.directory.create(master['pki_tomcat_common_lib_path'])
- util.directory.create(master['pki_tomcat_webapps_path'])
- util.directory.create(master['pki_tomcat_webapps_root_path'])
- util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
- util.file.copy(master['pki_source_webapps_root_web_xml'],
- master['pki_tomcat_webapps_root_webinf_web_xml'],
- overwrite_flag=True)
- util.directory.create(master['pki_tomcat_webapps_webinf_path'])
- util.directory.create(\
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
- # establish instance-based Tomcat webserver logs
- # establish instance-based Tomcat webserver configuration
- # establish instance-based Tomcat webserver registry
- # establish instance-based Tomcat webserver convenience
- # symbolic links
- util.symlink.create(master['pki_tomcat_bin_path'],
- master['pki_tomcat_bin_link'])
- util.symlink.create(master['pki_tomcat_lib_path'],
- master['pki_tomcat_lib_link'])
- util.symlink.create(master['pki_tomcat_systemd'],
- master['pki_webserver_systemd_link'])
- # establish instance-based webserver convenience symbolic links
- util.symlink.create(master['pki_instance_database_link'],
- master['pki_webserver_database_link'])
- util.symlink.create(master['pki_webserver_configuration_path'],
- master['pki_webserver_conf_link'])
- util.symlink.create(master['pki_webserver_log_path'],
- master['pki_webserver_logs_link'])
- return self.rv
-
- def respawn(self):
- config.pki_log.info(log.WEBSERVER_RESPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- # update instance-based webserver base
- util.directory.modify(master['pki_webserver_path'])
- # update instance-based webserver logs
- util.directory.modify(master['pki_webserver_log_path'])
- # update instance-based webserver configuration
- util.directory.modify(master['pki_webserver_configuration_path'])
- # update instance-based webserver registry
- util.directory.modify(master['pki_webserver_registry_path'])
- # update instance-based Apache/Tomcat specific webserver
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # update instance-based Tomcat webserver base
- util.directory.modify(master['pki_tomcat_common_path'])
- util.directory.modify(master['pki_tomcat_common_lib_path'])
- util.directory.modify(master['pki_tomcat_webapps_path'])
- util.directory.modify(master['pki_tomcat_webapps_root_path'])
- util.directory.modify(master['pki_tomcat_webapps_root_webinf_path'])
- util.file.copy(master['pki_source_webapps_root_web_xml'],
- master['pki_tomcat_webapps_root_webinf_web_xml'],
- overwrite_flag=True)
- util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
- util.directory.modify(\
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
- # update instance-based Tomcat webserver logs
- # update instance-based Tomcat webserver configuration
- # update instance-based Tomcat webserver registry
- # update instance-based Tomcat webserver convenience symbolic links
- util.symlink.modify(master['pki_tomcat_bin_link'])
- util.symlink.modify(master['pki_tomcat_lib_link'])
- # update instance-based webserver convenience symbolic links
- util.symlink.modify(master['pki_webserver_database_link'])
- util.symlink.modify(master['pki_webserver_conf_link'])
- util.symlink.modify(master['pki_webserver_logs_link'])
- return self.rv
-
- def destroy(self):
- config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 0:
- # remove instance-based webserver base
- util.directory.delete(master['pki_webserver_path'])
- # remove instance-based webserver logs
- # remove instance-based webserver configuration
- # remove instance-based webserver registry
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 0:
- # remove instance-based webserver base
- util.directory.delete(master['pki_webserver_path'])
- # remove instance-based webserver logs
- # remove instance-based webserver configuration
- # remove instance-based webserver registry
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 1:
- # remove instance-based webserver base
- util.directory.delete(master['pki_webserver_path'])
- # remove instance-based webserver logs
- # remove instance-based webserver configuration
- # remove instance-based webserver registry
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 1:
- # remove instance-based webserver base
- util.directory.delete(master['pki_webserver_path'])
- # remove instance-based webserver logs
- # remove instance-based webserver configuration
- # remove instance-based webserver registry
- return self.rv