authorAde Lee <alee@redhat.com>2012-12-02 22:42:36 -0500
committerAde Lee <alee@redhat.com>2012-12-03 09:08:46 -0500
commit03a6350687e033461306d6b9000ef8ea34af96f9 (patch)
treec6decbb0d5a166926e30c7d068065169b2dd54b0
parent6be1194058b64e24848b0f12eaa3d6cee0cadf2e (diff)
Common User: pkispawn changes
-rw-r--r--base/deploy/config/deployment.cfg4
-rw-r--r--base/deploy/src/scriptlets/pkijython.py48
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py152
3 files changed, 55 insertions, 149 deletions
diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
index 278df62d3..6ff7a35bb 100644
--- a/base/deploy/config/deployment.cfg
+++ b/base/deploy/config/deployment.cfg
@@ -194,6 +194,7 @@ pki_external_ca_cert_chain_path=
pki_external_ca_cert_path=
pki_external_csr_path=
pki_external_step_two=False
+pki_import_admin_cert=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
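Review bot: The new `pki_import_admin_cert=False` key is introduced without the companion `pki_admin_cert_file` key that pkijython.py reads when the flag is true, so someone editing this file cannot see where the imported certificate is expected to come from or override it. Adding `pki_admin_cert_file=` next to the flag, with a comment such as `# empty: defaults to <pki_database_path>/ca_admin.cert (see pkiparser.py)`, would make the contract visible in the one place users look. The `pki_import_admin_cert=True` defaults added to the [KRA], [OCSP] and [TKS] sections in the later hunks also deserve a one-line comment saying they presume a CA has already been spawned on the same host and written that file, since that is presumably what the shared database path implies.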
@@ -213,6 +214,7 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[KRA]
+pki_import_admin_cert=True
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
@@ -238,6 +240,7 @@ pki_transport_token=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[OCSP]
+pki_import_admin_cert=True
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
@@ -266,6 +269,7 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[TKS]
+pki_import_admin_cert=True
pki_subsystem=TKS
pki_subsystem_name=
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e106f0141..c1bec9327 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -349,24 +349,34 @@ class rest_client:
data.setAdminProfileID(self.master['pki_admin_profile_id'])
data.setAdminUID(self.master['pki_admin_uid'])
data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
- if self.master['pki_admin_cert_request_type'] == "crmf":
- data.setAdminCertRequestType("crmf")
- if config.str2bool(self.master['pki_admin_dualkey']):
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "true")
- else:
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "false")
- data.setAdminCertRequest(crmf_request)
+ if config.str2bool(self.master['pki_import_admin_cert']):
+ data.setImportAdminCert("true")
+ # read config from file
+ f = open(self.master['pki_admin_cert_file'])
+ b64 = f.read().replace('\n','')
+ f.close()
+ data.setAdminCert(b64)
else:
- javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
- javasystem.exit(1)
+ data.setImportAdminCert("false")
+ data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
+ if self.master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(self.master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
def create_system_cert(self, tag):
cert = SystemCertData()
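Review bot: The admin cert file at `f = open(self.master['pki_admin_cert_file'])` is read without a try/finally, so an exception in `read()` leaves the handle open, and an empty or whitespace-only file is forwarded to `setAdminCert` as an empty string instead of being rejected on the client side where the log is. Wrapping the read in try/finally and exiting early on an empty result keeps the failure local and explicit; joining on `split()` instead of `replace('\n', '')` also drops `\r` and trailing spaces from a file written on another platform. The `data.setAdminSubjectDN(...)` call at the top of the else branch repeats the unconditional call made just before `if config.str2bool(self.master['pki_import_admin_cert']):` and can be dropped. The enclosing method begins before this hunk; the non-CRMF exit path is unchanged.

```python
if config.str2bool(self.master['pki_import_admin_cert']):
    data.setImportAdminCert("true")
    # read the base64 admin cert written out by an earlier CA install
    f = open(self.master['pki_admin_cert_file'])
    try:
        b64 = "".join(f.read().split())
    finally:
        f.close()
    if not b64:
        javasystem.out.println(
            "empty admin cert file: " + self.master['pki_admin_cert_file'])
        javasystem.exit(1)
    data.setAdminCert(b64)
else:
    data.setImportAdminCert("false")
    # … unchanged: CRMF request generation and the non-CRMF exit path …
```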
@@ -566,8 +576,10 @@ class rest_client:
cdata.getCert())
javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
cdata.getRequest())
+
# Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(master['pki_clone']):
+ if not config.str2bool(master['pki_clone']) and \
+ not config.str2bool(master['pki_import_admin_cert']):
admin_cert = response.getAdminCert().getCert()
javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
" " + admin_cert)
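Review bot: The comment `# Cloned PKI subsystems do not return an Admin Certificate` now sits above a condition with two terms but still describes only the first, so a reader has to infer why `pki_import_admin_cert` also skips the block. Suggest `# Cloned subsystems, and subsystems that imported an existing admin cert, do not return an Admin Certificate in the response`. The enclosing function starts before this hunk.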
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index d05870e04..edb2fd556 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -1408,6 +1408,15 @@ class PKIConfigParser:
config.pki_master_dict['pki_database_path'] + "/" +\
config.pki_master_dict['pki_subsystem'].lower() + "_" +\
"admin" + "_" + "cert" + "." + "p12"
+
+ # the admin cert is stored with the NSS server databases
+ # in case we want to use a common admin user cert
+ if not 'pki_admin_cert_file' in config.pki_master_dict or\
+ not len(config.pki_master_dict['pki_admin_cert_file']):
+ config.pki_master_dict['pki_admin_cert_file'] =\
+ config.pki_master_dict['pki_database_path'] +\
+ "/ca_admin.cert"
+
# Jython scriptlet name/value pairs
config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
os.path.join(sys.prefix,
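Review bot: The default path is built as `config.pki_master_dict['pki_database_path'] + "/ca_admin.cert"` while the very next statement in the same method uses `os.path.join(sys.prefix, ...)`; `os.path.join(config.pki_master_dict['pki_database_path'], "ca_admin.cert")` keeps the two consistent and tolerates a trailing slash in `pki_database_path`. The membership test `if not 'pki_admin_cert_file' in config.pki_master_dict or\` is the non-idiomatic form; `if 'pki_admin_cert_file' not in config.pki_master_dict or\` says the same thing, and the same applies to the `pki_import_admin_cert` check in the following hunk. The enclosing method starts before this hunk.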
@@ -1666,138 +1675,19 @@ class PKIConfigParser:
config.pki_master_dict['pki_admin_name'] + "@" +\
config.pki_master_dict['pki_dns_domainname']
if not len(config.pki_master_dict['pki_admin_nickname']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_nickname'] =\
- "RA Administrator&#39;s" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TPS Administrator&#39;s" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "&#39;s" + " " +\
- "External CA ID"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "&#39;s" + " " +\
- config.pki_master_dict\
- ['pki_security_domain_name'] + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_nickname'] =\
- "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "&#39;s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_nickname'] =\
- "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "&#39;s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "&#39;s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
+ config.pki_master_dict['pki_admin_nickname'] =\
+ "PKI Administrator for " +\
+ config.pki_master_dict['pki_dns_domainname']
+
+ if not 'pki_import_admin_cert' in config.pki_master_dict:
+ config.pki_master_dict['pki_import_admin_cert'] = 'false'
+
if not len(config.pki_master_dict['pki_admin_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "RA Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TPS Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" + "External CA"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=PKI Administrator" +\
+ ",e=" + config.pki_master_dict['pki_admin_email'] +\
+ ",o=" + config.pki_master_dict['pki_security_domain_name']
+
# Jython scriptlet
# 'CA Signing Certificate' Configuration name/value pairs
#
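Review bot: The new default DN at `config.pki_master_dict['pki_admin_subject_dn'] = "cn=PKI Administrator" + ",e=" + ... + ",o=" + ...` concatenates `pki_admin_email` and `pki_security_domain_name` with no RFC 4514 escaping, so a comma, plus sign or leading/trailing space in the security domain name (a free-form value from deployment.cfg) produces a DN with extra or shifted RDNs rather than the intended one. The removed per-subsystem defaults shared that weakness, but they also carried a `uid=<pki_admin_uid>` RDN that the new DN drops; if any server-side mapping of the admin cert to its user relies on that attribute, that needs confirming before this lands. A small escaping helper applied to each value closes the first gap; it would sit at module level since the hunk is inside a method of PKIConfigParser whose start is outside the hunk. The `if not 'pki_import_admin_cert' in config.pki_master_dict:` check reads better as `'pki_import_admin_cert' not in config.pki_master_dict`.

```python
def _escape_rdn_value(value):
    # RFC 4514 section 2.4: backslash-escape the DN specials and a
    # leading '#'/space or trailing space so the value stays one RDN.
    for ch in ('\\', ',', '+', '"', '<', '>', ';'):
        value = value.replace(ch, '\\' + ch)
    if value.startswith('#') or value.startswith(' '):
        value = '\\' + value
    if value.endswith(' '):
        value = value[:-1] + '\\ '
    return value

# … unchanged: nickname default and pki_import_admin_cert default …
if not len(config.pki_master_dict['pki_admin_subject_dn']):
    config.pki_master_dict['pki_admin_subject_dn'] =\
        "cn=PKI Administrator" +\
        ",e=" + _escape_rdn_value(
            config.pki_master_dict['pki_admin_email']) +\
        ",o=" + _escape_rdn_value(
            config.pki_master_dict['pki_security_domain_name'])
```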