| author | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:55:05 -0700 |
|---|---|---|
| committer | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:59:23 -0700 |
| commit | 47c77a67d67cb443070137fd9b8d64955d499089 (patch) | |
| tree | 12b7588f34a80a74c000e77b19017ec941ad5231 /base/common/src | |
| parent | 618be8bd7e9488a325789232c94aad109f9b6803 (diff) | |
Stand-alone DRM
* TRAC Ticket #667 - provide option for ca-less drm install
Diffstat (limited to 'base/common/src')
3 files changed, 207 insertions, 51 deletions
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 4fdf594d1..23f9676fe 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -71,6 +71,7 @@ public class ConfigurationRequest { private static final String ADMIN_PROFILE_ID = "adminProfileID"; private static final String IMPORT_ADMIN_CERT = "importAdminCert"; private static final String ADMIN_CERT = "adminCert"; + private static final String STANDALONE = "standAlone"; private static final String STEP_TWO = "stepTwo"; private static final String GENERATE_SERVER_CERT = "generateServerCert"; @@ -216,6 +217,9 @@ public class ConfigurationRequest { protected String adminCert; @XmlElement + protected String standAlone; + + @XmlElement protected String stepTwo; @XmlElement(defaultValue = "true") @@ -293,6 +297,7 @@ public class ConfigurationRequest { adminProfileID = form.getFirst(ADMIN_PROFILE_ID); adminCert = form.getFirst(ADMIN_CERT); importAdminCert = form.getFirst(IMPORT_ADMIN_CERT); + standAlone = form.getFirst(STANDALONE); stepTwo = form.getFirst(STEP_TWO); generateServerCert = form.getFirst(GENERATE_SERVER_CERT); authdbBaseDN = form.getFirst(AUTHDB_BASEDN); @@ -796,8 +801,16 @@ public class ConfigurationRequest { this.adminCert = adminCert; } - public String getStepTwo() { - return stepTwo; + public boolean getStandAlone() { + return (standAlone != null && standAlone.equalsIgnoreCase("true")); + } + + public void setStandAlone(String standAlone) { + this.standAlone = standAlone; + } + + public boolean getStepTwo() { + return (stepTwo != null && stepTwo.equalsIgnoreCase("true")); } public void setStepTwo(String stepTwo) { 
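Review bot: Changing `getStepTwo()` from returning String to boolean is a source- and binary-incompatible change to a request class that lives in base/common, so any caller outside this diff that still does `getStepTwo() == null` (the pattern the SystemConfigService hunks replace) stops compiling; the commit description says nothing about this, and it deserves a line there or a deprecated String-returning companion. The new property is also asymmetric: the field and `setStandAlone` are String while `getStandAlone` is boolean, which is fine under field access but, if ConfigurationRequest is mapped by property access, gives JAXB two different types for one property — worth confirming against the class's `@XmlAccessorType`. Both boolean getters can be written null-safely as `return Boolean.parseBoolean(standAlone);` and `return Boolean.parseBoolean(stepTwo);`, which is exactly the `equalsIgnoreCase("true")` semantics.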
@@ -935,6 +948,7 @@ public class ConfigurationRequest { ", adminCert=" + adminCert + ", importAdminCert=" + importAdminCert + ", generateServerCert=" + generateServerCert + + ", standAlone=" + standAlone + ", stepTwo=" + stepTwo + ", authdbBaseDN=" + authdbBaseDN + ", authdbHost=" + authdbHost + diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 3c409690a..bbfb17374 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2061,6 +2061,21 @@ public class ConfigurationUtils { CMS.reinit(IUGSubsystem.ID); } + public static void setExternalCACert(String certStr, String subsystem, IConfigStore config, Cert certObj) throws Exception { + certStr = CryptoUtil.stripCertBrackets(certStr.trim()); + certStr = CryptoUtil.normalizeCertStr(certStr); + config.putString(subsystem + ".external_ca.cert", certStr); + certObj.setSubsystem(subsystem); + certObj.setType(config.getString("preop.ca.type", "otherca")); + certObj.setCert(certStr); + } + + public static void setExternalCACertChain(String certChainStr, String subsystem, IConfigStore config, Cert certObj) { + certChainStr = CryptoUtil.normalizeCertAndReq(certChainStr); + config.putString(subsystem + ".external_ca_chain.cert", certChainStr); + certObj.setCertChain(certChainStr); + } + public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { 
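Review bot: setExternalCACert stores the client-supplied certificate in the config store after only trimming and normalizing it, without checking that it parses, so a malformed paste is only discovered later in handleCerts with a far less helpful error. Decode and parse it first, as adminPanel does for the admin certificate in this same commit (`CryptoUtil.base64Decode(certStr)` followed by `new X509CertImpl(...)`), and let that failure reach the caller before anything is written; the same applies to setExternalCACertChain. Both helpers also dereference their first argument unguarded (`certStr.trim()`, `normalizeCertAndReq(certChainStr)`), so a caller that does not pre-check null gets an NPE instead of a meaningful message — `Objects.requireNonNull(certStr, "certStr")` at the top would make the contract visible. A one-line Javadoc on each stating that the value is written under `<subsystem>.external_ca.cert` / `.external_ca_chain.cert` would also help, since the key names are otherwise only discoverable by reading the body.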
@@ -2248,15 +2263,22 @@ public class ConfigurationUtils { String machineName = config.getString("machineName", ""); String securePort = config.getString("service.securePort", ""); if (certTag.equals("subsystem")) { - String content = - "requestor_name=" - + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId - + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") - + "&xmlOutput=true&sessionID=" + session_id; - cert = CertUtil.createRemoteCert(sd_hostname, sd_ee_port, - content, response, panel); - if (cert == null) { - throw new IOException("Error: remote certificate is null"); + boolean standalone = config.getBoolean(sysType.toLowerCase() + ".standalone", false); + if (standalone) { + // Treat standalone subsystem the same as "otherca" + config.putString(subsystem + "." + certTag + ".cert", + "...paste certificate here..."); + } else { + String content = + "requestor_name=" + + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId + + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") + + "&xmlOutput=true&sessionID=" + session_id; + cert = CertUtil.createRemoteCert(sd_hostname, sd_ee_port, + content, response, panel); + if (cert == null) { + throw new IOException("Error: remote certificate is null"); + } } } else if (v.equals("sdca")) { String ca_hostname = ""; @@ -2612,7 +2634,7 @@ public class ConfigurationUtils { boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true); if (!enable) return 0; - CMS.debug("handleCerts(): for cert tag " + cert.getCertTag()); + CMS.debug("handleCerts(): for cert tag '" + cert.getCertTag() + "' using cert type '" + cert.getType() + "'"); String b64 = cert.getCert(); String tokenname = config.getString("preop.module.token", ""); 
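Review bot: In the new standalone branch `cert` is never assigned, whereas the old subsystem case guaranteed a non-null `cert` by throwing when the remote result was null; the enclosing method continues past the hunk, so whatever later consumes `cert` now has to cope with it being unset in that branch. A comment at the branch would make that explicit, e.g. `// stand-alone: no CA to request from; cert stays unset and a placeholder is stored for the operator to replace in Step 2`, or an explicit early return if the remainder of the method only acts on `cert`. The placeholder literal `"...paste certificate here..."` is written here and twice more in SystemConfigService in this commit, and recognised by `startsWith("...")` in handleCerts; a single shared constant would keep the marker and its check from drifting apart.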
@@ -2648,7 +2670,7 @@ public class ConfigurationUtils { CryptoUtil.importUserCertificate(impl, nickname); else CryptoUtil.importUserCertificate(impl, nickname, false); - CMS.debug("handleCerts(): cert imported for certTag " + certTag); + CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'"); } catch (Exception ee) { ee.printStackTrace(); CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " + ee.toString()); @@ -2656,7 +2678,7 @@ public class ConfigurationUtils { } } else if (cert.getType().equals("remote")) { if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - CMS.debug("handleCert(): process remote...import cert"); + CMS.debug("handleCerts(): process remote...import cert"); String b64chain = cert.getCertChain(); try { @@ -2715,7 +2737,7 @@ public class ConfigurationUtils { } } else { - CMS.debug("handleCert(): b64 not set"); + CMS.debug("handleCerts(): b64 not set"); return 1; } } else { @@ -2730,7 +2752,7 @@ public class ConfigurationUtils { deleteCert(tokenname, nickname); } } catch (Exception ee) { - CMS.debug("handleCert(): deleteCert Exception=" + ee.toString()); + CMS.debug("handleCerts(): deleteCert Exception=" + ee.toString()); } try { @@ -2763,7 +2785,7 @@ public class ConfigurationUtils { public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException, ObjectNotFoundException, TokenException { - if (tag.equals("signing")) return; + if (tag.equals("signing") || tag.equals("external_signing")) return; IConfigStore cs = CMS.getConfigStore(); String nickname = cs.getString("preop.cert." + tag + ".nickname", ""); 
@@ -3138,43 +3160,50 @@ public class ConfigurationUtils { String select = config.getString("securitydomain.select", ""); if (select.equals("new")) { group = system.getGroupFromName("Security Domain Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Security Domain Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = system.getGroupFromName("Enterprise CA Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise CA Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = system.getGroupFromName("Enterprise KRA Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise KRA Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = system.getGroupFromName("Enterprise RA Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise RA Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = system.getGroupFromName("Enterprise TKS Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise TKS Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = system.getGroupFromName("Enterprise OCSP Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise OCSP Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } group = 
system.getGroupFromName("Enterprise TPS Administrators"); - if (!group.isMember(uid)) { + if (group != null && !group.isMember(uid)) { + CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group 'Enterprise TPS Administrators'"); group.addMemberName(uid); system.modifyGroup(group); } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java index fbadc80d3..c6100148f 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java @@ -84,6 +84,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou IConfigStore cs; String csType; + String csSubsystem; String csState; boolean isMasterCA = false; String instanceRoot; @@ -95,6 +96,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou public SystemConfigService() throws EPropertyNotFound, EBaseException { cs = CMS.getConfigStore(); csType = cs.getString("cs.type"); + csSubsystem = csType.toLowerCase(); csState = cs.getString("cs.state"); String domainType = cs.getString("securitydomain.select", "existingdomain"); if (csType.equals("CA") && domainType.equals("new")) { @@ -135,7 +137,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou validateData(data); ConfigurationResponse response = new ConfigurationResponse(); + if (data.getStandAlone() && data.getStepTwo()) { + // Stand-alone PKI (Step 2) + // Special case to import the external CA and its Chain + certList = "external_signing" + "," + certList; + } + // specify module and log into token + CMS.debug("=== Token Panel ==="); String token = data.getToken(); if (token == null) { token = ConfigurationRequest.TOKEN_DEFAULT; 
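Review bot: The seven group blocks in createAdmin are now identical except for the group name, and this change had to touch each of them twice (the null guard and the debug line); a loop over an array of group names makes the next such change a one-line edit and keeps the log message in step with the group actually looked up. A null return from getGroupFromName is now skipped silently; if the group is expected to exist, a debug line for that case would help diagnose a subsystem whose admin user ends up in no group. createAdmin starts and ends outside this hunk.
```java
String[] adminGroups = {
    "Security Domain Administrators",
    "Enterprise CA Administrators",
    "Enterprise KRA Administrators",
    "Enterprise RA Administrators",
    "Enterprise TKS Administrators",
    "Enterprise OCSP Administrators",
    "Enterprise TPS Administrators"
};
for (String groupName : adminGroups) {
    group = system.getGroupFromName(groupName);
    if (group == null) {
        CMS.debug("AdminPanel createAdmin: group '" + groupName + "' not found, skipping");
        continue;
    }
    if (!group.isMember(uid)) {
        CMS.debug("AdminPanel createAdmin: add user '" + uid + "' to group '" + groupName + "'");
        group.addMemberName(uid);
        system.modifyGroup(group);
    }
}
```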
@@ -143,10 +152,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou tokenPanel(data, token); //configure security domain + CMS.debug("=== Security Domain Panel ==="); String securityDomainType = data.getSecurityDomainType(); String domainXML = securityDomainPanel(data, securityDomainType); //subsystem panel + CMS.debug("=== Subsystem Panel ==="); cs.putString("preop.subsystem.name", data.getSubsystemName()); // is this a clone of another subsystem? @@ -160,6 +171,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } // Hierarchy Panel + CMS.debug("=== Hierarchy Panel ==="); hierarchyPanel(data); // TPS Panels @@ -196,10 +208,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } // Database Panel + CMS.debug("=== Database Panel ==="); databasePanel(data); // SizePanel, NamePanel, CertRequestPanel //handle the CA URL + CMS.debug("=== Size Panel, Name Panel, CertRequest Panel ==="); try { if ((data.getHierarchy() == null) || (data.getHierarchy().equals("join"))) { String url = data.getIssuingCA(); 
@@ -248,29 +262,64 @@ public class SystemConfigService extends PKIService implements SystemConfigResou StringTokenizer t = new StringTokenizer(certList, ","); while (t.hasMoreTokens()) { String ct = t.nextToken(); + String certStr; boolean enable = cs.getBoolean("preop.cert." + ct + ".enable", true); if (!enable) continue; Collection<SystemCertData> certData = data.getSystemCerts(); Iterator<SystemCertData> iterator = certData.iterator(); SystemCertData cdata = null; + boolean cdata_found = false; while (iterator.hasNext()) { cdata = iterator.next(); - if (cdata.getTag().equals(ct)) break; + if (cdata.getTag().equals(ct)) { + cdata_found = true; + CMS.debug("Found data for '" + ct + "'"); + break; + } + } + if (!cdata_found) { + CMS.debug("No data for '" + ct + "' was found!"); + throw new BadRequestException("No data for '" + ct + "' was found!"); + } + + if (data.getStandAlone() && data.getStepTwo()) { + // Stand-alone PKI (Step 2) + if (ct.equals("external_signing")) { + String b64 = cdata.getCert(); + if ((b64!= null) && (b64.length()>0) && (!b64.startsWith("..."))) { + hasSigningCert = true; + if (data.getIssuingCA().equals("External CA")) { + String nickname = (cdata.getNickname() != null) ? cdata.getNickname() : "caSigningCert External CA"; + String tokenName = cdata.getToken() != null ? 
cdata.getToken() : token; + Cert certObj = new Cert(tokenName, nickname, ct); + ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, certObj); + CMS.debug("Step 2: certStr for '" + ct + "' is " + b64); + String certChainStr = cdata.getCertChain(); + if (certChainStr != null) { + ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, certObj); + CMS.debug("Step 2: certChainStr for '" + ct + "' is " + certChainStr); + certs.addElement(certObj); + } else { + throw new BadRequestException("CertChain not provided"); + } + } + continue; + } + } } if (!generateServerCert && ct.equals("sslserver")) { if (!cdata.getToken().equals("internal")) { - cs.putString(csType.toLowerCase() + ".cert.sslserver.nickname", cdata.getNickname()); + cs.putString(csSubsystem + ".cert.sslserver.nickname", cdata.getNickname()); } else { - cs.putString(csType.toLowerCase() + ".cert.sslserver.nickname", data.getToken() + + cs.putString(csSubsystem + ".cert.sslserver.nickname", data.getToken() + ":" + cdata.getNickname()); } - cs.putString(csType.toLowerCase() + ".sslserver.nickname", cdata.getNickname()); - cs.putString(csType.toLowerCase() + ".sslserver.cert", cdata.getCert()); - cs.putString(csType.toLowerCase() + ".sslserver.certreq", cdata.getRequest()); - cs.putString(csType.toLowerCase() + ".sslserver.tokenname", cdata.getToken()); - cs.putString(csType.toLowerCase() + ".sslserver.cert", cdata.getCert()); + cs.putString(csSubsystem + ".sslserver.nickname", cdata.getNickname()); + cs.putString(csSubsystem + ".sslserver.cert", cdata.getCert()); + cs.putString(csSubsystem + ".sslserver.certreq", cdata.getRequest()); + cs.putString(csSubsystem + ".sslserver.tokenname", cdata.getToken()); continue; } 
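Review bot: `data.getIssuingCA().equals("External CA")` in the new external_signing block has no null guard, while the later check in this same method (`(data.getIssuingCA()!= null) && data.getIssuingCA().equals("External CA")`) shows the value can be absent; `"External CA".equals(data.getIssuingCA())` avoids the NPE. The block also falls through silently in two cases: when the external_signing entry holds the placeholder or an empty string, control drops to the generic per-tag processing further down, which reads `preop.cert.external_signing.*` keys that nothing in this diff defines, and when the issuing CA is anything else the entry is skipped with `hasSigningCert` already set but no certificate stored. Rejecting both up front with a BadRequestException, as is already done for a missing chain, surfaces the problem at the request boundary instead of as a config-store error. The enclosing while loop starts in this hunk and continues past it.
```java
if (data.getStandAlone() && data.getStepTwo()) {
    // Stand-alone PKI (Step 2)
    if (ct.equals("external_signing")) {
        String b64 = cdata.getCert();
        if (b64 == null || b64.length() == 0 || b64.startsWith("...")) {
            throw new BadRequestException("Certificate for '" + ct + "' not provided");
        }
        if (!"External CA".equals(data.getIssuingCA())) {
            throw new BadRequestException("Stand-alone PKI (Step 2) requires 'External CA' as the issuing CA");
        }
        hasSigningCert = true;
        // … unchanged: nickname/tokenName, Cert construction, setExternalCACert, chain handling …
        continue;
    }
}
```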
@@ -294,7 +343,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("preop.cert." + ct + ".nickname", nickname); cs.putString("preop.cert." + ct + ".dn", dn); - if (data.getStepTwo() == null) { + if (!data.getStepTwo()) { if (keytype.equals("ecc")) { String curvename = (cdata.getKeyCurveName() != null) ? cdata.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); @@ -307,7 +356,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, ct); } } else { - CMS.debug("configure(): step two selected. keys will not be generated"); + CMS.debug("configure(): step two selected. keys will not be generated for '" + ct + "'"); } String tokenName = cdata.getToken() != null ? cdata.getToken() : token; 
@@ -316,24 +365,50 @@ public class SystemConfigService extends PKIService implements SystemConfigResou certObj.setSubsystem(cs.getString("preop.cert." + ct + ".subsystem")); certObj.setType(cs.getString("preop.cert." + ct + ".type")); - if (data.getStepTwo() == null) { + if (!data.getStepTwo()) { ConfigurationUtils.configCert(null, null, null, certObj, null); } else { String subsystem = cs.getString("preop.cert." + ct + ".subsystem"); - String certStr = cs.getString(subsystem + "." + ct + ".cert" ); + if (data.getStandAlone()) { + // Stand-alone PKI (Step 2) + certStr = cdata.getCert(); + certStr = CryptoUtil.stripCertBrackets(certStr.trim()); + certStr = CryptoUtil.normalizeCertStr(certStr); + cs.putString(subsystem + "." + ct + ".cert", certStr); + } else { + certStr = cs.getString(subsystem + "." + ct + ".cert" ); + } + certObj.setCert(certStr); - CMS.debug("Step 2: certStr for " + ct + " is " + certStr); + CMS.debug("Step 2: certStr for '" + ct + "' is " + certStr); + } + + // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) + if (data.getStandAlone()) { + if (!data.getStepTwo()) { + // Stand-alone PKI (Step 1) + ConfigurationUtils.handleCertRequest(cs, ct, certObj); + + CMS.debug("Stand-alone " + csType + " Admin CSR"); + String adminSubjectDN = data.getAdminSubjectDN(); + String certreqStr = data.getAdminCertRequest(); + certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr); + cs.putString("preop.cert.admin.dn", adminSubjectDN); + cs.putString(csSubsystem + ".admin.certreq", certreqStr); + cs.putString(csSubsystem + ".admin.cert", "...paste certificate here..."); + } + } else { + ConfigurationUtils.handleCertRequest(cs, ct, certObj); } - ConfigurationUtils.handleCertRequest(cs, ct, certObj); if (data.getIsClone().equals("true")) { ConfigurationUtils.updateCloneConfig(); } // to determine if we have the signing cert when using an external ca - // this will only execute on a ca + // this will only execute on a ca or stand-alone pki String 
b64 = cdata.getCert(); - if (ct.equals("signing") && (b64!= null) && (b64.length()>0) && (!b64.startsWith("..."))) { + if ((ct.equals("signing") || ct.equals("external_signing")) && (b64!= null) && (b64.length()>0) && (!b64.startsWith("..."))) { hasSigningCert = true; if (data.getIssuingCA().equals("External CA")) { b64 = CryptoUtil.stripCertBrackets(b64.trim()); @@ -363,8 +438,9 @@ public class SystemConfigService extends PKIService implements SystemConfigResou throw new PKIException("Error in setting certificate names and key sizes: " + e); } - // submitting to external ca + // non-Stand-alone PKI submitting CSRs to external ca if ((data.getIssuingCA()!= null) && data.getIssuingCA().equals("External CA") && (!hasSigningCert)) { + CMS.debug("Submit CSRs to external ca . . ."); response.setSystemCerts(SystemCertDataFactory.create(certs)); response.setStatus(SUCCESS); return response; @@ -375,19 +451,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou Cert cert = c.nextElement(); int ret; try { + CMS.debug("Processing '" + cert.getCertTag() + "' certificate:"); ret = ConfigurationUtils.handleCerts(cert); ConfigurationUtils.setCertPermissions(cert.getCertTag()); + CMS.debug("Processed '" + cert.getCertTag() + "' certificate."); } catch (Exception e) { e.printStackTrace(); - throw new PKIException("Error in confguring system certificates" + e); + throw new PKIException("Error in configuring system certificates" + e); } if (ret != 0) { - throw new PKIException("Error in confguring system certificates"); + throw new PKIException("Error in configuring system certificates"); } } response.setSystemCerts(SystemCertDataFactory.create(certs)); // BackupKeyCertPanel/SavePKCS12Panel + CMS.debug("=== BackupKeyCert Panel/SavePKCS12 Panel ==="); if (data.getBackupKeys().equals("true")) { try { ConfigurationUtils.backupKeys(data.getBackupPassword(), data.getBackupFile()); 
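Review bot: The stand-alone Step 1 block sits inside the per-certificate loop, so the admin CSR is normalized and `preop.cert.admin.dn`, `<subsystem>.admin.certreq` and `<subsystem>.admin.cert` are rewritten once for every tag in certList, and `CryptoUtil.normalizeCertAndReq` receives a null if the request carries no admin CSR. Hoisting that block out of the loop (after it, or into adminPanel) and guarding `certreqStr == null` with a BadRequestException keeps it to one write and one clear failure. In the Step 2 branch above, `certStr = cdata.getCert(); certStr = CryptoUtil.stripCertBrackets(certStr.trim());` likewise dereferences client data without a null check, where the old code read the value from the config store; the same `(b64!= null) && (b64.length()>0) && (!b64.startsWith("..."))` test used a few lines later would fit here. The enclosing while loop and the method start and end outside this hunk.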
@@ -398,10 +477,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } // AdminPanel + CMS.debug("=== Admin Panel ==="); adminPanel(data, response); // Done Panel // Create or update security domain + CMS.debug("=== Done Panel ==="); try { if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) { ConfigurationUtils.createSecurityDomain(); @@ -426,7 +507,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou // need to push connector information to the CA try { - if (csType.equals("KRA") && (!ca_host.equals(""))) { + if (csType.equals("KRA") && (!data.getStandAlone()) && (!ca_host.equals(""))) { ConfigurationUtils.updateConnectorInfo(CMS.getAgentHost(), CMS.getAgentPort()); ConfigurationUtils.setupClientAuthUser(); } @@ -441,8 +522,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou if (csType.equals("OCSP") && (!ca_host.equals(""))) { CMS.reinit(IOCSPAuthority.ID); ConfigurationUtils.importCACertToOCSP(); - ConfigurationUtils.updateOCSPConfig(); - ConfigurationUtils.setupClientAuthUser(); + if (!data.getStandAlone()) { + ConfigurationUtils.updateOCSPConfig(); + ConfigurationUtils.setupClientAuthUser(); + } } } catch (Exception e) { e.printStackTrace(); @@ -582,6 +665,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou data.getAdminName(), data.getAdminPassword()); if (data.getImportAdminCert().equalsIgnoreCase("true")) { String b64 = CryptoUtil.stripCertBrackets(data.getAdminCert().trim()); + if (data.getStandAlone() && data.getStepTwo()) { + // Stand-alone PKI (Step 2) + CMS.debug("adminPanel: Stand-alone " + csType + " Admin Cert"); + cs.putString(csSubsystem + ".admin.cert", b64); + cs.commit(false); + } + // Convert Admin Cert to X509CertImpl byte[] b = CryptoUtil.base64Decode(b64); admincerts[0] = new X509CertImpl(b); } else { 
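Review bot: In adminPanel the stand-alone Step 2 branch writes the pasted admin certificate to `<subsystem>.admin.cert` and calls `cs.commit(false)` before `CryptoUtil.base64Decode(b64)` and `new X509CertImpl(b)` have shown that it is a certificate at all, so a malformed paste leaves an unusable value committed to the config store while the request itself fails. Move `cs.putString(csSubsystem + ".admin.cert", b64);` and `cs.commit(false);` after `admincerts[0] = new X509CertImpl(b);` so only a parsed certificate is persisted. adminPanel begins and ends outside this hunk.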
@@ -708,7 +798,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou psStore.putString("replicationdb", replicationpwd); psStore.commit(false); - if (data.getStepTwo() == null) { + if (!data.getStepTwo()) { ConfigurationUtils.populateDB(); cs.putString("preop.internaldb.replicationpwd", replicationpwd); @@ -833,7 +923,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("securitydomain.httpsagentport", CMS.getAgentPort()); cs.putString("securitydomain.httpseeport", CMS.getEESSLPort()); cs.putString("securitydomain.httpsadminport", CMS.getAdminPort()); - cs.putString("preop.cert.subsystem.type", "local"); + // Stand-alone PKI (Step 1) + if (data.getStandAlone()) { + cs.putString("preop.cert.subsystem.type", "remote"); + } else { + cs.putString("preop.cert.subsystem.type", "local"); + } cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile"); } else { cs.putString("preop.securitydomain.select", "existing"); @@ -926,6 +1021,20 @@ public class SystemConfigService extends PKIService implements SystemConfigResou throw new BadRequestException("Incorrect pin provided"); } + // validate legal stand-alone PKI subsystems + if (data.getStandAlone()) { + // ADD checks for valid types of Stand-alone PKI subsystems here + // AND to the 'checkStandalonePKI()' Python method of + // the 'ConfigurationFile' Python class in the Python file called + // 'pkihelper.py' + if (!csType.equals("KRA")) { + throw new BadRequestException("Stand-alone PKI " + csType + " subsystems are currently NOT supported!"); + } + if ((data.getIsClone() != null) && (data.getIsClone().equals("true"))) { + throw new BadRequestException("A stand-alone PKI subsystem cannot be a clone"); + } + } + // validate security domain settings String domainType = data.getSecurityDomainType(); if (domainType == null) { 
@@ -933,13 +1042,17 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } if (domainType.equals(ConfigurationRequest.NEW_DOMAIN)) { - if (!csType.equals("CA")) { - throw new BadRequestException("New Domain is only valid for CA subsytems"); + if (!(data.getStandAlone() || csType.equals("CA"))) { + throw new BadRequestException("New Domain is only valid for stand-alone PKI or CA subsytems"); } if (data.getSecurityDomainName() == null) { throw new BadRequestException("Security Domain Name is not provided"); } } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN)) { + if (data.getStandAlone()) { + throw new BadRequestException("Existing security domains are not valid for stand-alone PKI subsytems"); + } + String domainURI = data.getSecurityDomainUri(); if (domainURI == null) { throw new BadRequestException("Existing security domain requested, but no security domain URI provided"); @@ -1058,7 +1171,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } if (csType.equals("CA") && (data.getHierarchy() == null)) { - throw new BadRequestException("Hierarchy is requred for CA, not provided"); + throw new BadRequestException("Hierarchy is required for CA, not provided"); } if (data.getIsClone().equals("false")) { |
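Review bot: Both new error messages in the security-domain validation misspell "subsystems" as "subsytems" (`"New Domain is only valid for stand-alone PKI or CA subsytems"` and `"Existing security domains are not valid for stand-alone PKI subsytems"`), while this same commit fixes "confguring" and "requred" elsewhere; these strings reach the client, so correct them now. The new stand-alone check in the preceding hunk guards `data.getIsClone() != null`, yet the context at the end of the `@@ -1058` hunk still calls `data.getIsClone().equals("false")` unguarded — one convention should win, and the guarded form is the safer one for a request field. validateData starts and ends outside these hunks.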
