authorMatthew Harmsen <mharmsen@redhat.com>2012-07-18 17:48:11 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2012-07-19 10:16:42 -0700
commit3fcefc1b67e7afe0455267b3876d9e6ef47531cc (patch)
tree023d0c199d696df9655174f2e3a5a7d79bb52310 /base/deploy/src/scriptlets/configuration.py
parent0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 (diff)
PKI Deployment Scriptlets
Saved Admin Certificate, imported it into NSS client security databases, and exported it to a PKCS #12 file such that it may be imported into a browser. TRAC Ticket #221 Dogtag 10: Create a PKCS #12 file containing the Admin Certificate (https://fedorahosted.org/pki/ticket/221)
Diffstat (limited to 'base/deploy/src/scriptlets/configuration.py')
-rw-r--r--base/deploy/src/scriptlets/configuration.py24
1 files changed, 23 insertions, 1 deletions
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index 421e08dc0..742a4ec33 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -35,7 +35,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
- util.directory.create(master['pki_client_path'], uid=0, gid=0)
+ # Place "slightly" less restrictive permissions on
+ # the top-level client directory ONLY
+ util.directory.create(master['pki_client_path'],
+ uid=0, gid=0,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a client password file
# which ONLY contains the 'password' for the purposes of
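Review bot: The comment above the new `util.directory.create` call says the permissions are "slightly" less restrictive but never states what `config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS` resolves to or why that is acceptable for a directory that, per the lines that follow, will hold the client password file and the NSS client databases. Anyone auditing who can reach those secrets has to go and look the constant up; the comment should carry the mode and the justification, e.g. `# Use PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS (<mode>) on the top-level client directory ONLY, so that <reason>; everything beneath it keeps the default restrictive mode.` with the placeholders filled in from the constant's definition. The enclosing `spawn` method starts before this hunk.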
@@ -43,6 +47,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.password.create_password_conf(
master['pki_client_password_conf'],
master['pki_client_pin'], pin_sans_token=True)
+ util.file.modify(master['pki_client_password_conf'],
+ uid=0, gid=0)
+ # Similarly, create a simple password file containing the
+ # PKCS #12 password used when exporting the "Admin Certificate"
+ # into a PKCS #12 file
+ util.password.create_client_pkcs12_password_conf(
+ master['pki_client_pkcs12_password_conf'])
+ util.file.modify(master['pki_client_pkcs12_password_conf'],
+ uid=0, gid=0)
util.directory.create(master['pki_client_database_path'],
uid=0, gid=0)
util.certutil.create_security_databases(
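Review bot: The two new `util.file.modify(..., uid=0, gid=0)` calls only change ownership of the password files; nothing in this hunk sets their mode, and the previous hunk has just made the parent directory less restrictive. Unless `util.password.create_password_conf` and `util.password.create_client_pkcs12_password_conf` already create the files with a restrictive mode, the client PIN and the PKCS #12 export password could be readable by other local accounts; if `util.file.modify` accepts a mode argument analogous to the `perms=` passed to `util.directory.create`, pass a restrictive value here, otherwise confirm the creation helpers set one and record that in the comment, e.g. `# create_*_password_conf() creates the file mode <mode>; only ownership needs fixing here`. The same ownership-only pattern is added in the `respawn` hunk below. The enclosing `if not config.pki_dry_run_flag:` block and the `spawn` method start before this hunk.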
@@ -61,6 +74,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.password.create_password_conf(
master['pki_client_password_conf'],
master['pki_client_pin'], pin_sans_token=True)
+ # Similarly, create a simple password file containing the
+ # PKCS #12 password used when exporting the "Admin Certificate"
+ # into a PKCS #12 file
+ util.password.create_client_pkcs12_password_conf(
+ master['pki_client_pkcs12_password_conf'])
util.certutil.create_security_databases(
master['pki_client_database_path'],
master['pki_client_cert_database'],
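Review bot: This second `util.password.create_client_pkcs12_password_conf` call is not followed by the `util.file.modify(..., uid=0, gid=0)` that the earlier hunk adds after the equivalent call. The branch this sits in starts before the hunk, so I cannot tell whether it is the dry-run path, where ownership does not matter, or a real path that now leaves the file with whatever ownership the helper chooses. Either add the matching `util.file.modify` call or make the asymmetry deliberate with a one-line comment such as `# dry run: no ownership adjustment needed`.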
@@ -112,6 +130,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def respawn(self):
config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ util.file.modify(master['pki_client_password_conf'],
+ uid=0, gid=0)
+ util.file.modify(master['pki_client_pkcs12_password_conf'],
+ uid=0, gid=0)
# ALWAYS Restart this Apache/Tomcat PKI Process
util.systemd.restart()
return self.rv
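Review bot: `respawn` now calls `util.file.modify` on `master['pki_client_pkcs12_password_conf']` unconditionally, but an instance deployed before this change will not have that file, and unlike `spawn` there is no `config.pki_dry_run_flag` check around these calls. Depending on how `util.file.modify` treats a missing path, which is not visible here, a respawn of an older instance could fail before the restart on the next line. Guarding the call on the file's existence, and mirroring the dry-run check used in `spawn`, would avoid that; the reason ownership is re-applied on every respawn is also not stated, so add a comment such as `# Re-assert root ownership of the client password files on every respawn in case they were recreated with different ownership`, adjusted to the actual reason.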