summaryrefslogtreecommitdiffstats
path: root/base/deploy/src/scriptlets/pkijython.py
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-09-11 15:42:36 -0400
committerAde Lee <alee@redhat.com>2012-09-12 21:39:47 -0400
commitd7b67c5ba1cf193c50cd46ec4bdef79646bce1af (patch)
treead1c6a592d2ca7538b97115ef8c4bd3daa36f793 /base/deploy/src/scriptlets/pkijython.py
parentedd986d94f173ea9f63f105eaf0039327bc6f2e9 (diff)
downloadpki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.tar.gz
pki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.tar.xz
pki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.zip
Various fixes to installation servlet and pki-deploy
Added logging so that we can see what is passed in to server from pkispawn. Fixed incorrect dbuser specification. Added required replication config items to pkispawn. Initial refactoring of construct_pki_configuration_data in pkijython.py
Diffstat (limited to 'base/deploy/src/scriptlets/pkijython.py')
-rw-r--r--base/deploy/src/scriptlets/pkijython.py402
1 files changed, 158 insertions, 244 deletions
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index c489fb13f..28a705046 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -254,23 +254,115 @@ class security_databases:
# PKI Deployment 'REST Client' Class
class rest_client:
client = None
+ master = None
+ sensitive = None
- def initialize(self, client_config, pki_dry_run_flag, log_level):
+ def initialize(self, client_config, master, sensitive):
try:
+ self.master = master
+ self.sensitive = sensitive
+ log_level = master['pki_jython_log_level']
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
client_config.serverURI)
- if not pki_dry_run_flag:
+ if not master['pki_dry_run_flag']:
self.client = SystemConfigClient(client_config)
return self.client
except URISyntaxException, e:
e.printStackTrace()
javasystem.exit(1)
- def construct_pki_configuration_data(self, master, sensitive, token):
+ def set_existing_security_domain(self, data):
+ data.setSecurityDomainType(ConfigurationRequest.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(self.master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(self.master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ self.sensitive['pki_security_domain_password'])
+
+ def set_new_security_domain(self, data):
+ data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN)
+ data.setSecurityDomainName(self.master['pki_security_domain_name'])
+
+ def set_cloning_parameters(self, data):
+ data.setIsClone("true")
+ data.setCloneUri(self.master['pki_clone_uri'])
+ data.setP12File(self.master['pki_clone_pkcs12_path'])
+ data.setP12Password(self.sensitive['pki_clone_pkcs12_password'])
+ data.setReplicationSecurity(
+ self.master['pki_clone_replication_security'])
+ if self.master['pki_clone_replication_master_port']:
+ data.setMasterReplicationPort(
+ self.master['pki_clone_replication_master_port'])
+ if self.master['pki_clone_replication_clone_port']:
+ data.setCloneReplicationPort(
+ self.master['pki_clone_replication_clone_port'])
+
+ def set_database_parameters(self, data):
+ data.setDsHost(self.master['pki_ds_hostname'])
+ data.setDsPort(self.master['pki_ds_ldap_port'])
+ data.setBaseDN(self.master['pki_ds_base_dn'])
+ data.setBindDN(self.master['pki_ds_bind_dn'])
+ data.setDatabase(self.master['pki_ds_database'])
+ data.setBindpwd(self.sensitive['pki_ds_password'])
+ if config.str2bool(self.master['pki_ds_remove_data']):
+ data.setRemoveData("true")
+ else:
+ data.setRemoveData("false")
+ if config.str2bool(self.master['pki_ds_secure_connection']):
+ data.setSecureConn("true")
+ else:
+ data.setSecureConn("false")
+
+ def set_backup_parameters(self, data):
+ if config.str2bool(self.master['pki_backup_keys']):
+ data.setBackupKeys("true")
+ data.setBackupFile(self.master['pki_backup_keys_p12'])
+ data.setBackupPassword(self.sensitive['pki_backup_password'])
+ else:
+ data.setBackupKeys("false")
+
+ def set_admin_parameters(self, token, data):
+ data.setAdminEmail(self.master['pki_admin_email'])
+ data.setAdminName(self.master['pki_admin_name'])
+ data.setAdminPassword(self.sensitive['pki_admin_password'])
+ data.setAdminProfileID(self.master['pki_admin_profile_id'])
+ data.setAdminUID(self.master['pki_admin_uid'])
+ data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
+ if self.master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(self.master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
+
+ def create_system_cert(self, tag):
+ cert = SystemCertData()
+ cert.setTag(self.master["pki_%s_tag" % tag])
+ cert.setKeyAlgorithm(self.master["pki_%s_key_algorithm" % tag])
+ cert.setKeySize(self.master["pki_%s_key_size" % tag])
+ cert.setKeyType(self.master["pki_%s_key_type" % tag])
+ cert.setNickname(self.master["pki_%s_nickname" % tag])
+ cert.setSubjectDN(self.master["pki_%s_subject_dn" % tag])
+ cert.setToken(self.master["pki_%s_token" % tag])
+ return cert
+
+ def construct_pki_configuration_data(self, token):
data = None
+ master = self.master
if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
(log.PKI_JYTHON_INDENTATION_2,
@@ -278,141 +370,57 @@ class rest_client:
master['pki_subsystem'])
if not master['pki_dry_run_flag']:
data = ConfigurationRequest()
+
# Miscellaneous Configuration Information
- data.setPin(sensitive['pki_one_time_pin'])
+ data.setPin(self.sensitive['pki_one_time_pin'])
data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
+ data.setSubsystemName(master['pki_subsystem_name'])
+
+ # Hierarchy
if master['pki_instance_type'] == "Tomcat":
- data.setSubsystemName(master['pki_subsystem_name'])
if master['pki_subsystem'] == "CA":
if config.str2bool(master['pki_clone']):
# Cloned CA
+ # alee - is this correct?
data.setHierarchy("root")
- data.setIsClone("true")
- data.setCloneUri(master['pki_clone_uri'])
- data.setP12File(master['pki_clone_pkcs12_path'])
- data.setP12Password(
- sensitive['pki_clone_pkcs12_password'])
elif config.str2bool(master['pki_external']):
# External CA
data.setHierarchy("join")
- data.setIsClone("false")
elif config.str2bool(master['pki_subordinate']):
# Subordinate CA
data.setHierarchy("join")
- data.setIsClone("false")
else:
# PKI CA
data.setHierarchy("root")
- data.setIsClone("false")
- elif master['pki_subsystem'] == "KRA":
- if config.str2bool(master['pki_clone']):
- # Cloned KRA
- data.setIsClone("true")
- data.setCloneUri(master['pki_clone_uri'])
- data.setP12File(master['pki_clone_pkcs12_path'])
- data.setP12Password(
- sensitive['pki_clone_pkcs12_password'])
- else:
- # PKI KRA
- data.setIsClone("false")
- elif master['pki_subsystem'] == "OCSP":
- if config.str2bool(master['pki_clone']):
- # Cloned OCSP
- data.setIsClone("true")
- data.setCloneUri(master['pki_clone_uri'])
- data.setP12File(master['pki_clone_pkcs12_path'])
- data.setP12Password(
- sensitive['pki_clone_pkcs12_password'])
- else:
- # PKI OCSP
- data.setIsClone("false")
- elif master['pki_subsystem'] == "TKS":
- if config.str2bool(master['pki_clone']):
- # Cloned TKS
- data.setIsClone("true")
- data.setCloneUri(master['pki_clone_uri'])
- data.setP12File(master['pki_clone_pkcs12_path'])
- data.setP12Password(
- sensitive['pki_clone_pkcs12_password'])
- else:
- # PKI TKS
- data.setIsClone("false")
- # Security Domain Information
- #
- # NOTE: External CA's DO NOT require a security domain
- #
+
+ # Cloning parameters
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_clone']):
+ self.set_cloning_parameters(data)
+ else:
+ data.setIsClone("false")
+
+ # Security Domain
if master['pki_subsystem'] != "CA" or\
config.str2bool(master['pki_clone']) or\
config.str2bool(master['pki_subordinate']):
# PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
# Subordinate CA
- data.setSecurityDomainType(
- ConfigurationRequest.EXISTING_DOMAIN)
- data.setSecurityDomainUri(
- master['pki_security_domain_uri'])
- data.setSecurityDomainUser(
- master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- sensitive['pki_security_domain_password'])
+ self.set_existing_security_domain(data)
elif not config.str2bool(master['pki_external']):
# PKI CA
- data.setSecurityDomainType(
- ConfigurationRequest.NEW_DOMAIN)
- data.setSecurityDomainName(
- master['pki_security_domain_name'])
- # Directory Server Information
+ self.set_new_security_domain(data)
+
if master['pki_subsystem'] != "RA":
- data.setDsHost(master['pki_ds_hostname'])
- data.setDsPort(master['pki_ds_ldap_port'])
- data.setBaseDN(master['pki_ds_base_dn'])
- data.setBindDN(master['pki_ds_bind_dn'])
- data.setDatabase(master['pki_ds_database'])
- data.setBindpwd(sensitive['pki_ds_password'])
- if config.str2bool(master['pki_ds_remove_data']):
- data.setRemoveData("true")
- else:
- data.setRemoveData("false")
- if config.str2bool(master['pki_ds_secure_connection']):
- data.setSecureConn("true")
- else:
- data.setSecureConn("false")
- # Backup Information
- if master['pki_instance_type'] == "Tomcat":
- if config.str2bool(master['pki_backup_keys']):
- data.setBackupKeys("true")
- data.setBackupFile(master['pki_backup_keys_p12'])
- data.setBackupPassword(
- sensitive['pki_backup_password'])
- else:
- data.setBackupKeys("false")
- # Admin Information
+ self.set_database_parameters(data)
+
if master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- data.setAdminEmail(master['pki_admin_email'])
- data.setAdminName(master['pki_admin_name'])
- data.setAdminPassword(sensitive['pki_admin_password'])
- data.setAdminProfileID(master['pki_admin_profile_id'])
- data.setAdminUID(master['pki_admin_uid'])
- data.setAdminSubjectDN(master['pki_admin_subject_dn'])
- if master['pki_admin_cert_request_type'] == "crmf":
- data.setAdminCertRequestType("crmf")
- if config.str2bool(master['pki_admin_dualkey']):
- crmf_request = generateCRMFRequest(
- token,
- master['pki_admin_keysize'],
- master['pki_admin_subject_dn'],
- "true")
- else:
- crmf_request = generateCRMFRequest(
- token,
- master['pki_admin_keysize'],
- master['pki_admin_subject_dn'],
- "false")
- data.setAdminCertRequest(crmf_request)
- else:
- javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
- javasystem.exit(1)
+ self.set_backup_parameters(data)
+
+ if not config.str2bool(master['pki_clone']):
+ self.set_admin_parameters(token, data)
+
# Issuing CA Information
if master['pki_subsystem'] != "CA" or\
config.str2bool(master['pki_clone']) or\
@@ -422,154 +430,60 @@ class rest_client:
# CA Clone, KRA Clone, OCSP Clone, TKS Clone,
# Subordinate CA, or External CA
data.setIssuingCA(master['pki_issuing_ca'])
+
# Create system certs
systemCerts = ArrayList()
+
# Create 'CA Signing Certificate'
- if master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "CA":
- # External CA, Subordinate CA, or PKI CA
- cert1 = SystemCertData()
- cert1.setTag(master['pki_ca_signing_tag'])
- cert1.setKeyAlgorithm(
- master['pki_ca_signing_key_algorithm'])
- cert1.setKeySize(master['pki_ca_signing_key_size'])
- cert1.setKeyType(master['pki_ca_signing_key_type'])
- cert1.setNickname(master['pki_ca_signing_nickname'])
- cert1.setSigningAlgorithm(
- master['pki_ca_signing_signing_algorithm'])
- cert1.setSubjectDN(master['pki_ca_signing_subject_dn'])
- cert1.setToken(master['pki_ca_signing_token'])
- systemCerts.add(cert1)
+ cert = self.create_system_cert("ca_signing")
+ cert.setSigningAlgorithm(
+ master['pki_ca_signing_signing_algorithm'])
+ systemCerts.add(cert)
+
# Create 'OCSP Signing Certificate'
- if master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "CA" or\
- master['pki_subsystem'] == "OCSP":
- # External CA, Subordinate CA, PKI CA, or PKI OCSP
- cert2 = SystemCertData()
- cert2.setTag(master['pki_ocsp_signing_tag'])
- cert2.setKeyAlgorithm(
- master['pki_ocsp_signing_key_algorithm'])
- cert2.setKeySize(master['pki_ocsp_signing_key_size'])
- cert2.setKeyType(master['pki_ocsp_signing_key_type'])
- cert2.setNickname(master['pki_ocsp_signing_nickname'])
- cert2.setSigningAlgorithm(
- master['pki_ocsp_signing_signing_algorithm'])
- cert2.setSubjectDN(
- master['pki_ocsp_signing_subject_dn'])
- cert2.setToken(master['pki_ocsp_signing_token'])
- systemCerts.add(cert2)
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA" or\
+ master['pki_subsystem'] == "OCSP":
+ # External CA, Subordinate CA, PKI CA, or PKI OCSP
+ cert2 = self.create_system_cert("ocsp_signing")
+ cert2.setSigningAlgorithm(
+ master['pki_ocsp_signing_signing_algorithm'])
+ systemCerts.add(cert2)
+
# Create 'SSL Server Certificate'
- # PKI RA, PKI TPS,
- # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
- # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE,
- # External CA, or Subordinate CA
- cert3 = SystemCertData()
- cert3.setTag(master['pki_ssl_server_tag'])
- cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm'])
- cert3.setKeySize(master['pki_ssl_server_key_size'])
- cert3.setKeyType(master['pki_ssl_server_key_type'])
- cert3.setNickname(master['pki_ssl_server_nickname'])
- cert3.setSubjectDN(master['pki_ssl_server_subject_dn'])
- cert3.setToken(master['pki_ssl_server_token'])
+ # all subsystems
+ cert3 = self.create_system_cert("ssl_server")
systemCerts.add(cert3)
+
# Create 'Subsystem Certificate'
- if master['pki_instance_type'] == "Apache":
- # PKI RA or PKI TPS
- cert4 = SystemCertData()
- cert4.setTag(master['pki_subsystem_tag'])
- cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
- cert4.setKeySize(master['pki_subsystem_key_size'])
- cert4.setKeyType(master['pki_subsystem_key_type'])
- cert4.setNickname(master['pki_subsystem_nickname'])
- cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
- cert4.setToken(master['pki_subsystem_token'])
+ if not config.str2bool(master['pki_clone']):
+ cert4 = self.create_system_cert("subsystem")
systemCerts.add(cert4)
- elif master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
- # External CA, or Subordinate CA
- cert4 = SystemCertData()
- cert4.setTag(master['pki_subsystem_tag'])
- cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
- cert4.setKeySize(master['pki_subsystem_key_size'])
- cert4.setKeyType(master['pki_subsystem_key_type'])
- cert4.setNickname(master['pki_subsystem_nickname'])
- cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
- cert4.setToken(master['pki_subsystem_token'])
- systemCerts.add(cert4)
+
# Create 'Audit Signing Certificate'
- if master['pki_instance_type'] == "Apache":
+ if not config.str2bool(master['pki_clone']):
if master['pki_subsystem'] != "RA":
- # PKI TPS
- cert5 = SystemCertData()
- cert5.setTag(master['pki_audit_signing_tag'])
- cert5.setKeyAlgorithm(
- master['pki_audit_signing_key_algorithm'])
- cert5.setKeySize(master['pki_audit_signing_key_size'])
- cert5.setKeyType(master['pki_audit_signing_key_type'])
- cert5.setNickname(master['pki_audit_signing_nickname'])
- cert5.setKeyAlgorithm(
+ cert5 = self.create_system_cert("audit_signing")
+ cert5.setSigningAlgorithm(
master['pki_audit_signing_signing_algorithm'])
- cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
- cert5.setToken(master['pki_audit_signing_token'])
systemCerts.add(cert5)
- elif master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
- # External CA, or Subordinate CA
- cert5 = SystemCertData()
- cert5.setTag(master['pki_audit_signing_tag'])
- cert5.setKeyAlgorithm(
- master['pki_audit_signing_key_algorithm'])
- cert5.setKeySize(master['pki_audit_signing_key_size'])
- cert5.setKeyType(master['pki_audit_signing_key_type'])
- cert5.setNickname(master['pki_audit_signing_nickname'])
- cert5.setKeyAlgorithm(
- master['pki_audit_signing_signing_algorithm'])
- cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
- cert5.setToken(master['pki_audit_signing_token'])
- systemCerts.add(cert5)
- # Create 'DRM Transport Certificate'
- if master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "KRA":
- # PKI KRA
- cert6 = SystemCertData()
- cert6.setTag(master['pki_transport_tag'])
- cert6.setKeyAlgorithm(
- master['pki_transport_key_algorithm'])
- cert6.setKeySize(master['pki_transport_key_size'])
- cert6.setKeyType(master['pki_transport_key_type'])
- cert6.setNickname(master['pki_transport_nickname'])
- cert6.setKeyAlgorithm(
- master['pki_transport_signing_algorithm'])
- cert6.setSubjectDN(master['pki_transport_subject_dn'])
- cert6.setToken(master['pki_transport_token'])
- systemCerts.add(cert6)
- # Create 'DRM Storage Certificate'
- if master['pki_instance_type'] == "Tomcat":
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "KRA":
- # PKI KRA
- cert7 = SystemCertData()
- cert7.setTag(master['pki_storage_tag'])
- cert7.setKeyAlgorithm(
- master['pki_storage_key_algorithm'])
- cert7.setKeySize(master['pki_storage_key_size'])
- cert7.setKeyType(master['pki_storage_key_type'])
- cert7.setNickname(master['pki_storage_nickname'])
- cert7.setKeyAlgorithm(
- master['pki_storage_signing_algorithm'])
- cert7.setSubjectDN(master['pki_storage_subject_dn'])
- cert7.setToken(master['pki_storage_token'])
- systemCerts.add(cert7)
- # Create system certs
+
+ # Create DRM Transport and storage Certificates
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ cert6 = self.create_system_cert("transport")
+ systemCerts.add(cert6)
+
+ cert7 = self.create_system_cert("storage")
+ systemCerts.add(cert7)
+
data.setSystemCerts(systemCerts)
return data
- def configure_pki_data(self, data, master, sensitive):
+ def configure_pki_data(self, data):
+ master = self.master
if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
(log.PKI_JYTHON_INDENTATION_2,