diff options
| author | Matthew Harmsen <mharmsen@redhat.com> | 2012-07-03 17:52:33 -0700 |
|---|---|---|
| committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-07-19 10:15:56 -0700 |
| commit | 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 (patch) | |
| tree | 79c0152be9f49069e977d0156283dbed746e7cfb /base/deploy/src/scriptlets/security_databases.py | |
| parent | 32b2670ba16084896e10ae27f7ce7b50313e375a (diff) | |
| download | pki-0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4.tar.gz pki-0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4.tar.xz pki-0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4.zip | |
PKI Deployment Scriptlets
* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to
support revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot'
parameter
* Introduction of default configuration of 'log4j'
mechanism (alee)
* Modify web.xml to use new Application classes to
bootstrap servers (alee)
* Introduction of "Wrapper" logic to support
Tomcat 6 --> Tomcat 7 API change (jmagne)
* Added jython helper function to allow attaching
a remote java debugger (e. g. - eclipse)
Diffstat (limited to 'base/deploy/src/scriptlets/security_databases.py')
| -rw-r--r-- | base/deploy/src/scriptlets/security_databases.py | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py index 1a08fdccb..8364d9519 100644 --- a/base/deploy/src/scriptlets/security_databases.py +++ b/base/deploy/src/scriptlets/security_databases.py @@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.password.create_password_conf( master['pki_shared_password_conf'], master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) util.file.modify(master['pki_shared_password_conf']) util.certutil.create_security_databases( master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) util.file.modify(master['pki_cert_database'], perms=\ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) util.file.modify(master['pki_key_database'], perms=\ @@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_secmod_database'], master['pki_self_signed_token'], master['pki_self_signed_nickname'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], @@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_self_signed_issuer_name'], master['pki_self_signed_trustargs'], master['pki_self_signed_noise_file'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) else: util.password.create_password_conf( master['pki_shared_password_conf'], master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) util.certutil.create_security_databases( master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) rv = util.certutil.verify_certificate_exists( master['pki_database_path'], master['pki_cert_database'], @@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_secmod_database'], master['pki_self_signed_token'], master['pki_self_signed_nickname'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], @@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_self_signed_issuer_name'], master['pki_self_signed_trustargs'], master['pki_self_signed_noise_file'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file + util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) return self.rv def respawn(self): |