author | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-18 10:52:06 -0700 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-18 11:06:37 -0700 |
commit | 924403a14e92112c3c3d696319759b65eb57a30c (patch) | |
tree | ae097f21c022bd21b4c8b655a0030a8bef3953a3 /base/deploy/src/scriptlets/security_databases.py | |
parent | 488480629da8cd7c7263fab9773ef5860ad12947 (diff) | |
PKI Deployment Scriptlets
* Introduced concept of "admin-domain" originally as a
separate folder, and later incorporated this concept
into an optional instance prefix
* Revised definition of <pki_instance_id> to be identified
as "[<pki_admin_domain_name>-]<pki_instance_name>"
* Changed NSS security database model from one shared
database by BOTH a single Tomcat AND single Apache instance
into one per Tomcat instance (shared by CA/KRA/OCSP/TKS) and
one per Apache instance (shared by RA/TPS)
* Altered Configuration 'scriptlet' to invoke Jython for
access to new Java configuration servlet
* Renamed various "scriptlets" to comply with this new layout
* Re-aligned code to account for revised layout documented at
http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment
Diffstat (limited to 'base/deploy/src/scriptlets/security_databases.py')
-rw-r--r-- | base/deploy/src/scriptlets/security_databases.py | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index f32b7e497..1a08fdccb 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -27,7 +27,7 @@ import pkimessages as log
 import pkiscriptlet
 
 
-# PKI Deployment Security Database Classes
+# PKI Deployment Security Databases Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
     rv = 0
 
@@ -36,11 +36,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                             extra=config.PKI_INDENTATION_LEVEL_1)
         if not config.pki_dry_run_flag:
             util.password.create_password_conf(
-                master['pki_shared_password_conf'])
+                master['pki_shared_password_conf'],
+                master['pki_pin'])
             util.file.modify(master['pki_shared_password_conf'])
             util.certutil.create_security_databases(
                 master['pki_database_path'],
-                master['pki_shared_password_conf'])
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
+                password_file=master['pki_shared_password_conf'])
             util.file.modify(master['pki_cert_database'], perms=\
                 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
             util.file.modify(master['pki_key_database'], perms=\
@@ -49,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
             rv = util.certutil.verify_certificate_exists(
                 master['pki_database_path'],
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
                 master['pki_self_signed_token'],
                 master['pki_self_signed_nickname'],
                 password_file=master['pki_shared_password_conf'])
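Review bot: `util.password.create_password_conf(master['pki_shared_password_conf'], master['pki_pin'])` now writes the PIN into the password file, and the only visible hardening of that file is the `util.file.modify(master['pki_shared_password_conf'])` on the following line, so unless create_password_conf opens the file with a restrictive mode itself the secret sits under whatever the process umask grants until that call runs. I can't see create_password_conf or modify from this hunk, so this is a request to confirm rather than a defect; if create_password_conf already does this, a comment such as `# create_password_conf() creates the file with a restrictive mode before writing the PIN` above the call would record the invariant this ordering relies on. The same sequence appears in the hunk at -70,12. The enclosing method starts outside the hunk.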
@@ -58,6 +65,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 master['pki_self_signed_noise_bytes'])
             util.certutil.generate_self_signed_certificate(
                 master['pki_database_path'],
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
                 master['pki_self_signed_token'],
                 master['pki_self_signed_nickname'],
                 master['pki_self_signed_subject'],
@@ -70,12 +80,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.file.delete(master['pki_self_signed_noise_file'])
         else:
             util.password.create_password_conf(
-                master['pki_shared_password_conf'])
+                master['pki_shared_password_conf'],
+                master['pki_pin'])
             util.certutil.create_security_databases(
                 master['pki_database_path'],
-                master['pki_shared_password_conf'])
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
+                password_file=master['pki_shared_password_conf'])
             rv = util.certutil.verify_certificate_exists(
                 master['pki_database_path'],
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
                 master['pki_self_signed_token'],
                 master['pki_self_signed_nickname'],
                 password_file=master['pki_shared_password_conf'])
@@ -85,6 +102,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 master['pki_self_signed_noise_bytes'])
             util.certutil.generate_self_signed_certificate(
                 master['pki_database_path'],
+                master['pki_cert_database'],
+                master['pki_key_database'],
+                master['pki_secmod_database'],
                 master['pki_self_signed_token'],
                 master['pki_self_signed_nickname'],
                 master['pki_self_signed_subject'],
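Review bot: In the `else:` branch that follows `util.file.delete(master['pki_self_signed_noise_file'])` (hunk -70,12), the new `create_password_conf(...)` and `create_security_databases(...)` calls now mirror the earlier branch, but the `util.file.modify(master['pki_shared_password_conf'])` and the `util.file.modify(..., perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)` calls that the earlier branch performs right after them are still absent here, so the two paths no longer step through the same sequence. If this `else:` is the dry-run side of `if not config.pki_dry_run_flag:` (inferred; that `if` lies outside this hunk) and util.file.modify reports instead of acting during a dry run as the neighbouring helpers appear to, then a dry run under-reports exactly the permission tightening on the file that holds `master['pki_pin']`, which is the step an operator most wants previewed. Adding the same modify calls, as sketched below, keeps the paths in step; the third perms call is inferred because its target line falls outside the hunk. The enclosing method starts and ends outside the hunk.
```python
        else:
            # … unchanged: util.password.create_password_conf(...) …
            util.file.modify(master['pki_shared_password_conf'])
            # … unchanged: util.certutil.create_security_databases(...) …
            util.file.modify(master['pki_cert_database'], perms=\
                config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
            util.file.modify(master['pki_key_database'], perms=\
                config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
            # … plus the third perms-setting modify() whose target line is outside the hunk …
            # … unchanged: rv = util.certutil.verify_certificate_exists(...) …
```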
@@ -112,16 +132,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
         if not config.pki_dry_run_flag:
-            if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
-               util.instance.pki_subsystem_instances() == 0:
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+               util.instance.apache_instances() == 0:
+                util.file.delete(master['pki_cert_database'])
+                util.file.delete(master['pki_key_database'])
+                util.file.delete(master['pki_secmod_database'])
+                util.file.delete(master['pki_shared_password_conf'])
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+               util.instance.tomcat_instances() == 0:
                 util.file.delete(master['pki_cert_database'])
                 util.file.delete(master['pki_key_database'])
                 util.file.delete(master['pki_secmod_database'])
                 util.file.delete(master['pki_shared_password_conf'])
         else:
             # ALWAYS display correct information (even during dry_run)
-            if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
-               util.instance.pki_subsystem_instances() == 1:
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+               util.instance.apache_instances() == 1:
+                util.file.delete(master['pki_cert_database'])
+                util.file.delete(master['pki_key_database'])
+                util.file.delete(master['pki_secmod_database'])
+                util.file.delete(master['pki_shared_password_conf'])
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+               util.instance.tomcat_instances() == 1:
                 util.file.delete(master['pki_cert_database'])
                 util.file.delete(master['pki_key_database'])
                 util.file.delete(master['pki_secmod_database'])
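Review bot: The four `util.file.delete(...)` calls are now repeated four times: the Apache and Tomcat branches of both the live path and the dry-run path have identical bodies and differ only in which counter (`util.instance.apache_instances()` or `util.instance.tomcat_instances()`) is consulted and whether the threshold is 0 or 1. Selecting the counter once and deriving the threshold from `config.pki_dry_run_flag` leaves a single delete block, so a later change to the set of files removed (the NSS databases and the password file) cannot be applied to one branch and missed in the other three. The comment on the dry-run side suggests util.file.delete only reports during a dry run; if so the merged form below is behaviour-preserving, though I can't confirm that from this hunk. The enclosing method (the one logging SECURITY_DATABASES_DESTROY_1) starts and ends outside the hunk.
```python
        # … unchanged: config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, ...) …
        if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
            remaining = util.instance.apache_instances()
        elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            remaining = util.instance.tomcat_instances()
        else:
            remaining = None
        # Live run: remove the shared databases once no instance of this server
        # type is left.  Dry run: keep the original threshold of 1 (this instance
        # presumably still counts) so the report matches what a live run would do.
        if remaining == (1 if config.pki_dry_run_flag else 0):
            util.file.delete(master['pki_cert_database'])
            util.file.delete(master['pki_key_database'])
            util.file.delete(master['pki_secmod_database'])
            util.file.delete(master['pki_shared_password_conf'])
```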