author | Matthew Harmsen <mharmsen@redhat.com> | 2012-07-03 17:52:33 -0700 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-07-19 10:15:56 -0700 |
commit | 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 (patch) | |
tree | 79c0152be9f49069e977d0156283dbed746e7cfb /base/deploy/src | |
parent | 32b2670ba16084896e10ae27f7ce7b50313e375a (diff) | |
PKI Deployment Scriptlets
* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to
support revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot'
parameter
* Introduction of default configuration of 'log4j'
mechanism (alee)
* Modify web.xml to use new Application classes to
bootstrap servers (alee)
* Introduction of "Wrapper" logic to support
Tomcat 6 --> Tomcat 7 API change (jmagne)
* Added a jython helper function to allow attaching
a remote Java debugger (e.g. Eclipse)
Diffstat (limited to 'base/deploy/src')
-rwxr-xr-x | base/deploy/src/pkidestroy | 34 | ||||
-rwxr-xr-x | base/deploy/src/pkispawn | 34 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/configuration.jy | 116 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/configuration.py | 69 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/finalization.py | 16 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/initialization.py | 7 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/instance_layout.py | 119 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkiconfig.py | 58 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkihelper.py | 382 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkijython.py | 429 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkimessages.py | 65 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 1251 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/security_databases.py | 33 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/slot_substitution.py | 26 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/subsystem_layout.py | 68 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/war_explosion.py | 32 |
16 files changed, 2613 insertions, 126 deletions
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 6a2db56b8..5faa97cee 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -34,6 +34,7 @@ try:
 import socket
 import string
 import struct
+ import subprocess
 import time
 from time import strftime as date
 from pki.deployment import pkiconfig as config
@@ -74,7 +75,18 @@ def main(argv):
 config.pki_architecture = struct.calcsize("P") * 8
 # Retrieve hostname
- config.pki_hostname = socket.gethostname()
+ config.pki_hostname = socket.getfqdn()
+
+ # Retrieve DNS domainname
+ config.pki_dns_domainname = None
+ try:
+ config.pki_dns_domainname = subprocess.check_output("domainname",
+ shell=True)
+ config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ sys.exit(1)
 # Initialize 'pretty print' for objects
 pp = pprint.PrettyPrinter(indent=4)
@@ -111,6 +123,15 @@ def main(argv):
 extra=config.PKI_INDENTATION_LEVEL_0)
 sys.exit(1)
 else:
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
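Review bot: `subprocess.check_output("domainname", shell=True)` spawns a shell and resolves `domainname` through the caller's PATH from a script that runs as root; the argv form `subprocess.check_output(["/bin/domainname"])` (path to be confirmed for the target distribution) needs neither the shell nor the PATH lookup. The handler catches only `subprocess.CalledProcessError`, so a missing binary raises an unlogged `OSError` instead of reaching `PKI_SUBPROCESS_ERROR_1`; use `except (subprocess.CalledProcessError, OSError) as exc:`. `domainname(1)` also reports the NIS/YP domain, which is `(none)` on hosts without NIS, so storing it under the comment "Retrieve DNS domainname" is probably not what later readers of `pki_dns_domainname` expect — if the DNS domain is wanted, derive it from the `socket.getfqdn()` result two lines up. main() continues outside the hunk.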
@@ -126,7 +147,7 @@ def main(argv):
 # Override PKI configuration file values with 'custom' command-line values.
 if not config.custom_pki_admin_domain_name is None:
- config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_optional_dict['pki_admin_domain_name'] =\
 config.custom_pki_admin_domain_name
 if not config.custom_pki_instance_name is None:
 config.pki_web_server_dict['pki_instance_name'] =\
@@ -140,6 +161,15 @@ def main(argv):
 if not config.custom_pki_ajp_port is None:
 config.pki_web_server_dict['pki_ajp_port'] =\
 config.custom_pki_ajp_port
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 66152a334..931b9baf0 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -34,6 +34,7 @@ try:
 import socket
 import string
 import struct
+ import subprocess
 import time
 from time import strftime as date
 from pki.deployment import pkiconfig as config
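Review bot: The comment `# NEVER print out 'sensitive' name/value pairs!!!` states an invariant that nothing in this hunk enforces: `pp.pformat(config.pki_mandatory_dict)` and `pp.pformat(config.pki_optional_dict)` dump every key at debug level and stay safe only as long as the parser keeps every secret in `pki_sensitive_dict` and nobody later adds a password-bearing key to the mandatory or optional sections. A redaction step before formatting makes the intent mechanical rather than a convention, e.g. `pp.pformat(dict((k, v) for k, v in config.pki_mandatory_dict.items() if k not in (config.pki_sensitive_dict or {})))`, or a small `_redacted(d)` helper that masks any key whose name contains `password` or `pin`. The same nine-line block is repeated four times across pkidestroy and pkispawn, so the helper would remove that duplication as well.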
@@ -74,7 +75,18 @@ def main(argv):
 config.pki_architecture = struct.calcsize("P") * 8
 # Retrieve hostname
- config.pki_hostname = socket.gethostname()
+ config.pki_hostname = socket.getfqdn()
+
+ # Retrieve DNS domainname
+ config.pki_dns_domainname = None
+ try:
+ config.pki_dns_domainname = subprocess.check_output("domainname",
+ shell=True)
+ config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ sys.exit(1)
 # Generate random 'pin's for use as security database passwords
 pin_low = 100000000000
@@ -140,6 +152,15 @@ def main(argv):
 extra=config.PKI_INDENTATION_LEVEL_0)
 sys.exit(1)
 else:
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -155,7 +176,7 @@ def main(argv):
 # Override PKI configuration file values with 'custom' command-line values.
 if not config.custom_pki_admin_domain_name is None:
- config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_optional_dict['pki_admin_domain_name'] =\
 config.custom_pki_admin_domain_name
 if not config.custom_pki_instance_name is None:
 config.pki_web_server_dict['pki_instance_name'] =\
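Review bot: This is the same ten-line `domainname` block as in pkidestroy, with the same `shell=True` PATH lookup from a root process and the same handler that catches `CalledProcessError` but not the `OSError` a missing binary raises; a single helper in pkiconfig (which both scripts already import) returning the stripped value would fix it in one place. The unchanged context shows the NSS database pins being drawn in `main()` (`# Generate random 'pin's for use as security database passwords`, `pin_low = 100000000000`); if that draws from the `random` module rather than `random.SystemRandom()` or `os.urandom`, the pins are predictable — worth confirming while the block is being touched, since the generator itself is outside the hunk. main() continues outside the hunk.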
@@ -169,6 +190,15 @@ def main(argv):
 if not config.custom_pki_ajp_port is None:
 config.pki_web_server_dict['pki_ajp_port'] =\
 config.custom_pki_ajp_port
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index f7366c723..a40e7c645 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -9,7 +9,6 @@ import sys
 # PKI Python Imports
 import pkijython as jyutil
 import pkiconfig as config
-from pkiconfig import pki_master_jython_dict as master
 import pkimessages as log
@@ -18,12 +17,19 @@ from java.lang import System as javasystem
 def main(argv):
+ rv = 0
+
 # Establish 'master' as the PKI jython dictionary
 master = dict()
- # import the master dictionary from 'pkispawn'
+ # Import the master dictionary from 'pkispawn'
 master = pickle.loads(argv[1])
+ # Optionally enable a java debugger (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+
 # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging!
 #
 # Until, and unless, 'jython 2.5' or later is used,
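Review bot: `config.str2bool(master['pki_enable_java_debugger'])` raises `KeyError` for any deployment configuration that predates the new option, and `str2bool` calls `.lower()` so a non-string value raises `AttributeError`; `if config.str2bool(str(master.get('pki_enable_java_debugger', 'False'))):` keeps existing configs working. The new `rv = 0` is assigned but never read in this hunk; since `main()` is a module-level function there is no `self` to carry it, so the later returns have to use this local. The unchanged `master = pickle.loads(argv[1])` means the whole master dictionary — which the commit's own comments treat as containing sensitive pairs — is passed as a command-line argument visible to every local user in the process table; that is pre-existing, but worth noting while the payload grows. main() continues outside the hunk.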
@@ -59,11 +65,107 @@ def main(argv): master['pki_jython_log_level']) # Log into token - jyutil.security_databases.log_into_token( - master['pki_client_database_path'], - master['pki_client_password_conf'], - master['pki_dry_run_flag'], - master['pki_jython_log_level']) + token = jyutil.security_databases.log_into_token( + master['pki_client_database_path'], + master['pki_client_password_conf'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + # Establish REST Client + client = jyutil.rest_client.initialize( + master['pki_jython_base_uri'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "TPS": + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif config.str2bool(master['pki_external']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_EXTERNAL_CA, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif config.str2bool(master['pki_subordinate']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_SUBORDINATE_CA, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + data = jyutil.rest_client.construct_pki_configuration_data( + master, token) + elif master['pki_subsystem'] == "KRA": + if 
config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "OCSP": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "TKS": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + + # Formulate PKI Subsystem Configuration Data Response + jyutil.rest_client.configure_pki_data(data, + master['pki_subsystem'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) if __name__ == "__main__": diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index f40573940..421e08dc0 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py 
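Review bot: Every `return self.rv` in this hunk sits inside the module-level `main(argv)`, where `self` is not defined, so each "not yet implemented" branch raises `NameError` instead of returning; the preceding hunk introduces `rv = 0` for exactly this purpose, so these should read `return rv`. When `pki_instance_type` is "Apache" with a subsystem other than RA/TPS, or "Tomcat" with an unrecognised subsystem, no branch fires and `data` is still `None` when it reaches `jyutil.rest_client.configure_pki_data(data, ...)`; a final `else` that prints the unsupported combination and returns would make that failure legible. Passing the `token` returned by `log_into_token` into `construct_pki_configuration_data` is the right shape; main() starts before this hunk.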
@@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 if not config.pki_dry_run_flag:
 util.directory.create(master['pki_client_path'], uid=0, gid=0)
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
 util.password.create_password_conf(
 master['pki_client_password_conf'],
- master['pki_client_pin'])
+ master['pki_client_pin'], pin_sans_token=True)
 util.directory.create(master['pki_client_database_path'],
 uid=0, gid=0)
 util.certutil.create_security_databases(
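Review bot: The client password file now holds the bare NSS pin (`pin_sans_token=True`) and is written into a directory this hunk creates as root (`uid=0, gid=0`), but nothing visible fixes the mode of the file itself; `create_password_conf` lives in pkihelper and is outside this view, so confirm it creates the file 0600 (or give it an explicit mode argument), since that pin authorises every later `certutil` call and the jython `log_into_token` against the client database. The four-line comment explaining the `token=` stripping is repeated verbatim in the dry-run branch below; a one-line note in the docstring of `create_password_conf` would say it once. The enclosing `spawn` method starts before this hunk.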
@@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) - util.symlink.create( - config.pki_master_dict['pki_systemd_service'], - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) else: + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases util.password.create_password_conf( master['pki_client_password_conf'], - master['pki_client_pin']) + master['pki_client_pin'], pin_sans_token=True) util.certutil.create_security_databases( master['pki_client_database_path'], master['pki_client_cert_database'], master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) + # Start/Restart this Apache/Tomcat PKI Process + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instances = util.instance.apache_instances() + if apache_instances == 1: + util.systemd.start() + elif apache_instances > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. 
- 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instances = util.instance.tomcat_instances() + if tomcat_instances == 1: + util.systemd.start() + elif tomcat_instances > 1: + util.systemd.restart() + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instances = util.instance.apache_instances() + if apache_instances == 0: + util.systemd.start() + elif apache_instances > 0: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instances = util.instance.tomcat_instances() + if tomcat_instances == 0: + util.systemd.start() + elif tomcat_instances > 0: + util.systemd.restart() # Pass control to the Java servlet via Jython 2.2 'configuration.jy' util.jython.invoke(master['pki_jython_configuration_scriptlet']) return self.rv @@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def respawn(self): config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # ALWAYS Restart this Apache/Tomcat PKI Process + util.systemd.restart() return self.rv def destroy(self): 
@@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
 util.instance.apache_instances() == 1:
 util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
 elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
 util.instance.tomcat_instances() == 1:
 util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
 else:
 # ALWAYS display correct information (even during dry_run)
 if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
 util.instance.apache_instances() == 0:
 util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
 elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
 util.instance.tomcat_instances() == 0:
 util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
 return self.rv
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 02c5065cb..bceec67e0 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_0)
 if not config.pki_dry_run_flag:
 util.file.modify(master['pki_destroy_log'], silent=True)
+ # Start this Apache/Tomcat PKI Process
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 1:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 1:
+ util.systemd.start()
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 0:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 0:
+ util.systemd.start()
 return self.rv
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 3077737c8..1ff8522ed 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # verify that this type of "subsystem" does NOT yet
 # exist for this "instance"
 util.instance.verify_subsystem_does_not_exist()
+ # initialize 'uid' and 'gid'
+ util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
 # establish 'uid' and 'gid'
 util.identity.set_uid(master['pki_user'])
 util.identity.set_gid(master['pki_group'])
+ # verify existence of MANDATORY configuration file data
+ util.configuration_file.verify_sensitive_data()
+ util.configuration_file.verify_mutually_exclusive_data()
 return self.rv
 def respawn(self):
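Review bot: In the dry-run branch the guards `util.instance.apache_instances() >= 0` and `util.instance.tomcat_instances() >= 0` are always true for a count, so they only disguise that the branch means "start whichever subsystem this is"; the real branch differs solely by `>= 1`. The whole sixteen-line block reduces to one condition with `threshold = 0 if config.pki_dry_run_flag else 1` and a single `util.systemd.start()`, and as written a dry run calls `util.systemd.start()` for real unless the helper checks the flag itself, which is not visible here — confirm that before trusting the `# ALWAYS display correct information (even during dry_run)` comment. The enclosing method starts before this hunk.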
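Review bot: `util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])` runs before `util.configuration_file.verify_sensitive_data()` and `verify_mutually_exclusive_data()`, so a deployment that those checks reject has already created a system user and group as a side effect, and a rerun after fixing the configuration may take a different path in `__add_gid` because the name now exists. Move the two verify calls directly after `util.instance.verify_subsystem_does_not_exist()` and only then create the uid/gid, so validation has no side effects: `util.configuration_file.verify_sensitive_data()` / `util.configuration_file.verify_mutually_exclusive_data()` / `util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])`. The enclosing `spawn` method starts before this hunk.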
@@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # establish 'uid' and 'gid'
 util.identity.set_uid(master['pki_user'])
 util.identity.set_gid(master['pki_group'])
+ # ALWAYS Stop this Apache/Tomcat PKI Process
+ util.systemd.stop()
 return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 8a645f029..2fd7165d1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # establish Tomcat instance base util.directory.create(master['pki_tomcat_common_path']) util.directory.create(master['pki_tomcat_common_lib_path']) + util.directory.create(master['pki_tomcat_tmpdir_path']) util.directory.create(master['pki_tomcat_webapps_path']) util.directory.create(master['pki_tomcat_webapps_root_path']) util.directory.create(master['pki_tomcat_webapps_root_webinf_path']) util.file.copy(master['pki_source_webapps_root_web_xml'], master['pki_tomcat_webapps_root_webinf_web_xml'], overwrite_flag=True) - util.directory.create(master['pki_tomcat_webapps_webinf_path']) + util.directory.create(master['pki_tomcat_work_path']) + util.directory.create(master['pki_tomcat_work_catalina_path']) + util.directory.create(master['pki_tomcat_work_catalina_host_path']) util.directory.create( - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) + master['pki_tomcat_work_catalina_host_run_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_subsystem_path']) # establish Tomcat instance logs # establish Tomcat instance configuration util.directory.copy(master['pki_source_shared_path'], master['pki_instance_configuration_path'], overwrite_flag=True) # establish Tomcat instance registry - # establish Tomcat instance convenience - # symbolic links + # establish Tomcat instance convenience symbolic links util.symlink.create(master['pki_tomcat_bin_path'], master['pki_tomcat_bin_link']) util.symlink.create(master['pki_tomcat_lib_path'], master['pki_tomcat_lib_link']) + util.symlink.create(master['pki_instance_log4j_properties'], + master['pki_tomcat_lib_log4j_properties_link'], + uid=0, gid=0) util.symlink.create(master['pki_tomcat_systemd'], - master['pki_instance_systemd_link']) + master['pki_instance_systemd_link'], + uid=0, gid=0) + # establish Tomcat instance common lib jar symbolic links + 
util.symlink.create(master['pki_apache_commons_collections_jar'], + master['pki_apache_commons_collections_jar_link']) + util.symlink.create(master['pki_apache_commons_lang_jar'], + master['pki_apache_commons_lang_jar_link']) + util.symlink.create(master['pki_apache_commons_logging_jar'], + master['pki_apache_commons_logging_jar_link']) + util.symlink.create(master['pki_commons_codec_jar'], + master['pki_commons_codec_jar_link']) + util.symlink.create(master['pki_httpclient_jar'], + master['pki_httpclient_jar_link']) + util.symlink.create(master['pki_javassist_jar'], + master['pki_javassist_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], + master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.create(master['pki_jettison_jar'], + master['pki_jettison_jar_link']) + util.symlink.create(master['pki_jss_jar'], + master['pki_jss_jar_link']) + util.symlink.create(master['pki_ldapjdk_jar'], + master['pki_ldapjdk_jar_link']) + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) + util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], + master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_jar'], + master['pki_resteasy_jaxrs_jar_link']) + util.symlink.create(master['pki_resteasy_jettison_provider_jar'], + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.create(master['pki_scannotation_jar'], + master['pki_scannotation_jar_link']) + util.symlink.create(master['pki_symkey_jar'], + master['pki_symkey_jar_link']) + util.symlink.create(master['pki_tomcatjss_jar'], + 
master['pki_tomcatjss_jar_link']) + util.symlink.create(master['pki_velocity_jar'], + master['pki_velocity_jar_link']) + util.symlink.create(master['pki_xerces_j2_jar'], + master['pki_xerces_j2_jar_link']) + util.symlink.create(master['pki_xml_commons_apis_jar'], + master['pki_xml_commons_apis_jar_link']) + util.symlink.create(master['pki_xml_commons_resolver_jar'], + master['pki_xml_commons_resolver_jar_link']) # establish shared NSS security databases for this instance util.directory.create(master['pki_database_path']) # establish instance convenience symbolic links 
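Review bot: The 26 new jar symlinks in the Tomcat `common/lib` directory are created with default ownership, unlike the log4j and systemd links a few lines above that are pinned with `uid=0, gid=0`; everything in `common/lib` is on the server's classpath, so whoever can replace those links — governed by the owner and mode of `pki_tomcat_common_lib_path`, which this hunk does not show — can load arbitrary code into the JVM on the next restart, so either pin these with `uid=0, gid=0` too or confirm the directory is root-owned and not group-writable. Separately, the (source, link) pairs are hand-expanded here and again in the modify path, which invites the two lists drifting apart; a single list of key pairs in pkiconfig iterated in both places keeps them in step. The enclosing `spawn` method starts before this hunk.

```python
# … unchanged: bin/lib, log4j and systemd convenience links …
# establish Tomcat instance common lib jar symbolic links
# PKI_TOMCAT_COMMON_LIB_JARS: proposed pkiconfig list of (source_key, link_key)
for source_key, link_key in config.PKI_TOMCAT_COMMON_LIB_JARS:
    util.symlink.create(master[source_key], master[link_key],
                        uid=0, gid=0)
# … unchanged: shared NSS security database directory …
```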
@@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.copy(master['pki_source_webapps_root_web_xml'], master['pki_tomcat_webapps_root_webinf_web_xml'], overwrite_flag=True) - util.directory.modify(master['pki_tomcat_webapps_webinf_path']) + util.directory.modify(master['pki_tomcat_work_path']) + util.directory.modify(master['pki_tomcat_work_catalina_path']) + util.directory.modify(master['pki_tomcat_work_catalina_host_path']) + util.directory.modify( + master['pki_tomcat_work_catalina_host_run_path']) util.directory.modify( - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path']) + master['pki_tomcat_work_catalina_host_subsystem_path']) # update Tomcat instance logs # update Tomcat instance configuration # update Tomcat instance registry # update Tomcat instance convenience symbolic links util.symlink.modify(master['pki_tomcat_bin_link']) util.symlink.modify(master['pki_tomcat_lib_link']) + util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'], + uid=0, gid=0) + util.symlink.modify(master['pki_instance_systemd_link'], + uid=0, gid=0) + # update Tomcat instance common lib jar symbolic links + + util.symlink.modify( + master['pki_apache_commons_collections_jar_link']) + util.symlink.modify(master['pki_apache_commons_lang_jar_link']) + util.symlink.modify(master['pki_apache_commons_logging_jar_link']) + util.symlink.modify(master['pki_commons_codec_jar_link']) + util.symlink.modify(master['pki_httpclient_jar_link']) + util.symlink.modify(master['pki_javassist_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.modify(master['pki_jettison_jar_link']) + util.symlink.modify(master['pki_jss_jar_link']) + util.symlink.modify(master['pki_ldapjdk_jar_link']) + util.symlink.modify(master['pki_certsrv_jar_link']) + util.symlink.modify(master['pki_cmsbundle_jar_link']) + util.symlink.modify(master['pki_cmscore_jar_link']) + 
util.symlink.modify(master['pki_cms_jar_link']) + util.symlink.modify(master['pki_cmsutil_jar_link']) + util.symlink.modify(master['pki_nsutil_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxrs_jar_link']) + util.symlink.modify( + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.modify(master['pki_scannotation_jar_link']) + util.symlink.modify(master['pki_symkey_jar_link']) + util.symlink.modify(master['pki_tomcatjss_jar_link']) + util.symlink.modify(master['pki_velocity_jar_link']) + util.symlink.modify(master['pki_xerces_j2_jar_link']) + util.symlink.modify(master['pki_xml_commons_apis_jar_link']) + util.symlink.modify(master['pki_xml_commons_resolver_jar_link']) # update shared NSS security databases for this instance util.directory.modify(master['pki_database_path']) # update instance convenience symbolic links @@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) # remove Tomcat instance configuration + util.symlink.delete( + master['pki_tomcat_lib_log4j_properties_link']) util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry util.directory.delete(master['pki_instance_type_registry_path']) @@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) # remove Tomcat instance configuration + util.symlink.delete( + master['pki_tomcat_lib_log4j_properties_link']) util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry util.directory.delete(master['pki_instance_type_registry_path']) diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 2acd37d36..07537d7aa 100644 
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
 PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
 PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
 PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
 PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
 PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
@@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
 PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
 PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
+PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
+ "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
+PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
+PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
+PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
 PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
 PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
 PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
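Review bot: `PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"` bakes shell quoting into the data, which only makes sense if the value is later spliced into a shell command string — the same pattern as the `command = "/usr/sbin/groupadd" + " " + ... + "> /dev/null 2>&1"` strings visible in pkihelper; store the plain `"Certificate System"` and hand it to `subprocess` as one argv element without `shell=True`, which removes both the quoting and any injection through a user-supplied account name. The fixed `PKI_DEPLOYMENT_DEFAULT_UID`/`PKI_DEPLOYMENT_DEFAULT_GID = 17` are reasonable as a well-known reservation provided the fallback that `__add_gid` performs when GID 17 is already taken is mirrored for the UID. The unchanged `PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777` is harmless on Linux, where symlink modes are ignored, but reads alarmingly; a short comment saying so would help.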
@@ -101,6 +114,48 @@ custom_pki_https_port = None
 custom_pki_ajp_port = None
+# PKI Deployment Helper Functions
+def str2bool(string):
+ return string.lower() in ("yes", "true", "t", "1")
+
+# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)'
+# and 'wait_to_attach_an_external_java_debugger(master)' functions,
+# change 'pki_enable_java_debugger=False' to
+# 'pki_enable_java_debugger=True' in the appropriate
+# 'pkideployment.cfg' configuration file.
+def prepare_for_an_external_java_debugger(instance):
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in"
+ print "'%s':" % instance
+ print
+ print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""
+ print " \"address=8000,server=y,suspend\""
+ print
+ raw_input("Enable external java debugger 'JAVA_OPTS' "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+def wait_to_attach_an_external_java_debugger():
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "Attach the java debugger to this process on the port specified by"
+ print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and"
+ print "set any desired breakpoints"
+ print
+ raw_input("Please attach an external java debugger "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+
 # PKI Deployment Logger Variables
 pki_jython_log_level = None
 pki_log = None
@@ -111,6 +166,9 @@ pki_console_log_level = None
 # PKI Deployment Global Dictionaries
+pki_sensitive_dict = None
+pki_mandatory_dict = None
+pki_optional_dict = None
 pki_common_dict = None
 pki_web_server_dict = None
 pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index b88eafe72..7b77bcee5 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
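Review bot: The `JAVA_OPTS` this helper instructs the operator to enable, `-Xrunjdwp:transport=dt_socket,address=8000,server=y`, opens an unauthenticated JDWP listener on every interface; anyone who can reach TCP 8000 can execute arbitrary code in the Tomcat JVM as the PKI user, so the printed value should bind locally (`address=localhost:8000`) and the NOTE should say this is for development hosts only. The trailing `suspend` is also missing its value — JDWP expects `suspend=y` or `suspend=n` — and the two fragments printed on separate lines (`JAVA_OPTS="…,"` then `"address=…"`) are not one shell assignment if pasted as shown; print the single line ` JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=localhost:8000,server=y,suspend=y"`. `str2bool(string)` names its parameter after the stdlib `string` module and raises `AttributeError` on a non-str input; `str(string).lower()` would also accept the booleans a parsed configuration may hand it.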
@@ -30,14 +30,17 @@ import random import shutil import string import subprocess +from grp import getgrgid from grp import getgrnam from pwd import getpwnam +from pwd import getpwuid import zipfile # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master +from pkiconfig import pki_sensitive_dict as sensitive from pkiconfig import pki_slots_dict as slots import pkimanifest as manifest import pkimessages as log 
@@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None): # PKI Deployment Identity Class class identity: + def __add_gid(self, pki_group): + pki_gid = None + try: + # Does the specified 'pki_group' exist? + pki_gid = getgrnam(pki_group)[2] + # Yes, group 'pki_group' exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid, + extra=config.PKI_INDENTATION_LEVEL_2) + except KeyError as exc: + # No, group 'pki_group' does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known GID already defined? + group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0] + # Yes, the default well-known GID exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2, + group, config.PKI_DEPLOYMENT_DEFAULT_GID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known GID does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_group' the default well-known group? + if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP: + # Yes, attempt to create the default well-known group + # using the default well-known GID. + command = "/usr/sbin/groupadd" + " " +\ + "-g" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\ + "-r" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + # Execute this "groupadd" command. 
+ subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def __add_uid(self, pki_user, pki_group): + pki_uid = None + try: + # Does the specified 'pki_user' exist? + pki_uid = getpwnam(pki_user)[2] + # Yes, user 'pki_user' exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_2) + # NOTE: For now, never check validity of specified 'pki_group'! + except KeyError as exc: + # No, user 'pki_user' does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known UID already defined? + user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0] + # Yes, the default well-known UID exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2, + user, config.PKI_DEPLOYMENT_DEFAULT_UID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known UID does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_user' the default well-known user? + if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER: + # Yes, attempt to create the default well-known user + # using the default well-known UID. 
+ command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + "-u" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\ + "-r" + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + # Execute this "useradd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def add_uid_and_gid(self, pki_user, pki_group): + self.__add_gid(pki_group) + self.__add_uid(pki_user, pki_group) + return + def get_uid(self, critical_failure=True): try: pki_uid = master['pki_uid'] 
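Review bot: `subprocess.call` never raises `CalledProcessError` (only `check_call`/`check_output` do), so the `except subprocess.CalledProcessError` branches in `__add_gid` and `__add_uid` are dead, and with `> /dev/null 2>&1` on the command a failed groupadd/useradd leaves no trace while later ownership steps proceed against an account that does not exist. The commands are also built by string concatenation of `pki_group`/`pki_user` and run with `shell=True`, so a value containing shell metacharacters in the deployment configuration would be executed as shell; an argv list with the default `shell=False` removes that path. The comments saying "using a random GID/UID" are inaccurate: groupadd/useradd without `-g`/`-u` allocate the next free id. The sketch below shows the change for `__add_gid`; `__add_uid` follows the same pattern with its `-g`, `-d`, `-s`, `-c` and `-u` options as separate list elements (which also lets `PKI_DEPLOYMENT_DEFAULT_COMMENT` lose its embedded quotes).
```python
    def __add_gid(self, pki_group):
        pki_gid = None
        try:
            # … unchanged: getgrnam lookup and logging …
        except KeyError as exc:
            # … unchanged: debug logging …
            try:
                # … unchanged: getgrgid lookup and logging …
                # Attempt to create 'pki_group' using the next free GID.
                command = ["/usr/sbin/groupadd", pki_group]
            except KeyError as exc:
                # … unchanged: debug logging …
                if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
                    # Create the well-known group with the well-known GID;
                    # every option is its own argv element, never shell text.
                    command = ["/usr/sbin/groupadd",
                               "-g", str(config.PKI_DEPLOYMENT_DEFAULT_GID),
                               "-r", pki_group]
                else:
                    command = ["/usr/sbin/groupadd", pki_group]
            # Execute this "groupadd" command; check_call raises on a
            # non-zero exit, which makes the handler below reachable.
            with open(os.devnull, "w") as devnull:
                subprocess.check_call(command, stdout=devnull, stderr=devnull)
        except subprocess.CalledProcessError as exc:
            # … unchanged: error logging and sys.exit(1) …
        return
```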
@@ -170,18 +303,140 @@ class identity: return pki_gid +# PKI Deployment Configuration File Class +class configuration_file: + def verify_sensitive_data(self): + # Silently verify the existence of 'sensitive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Verify existence of Directory Server Password (ALWAYS) + if not sensitive.has_key('pki_ds_password') or\ + not len(sensitive['pki_ds_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_DS_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Admin Password (except for Clones) + if not config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_admin_password') or\ + not len(sensitive['pki_admin_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # If required, verify existence of Backup Password + # (except for Clones) + if config.str2bool(master['pki_backup_keys']): + if not config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_backup_password') or\ + not len(sensitive['pki_backup_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of PKCS #12 Password (ONLY for Clones) + if config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_pkcs12_password') or\ + not len(sensitive['pki_pkcs12_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Security Domain Password File + # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS) + if config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + master['pki_subsystem'] == "KRA" or\ + master['pki_subsystem'] == "OCSP" or\ + 
master['pki_subsystem'] == "RA" or\ + master['pki_subsystem'] == "TKS" or\ + master['pki_subsystem'] == "TPS": + if not sensitive.has_key('pki_security_domain_password') or\ + not len(sensitive['pki_security_domain_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def verify_mutually_exclusive_data(self): + # Silently verify the existence of 'mutually exclusive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + +# PKI Deployment XML File Class +#class xml_file: +# def remove_filter_section_from_web_xml(self, +# web_xml_source, +# web_xml_target): +# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, +# master['pki_target_subsystem_web_xml'], +# extra=config.PKI_INDENTATION_LEVEL_2) +# if not config.pki_dry_run_flag: +# 
begin_filters_section = False +# begin_servlet_section = False +# FILE = open(web_xml_target, "w") +# for line in fileinput.FileInput(web_xml_source): +# if not begin_filters_section: +# # Read and write lines until first "<filter>" tag +# if line.count("<filter>") >= 1: +# # Mark filters section +# begin_filters_section = True +# else: +# FILE.write(line) +# elif not begin_servlet_section: +# # Skip lines until first "<servlet>" tag +# if line.count("<servlet>") >= 1: +# # Mark servlets section and write out the opening tag +# begin_servlet_section = True +# FILE.write(line) +# else: +# continue +# else: +# # Read and write lines all lines after "<servlet>" tag +# FILE.write(line) +# FILE.close() + + # PKI Deployment Instance Class class instance: def apache_instances(self): rv = 0 try: - if not os.path.exists(master['pki_instance_path']) or\ - not os.path.isdir(master['pki_instance_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # count number of PKI subsystems present # within the specified Apache instance for subsystem in config.PKI_APACHE_SUBSYSTEMS: @@ -206,13 +461,6 @@ class instance: def pki_subsystem_instances(self): rv = 0 try: - if not os.path.exists(master['pki_path']) or\ - not os.path.isdir(master['pki_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # Since ALL directories within the top-level PKI infrastructure # SHOULD represent PKI instances, look for all possible # PKI instances within the top-level PKI infrastructure 
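Review bot: `verify_sensitive_data` wraps everything in `if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:`, yet the security-domain check inside compares against `"RA"` and `"TPS"`; pkiconfig lists those under `PKI_APACHE_SUBSYSTEMS`, so if the Tomcat list is disjoint from it (not visible here) those two comparisons can never be true and Apache subsystems receive no sensitive-data verification at all — the comment promising RA/TPS coverage is then wrong. The presence tests `not sensitive.has_key(k) or not len(sensitive[k])` collapse to `not sensitive.get(k)`, and a `.strip()` would stop a whitespace-only password from passing as defined. The repeated `master['pki_subsystem'] == "KRA" or ...` chain reads better as `master['pki_subsystem'] in ("KRA", "OCSP", "RA", "TKS", "TPS")`. The commented-out `xml_file` class should be deleted rather than shipped as comments; version control keeps it.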
@@ -247,13 +495,6 @@ class instance: def tomcat_instances(self): rv = 0 try: - if not os.path.exists(master['pki_instance_path']) or\ - not os.path.isdir(master['pki_instance_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # count number of PKI subsystems present # within the specified Tomcat instance for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: @@ -1295,8 +1536,8 @@ class war: # PKI Deployment Password Class class password: - def create_password_conf(self, path, pin, overwrite_flag=False, - critical_failure=True): + def create_password_conf(self, path, pin, pin_sans_token=False, + overwrite_flag=False, critical_failure=True): try: if not config.pki_dry_run_flag: if os.path.exists(path): @@ -1306,7 +1547,9 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # overwrite the existing 'password.conf' file with open(path, "wt") as fd: - if master['pki_subsystem'] in\ + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: fd.write(master['pki_self_signed_token'] +\ ":" + str(pin)) @@ -1319,7 +1562,9 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # create a new 'password.conf' file with open(path, "wt") as fd: - if master['pki_subsystem'] in\ + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: fd.write(master['pki_self_signed_token'] +\ ":" + str(pin)) 
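Review bot: `create_password_conf` inserts `pin_sans_token` ahead of `overwrite_flag`, so any existing caller that passes `overwrite_flag` positionally as the third argument now toggles `pin_sans_token` instead; appending the new parameter last keeps the signature backward-compatible — `def create_password_conf(self, path, pin, overwrite_flag=False, critical_failure=True, pin_sans_token=False):`. The same applies to the two hunks at -1306 and -1319, where `if pin_sans_token == True:` should simply be `if pin_sans_token:`. Both of those hunks write the PIN with `open(path, "wt")`, which creates the file with permissions derived from the process umask (`PKI_DEPLOYMENT_DEFAULT_UMASK = 00002` in pkiconfig gives 0664) until some later step tightens it; creating it through `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` and `os.fdopen` closes that window. The rest of the method lies outside these hunks.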
@@ -1642,6 +1887,90 @@ class certutil: return +# PKI Deployment 'systemd' Execution Management Class +class systemd: + def start(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def stop(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." 
+ "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def restart(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + # PKI Deployment 'jython' Class class jython: def invoke(self, scriptlet, critical_failure=True): @@ -1681,6 +2010,8 @@ class jython: # PKI Deployment Helper Class Instances identity = identity() +configuration_file = configuration_file() +#xml_file = xml_file() instance = instance() directory = directory() file = file() @@ -1688,4 +2019,5 @@ symlink = symlink() war = war() password = password() certutil = certutil() +systemd = systemd() jython = jython() 
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index 9c8765a80..800826635 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -5,6 +5,7 @@ from java.io import BufferedReader from java.io import ByteArrayInputStream from java.io import FileReader from java.io import IOException +from java.lang import Integer from java.lang import String as javastring from java.lang import System as javasystem from java.net import URISyntaxException @@ -18,6 +19,7 @@ import jarray # System Python Imports +import ConfigParser import os import sys pki_python_module_path = os.path.join(sys.prefix, @@ -79,10 +81,15 @@ class classPathHacker: jarLoad = classPathHacker() # Webserver Jars jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar") +jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar") jarLoad.addFile("/usr/share/java/apache-commons-cli.jar") +jarLoad.addFile("/usr/share/java/apache-commons-codec.jar") +jarLoad.addFile("/usr/share/java/apache-commons-logging.jar") +jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar") # Resteasy Jars jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar") jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar") +jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar") 
@@ -145,6 +152,63 @@ import pkiconfig as config import pkimessages as log +# PKI Deployment Jython Helper Functions +def extract_sensitive_data(configuration_file): + "Read 'sensitive' configuration file section into a dictionary" + try: + parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str + parser.read(configuration_file) + # return dict(parser._sections['Sensitive']) + dictionary = {} + for option in parser.options('Sensitive'): + dictionary[option] = parser.get('Sensitive', option) + return dictionary + except ConfigParser.ParsingError, err: + javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\ + configuration_file + "': " + str(err)) + javasystem.exit(1) + +def generateCRMFRequest(token, keysize, subjectdn, dualkey): + kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA) + x = Integer(keysize) + key_len = x.intValue() + kg.initialize(key_len) + # 1st key pair + pair = kg.genKeyPair() + # create CRMF + certTemplate = CertTemplate() + certTemplate.setVersion(INTEGER(2)) + if not subjectdn is None: + name = X500Name(subjectdn) + cs = ByteArrayInputStream(name.getEncoded()) + n = Name.getTemplate().decode(cs) + certTemplate.setSubject(n) + certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic())) + seq = SEQUENCE() + certReq = CertRequest(INTEGER(1), certTemplate, seq) + popdata = jarray.array([0x0,0x3,0x0], 'b') + pop = ProofOfPossession.createKeyEncipherment( + POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3))) + crmfMsg = CertReqMsg(certReq, pop, None) + s1 = SEQUENCE() + # 1st : Encryption key + s1.addElement(crmfMsg) + # 2nd : Signing Key + if dualkey: + javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY) + seq1 = SEQUENCE() + certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1) + signingMsg = CertReqMsg(certReqSigning, pop, None) + s1.addElement(signingMsg) + encoded = jarray.array(ASN1Util.encode(s1), 'b') + # encoder = BASE64Encoder() + # Req1 = encoder.encodeBuffer(encoded) + Req1 = 
Utils.base64encode(encoded) + return Req1 + + # PKI Deployment 'security databases' Class class security_databases: def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level): @@ -160,11 +224,13 @@ class security_databases: # it is ok if it is already initialized pass except Exception, e: - javasystem.out.println("INITIALIZATION ERROR: " + str(e)) + javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\ + " " + str(e)) javasystem.exit(1) def log_into_token(self, pki_database_path, password_conf, pki_dry_run_flag, log_level): + token = None try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ @@ -174,10 +240,10 @@ class security_databases: if not pki_dry_run_flag: manager = CryptoManager.getInstance() token = manager.getInternalKeyStorageToken() - # Retrieve 'token_pwd' from 'password_conf' + # Retrieve 'password' from client-side 'password_conf' # # NOTE: For now, ONLY read the first line - # (which contains the password) + # (which contains "password") # fd = open(password_conf, "r") token_pwd = fd.readline() 
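Review bot: `generateCRMFRequest` branches on `if dualkey:`, but its caller added in this same commit (`construct_pki_configuration_data`) passes the string literals `"true"` and `"false"`; a non-empty string is truthy, so the single-key path is never taken and every admin request is built dual-key. Pass real booleans from the caller, or test `if config.str2bool(dualkey):` here, and document the parameter type in the function's docstring. `extract_sensitive_data` catches only `ConfigParser.ParsingError`; a file without a `[Sensitive]` section raises `ConfigParser.NoSectionError`, which escapes as a traceback instead of the controlled exit the other error takes — add it to the except clause. The dead line `# return dict(parser._sections['Sensitive'])` should be removed.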
@@ -188,13 +254,364 @@ class security_databases: try: token.login(password) except Exception, e: - javasystem.out.println("login Exception: " + str(e)) + javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ + " " + str(e)) if not token.isLoggedIn(): token.initPassword(password, password) + javasystem.exit(1) except Exception, e: - javasystem.out.println("Exception in logging into token: " +\ - str(e)) + javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\ + " " + str(e)) javasystem.exit(1) + return token + + +# PKI Deployment 'REST Client' Class +class rest_client: + client = None + + def initialize(self, base_uri, pki_dry_run_flag, log_level): + try: + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_INITIALIZING_REST_CLIENT, + base_uri) + if not pki_dry_run_flag: + self.client = ConfigurationRESTClient(base_uri, None) + return self.client + except URISyntaxException, e: + e.printStackTrace() + javasystem.exit(1) + + def construct_pki_configuration_data(self, master, token): + data = None + if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CONSTRUCTING_PKI_DATA, + master['pki_subsystem']) + if not master['pki_dry_run_flag']: + sensitive = extract_sensitive_data(master['pki_deployment_cfg']) + data = ConfigurationData() + # Miscellaneous Configuration Information + data.setPin(master['pki_one_time_pin']) + data.setToken(ConfigurationData.TOKEN_DEFAULT) + if master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + # Cloned CA + data.setHierarchy("root") + data.setIsClone("true") + data.setSubsystemName("Cloned CA Subsystem") + elif config.str2bool(master['pki_external']): + # External CA + data.setHierarchy("join") + data.setIsClone("false") + data.setSubsystemName("External CA Subsystem") + elif 
config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.setHierarchy("join") + data.setIsClone("false") + data.setSubsystemName("Subordinate CA Subsystem") + else: + # PKI CA + data.setHierarchy("root") + data.setIsClone("false") + data.setSubsystemName("PKI CA Subsystem") + elif master['pki_subsystem'] == "KRA": + if config.str2bool(master['pki_clone']): + # Cloned KRA + data.setIsClone("true") + data.setSubsystemName("Cloned KRA Subsystem") + else: + # PKI KRA + data.setIsClone("false") + data.setSubsystemName("PKI KRA Subsystem") + elif master['pki_subsystem'] == "OCSP": + if config.str2bool(master['pki_clone']): + # Cloned OCSP + data.setIsClone("true") + data.setSubsystemName("Cloned OCSP Subsystem") + else: + # PKI OCSP + data.setIsClone("false") + data.setSubsystemName("PKI OCSP Subsystem") + elif master['pki_subsystem'] == "TKS": + if config.str2bool(master['pki_clone']): + # Cloned TKS + data.setIsClone("true") + data.setSubsystemName("Cloned TKS Subsystem") + else: + # PKI TKS + data.setIsClone("false") + data.setSubsystemName("PKI TKS Subsystem") + # Security Domain Information + if master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_external']): + # External CA + data.setSecurityDomainType( + ConfigurationData.NEW_DOMAIN) + data.setSecurityDomainName( + master['pki_security_domain_name']) + elif not config.str2bool(master['pki_clone']) and\ + not config.str2bool(master['pki_subordinate']): + # PKI CA + data.setSecurityDomainType( + ConfigurationData.NEW_DOMAIN) + data.setSecurityDomainName( + master['pki_security_domain_name']) + else: + # PKI Cloned or Subordinate CA + data.setSecurityDomainType( + ConfigurationData.EXISTING_DOMAIN) + data.setSecurityDomainUri( + master['pki_security_domain_uri']) + data.setSecurityDomainUser( + master['pki_security_domain_user']) + data.setSecurityDomainPassword( + sensitive['pki_security_domain_password']) + else: + # PKI KRA, OCSP, or TKS + 
data.setSecurityDomainType( + ConfigurationData.EXISTING_DOMAIN) + data.setSecurityDomainUri( + master['pki_security_domain_uri']) + data.setSecurityDomainUser( + master['pki_security_domain_user']) + data.setSecurityDomainPassword( + sensitive['pki_security_domain_password']) + # Directory Server Information + if master['pki_subsystem'] != "RA": + data.setDsHost(master['pki_ds_hostname']) + data.setDsPort(master['pki_ds_http_port']) + data.setBaseDN(master['pki_ds_base_dn']) + data.setBindDN(master['pki_ds_bind_dn']) + data.setDatabase(master['pki_ds_database']) + data.setBindpwd(sensitive['pki_ds_password']) + if config.str2bool(master['pki_ds_remove_data']): + data.setRemoveData("true") + else: + data.setRemoveData("false") + if config.str2bool(master['pki_ds_secure_connection']): + data.setSecureConn("true") + else: + data.setSecureConn("false") + # Backup Information + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_backup_keys']): + data.setBackupKeys("true") + data.setBackupFile(master['pki_backup_file']) + data.setBackupPassword( + sensitive['pki_backup_password']) + else: + data.setBackupKeys("false") + # Admin Information + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + data.setAdminEmail(master['pki_admin_email']) + data.setAdminName(master['pki_admin_name']) + data.setAdminPassword(sensitive['pki_admin_password']) + data.setAdminProfileID(master['pki_admin_profile_id']) + data.setAdminUID(master['pki_admin_uid']) + data.setAdminSubjectDN(master['pki_admin_subject_dn']) + if master['pki_admin_cert_request_type'] == "crmf": + data.setAdminCertRequestType("crmf") + if config.str2bool(master['pki_admin_dualkey']): + crmf_request = generateCRMFRequest( + token, + master['pki_admin_keysize'], + master['pki_admin_subject_dn'], + "true") + else: + crmf_request = generateCRMFRequest( + token, + master['pki_admin_keysize'], + master['pki_admin_subject_dn'], + "false") + 
data.setAdminCertRequest(crmf_request) + else: + javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY) + javasystem.exit(1) + # Create system certs + systemCerts = ArrayList() + # Create 'CA Signing Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA": + # External CA, Subordinate CA, or PKI CA + cert1 = CertData() + cert1.setTag(master['pki_ca_signing_tag']) + cert1.setKeyAlgorithm( + master['pki_ca_signing_key_algorithm']) + cert1.setKeySize(master['pki_ca_signing_key_size']) + cert1.setKeyType(master['pki_ca_signing_key_type']) + cert1.setNickname(master['pki_ca_signing_nickname']) + cert1.setSigningAlgorithm( + master['pki_ca_signing_signing_algorithm']) + cert1.setSubjectDN(master['pki_ca_signing_subject_dn']) + cert1.setToken(master['pki_ca_signing_token']) + systemCerts.add(cert1) + # Create 'OCSP Signing Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = CertData() + cert2.setTag(master['pki_ocsp_signing_tag']) + cert2.setKeyAlgorithm( + master['pki_ocsp_signing_key_algorithm']) + cert2.setKeySize(master['pki_ocsp_signing_key_size']) + cert2.setKeyType(master['pki_ocsp_signing_key_type']) + cert2.setNickname(master['pki_ocsp_signing_nickname']) + cert2.setSigningAlgorithm( + master['pki_ocsp_signing_signing_algorithm']) + cert2.setSubjectDN( + master['pki_ocsp_signing_subject_dn']) + cert2.setToken(master['pki_ocsp_signing_token']) + systemCerts.add(cert2) + # Create 'SSL Server Certificate' + # PKI RA, PKI TPS, + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE, + # External CA, or Subordinate CA + cert3 = CertData() + cert3.setTag(master['pki_ssl_server_tag']) + 
cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm']) + cert3.setKeySize(master['pki_ssl_server_key_size']) + cert3.setKeyType(master['pki_ssl_server_key_type']) + cert3.setNickname(master['pki_ssl_server_nickname']) + cert3.setSubjectDN(master['pki_ssl_server_subject_dn']) + cert3.setToken(master['pki_ssl_server_token']) + systemCerts.add(cert3) + # Create 'Subsystem Certificate' + if master['pki_instance_type'] == "Apache": + # PKI RA or PKI TPS + cert4 = CertData() + cert4.setTag(master['pki_subsystem_tag']) + cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) + cert4.setKeySize(master['pki_subsystem_key_size']) + cert4.setKeyType(master['pki_subsystem_key_type']) + cert4.setNickname(master['pki_subsystem_nickname']) + cert4.setSubjectDN(master['pki_subsystem_subject_dn']) + cert4.setToken(master['pki_subsystem_token']) + systemCerts.add(cert4) + elif master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # External CA, or Subordinate CA + cert4 = CertData() + cert4.setTag(master['pki_subsystem_tag']) + cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) + cert4.setKeySize(master['pki_subsystem_key_size']) + cert4.setKeyType(master['pki_subsystem_key_type']) + cert4.setNickname(master['pki_subsystem_nickname']) + cert4.setSubjectDN(master['pki_subsystem_subject_dn']) + cert4.setToken(master['pki_subsystem_token']) + systemCerts.add(cert4) + # Create 'Audit Signing Certificate' + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] != "RA": + # PKI TPS + cert5 = CertData() + cert5.setTag(master['pki_audit_signing_tag']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_key_algorithm']) + cert5.setKeySize(master['pki_audit_signing_key_size']) + cert5.setKeyType(master['pki_audit_signing_key_type']) + cert5.setNickname(master['pki_audit_signing_nickname']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_signing_algorithm']) + 
cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) + cert5.setToken(master['pki_audit_signing_token']) + systemCerts.add(cert5) + elif master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # External CA, or Subordinate CA + cert5 = CertData() + cert5.setTag(master['pki_audit_signing_tag']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_key_algorithm']) + cert5.setKeySize(master['pki_audit_signing_key_size']) + cert5.setKeyType(master['pki_audit_signing_key_type']) + cert5.setNickname(master['pki_audit_signing_nickname']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_signing_algorithm']) + cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) + cert5.setToken(master['pki_audit_signing_token']) + systemCerts.add(cert5) + # Create 'DRM Transport Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + # PKI KRA + cert6 = CertData() + cert6.setTag(master['pki_transport_tag']) + cert6.setKeyAlgorithm( + master['pki_transport_key_algorithm']) + cert6.setKeySize(master['pki_transport_key_size']) + cert6.setKeyType(master['pki_transport_key_type']) + cert6.setNickname(master['pki_transport_nickname']) + cert6.setKeyAlgorithm( + master['pki_transport_signing_algorithm']) + cert6.setSubjectDN(master['pki_transport_subject_dn']) + cert6.setToken(master['pki_transport_token']) + systemCerts.add(cert6) + # Create 'DRM Storage Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + # PKI KRA + cert7 = CertData() + cert7.setTag(master['pki_storage_tag']) + cert7.setKeyAlgorithm( + master['pki_storage_key_algorithm']) + cert7.setKeySize(master['pki_storage_key_size']) + cert7.setKeyType(master['pki_storage_key_type']) + cert7.setNickname(master['pki_storage_nickname']) + cert7.setKeyAlgorithm( + 
master['pki_storage_signing_algorithm']) + cert7.setSubjectDN(master['pki_storage_subject_dn']) + cert7.setToken(master['pki_storage_token']) + systemCerts.add(cert7) + # Create system certs + data.setSystemCerts(systemCerts) + return data + + def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag, + log_level): + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CONFIGURING_PKI_DATA, + pki_subsystem) + if not pki_dry_run_flag: + try: + response = self.client.configure(data) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ + " " + response.getStatus()) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ + " " + response.getAdminCert().getCert()) + certs = response.getSystemCerts() + iterator = certs.iterator() + while iterator.hasNext(): + cdata = iterator.next() + javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ + cdata.getTag()) + javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ + cdata.getCert()) + javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ + cdata.getRequest()) + except Exception, e: + javasystem.out.println( + log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) + javasystem.exit(1) + return + # PKI Deployment Jython Class Instances security_databases = security_databases() +rest_client = rest_client() diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 806a64e4d..d7d50a63e 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py 
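Review bot: In `construct_pki_configuration_data` the audit-signing certificate (both the Apache and the Tomcat branch), the transport certificate and the storage certificate call `setKeyAlgorithm` twice, the second time with the `*_signing_algorithm` value; cert1 and cert2 use `setSigningAlgorithm` for that value, so the second call on cert5, cert6 and cert7 should read, for example, `cert5.setSigningAlgorithm(master['pki_audit_signing_signing_algorithm'])`. As written the key algorithm is overwritten with the signing algorithm and no signing algorithm is set for those certificates. The method is several hundred lines of near-identical `CertData` population; a private helper taking the `master` key prefix (`pki_audit_signing`, `pki_transport`, ...) would make the copy-paste slip above impossible to repeat. The `sensitive` dictionary returned by `extract_sensitive_data` holds plaintext passwords, so a one-line comment at its assignment warning not to log or print it would match the "NEVER print out 'sensitive' data" note in pkimessages.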
@@ -20,6 +20,14 @@ # # PKI Deployment Engine Messages +PKI_DICTIONARY_MANDATORY ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_OPTIONAL ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\ +"=====================================================" PKI_DICTIONARY_COMMON ="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\ @@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ "=====================================================" +# NEVER print out 'sensitive' data dictionary!!! # PKI Deployment Log Messages @@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s" PKIHELPER_CP_RP_2 = "cp -rp %s %s" PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" +PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ + "is missing the key called '%s'!" PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" PKIHELPER_GID_2 = "GID of '%s' is %s" PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." +PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" +PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\ "jython %s %s <master_dictionary>'" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" 
@@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s" PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ + "CAs, and subordinate CAs"\ + "MUST ALL be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ "filling it with '%d' random bytes" PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\ "PKI subsystems" +PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" PKIHELPER_RM_F_1 = "rm -f %s" PKIHELPER_RM_RF_1 = "rm -rf %s" PKIHELPER_RMDIR_1 = "rmdir %s" PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" +PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\ "Tomcat PKI subsystems" PKIHELPER_TOUCH_1 = "touch %s" PKIHELPER_UID_2 = "UID of '%s' is %s" +PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\ + "A value for 'pki_admin_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\ + "A value for 'pki_backup_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\ + "A value for 'pki_ds_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\ + "A value for 'pki_pkcs12_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\ + "A value for 'pki_security_domain_password' MUST be defined in 
'%s'" PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." +PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" +PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" # PKI Deployment Jython "Scriptlet" Messages # (MUST contain NO embedded formats since Jython 2.2 does not support logging!) +PKI_JYTHON_CDATA_TAG = "tag:" +PKI_JYTHON_CDATA_CERT = "cert:" +PKI_JYTHON_CDATA_REQUEST = "request:" +PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned" +PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for" +PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for" +PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\ + "is currently supported" +PKI_JYTHON_IS_DUALKEY = "dualkey = true" +PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing" +PKI_JYTHON_EXTERNAL_CA = "External" PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON " PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..." PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......." PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........." PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............." +PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:" +PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via" PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in" +PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\ + "Exception from Java Configuration Servlet:" PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in" +PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:" +PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:" +PKI_JYTHON_RESPONSE_STATUS = "status:" +PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:" +PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED" +PKI_JYTHON_SUBORDINATE_CA = "Subordinate" # PKI Deployment "Scriptlet" Messages 
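Review bot: `PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA` drops the space between its second and third fragments, so the message that reaches the operator reads "…and subordinate CAsMUST ALL be MUTUALLY EXCLUSIVE…"; change the fragment to `"CAs, and subordinate CAs "\`. The three sibling `PKIHELPER_MUTUALLY_EXCLUSIVE_*` messages keep a trailing space on every fragment, so this one is the outlier. Separately, the new `PKI_JYTHON_RESPONSE_ADMIN_CERT` and `PKI_JYTHON_CDATA_*` labels are used by the jython scriptlet to echo the configuration response to stdout; the admin certificate and the per-cert requests are public material, but pkispawn output is routinely captured in logs, so a comment above the group such as `# Labels for echoing the configuration response: ONLY public material (certs, CSRs) may ever be printed under these` would make the boundary explicit for the next person who extends the response dump.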
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 0add192f7..5abfdc064 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -53,22 +53,18 @@ def process_command_line_arguments(argv): required=True, metavar='<subsystem>', help='where <subsystem> is ' 'CA, KRA, OCSP, RA, TKS, or TPS') + if os.path.basename(argv[0]) == 'pkispawn': + mandatory.add_argument('-f', + dest='pkideployment_cfg', action='store', + nargs=1, required=True, metavar='<file>', + help='specifies configuration filename') optional = parser.add_argument_group('optional arguments') optional.add_argument('--dry_run', dest='pki_dry_run_flag', action='store_true', help='do not actually perform any actions') - optional.add_argument('-f', - dest='pkideployment_cfg', action='store', - nargs=1, metavar='<file>', - help='overrides default configuration filename') optional.add_argument('-h', '--help', dest='help', action='help', help='show this help message and exit') - optional.add_argument('-p', - dest='pki_root_prefix', action='store', - nargs=1, metavar='<prefix>', - help='directory prefix to specify local directory ' - '[TEST ONLY]') if os.path.basename(argv[0]) == 'pkispawn': optional.add_argument('-u', dest='pki_update_flag', action='store_true', @@ -98,6 +94,12 @@ def process_command_line_arguments(argv): dest='custom_pki_ajp_port', action='store', nargs=1, metavar='<port>', help='AJP port (CA, KRA, OCSP, TKS)') + test = parser.add_argument_group('test arguments') + test.add_argument('-p', + dest='pki_root_prefix', action='store', + nargs=1, metavar='<prefix>', + help='directory prefix to specify local directory ' + '[TEST ONLY]') args = parser.parse_args() config.pki_subsystem = str(args.pki_subsystem).strip('[\']') 
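Review bot: `mandatory.add_argument('-f', … nargs=1, required=True, …)` stores the configuration filename as a one-element list, which is why the caller has to recover it with `str(args.pkideployment_cfg).strip('[\']')`; that round-trip also strips any leading or trailing `[`, `'` or `]` from the path itself. Dropping `nargs=1` (argparse already stores a single string for `action='store'`) lets the caller use `args.pkideployment_cfg` directly and the same applies to the new `test.add_argument('-p', …)` in the following hunk. `-p` is labelled `[TEST ONLY]` but is accepted unconditionally in every build; a comment saying why it is not gated (or gating it on an environment flag) would help whoever audits the installer's surface. process_command_line_arguments begins and ends outside the hunk.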
@@ -187,7 +189,7 @@ def process_command_line_arguments(argv):
 print
 parser.print_help()
 parser.exit(-1);
- if not args.pkideployment_cfg is None:
+ if os.path.basename(argv[0]) == 'pkispawn':
 config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
 elif os.path.basename(argv[0]) == 'pkidestroy':
 # NOTE: When performing 'pkidestroy', a configuration file must be
@@ -258,6 +260,9 @@ def read_pki_configuration_file():
 # Make keys case-sensitive!
 parser.optionxform = str
 parser.read(config.pkideployment_cfg)
+ config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
+ config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
+ config.pki_optional_dict = dict(parser._sections['Optional'])
 config.pki_common_dict = dict(parser._sections['Common'])
 if config.pki_subsystem == "CA":
 config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -278,6 +283,9 @@ def read_pki_configuration_file():
 config.pki_web_server_dict = dict(parser._sections['Apache'])
 config.pki_subsystem_dict = dict(parser._sections['TPS'])
 # Insert empty record into dictionaries for "pretty print" statements
+ # NEVER print "sensitive" key value pairs!!!
+ config.pki_mandatory_dict[0] = None
+ config.pki_optional_dict[0] = None
 config.pki_common_dict[0] = None
 config.pki_web_server_dict[0] = None
 config.pki_subsystem_dict[0] = None
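Review bot: The new `config.pki_sensitive_dict = dict(parser._sections['Sensitive'])` line (and its Mandatory/Optional siblings) reaches into ConfigParser's private `_sections` attribute and raises a bare `KeyError` when the section is absent; `dict(parser.items('Sensitive'))` is the public API, and a `parser.has_section('Sensitive')` check first would give the operator a clear message instead of a traceback. Because this section carries the passwords named in the `PKIHELPER_UNDEFINED_*_PASSWORD_1` messages (`pki_ds_password`, `pki_admin_password`, `pki_security_domain_password`, …), the read is also the right place to refuse, or at least warn on, a group/world-readable deployment file, e.g. `if os.stat(config.pkideployment_cfg).st_mode & (stat.S_IRWXG | stat.S_IRWXO):` (needs `import stat`). read_pki_configuration_file begins outside the hunk.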
@@ -297,13 +305,19 @@ def compose_pki_master_dictionary(): config.pki_certificate_timestamp config.pki_master_dict['pki_architecture'] = config.pki_architecture config.pki_master_dict['pki_hostname'] = config.pki_hostname + config.pki_master_dict['pki_dns_domainname'] =\ + config.pki_dns_domainname config.pki_master_dict['pki_pin'] = config.pki_pin config.pki_master_dict['pki_client_pin'] = config.pki_client_pin config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag config.pki_master_dict['pki_jython_log_level'] =\ config.pki_jython_log_level + config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg # Configuration file name/value pairs + # NEVER add "sensitive" key value pairs to the master dictionary!!! + config.pki_master_dict.update(config.pki_mandatory_dict) + config.pki_master_dict.update(config.pki_optional_dict) config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) @@ -357,8 +371,7 @@ def compose_pki_master_dictionary(): # (e. g. Tomcat: "tomcat", "example.com-tomcat") # (e. g. Apache: "apache", "example.com-apache") # - if not config.pki_master_dict['pki_admin_domain_name'] is None and\ - not config.pki_master_dict['pki_admin_domain_name'] is '': + if len(config.pki_master_dict['pki_admin_domain_name']): config.pki_master_dict['pki_instance_id'] =\ config.pki_master_dict['pki_admin_domain_name'] +\ "-" + config.pki_master_dict['pki_instance_name'] @@ -458,6 +471,9 @@ def compose_pki_master_dictionary(): os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", "emails") + config.pki_master_dict['pki_source_flatfile_txt'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "flatfile.txt") config.pki_master_dict['pki_source_profiles'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", 
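Review bot: `if len(config.pki_master_dict['pki_admin_domain_name']):` raises `TypeError` if the value is ever `None`, which is precisely the case the removed `is None` test covered; the idiomatic `if config.pki_master_dict['pki_admin_domain_name']:` handles both `None` and `''` with no call. Today the value comes from the ConfigParser dictionaries merged just above, so it is a string, but nothing stops a later caller from seeding the master dictionary with `None`, and the truthiness form costs nothing. compose_pki_master_dictionary begins and ends outside the hunk.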
@@ -465,6 +481,43 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_source_proxy_conf'] =\ os.path.join(config.pki_master_dict['pki_source_conf_path'], "proxy.conf") + config.pki_master_dict['pki_source_registry_cfg'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_source_admincert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "adminCert.profile") + config.pki_master_dict['pki_source_caauditsigningcert_profile']\ + = os.path.join( + config.pki_master_dict['pki_source_conf_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_source_cacert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caCert.profile") + config.pki_master_dict['pki_source_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_storagecert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "storageCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_source_transportcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "transportCert.profile") # PKI top-level file system layout name/value pairs # NOTE: Never use 
'os.path.join()' whenever 'pki_root_prefix' # is being prepended!!! @@ -498,12 +551,14 @@ def compose_pki_master_dictionary(): if config.pki_master_dict['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: # Apache instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Apache" # Apache instance log name/value pairs # Apache instance configuration name/value pairs # Apache instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "apache") + os.path.join( + config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], @@ -513,12 +568,16 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Tomcat instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Tomcat" config.pki_master_dict['pki_tomcat_common_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "common") config.pki_master_dict['pki_tomcat_common_lib_path'] =\ os.path.join(config.pki_master_dict['pki_tomcat_common_path'], "lib") + config.pki_master_dict['pki_tomcat_tmpdir_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "temp") config.pki_master_dict['pki_tomcat_webapps_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "webapps") 
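Review bot: The six `pki_source_*_profile` assignments in the CA branch and the four in the new KRA branch are the same three lines repeated with only the profile name changing, and each key has to be hand-derived from the basename, which is exactly the kind of copy-paste this file's `pki_*_signing_algorithm` look-alikes already suffer from. A short tuple plus loop produces byte-identical keys, since `.lower()` of each CamelCase basename gives the existing spellings (`admincert`, `caauditsigningcert`, `caocspcert`, …), and the later `pki_target_*_profile` hunk can use the same table. compose_pki_master_dictionary begins and ends outside the hunk.
```python
            # … unchanged: pki_source_registry_cfg assignment …
            # '*.profile' shipped in the source conf dir; key is the lower-cased basename
            for profile in ("adminCert", "caAuditSigningCert", "caCert",
                            "caOCSPCert", "serverCert", "subsystemCert"):
                config.pki_master_dict['pki_source_%s_profile' % profile.lower()] =\
                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
                                 profile + ".profile")
        elif config.pki_master_dict['pki_subsystem'] == "KRA":
            # '*.profile'
            for profile in ("serverCert", "storageCert", "subsystemCert",
                            "transportCert"):
                config.pki_master_dict['pki_source_%s_profile' % profile.lower()] =\
                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
                                 profile + ".profile")
```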
@@ -529,28 +588,43 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_tomcat_webapps_root_path'], "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "classes") - config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "lib") config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\ os.path.join( config.pki_master_dict\ ['pki_tomcat_webapps_root_webinf_path'], "web.xml") + config.pki_master_dict['pki_tomcat_work_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "work") + config.pki_master_dict['pki_tomcat_work_catalina_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_work_path'], + "Catalina") + config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_work_catalina_path'], + "localhost") + config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + "_") + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_subsystem_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + config.pki_master_dict['pki_subsystem'].lower()) # Tomcat instance log name/value pairs # Tomcat instance configuration name/value pairs + config.pki_master_dict['pki_instance_log4j_properties'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "log4j.properties") # Tomcat instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "tomcat") + os.path.join( + 
config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], 
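Review bot: The literal `"_"` used for `pki_tomcat_work_catalina_host_run_path` carries no explanation and reads like a placeholder; add a comment at the assignment such as `# "_" is the work-directory name Tomcat assigns to the ROOT context (presumably; confirm for the Tomcat 7 build in use)`. This hunk also deletes `pki_tomcat_webapps_webinf_path`, `..._webinf_classes_path` and `..._webinf_lib_path`, while the replacement `pki_tomcat_webapps_subsystem_webinf_*_path` keys only appear in a later hunk; any scriptlet still referencing the old names would fail with the `PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1` KeyError introduced in pkimessages.py, so the rename is worth grepping for in instance_layout.py. compose_pki_master_dictionary begins and ends outside the hunk.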
@@ -562,9 +636,205 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_lib_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "lib") + config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_lib_path'], + "log4j.properties") config.pki_master_dict['pki_instance_systemd_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_instance_id']) + # Tomcat instance common lib jars + if config.pki_master_dict['pki_architecture'] == 64: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib64/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib64/java", + "symkey.jar") + else: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib/java", + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar'] =\ + os.path.join( + config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT, + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar'] =\ + 
os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmscore.jar") + config.pki_master_dict['pki_cms'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + 
"xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xml-commons-resolver.jar") + # Tomcat instance common lib jar symbolic links + config.pki_master_dict['pki_jss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jss4.jar") + config.pki_master_dict['pki_symkey_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar_link'] =\ + os.path.join( + 
config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmscore.jar") + config.pki_master_dict['pki_cms_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\ + os.path.join( + 
config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-resolver.jar") # Instance layout NSS security database name/value pairs config.pki_master_dict['pki_database_path'] =\ os.path.join( @@ -612,9 +882,6 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Instance-based Tomcat PKI subsystem base name/value pairs - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - config.pki_master_dict['pki_subsystem'].lower()) if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_subsystem_emails_path'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], @@ -632,18 +899,6 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "webapps") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "classes") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "lib") # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links config.pki_master_dict['pki_subsystem_database_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], 
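Review bot: `pki_commons_codec_jar_link` is named `apache-commons-codec.jar` while its source `pki_commons_codec_jar` is `commons-codec.jar`; every other entry in this table links under the source basename, so this is either a typo or needs a comment explaining the rename. Key naming is also uneven: `pki_cmsbundle`, `pki_cmscore`, `pki_cms`, `pki_cmsutil` and `pki_nsutil` lack the `_jar` suffix that their `_jar_link` counterparts and all other source entries carry, which makes table-driven consumers impossible and typos likely. The JSS and symkey paths are hard-coded as `/usr/lib64/java` versus `/usr/lib/java` keyed on `pki_architecture == 64`; a `PKI_DEPLOYMENT_JSS_JAR_SOURCE_ROOT`-style constant in pkiconfig.py would keep the architecture switch in one place, as the other `PKI_DEPLOYMENT_*_SOURCE_ROOT` values already do. compose_pki_master_dictionary begins and ends outside the hunk.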
@@ -654,6 +909,78 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_logs_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "logs") + # PKI Target (war file) name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Tomcat PKI subsystem war file base name/value pairs + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "classes") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "lib") + # Tomcat PKI subsystem war file convenience symbolic links + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ca_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ca.jar") + # config.pki_master_dict['pki_ca_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ca.jar") + config.pki_master_dict['pki_ca_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ca.jar") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + config.pki_master_dict['pki_kra_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-kra.jar") + # config.pki_master_dict['pki_kra_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-kra.jar") + config.pki_master_dict['pki_kra_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-kra.jar") + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + 
config.pki_master_dict['pki_ocsp_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ocsp.jar") + # config.pki_master_dict['pki_ocsp_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ocsp.jar") + config.pki_master_dict['pki_ocsp_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ocsp.jar") + elif config.pki_master_dict['pki_subsystem'] == "TKS": + config.pki_master_dict['pki_tks_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-tks.jar") + # config.pki_master_dict['pki_tks_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-tks.jar") + config.pki_master_dict['pki_tks_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-tks.jar") # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ os.path.join( 
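Review bot: Each subsystem branch carries a commented-out alternative (`# config.pki_master_dict['pki_ca_jar_link'] = … WEB-INF/lib …`) next to the live assignment that links `pki-ca.jar` / `pki-kra.jar` / `pki-ocsp.jar` / `pki-tks.jar` under `pki_tomcat_common_lib_path`; delete the dead code and record the decision once, e.g. `# NOTE: subsystem jars go into the instance's shared common/lib rather than the webapp's WEB-INF/lib because <reason>`. If `common/lib` is Tomcat's shared loader directory, as the name suggests, every webapp in the instance then sees every subsystem's classes, which is a classloader-isolation trade-off that deserves to be stated rather than left in a commented-out alternative. The four branches differ only in the subsystem name and could be one loop keyed on `pki_subsystem.lower()`, but the if/elif is acceptable. compose_pki_master_dictionary begins and ends outside the hunk.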
@@ -699,12 +1026,50 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], "WEB-INF", "web.xml") + config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml.orig") # subystem-specific slot substitution name/value pairs if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_flatfile_txt'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "flatfile.txt") config.pki_master_dict['pki_target_proxy_conf'] =\ os.path.join(config.pki_master_dict\ ['pki_subsystem_configuration_path'], "proxy.conf") + config.pki_master_dict['pki_target_registry_cfg'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_target_admincert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "adminCert.profile") + config.pki_master_dict['pki_target_caauditsigningcert_profile']\ + = os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_target_cacert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caCert.profile") + config.pki_master_dict['pki_target_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") # in-place slot substitution name/value pairs config.pki_master_dict['pki_target_profileselect_template'] =\ 
os.path.join( @@ -713,6 +1078,24 @@ def compose_pki_master_dictionary(): "ee", config.pki_master_dict['pki_subsystem'].lower(), "ProfileSelect.template") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_storagecert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "storageCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_target_transportcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "transportCert.profile") # Slot assignment name/value pairs # NOTE: Master key == Slots key; Master value ==> Slots value config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ @@ -830,6 +1213,8 @@ def compose_pki_master_dictionary(): "tomcat") config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_proxy_https_port'] + config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ + config.pki_master_dict['pki_tomcat_tmpdir_path'] config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_proxy_http_port'] config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ @@ -846,6 +1231,8 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_security_manager'] config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ config.pki_master_dict['pki_target_server_xml'] + config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + "/" config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ config.pki_master_dict['pki_subsystem'].lower() config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ 
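Review bot: `pki_target_subsystem_web_xml_orig` introduces a `web.xml.orig` copy inside the deployed `WEB-INF`, with nothing saying who writes it, whether pkidestroy removes it, or whether a re-run with `-u` overwrites a stale copy; add a comment at the assignment, e.g. `# backup of the shipped web.xml taken before slot substitution; removed by pkidestroy — confirm`. Files under `WEB-INF` are not served by Tomcat, so the copy is not exposed over HTTP, but a stale `.orig` is exactly what trips up a later upgrade that expects the original. compose_pki_master_dictionary begins and ends outside the hunk.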
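Review bot: `PKI_TMPDIR_SLOT` is inserted between `PKI_PROXY_SECURE_PORT_SLOT` and `PKI_PROXY_UNSECURE_PORT_SLOT`, breaking the alphabetical order the slot table otherwise keeps (`…PROXY_UNSECURE_PORT…`, `…RANDOM_NUMBER…`, `…SECURITY_MANAGER…`); move it after `PKI_SYSTEMD_SERVICENAME_SLOT` or wherever `PKI_T…` belongs. It also deserves a one-line comment on what consumes it, e.g. `# substituted into the instance's Tomcat startup config as java.io.tmpdir (presumably) — confirm`. compose_pki_master_dictionary begins and ends outside the hunk.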
@@ -924,6 +1311,10 @@ def compose_pki_master_dictionary(): "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" # Shared Apache/Tomcat NSS security database name/value pairs + config.pki_master_dict['pki_shared_pfile'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "pfile") config.pki_master_dict['pki_shared_password_conf'] =\ os.path.join( config.pki_master_dict['pki_instance_configuration_path'], @@ -941,13 +1332,13 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_self_signed_nickname'] =\ "Server-Cert cert-" + config.pki_master_dict['pki_instance_id'] config.pki_master_dict['pki_self_signed_subject'] =\ - "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ - "O=" + config.pki_master_dict['pki_certificate_timestamp'] + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] config.pki_master_dict['pki_self_signed_serial_number'] = 0 config.pki_master_dict['pki_self_signed_validity_period'] = 12 config.pki_master_dict['pki_self_signed_issuer_name'] =\ - "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ - "O=" + config.pki_master_dict['pki_certificate_timestamp'] + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" config.pki_master_dict['pki_self_signed_noise_file'] =\ os.path.join( 
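Review bot: `pki_shared_pfile` is introduced without saying what it is for; the security_databases.py hunks further down show it is a temporary, password-only variant of `pki_shared_password_conf` handed to `certutil` and then deleted. A comment at the definition would save the next reader that cross-reference, e.g. `# Temporary password-only file ('token=' prefix stripped) consumed by certutil; created and removed by security_databases.py`. compose_pki_master_dictionary begins before this hunk.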
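Review bot: `pki_self_signed_issuer_name` is rebuilt from the same `"cn=" ... "o=" ...` expression as `pki_self_signed_subject`, so the two can drift apart on the next edit; assigning `config.pki_master_dict['pki_self_signed_issuer_name'] = config.pki_master_dict['pki_self_signed_subject']` states the self-signed relationship directly. The switch from `CN=`/`O=` to `cn=`/`o=` is consistent with the lowercase attribute types used for the other subject DNs added in this commit.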
@@ -992,10 +1383,778 @@ def compose_pki_master_dictionary(): "pki", "deployment", "configuration.jy") + config.pki_master_dict['pki_jython_base_uri'] =\ + "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\ + config.pki_master_dict['pki_https_port'] + "/" +\ + config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki" + # Jython scriptlet + # 'Security Domain' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_security_domain_type'] + # config.pki_master_dict['pki_security_domain_uri'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_security_domain_https_port'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_security_domain_user'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_security_domain_hostname'] + # config.pki_master_dict['pki_security_domain_name'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if config.pki_subsystem == "CA": + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + config.pki_master_dict['pki_security_domain_name'] =\ + "External CA Security Domain" + elif not config.str2bool(config.pki_master_dict['pki_clone'])\ + and not\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + # PKI CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + 
config.pki_master_dict['pki_security_domain_name'] =\ + config.pki_master_dict['pki_dns_domainname'] +\ + " " + "Security Domain" + else: + # PKI Cloned or Subordinate CA + config.pki_master_dict['pki_security_domain_type'] =\ + "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname']\ + = config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname']\ + + ":" + config.pki_security_domain_https_port + else: + # PKI KRA, OCSP, or TKS + config.pki_master_dict['pki_security_domain_type'] = "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname'] +\ + ":" +\ + config.pki_master_dict['pki_security_domain_https_port'] + # Jython scriptlet + # 'Directory Server' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ds_bind_dn'] + # config.pki_master_dict['pki_ds_http_port'] + # config.pki_master_dict['pki_ds_https_port'] + # config.pki_master_dict['pki_ds_password'] + # config.pki_master_dict['pki_ds_remove_data'] + # config.pki_master_dict['pki_ds_secure_connection'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ds_base_dn'] 
+ # config.pki_master_dict['pki_ds_database'] + # config.pki_master_dict['pki_ds_hostname'] + # + if not len(config.pki_master_dict['pki_ds_base_dn']): + config.pki_master_dict['pki_ds_base_dn'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_database']): + config.pki_master_dict['pki_ds_database'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_hostname']): + # Guess that the Directory Server resides on the local host + config.pki_master_dict['pki_ds_hostname'] =\ + config.pki_master_dict['pki_hostname'] + # Jython scriptlet + # 'Backup' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_backup_keys'] + # config.pki_master_dict['pki_backup_password'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_backup_file'] + # + if config.str2bool(config.pki_master_dict['pki_backup_keys']): + if not len(config.pki_master_dict['pki_backup_file']): + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "externalca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "subca.p12" + "." 
+\ + config.pki_master_dict['pki_timestamp'] + else: + # PKI CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "kra.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ocsp.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "tks.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + # Jython scriptlet + # 'Admin Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_admin_cert_request_type'] + # config.pki_master_dict['pki_admin_dualkey'] + # config.pki_master_dict['pki_admin_keysize'] + # config.pki_master_dict['pki_admin_name'] + # config.pki_master_dict['pki_admin_password'] + # config.pki_master_dict['pki_admin_uid'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_admin_email'] + # config.pki_master_dict['pki_admin_subject_dn'] + # + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" + if not len(config.pki_master_dict['pki_admin_email']): + config.pki_master_dict['pki_admin_email'] =\ + config.pki_master_dict['pki_admin_name'] + "@" +\ + config.pki_master_dict['pki_dns_domainname'] + if not len(config.pki_master_dict['pki_admin_subject_dn']): + if config.pki_subsystem in 
config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "RA Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TPS Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # PKI CA, Subordinate CA, or External CA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "CA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "KRA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "OCSP Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + 
config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TKS Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + # Jython scriptlet + # 'CA Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ca_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ca_signing_key_algorithm'] + # config.pki_master_dict['pki_ca_signing_key_size'] + # config.pki_master_dict['pki_ca_signing_key_type'] + # config.pki_master_dict['pki_ca_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ca_signing_nickname'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + # config.pki_master_dict['pki_ca_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # config.pki_master_dict['pki_ca_signing_nickname'] + if not len(config.pki_master_dict\ + ['pki_ca_signing_nickname']): + config.pki_master_dict['pki_ca_signing_nickname'] =\ + "caSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + if 
config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "External CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "SubCA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + # config.pki_master_dict['pki_ca_signing_tag'] + config.pki_master_dict['pki_ca_signing_tag'] =\ + "signing" + # config.pki_master_dict['pki_ca_signing_token'] + if not len(config.pki_master_dict['pki_ca_signing_token']): + config.pki_master_dict['pki_ca_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'OCSP Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA], [OCSP] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ocsp_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ocsp_signing_key_algorithm'] + # config.pki_master_dict['pki_ocsp_signing_key_size'] + # config.pki_master_dict['pki_ocsp_signing_key_type'] + # config.pki_master_dict['pki_ocsp_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # 
config.pki_master_dict['pki_ocsp_signing_nickname'] + # config.pki_master_dict['pki_ocsp_signing_subject_dn'] + # config.pki_master_dict['pki_ocsp_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "External CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "SubCA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "ocsp_signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + 
config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "OCSP Signing Certificate" + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'SSL Server Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ssl_server_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ssl_server_key_algorithm'] + # config.pki_master_dict['pki_ssl_server_key_size'] + # config.pki_master_dict['pki_ssl_server_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ssl_server_nickname'] + # config.pki_master_dict['pki_ssl_server_subject_dn'] + # config.pki_master_dict['pki_ssl_server_token'] + # + if not len(config.pki_master_dict['pki_ssl_server_nickname']): + config.pki_master_dict['pki_ssl_server_nickname'] =\ + "Server-Cert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ssl_server_subject_dn']): + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\ + "," + "o=" +\ + 
config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" + if not len(config.pki_master_dict['pki_ssl_server_token']): + config.pki_master_dict['pki_ssl_server_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Subsystem Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_subsystem_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_subsystem_key_algorithm'] + # config.pki_master_dict['pki_subsystem_key_size'] + # config.pki_master_dict['pki_subsystem_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_subsystem_nickname'] + # config.pki_master_dict['pki_subsystem_subject_dn'] + # config.pki_master_dict['pki_subsystem_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "RA Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + 
config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TPS Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "External CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "SubCA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "DRM Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + 
# PKI OCSP + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "OCSP Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TKS Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Audit Signing Certificate' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_audit_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_audit_signing_key_algorithm'] + # config.pki_master_dict['pki_audit_signing_key_size'] + # config.pki_master_dict['pki_audit_signing_key_type'] + # config.pki_master_dict['pki_audit_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_audit_signing_nickname'] + # config.pki_master_dict['pki_audit_signing_subject_dn'] + # config.pki_master_dict['pki_audit_signing_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] != "RA": + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + 
['pki_audit_signing_subject_dn']): + config.pki_master_dict['pki_audit_signing_subject_dn'] =\ + "cn=" + "TPS Audit Signing Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_audit_signing_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "External CA Audit Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "SubCA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "CA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "DRM Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == 
"OCSP": + # PKI OCSP + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "OCSP Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "TKS Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Transport Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_transport_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_transport_key_algorithm'] + # config.pki_master_dict['pki_transport_key_size'] + # config.pki_master_dict['pki_transport_key_type'] + # config.pki_master_dict['pki_transport_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_transport_nickname'] + # config.pki_master_dict['pki_transport_subject_dn'] + # config.pki_master_dict['pki_transport_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict\ + ['pki_transport_nickname']): + config.pki_master_dict['pki_transport_nickname'] =\ + "transportCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_transport_subject_dn']): 
+ config.pki_master_dict['pki_transport_subject_dn']\ + = "cn=" + "DRM Transport Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_transport_tag'] =\ + "transport" + if not len(config.pki_master_dict['pki_transport_token']): + config.pki_master_dict['pki_transport_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Storage Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_storage_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_storage_key_algorithm'] + # config.pki_master_dict['pki_storage_key_size'] + # config.pki_master_dict['pki_storage_key_type'] + # config.pki_master_dict['pki_storage_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_storage_nickname'] + # config.pki_master_dict['pki_storage_subject_dn'] + # config.pki_master_dict['pki_storage_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict['pki_storage_nickname']): + config.pki_master_dict['pki_storage_nickname'] =\ + "storageCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_storage_subject_dn']): + config.pki_master_dict['pki_storage_subject_dn']\ + = "cn=" + "DRM Storage Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_storage_tag'] =\ + "storage" + if not len(config.pki_master_dict['pki_storage_token']): + 
config.pki_master_dict['pki_storage_token'] =\ + "Internal Key Storage Token" except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) + except KeyError as err: + config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, + err, extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) return diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py index 1a08fdccb..8364d9519 100644 --- a/base/deploy/src/scriptlets/security_databases.py +++ b/base/deploy/src/scriptlets/security_databases.py @@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.password.create_password_conf( master['pki_shared_password_conf'], master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) util.file.modify(master['pki_shared_password_conf']) util.certutil.create_security_databases( master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) util.file.modify(master['pki_cert_database'], perms=\ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) util.file.modify(master['pki_key_database'], perms=\ @@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_secmod_database'], master['pki_self_signed_token'], master['pki_self_signed_nickname'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], 
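Review bot: The default `pki_backup_file` values are guessable paths in a shared directory, such as `"/tmp" + "/" + "ca.p12" + "." + config.pki_master_dict['pki_timestamp']`, and the file they name is the PKCS#12 export of the subsystem's keys enabled by `pki_backup_keys`; a default under a directory the instance owns, e.g. `os.path.join(config.pki_master_dict['pki_instance_configuration_path'], "ca.p12" + "." + config.pki_master_dict['pki_timestamp'])`, keeps key material out of a world-writable location with a predictable name. Separately, the cloned/subordinate CA branch builds `pki_security_domain_uri` from `config.pki_security_domain_https_port`, while the KRA/OCSP/TKS branch and the header comment use `config.pki_master_dict['pki_security_domain_https_port']`; unless pkiconfig defines that attribute, the clone path raises AttributeError at runtime, so the dictionary lookup should be used there too. compose_pki_master_dictionary begins before this hunk.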
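Review bot: The password-only `pki_shared_pfile` written here is only removed at the end of the spawn path (the deletes added in the `@@ -76` and `@@ -113` hunks), so an exception from `util.certutil.create_security_databases` or `verify_certificate_exists` in between leaves a file holding the bare NSS PIN in the instance configuration directory. Creating it immediately before the certutil calls and deleting it in a `finally:` that covers them bounds its lifetime to the calls that need it; the duplicate block in the `else:` branch of the `@@ -76` hunk needs the same treatment. The enclosing method starts before this hunk.
```python
# … unchanged: create_password_conf(master['pki_shared_password_conf'], ...) …
util.password.create_password_conf(
    master['pki_shared_pfile'],
    master['pki_pin'], pin_sans_token=True)
try:
    # … unchanged: create_security_databases / file.modify / verify_certificate_exists / self-signed certificate …
finally:
    # Delete the temporary 'pfile' on every exit path, not only on success
    util.file.delete(master['pki_shared_pfile'])
```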
@@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
else:
util.password.create_password_conf(
master['pki_shared_password_conf'],
master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
util.certutil.create_security_databases(
master['pki_database_path'],
master['pki_cert_database'],
master['pki_key_database'],
master['pki_secmod_database'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
master['pki_cert_database'],
@@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
@@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
+ util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
return self.rv

def respawn(self):
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 93b0ae750..3467596e8 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_cs_cfg'])
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
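Review bot: The new `uid=0, gid=0` on the registry and tomcat-conf copies in the @@ -39 and @@ -56 hunks pins those two targets to root while every other substituted file in this scriptlet keeps the default owner, and nothing says why; the same literal pair is repeated in the respawn hunks at @@ -85 and @@ -102. A one-line comment at the first site, e.g. `# registry and tomcat conf are read by root-run service scripts, keep them root-owned (confirm)`, or a named constant for the owner pair, would make the intent explicit and keep the four sites from drifting apart. The respawn call also has no overwrite guard beyond `overwrite_flag=True`, so a locally edited registry file is silently replaced; if that is intended it is worth stating in the same comment.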
@@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
@@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
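Review bot: The seven commented-out lines added after `apply_slot_substitution` in the @@ -69 hunk are dead code, and the two live comments above them still read as though the `<filter>` section of the subsystem `web.xml` is stripped here, which it is not; the respawn twin in the @@ -115 hunk carries the same block. Whether request filters end up in the deployed `web.xml` is security-relevant enough that the reader should not have to guess, so replace the block with one comment stating the actual state, e.g. `# NOTE: the "<filter>" section of web.xml is no longer stripped here; remove_filter_section_from_web_xml is unused`, and drop the disabled calls (history keeps them). If the stripping is only temporarily disabled, say so and name the tracking item with a placeholder such as `TODO(<ticket-id>)`.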
@@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 4ea5e6f84..d9c597d60 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem_profiles_path'])
# establish instance-based Tomcat PKI subsystem logs
# establish instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ util.file.copy(master['pki_source_flatfile_txt'],
+ master['pki_target_flatfile_txt'])
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'])
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'])
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'])
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'])
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'])
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'])
# establish instance-based Tomcat PKI subsystem registry
# establish instance-based Tomcat PKI subsystem convenience
# symbolic links
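Review bot: The CA and KRA branches are ten `util.file.copy` pairs that differ only in the profile name embedded in the `pki_source_*_profile`/`pki_target_*_profile` keys, and the respawn twin in the @@ -98 hunk repeats the whole list with `overwrite_flag=True`, so the two lists will drift (they already differ on `flatfile_txt`). A per-subsystem tuple of profile names iterated as `for name in profiles: util.file.copy(master['pki_source_%s_profile' % name], master['pki_target_%s_profile' % name])` keeps the list in one place for both paths. The chain also has no `else`, so an OCSP or TKS instance silently gets no profiles here; if that is intended, a trailing `# OCSP and TKS ship no instance profiles` comment would save the next reader a search.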
@@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
# update instance-based Tomcat PKI subsystem logs
# update instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ # util.file.copy(master['pki_source_flatfile_txt'],
+ # master['pki_target_flatfile_txt'],
+ # overwrite_flag=True)
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'],
+ overwrite_flag=True)
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'],
+ overwrite_flag=True)
# update instance-based Tomcat PKI subsystem registry
# update instance-based Tomcat PKI subsystem convenience
# symbolic links
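Review bot: The three commented-out lines for `pki_source_flatfile_txt` at the top of the CA branch leave it ambiguous whether respawn deliberately avoids overwriting the instance's flat file (presumably because, unlike the shipped profiles, it accumulates instance-specific entries after deployment) or whether the copy was simply forgotten; the spawn path in the @@ -56 hunk does copy it. Replace the disabled code with a one-line statement of intent, e.g. `# flatfile.txt is never refreshed on respawn: it may hold entries added after deployment`, so the asymmetry reads as a decision rather than an oversight. Every other target in this branch is overwritten unconditionally, which is worth a note as well if operators are expected to customize profiles in place.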
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index ca2ea601b..16113ba7d 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
- # establish convenience symbolic links
- util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
- master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
- util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
- master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+ # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.create(master['pki_ca_jar'],
+ master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.create(master['pki_kra_jar'],
+ master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.create(master['pki_ocsp_jar'],
+ master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.create(master['pki_tks_jar'],
+ master['pki_tks_jar_link'])
# set ownerships, permissions, and acls
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
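Review bot: The `if`/`elif` chain that picks which jar to link into `WEB-INF/lib` has no fallthrough, so a Tomcat subsystem outside {CA, KRA, OCSP, TKS} ends up with an exploded war, an empty lib directory and no error; the respawn twin in the @@ -56 hunk has the same shape. Because the keys differ only by subsystem name, `sub = master['pki_subsystem'].lower()` followed by `util.symlink.create(master['pki_%s_jar' % sub], master['pki_%s_jar_link' % sub])` removes the chain and turns an unknown subsystem into a `KeyError` at deployment time rather than a silent gap. Since Tomcat loads whatever that link resolves to as server code, a short comment noting that `set_mode` on the webapps path governs the link itself and not the jar it points to (which presumably lives outside the webapp tree, given it is linked rather than copied) would help the next person auditing ownership of the deployed tree.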
@@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
+ # update Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.modify(master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.modify(master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.modify(master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.modify(master['pki_tks_jar_link'])
# update ownerships, permissions, and acls
- # NOTE: This includes existing convenience symbolic links
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
|