diff options
| author | Ade Lee <alee@redhat.com> | 2012-09-11 15:42:36 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2012-09-12 21:39:47 -0400 |
| commit | d7b67c5ba1cf193c50cd46ec4bdef79646bce1af (patch) | |
| tree | ad1c6a592d2ca7538b97115ef8c4bd3daa36f793 /base/deploy | |
| parent | edd986d94f173ea9f63f105eaf0039327bc6f2e9 (diff) | |
| download | pki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.tar.gz pki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.tar.xz pki-d7b67c5ba1cf193c50cd46ec4bdef79646bce1af.zip | |
Various fixes to installation servlet and pki-deploy
Added logging so that we can see what is passed in to server from pkispawn.
Fixed incorrect dbuser specification.
Added required replication config items to pkispawn.
Initial refactoring of construct_pki_configuration_data in pkijython.py
Diffstat (limited to 'base/deploy')
| -rw-r--r-- | base/deploy/config/pkideployment.cfg | 2 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/configuration.jy | 14 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkihelper.py | 2 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkijython.py | 402 |
4 files changed, 166 insertions, 254 deletions
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index 006111622..a7e61ccb8 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg @@ -107,6 +107,8 @@ pki_https_port=443 pki_ajp_port=8009 pki_clone=False pki_clone_pkcs12_path= +pki_clone_replication_master_port= +pki_clone_replication_clone_port= pki_clone_replication_security=None pki_clone_uri= pki_enable_java_debugger=False diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index a53cf9d76..0f5968bce 100644 --- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy @@ -86,8 +86,8 @@ def main(argv): # Establish REST Client client = jyutil.rest_client.initialize( client_config, - master['pki_dry_run_flag'], - master['pki_jython_log_level']) + master, + sensitive) # Construct PKI Subsystem Configuration Data data = None @@ -123,17 +123,13 @@ def main(argv): else: # PKI or Cloned CA data = jyutil.rest_client.construct_pki_configuration_data( - master, sensitive, token) + token) else: # PKI or Cloned KRA, OCSP, or TKS - data = jyutil.rest_client.construct_pki_configuration_data( - master, sensitive, token) + data = jyutil.rest_client.construct_pki_configuration_data(token) # Formulate PKI Subsystem Configuration Data Response - jyutil.rest_client.configure_pki_data(data, - master, - sensitive) - + jyutil.rest_client.configure_pki_data(data) if __name__ == "__main__": main(sys.argv) diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 038198ad3..adbbe7cb5 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -2562,7 +2562,7 @@ class security_domain: log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, typeval, secname, - error[0], + error, extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(-1) diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index c489fb13f..28a705046 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -254,23 +254,115 @@ class security_databases: # PKI Deployment 'REST Client' Class class rest_client: client = None + master = None + sensitive = None - def initialize(self, client_config, pki_dry_run_flag, log_level): + def initialize(self, client_config, master, sensitive): try: + self.master = master + self.sensitive = sensitive + log_level = master['pki_jython_log_level'] if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_INITIALIZING_REST_CLIENT, client_config.serverURI) - if not pki_dry_run_flag: + if not master['pki_dry_run_flag']: self.client = SystemConfigClient(client_config) return self.client except URISyntaxException, e: e.printStackTrace() javasystem.exit(1) - def construct_pki_configuration_data(self, master, sensitive, token): + def set_existing_security_domain(self, data): + data.setSecurityDomainType(ConfigurationRequest.EXISTING_DOMAIN) + data.setSecurityDomainUri(self.master['pki_security_domain_uri']) + data.setSecurityDomainUser(self.master['pki_security_domain_user']) + data.setSecurityDomainPassword( + self.sensitive['pki_security_domain_password']) + + def set_new_security_domain(self, data): + data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN) + data.setSecurityDomainName(self.master['pki_security_domain_name']) + + def set_cloning_parameters(self, data): + data.setIsClone("true") + data.setCloneUri(self.master['pki_clone_uri']) + data.setP12File(self.master['pki_clone_pkcs12_path']) + data.setP12Password(self.sensitive['pki_clone_pkcs12_password']) + data.setReplicationSecurity( + self.master['pki_clone_replication_security']) + if self.master['pki_clone_replication_master_port']: + data.setMasterReplicationPort( + self.master['pki_clone_replication_master_port']) + if self.master['pki_clone_replication_clone_port']: + data.setCloneReplicationPort( + self.master['pki_clone_replication_clone_port']) + + def set_database_parameters(self, data): + data.setDsHost(self.master['pki_ds_hostname']) + data.setDsPort(self.master['pki_ds_ldap_port']) + data.setBaseDN(self.master['pki_ds_base_dn']) + data.setBindDN(self.master['pki_ds_bind_dn']) + data.setDatabase(self.master['pki_ds_database']) + data.setBindpwd(self.sensitive['pki_ds_password']) + if config.str2bool(self.master['pki_ds_remove_data']): + data.setRemoveData("true") + else: + data.setRemoveData("false") + if config.str2bool(self.master['pki_ds_secure_connection']): + data.setSecureConn("true") + else: + data.setSecureConn("false") + + def set_backup_parameters(self, data): + if config.str2bool(self.master['pki_backup_keys']): + data.setBackupKeys("true") + data.setBackupFile(self.master['pki_backup_keys_p12']) + data.setBackupPassword(self.sensitive['pki_backup_password']) + else: + data.setBackupKeys("false") + + def set_admin_parameters(self, token, data): + data.setAdminEmail(self.master['pki_admin_email']) + data.setAdminName(self.master['pki_admin_name']) + data.setAdminPassword(self.sensitive['pki_admin_password']) + data.setAdminProfileID(self.master['pki_admin_profile_id']) + data.setAdminUID(self.master['pki_admin_uid']) + data.setAdminSubjectDN(self.master['pki_admin_subject_dn']) + if self.master['pki_admin_cert_request_type'] == "crmf": + data.setAdminCertRequestType("crmf") + if config.str2bool(self.master['pki_admin_dualkey']): + crmf_request = generateCRMFRequest( + token, + self.master['pki_admin_keysize'], + self.master['pki_admin_subject_dn'], + "true") + else: + crmf_request = generateCRMFRequest( + token, + self.master['pki_admin_keysize'], + self.master['pki_admin_subject_dn'], + "false") + data.setAdminCertRequest(crmf_request) + else: + javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY) + javasystem.exit(1) + + def create_system_cert(self, tag): + cert = SystemCertData() + cert.setTag(self.master["pki_%s_tag" % tag]) + cert.setKeyAlgorithm(self.master["pki_%s_key_algorithm" % tag]) + cert.setKeySize(self.master["pki_%s_key_size" % tag]) + cert.setKeyType(self.master["pki_%s_key_type" % tag]) + cert.setNickname(self.master["pki_%s_nickname" % tag]) + cert.setSubjectDN(self.master["pki_%s_subject_dn" % tag]) + cert.setToken(self.master["pki_%s_token" % tag]) + return cert + + def construct_pki_configuration_data(self, token): data = None + master = self.master if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ (log.PKI_JYTHON_INDENTATION_2, @@ -278,141 +370,57 @@ class rest_client: master['pki_subsystem']) if not master['pki_dry_run_flag']: data = ConfigurationRequest() + # Miscellaneous Configuration Information - data.setPin(sensitive['pki_one_time_pin']) + data.setPin(self.sensitive['pki_one_time_pin']) data.setToken(ConfigurationRequest.TOKEN_DEFAULT) + data.setSubsystemName(master['pki_subsystem_name']) + + # Hierarchy if master['pki_instance_type'] == "Tomcat": - data.setSubsystemName(master['pki_subsystem_name']) if master['pki_subsystem'] == "CA": if config.str2bool(master['pki_clone']): # Cloned CA + # alee - is this correct? data.setHierarchy("root") - data.setIsClone("true") - data.setCloneUri(master['pki_clone_uri']) - data.setP12File(master['pki_clone_pkcs12_path']) - data.setP12Password( - sensitive['pki_clone_pkcs12_password']) elif config.str2bool(master['pki_external']): # External CA data.setHierarchy("join") - data.setIsClone("false") elif config.str2bool(master['pki_subordinate']): # Subordinate CA data.setHierarchy("join") - data.setIsClone("false") else: # PKI CA data.setHierarchy("root") - data.setIsClone("false") - elif master['pki_subsystem'] == "KRA": - if config.str2bool(master['pki_clone']): - # Cloned KRA - data.setIsClone("true") - data.setCloneUri(master['pki_clone_uri']) - data.setP12File(master['pki_clone_pkcs12_path']) - data.setP12Password( - sensitive['pki_clone_pkcs12_password']) - else: - # PKI KRA - data.setIsClone("false") - elif master['pki_subsystem'] == "OCSP": - if config.str2bool(master['pki_clone']): - # Cloned OCSP - data.setIsClone("true") - data.setCloneUri(master['pki_clone_uri']) - data.setP12File(master['pki_clone_pkcs12_path']) - data.setP12Password( - sensitive['pki_clone_pkcs12_password']) - else: - # PKI OCSP - data.setIsClone("false") - elif master['pki_subsystem'] == "TKS": - if config.str2bool(master['pki_clone']): - # Cloned TKS - data.setIsClone("true") - data.setCloneUri(master['pki_clone_uri']) - data.setP12File(master['pki_clone_pkcs12_path']) - data.setP12Password( - sensitive['pki_clone_pkcs12_password']) - else: - # PKI TKS - data.setIsClone("false") - # Security Domain Information - # - # NOTE: External CA's DO NOT require a security domain - # + + # Cloning parameters + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_clone']): + self.set_cloning_parameters(data) + else: + data.setIsClone("false") + + # Security Domain if master['pki_subsystem'] != "CA" or\ config.str2bool(master['pki_clone']) or\ config.str2bool(master['pki_subordinate']): # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or # Subordinate CA - data.setSecurityDomainType( - ConfigurationRequest.EXISTING_DOMAIN) - data.setSecurityDomainUri( - master['pki_security_domain_uri']) - data.setSecurityDomainUser( - master['pki_security_domain_user']) - data.setSecurityDomainPassword( - sensitive['pki_security_domain_password']) + self.set_existing_security_domain(data) elif not config.str2bool(master['pki_external']): # PKI CA - data.setSecurityDomainType( - ConfigurationRequest.NEW_DOMAIN) - data.setSecurityDomainName( - master['pki_security_domain_name']) - # Directory Server Information + self.set_new_security_domain(data) + if master['pki_subsystem'] != "RA": - data.setDsHost(master['pki_ds_hostname']) - data.setDsPort(master['pki_ds_ldap_port']) - data.setBaseDN(master['pki_ds_base_dn']) - data.setBindDN(master['pki_ds_bind_dn']) - data.setDatabase(master['pki_ds_database']) - data.setBindpwd(sensitive['pki_ds_password']) - if config.str2bool(master['pki_ds_remove_data']): - data.setRemoveData("true") - else: - data.setRemoveData("false") - if config.str2bool(master['pki_ds_secure_connection']): - data.setSecureConn("true") - else: - data.setSecureConn("false") - # Backup Information - if master['pki_instance_type'] == "Tomcat": - if config.str2bool(master['pki_backup_keys']): - data.setBackupKeys("true") - data.setBackupFile(master['pki_backup_keys_p12']) - data.setBackupPassword( - sensitive['pki_backup_password']) - else: - data.setBackupKeys("false") - # Admin Information + self.set_database_parameters(data) + if master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - data.setAdminEmail(master['pki_admin_email']) - data.setAdminName(master['pki_admin_name']) - data.setAdminPassword(sensitive['pki_admin_password']) - data.setAdminProfileID(master['pki_admin_profile_id']) - data.setAdminUID(master['pki_admin_uid']) - data.setAdminSubjectDN(master['pki_admin_subject_dn']) - if master['pki_admin_cert_request_type'] == "crmf": - data.setAdminCertRequestType("crmf") - if config.str2bool(master['pki_admin_dualkey']): - crmf_request = generateCRMFRequest( - token, - master['pki_admin_keysize'], - master['pki_admin_subject_dn'], - "true") - else: - crmf_request = generateCRMFRequest( - token, - master['pki_admin_keysize'], - master['pki_admin_subject_dn'], - "false") - data.setAdminCertRequest(crmf_request) - else: - javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY) - javasystem.exit(1) + self.set_backup_parameters(data) + + if not config.str2bool(master['pki_clone']): + self.set_admin_parameters(token, data) + # Issuing CA Information if master['pki_subsystem'] != "CA" or\ config.str2bool(master['pki_clone']) or\ @@ -422,154 +430,60 @@ class rest_client: # CA Clone, KRA Clone, OCSP Clone, TKS Clone, # Subordinate CA, or External CA data.setIssuingCA(master['pki_issuing_ca']) + # Create system certs systemCerts = ArrayList() + # Create 'CA Signing Certificate' - if master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA": - # External CA, Subordinate CA, or PKI CA - cert1 = SystemCertData() - cert1.setTag(master['pki_ca_signing_tag']) - cert1.setKeyAlgorithm( - master['pki_ca_signing_key_algorithm']) - cert1.setKeySize(master['pki_ca_signing_key_size']) - cert1.setKeyType(master['pki_ca_signing_key_type']) - cert1.setNickname(master['pki_ca_signing_nickname']) - cert1.setSigningAlgorithm( - master['pki_ca_signing_signing_algorithm']) - cert1.setSubjectDN(master['pki_ca_signing_subject_dn']) - cert1.setToken(master['pki_ca_signing_token']) - systemCerts.add(cert1) + cert = self.create_system_cert("ca_signing") + cert.setSigningAlgorithm( + master['pki_ca_signing_signing_algorithm']) + systemCerts.add(cert) + # Create 'OCSP Signing Certificate' - if master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA" or\ - master['pki_subsystem'] == "OCSP": - # External CA, Subordinate CA, PKI CA, or PKI OCSP - cert2 = SystemCertData() - cert2.setTag(master['pki_ocsp_signing_tag']) - cert2.setKeyAlgorithm( - master['pki_ocsp_signing_key_algorithm']) - cert2.setKeySize(master['pki_ocsp_signing_key_size']) - cert2.setKeyType(master['pki_ocsp_signing_key_type']) - cert2.setNickname(master['pki_ocsp_signing_nickname']) - cert2.setSigningAlgorithm( - master['pki_ocsp_signing_signing_algorithm']) - cert2.setSubjectDN( - master['pki_ocsp_signing_subject_dn']) - cert2.setToken(master['pki_ocsp_signing_token']) - systemCerts.add(cert2) + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.setSigningAlgorithm( + master['pki_ocsp_signing_signing_algorithm']) + systemCerts.add(cert2) + # Create 'SSL Server Certificate' - # PKI RA, PKI TPS, - # PKI CA, PKI KRA, PKI OCSP, PKI TKS, - # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE, - # External CA, or Subordinate CA - cert3 = SystemCertData() - cert3.setTag(master['pki_ssl_server_tag']) - cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm']) - cert3.setKeySize(master['pki_ssl_server_key_size']) - cert3.setKeyType(master['pki_ssl_server_key_type']) - cert3.setNickname(master['pki_ssl_server_nickname']) - cert3.setSubjectDN(master['pki_ssl_server_subject_dn']) - cert3.setToken(master['pki_ssl_server_token']) + # all subsystems + cert3 = self.create_system_cert("ssl_server") systemCerts.add(cert3) + # Create 'Subsystem Certificate' - if master['pki_instance_type'] == "Apache": - # PKI RA or PKI TPS - cert4 = SystemCertData() - cert4.setTag(master['pki_subsystem_tag']) - cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) - cert4.setKeySize(master['pki_subsystem_key_size']) - cert4.setKeyType(master['pki_subsystem_key_type']) - cert4.setNickname(master['pki_subsystem_nickname']) - cert4.setSubjectDN(master['pki_subsystem_subject_dn']) - cert4.setToken(master['pki_subsystem_token']) + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") systemCerts.add(cert4) - elif master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - # PKI CA, PKI KRA, PKI OCSP, PKI TKS, - # External CA, or Subordinate CA - cert4 = SystemCertData() - cert4.setTag(master['pki_subsystem_tag']) - cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) - cert4.setKeySize(master['pki_subsystem_key_size']) - cert4.setKeyType(master['pki_subsystem_key_type']) - cert4.setNickname(master['pki_subsystem_nickname']) - cert4.setSubjectDN(master['pki_subsystem_subject_dn']) - cert4.setToken(master['pki_subsystem_token']) - systemCerts.add(cert4) + # Create 'Audit Signing Certificate' - if master['pki_instance_type'] == "Apache": + if not config.str2bool(master['pki_clone']): if master['pki_subsystem'] != "RA": - # PKI TPS - cert5 = SystemCertData() - cert5.setTag(master['pki_audit_signing_tag']) - cert5.setKeyAlgorithm( - master['pki_audit_signing_key_algorithm']) - cert5.setKeySize(master['pki_audit_signing_key_size']) - cert5.setKeyType(master['pki_audit_signing_key_type']) - cert5.setNickname(master['pki_audit_signing_nickname']) - cert5.setKeyAlgorithm( + cert5 = self.create_system_cert("audit_signing") + cert5.setSigningAlgorithm( master['pki_audit_signing_signing_algorithm']) - cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) - cert5.setToken(master['pki_audit_signing_token']) systemCerts.add(cert5) - elif master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - # PKI CA, PKI KRA, PKI OCSP, PKI TKS, - # External CA, or Subordinate CA - cert5 = SystemCertData() - cert5.setTag(master['pki_audit_signing_tag']) - cert5.setKeyAlgorithm( - master['pki_audit_signing_key_algorithm']) - cert5.setKeySize(master['pki_audit_signing_key_size']) - cert5.setKeyType(master['pki_audit_signing_key_type']) - cert5.setNickname(master['pki_audit_signing_nickname']) - cert5.setKeyAlgorithm( - master['pki_audit_signing_signing_algorithm']) - cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) - cert5.setToken(master['pki_audit_signing_token']) - systemCerts.add(cert5) - # Create 'DRM Transport Certificate' - if master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - # PKI KRA - cert6 = SystemCertData() - cert6.setTag(master['pki_transport_tag']) - cert6.setKeyAlgorithm( - master['pki_transport_key_algorithm']) - cert6.setKeySize(master['pki_transport_key_size']) - cert6.setKeyType(master['pki_transport_key_type']) - cert6.setNickname(master['pki_transport_nickname']) - cert6.setKeyAlgorithm( - master['pki_transport_signing_algorithm']) - cert6.setSubjectDN(master['pki_transport_subject_dn']) - cert6.setToken(master['pki_transport_token']) - systemCerts.add(cert6) - # Create 'DRM Storage Certificate' - if master['pki_instance_type'] == "Tomcat": - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - # PKI KRA - cert7 = SystemCertData() - cert7.setTag(master['pki_storage_tag']) - cert7.setKeyAlgorithm( - master['pki_storage_key_algorithm']) - cert7.setKeySize(master['pki_storage_key_size']) - cert7.setKeyType(master['pki_storage_key_type']) - cert7.setNickname(master['pki_storage_nickname']) - cert7.setKeyAlgorithm( - master['pki_storage_signing_algorithm']) - cert7.setSubjectDN(master['pki_storage_subject_dn']) - cert7.setToken(master['pki_storage_token']) - systemCerts.add(cert7) - # Create system certs + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.add(cert6) + + cert7 = self.create_system_cert("storage") + systemCerts.add(cert7) + data.setSystemCerts(systemCerts) return data - def configure_pki_data(self, data, master, sensitive): + def configure_pki_data(self, data): + master = self.master if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ (log.PKI_JYTHON_INDENTATION_2, |