diff options
author | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:55:05 -0700 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:59:23 -0700 |
commit | 47c77a67d67cb443070137fd9b8d64955d499089 (patch) | |
tree | 12b7588f34a80a74c000e77b19017ec941ad5231 /base/kra | |
parent | 618be8bd7e9488a325789232c94aad109f9b6803 (diff) | |
download | pki-47c77a67d67cb443070137fd9b8d64955d499089.tar.gz pki-47c77a67d67cb443070137fd9b8d64955d499089.tar.xz pki-47c77a67d67cb443070137fd9b8d64955d499089.zip |
Stand-alone DRM
* TRAC Ticket #667 - provide option for ca-less drm install
Diffstat (limited to 'base/kra')
-rw-r--r-- | base/kra/shared/conf/CS.cfg.in | 1 | ||||
-rw-r--r-- | base/kra/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/kra/shared/conf/db.ldif | 12 | ||||
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/web.xml | 167 | ||||
-rw-r--r-- | base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java | 16 |
5 files changed, 197 insertions, 0 deletions
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in index 9045eb904..5262f8c55 100644 --- a/base/kra/shared/conf/CS.cfg.in +++ b/base/kra/shared/conf/CS.cfg.in @@ -49,6 +49,7 @@ kra.cert.storage.certusage=SSLClient kra.cert.sslserver.certusage=SSLServer kra.cert.subsystem.certusage=SSLClient kra.cert.audit_signing.certusage=ObjectSigner +kra.standalone=[PKI_STANDALONE] preop.cert.list=transport,storage,sslserver,subsystem,audit_signing preop.cert.rsalist=transport,storage,audit_signing preop.cert.transport.enable=true diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif index 89db3c1c9..76da45db3 100644 --- a/base/kra/shared/conf/acl.ldif +++ b/base/kra/shared/conf/acl.ldif @@ -5,6 +5,7 @@ cn: aclResources resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Data Recovery Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Data Recovery Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Data Recovery Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify +resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise KRA Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Data Recovery Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter #resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Data Recovery Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log diff --git a/base/kra/shared/conf/db.ldif b/base/kra/shared/conf/db.ldif index c07e9f1a6..61054458e 100644 --- a/base/kra/shared/conf/db.ldif +++ b/base/kra/shared/conf/db.ldif @@ -45,6 +45,18 @@ objectClass: groupOfUniqueNames cn: ClonedSubsystems description: People who can clone the master subsystem +dn: cn=Security Domain Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Security Domain Administrators +description: People who are the Security Domain administrators + +dn: cn=Enterprise KRA Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Enterprise KRA Administrators +description: People who are the administrators for the security domain for KRA + dn: ou=requests,{rootSuffix} objectClass: top objectClass: organizationalUnit diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml index bcd4513c0..12f18848e 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/web.xml +++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml @@ -691,6 +691,121 @@ <param-value> kraGetStatus </param-value> </init-param> </servlet> + [PKI_OPEN_STANDALONE_COMMENT] + <servlet> + <servlet-name> kraGetDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraGetDomainXML </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraUpdateDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraUpdateDomainXML-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraSecurityDomainLogin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.SecurityDomainLogin </servlet-class> + <init-param> <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraSecurityDomainLogin </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraGetCookie </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetCookie </servlet-class> + <init-param> <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraGetCookie </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> passwdUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /admin/kra/sendCookie.template </param-value> </init-param> + <init-param><param-name> errorTemplatePath </param-name> + <param-value> /admin/kra/securitydomainlogin.template </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraTokenAuthenticate </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraTokenAuthenticate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> kraTokenAuthenticate-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> kra </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> kraTokenAuthenticate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + </servlet> + [PKI_CLOSE_STANDALONE_COMMENT] + <!-- ==================== RESTEasy Configuration =============== --> @@ -943,6 +1058,43 @@ <url-pattern> /admin/kra/getStatus </url-pattern> </servlet-mapping> + [PKI_OPEN_STANDALONE_COMMENT] + <servlet-mapping> + <servlet-name> kraGetDomainXML </servlet-name> + <url-pattern> /admin/kra/getDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraUpdateDomainXML </servlet-name> + <url-pattern> /agent/kra/updateDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraUpdateDomainXML-admin </servlet-name> + <url-pattern> /admin/kra/updateDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraSecurityDomainLogin </servlet-name> + <url-pattern> /admin/kra/securityDomainLogin </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraGetCookie </servlet-name> + <url-pattern> /admin/kra/getCookie </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraTokenAuthenticate </servlet-name> + <url-pattern> /ee/kra/tokenAuthenticate </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> kraTokenAuthenticate-admin </servlet-name> + <url-pattern> /admin/kra/tokenAuthenticate </url-pattern> + </servlet-mapping> + [PKI_CLOSE_STANDALONE_COMMENT] + <!-- ==================== Default Session Configuration =============== --> <!-- You can set the default session timeout (in minutes) for all newly --> <!-- created sessions by modifying the value below. --> @@ -992,6 +1144,21 @@ </user-data-constraint> </security-constraint> + [PKI_OPEN_STANDALONE_COMMENT] + <security-constraint> + <web-resource-collection> + <web-resource-name>Security Domain Services</web-resource-name> + <url-pattern>/rest/securityDomain/installToken</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + [PKI_CLOSE_STANDALONE_COMMENT] + <login-config> <realm-name>Key Recovery Authority</realm-name> </login-config> diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index 04b4989ef..213e41e50 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -5,6 +5,9 @@ import java.util.Set; import javax.ws.rs.core.Application; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.authorization.ACLInterceptor; import com.netscape.cms.authorization.AuthMethodInterceptor; @@ -16,6 +19,7 @@ import com.netscape.cms.servlet.admin.UserCertService; import com.netscape.cms.servlet.admin.UserMembershipService; import com.netscape.cms.servlet.admin.UserService; import com.netscape.cms.servlet.csadmin.SystemConfigService; +import com.netscape.cms.servlet.csadmin.SecurityDomainService; import com.netscape.cms.servlet.key.KeyService; import com.netscape.cms.servlet.request.KeyRequestService; import com.netscape.cmscore.logging.AuditService; @@ -37,6 +41,18 @@ public class KeyRecoveryAuthorityApplication extends Application { // installer classes.add(SystemConfigService.class); + // security domain + IConfigStore cs = CMS.getConfigStore(); + try { + boolean standalone = cs.getBoolean("kra.standalone", false); + if (standalone) { + classes.add(SecurityDomainService.class); + } + } catch (EBaseException e) { + CMS.debug(e); + throw new RuntimeException(e); + } + // keys and keyrequests classes.add(KeyService.class); classes.add(KeyRequestService.class); |