authorMatthew Harmsen <mharmsen@redhat.com>2013-10-15 17:55:05 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2013-10-15 17:59:23 -0700
commit47c77a67d67cb443070137fd9b8d64955d499089 (patch)
tree12b7588f34a80a74c000e77b19017ec941ad5231 /base/ocsp
parent618be8bd7e9488a325789232c94aad109f9b6803 (diff)
Stand-alone DRM
* TRAC Ticket #667 - provide option for ca-less drm install
Diffstat (limited to 'base/ocsp')
-rw-r--r--base/ocsp/shared/conf/CS.cfg.in1
-rw-r--r--base/ocsp/shared/conf/acl.ldif1
-rw-r--r--base/ocsp/shared/conf/db.ldif12
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml167
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java16
5 files changed, 197 insertions, 0 deletions
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 8c4d68dc7..65b8b4c22 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -48,6 +48,7 @@ ocsp.cert.signing.certusage=StatusResponder
ocsp.cert.sslserver.certusage=SSLServer
ocsp.cert.subsystem.certusage=SSLClient
ocsp.cert.audit_signing.certusage=ObjectSigner
+ocsp.standalone=[PKI_STANDALONE]
preop.cert.ocsp_signing.enable=true
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif
index b1dbc4c5b..14221f8bb 100644
--- a/base/ocsp/shared/conf/acl.ldif
+++ b/base/ocsp/shared/conf/acl.ldif
@@ -10,6 +10,7 @@ cn: aclResources
resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete
resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise OCSP Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
#resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter
resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log
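Review bot: The description on the new certServer.securitydomain.domainxml ACL says "Enterprise Administrators" while the allow clause actually grants group="Enterprise OCSP Administrators"; since this text is what an auditor reads when reviewing the ACL, make it name the group that is granted, e.g. `...but only the Subsystem Group and Enterprise OCSP Administrators are allowed to modify the domain.xml`. The same commit creates a "Security Domain Administrators" group in db.ldif that this ACL does not mention; if that group is expected to modify domain.xml on a stand-alone OCSP it needs to appear in the modify clause, and if it is intentionally not granted here a short comment in the ldif saying so would avoid the question coming up again. Read access for user="anybody" matches the unauthenticated ocspGetDomainXML servlet added in web.xml, so that part looks intentional.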
diff --git a/base/ocsp/shared/conf/db.ldif b/base/ocsp/shared/conf/db.ldif
index ec159e02f..2e0eec44c 100644
--- a/base/ocsp/shared/conf/db.ldif
+++ b/base/ocsp/shared/conf/db.ldif
@@ -50,6 +50,18 @@ objectClass: groupOfUniqueNames
cn: ClonedSubsystems
description: People who can clone the master subsystem
+dn: cn=Security Domain Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Security Domain Administrators
+description: People who are the Security Domain administrators
+
+dn: cn=Enterprise OCSP Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise OCSP Administrators
+description: People who are the administrators for the security domain for OCSP
+
dn: ou=requests,{rootSuffix}
objectClass: top
objectClass: organizationalUnit
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index b9b874513..9c86fa1f1 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -404,6 +404,121 @@
<param-value> ocspGetStatus </param-value> </init-param>
</servlet>
+ [PKI_OPEN_STANDALONE_COMMENT]
+ <servlet>
+ <servlet-name> ocspGetDomainXML </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetDomainXML </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspGetDomainXML </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspUpdateDomainXML </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspUpdateDomainXML </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.securitydomain.domainxml </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspUpdateDomainXML-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspUpdateDomainXML </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> admin </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.securitydomain.domainxml </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspSecurityDomainLogin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.SecurityDomainLogin </servlet-class>
+ <init-param> <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspSecurityDomainLogin </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificates </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspGetCookie </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetCookie </servlet-class>
+ <init-param> <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspGetCookie </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> passwdUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /admin/ocsp/sendCookie.template </param-value> </init-param>
+ <init-param><param-name> errorTemplatePath </param-name>
+ <param-value> /admin/ocsp/securitydomainlogin.template </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspTokenAuthenticate </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspTokenAuthenticate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> ocspTokenAuthenticate-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspTokenAuthenticate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> admin </param-value> </init-param>
+ </servlet>
+ [PKI_CLOSE_STANDALONE_COMMENT]
+
<listener>
<listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
</listener>
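Review bot: The ocspSecurityDomainLogin servlet is authorized against resourceID certServer.ee.certificates with BasicAclAuthz, but that resource is not among the ACLs this commit adds to base/ocsp/shared/conf/acl.ldif (only certServer.securitydomain.domainxml is); confirm the OCSP acl.ldif already defines it, or that the authz manager's behaviour for an undefined resource is the intended one, since an unexpected deny would break the stand-alone login flow. Likewise ocspGetCookie references `/admin/ocsp/sendCookie.template` and `/admin/ocsp/securitydomainlogin.template`, and neither file is in this commit's base/ocsp diffstat, so they are presumably pre-existing or delivered elsewhere — worth verifying before the `[PKI_OPEN_STANDALONE_COMMENT]` markers are substituted away at install time. The split of updateDomainXML into an agent interface with GetClientCert=true/certUserDBAuthMgr and an admin interface with TokenAuth is consistent within the hunk; a one-line XML comment above the block noting that these servlets are only uncommented for a stand-alone deployment would help the next reader understand the placeholder tokens. The enclosing <web-app> element starts and ends outside this hunk.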
@@ -576,6 +691,43 @@
<url-pattern> /admin/ocsp/getStatus </url-pattern>
</servlet-mapping>
+ [PKI_OPEN_STANDALONE_COMMENT]
+ <servlet-mapping>
+ <servlet-name> ocspGetDomainXML </servlet-name>
+ <url-pattern> /admin/ocsp/getDomainXML </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspUpdateDomainXML </servlet-name>
+ <url-pattern> /agent/ocsp/updateDomainXML </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspUpdateDomainXML-admin </servlet-name>
+ <url-pattern> /admin/ocsp/updateDomainXML </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspSecurityDomainLogin </servlet-name>
+ <url-pattern> /admin/ocsp/securityDomainLogin </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspGetCookie </servlet-name>
+ <url-pattern> /admin/ocsp/getCookie </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspTokenAuthenticate </servlet-name>
+ <url-pattern> /ee/ocsp/tokenAuthenticate </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> ocspTokenAuthenticate-admin </servlet-name>
+ <url-pattern> /admin/ocsp/tokenAuthenticate </url-pattern>
+ </servlet-mapping>
+ [PKI_CLOSE_STANDALONE_COMMENT]
+
<!-- ==================== Default Session Configuration =============== -->
<!-- You can set the default session timeout (in minutes) for all newly -->
@@ -613,6 +765,21 @@
</user-data-constraint>
</security-constraint>
+ [PKI_OPEN_STANDALONE_COMMENT]
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Security Domain Services</web-resource-name>
+ <url-pattern>/rest/securityDomain/installToken</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+ [PKI_CLOSE_STANDALONE_COMMENT]
+
<login-config>
<realm-name>Online Certificate Status Protocol Manager</realm-name>
</login-config>
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index 39c17cede..2d1ffa7d3 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -5,6 +5,9 @@ import java.util.Set;
import javax.ws.rs.core.Application;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.authorization.ACLInterceptor;
import com.netscape.cms.authorization.AuthMethodInterceptor;
@@ -17,6 +20,7 @@ import com.netscape.cms.servlet.admin.UserMembershipService;
import com.netscape.cms.servlet.admin.UserService;
import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cmscore.logging.AuditService;
+import com.netscape.cms.servlet.csadmin.SecurityDomainService;
import com.netscape.cmscore.selftests.SelfTestService;
public class OCSPApplication extends Application {
@@ -35,6 +39,18 @@ public class OCSPApplication extends Application {
// installer
classes.add(SystemConfigService.class);
+ // security domain
+ IConfigStore cs = CMS.getConfigStore();
+ try {
+ boolean standalone = cs.getBoolean("ocsp.standalone", false);
+ if (standalone) {
+ classes.add(SecurityDomainService.class);
+ }
+ } catch (EBaseException e) {
+ CMS.debug(e);
+ throw new RuntimeException(e);
+ }
+
// selftests
classes.add(SelfTestService.class);
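Review bot: The catch block turns any EBaseException from reading ocsp.standalone into an unchecked RuntimeException, so a malformed value — for instance the literal `[PKI_STANDALONE]` token that CS.cfg.in now carries until the installer substitutes it — presumably aborts application startup rather than falling back to the non-standalone class set (whether getBoolean throws on a non-boolean string is inferred, not visible here). If failing closed on a bad flag is the intent, say so at the catch: `// a malformed ocsp.standalone value is a deployment error; fail startup rather than silently disable the security domain`. PKIException is already imported by this class, so throwing that instead of a bare RuntimeException would likely be more consistent with the surrounding code, though its use is outside the hunk. In the earlier import hunk the new SecurityDomainService import lands after com.netscape.cmscore.logging.AuditService instead of next to SystemConfigService in the com.netscape.cms.servlet.csadmin group. The enclosing method starts and ends outside this hunk.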