author | Matthew Harmsen <mharmsen@redhat.com> | 2014-03-19 14:31:12 -0700 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2014-03-20 16:55:06 -0700 |
commit | 81af8ae1230e8447e7cc0d24ea9a9b8dadf6c08d (patch) | |
tree | 35f6860540929451a99953e5523e921da88c0464 /base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | |
parent | 905b83fe6359a64029e697989312d49c33dd6f88 (diff) | |
Sign CA clone sslserver certificate using CA master.
* Dogtag TRAC Ticket #816 - pki-tomcat cannot be started after installation of
ipa replica with ca
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 66 |
1 files changed, 64 insertions, 2 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 3019716db..5da4dddfe 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2222,6 +2222,45 @@ public class ConfigurationUtils {
 String certTag = certObj.getCertTag();
 try {
+ String selection = config.getString("preop.subsystem.select");
+ String csType = config.getString("cs.type");
+ String preop_ca_type = null;
+ String preop_cert_signing_type = null;
+ String preop_cert_signing_profile = null;
+ String preop_cert_sslserver_type = null;
+ String preop_cert_sslserver_profile = null;
+ String original_caType = null;
+ boolean sign_clone_sslserver_cert_using_master = false;
+
+ if (selection.equals("clone") && csType.equals("CA") && certTag.equals("sslserver")) {
+ // retrieve and store original 'CS.cfg' entries
+ preop_ca_type = config.getString("preop.ca.type", "");
+ preop_cert_signing_type = config.getString("preop.cert.signing.type", "");
+ preop_cert_signing_profile = config.getString("preop.cert.signing.profile","");
+ preop_cert_sslserver_type = config.getString("preop.cert.sslserver.type", "");
+ preop_cert_sslserver_profile = config.getString("preop.cert.sslserver.profile","");
+
+ // add/modify 'CS.cfg' entries
+ config.putString("preop.ca.type", "sdca");
+ config.putString("preop.cert.signing.type", "remote");
+ config.putString("preop.cert.signing.profile","caInstallCACert");
+ config.putString("preop.cert.sslserver.type", "remote");
+ config.putString("preop.cert.sslserver.profile","caInternalAuthServerCert");
+
+ // store original caType
+ original_caType = caType;
+
+ // modify caType
+ certObj.setType("remote");
+
+ // fetch revised caType
+ caType = certObj.getType();
+ CMS.debug("configCert: caType is " + caType + " (revised)");
+
+ // set master/clone signature flag
+ sign_clone_sslserver_cert_using_master = true;
+ }
+
 updateConfig(config, certTag);
 if (caType.equals("remote")) {
 String v = config.getString("preop.ca.type", "");
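Review bot: The five `preop.*` overrides and the `caType` swap introduced here are undone only on the success path in the third hunk (after the `cert == null` check), so any exception between the override and that restore — including a failed signing request to the master — leaves the in-memory CS.cfg with `preop.ca.type=sdca`, the signing and sslserver types set to `remote`, and `caType` reporting `remote` for the rest of configuration. Moving the restore into a `finally` on the enclosing `try`, guarded by the same `sign_clone_sslserver_cert_using_master` flag, would make the override transient regardless of outcome; the third hunk then only needs the flag reset. The enclosing method (which declares `caType`, `certObj` and `config`) starts and ends outside the hunk, so whether `updateConfig` or a later step persists these temporary values to disk cannot be confirmed from here — if it does, the unrestored state survives a restart.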
@@ -2266,8 +2305,16 @@ public class ConfigurationUtils {
 String ca_hostname = "";
 int ca_port = -1;
 try {
- ca_hostname = config.getString("preop.ca.hostname", "");
- ca_port = config.getInteger("preop.ca.httpsport", -1);
+ if (sign_clone_sslserver_cert_using_master) {
+ CMS.debug("NamePanel: For this Cloned CA, always use its Master CA to generate " +
+ "the 'sslserver' certificate to avoid any changes which may have been " +
+ "made to the X500Name directory string encoding order.");
+ ca_hostname = config.getString("preop.master.hostname", "");
+ ca_port = config.getInteger("preop.master.httpsport", -1);
+ } else {
+ ca_hostname = config.getString("preop.ca.hostname", "");
+ ca_port = config.getInteger("preop.ca.httpsport", -1);
+ }
 } catch (Exception ee) {
 }
@@ -2281,6 +2328,21 @@ public class ConfigurationUtils {
 if (cert == null) {
 throw new IOException("Error: remote certificate is null");
 }
+
+ if (sign_clone_sslserver_cert_using_master) {
+ // restore original 'CS.cfg' entries
+ config.putString("preop.ca.type", preop_ca_type);
+ config.putString("preop.cert.signing.type", preop_cert_signing_type);
+ config.putString("preop.cert.signing.profile", preop_cert_signing_profile);
+ config.putString("preop.cert.sslserver.type", preop_cert_sslserver_type);
+ config.putString("preop.cert.sslserver.profile", preop_cert_sslserver_profile);
+
+ // restore original 'caType'
+ caType = original_caType;
+
+ // reset master/clone signature flag
+ sign_clone_sslserver_cert_using_master = false;
+ }
 } else if (v.equals("otherca")) {
 config.putString(subsystem + "." + certTag + ".cert", "...paste certificate here..."); |
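Review bot: When `preop.master.hostname` or `preop.master.httpsport` is missing, the new branch silently keeps `ca_hostname = ""` and `ca_port = -1` (the defaults are returned, and the surrounding pre-existing `catch (Exception ee) { }` hides anything else), so a clone that must be signed by its master presumably goes on to attempt a request against an empty host below the hunk. A check placed after the `try`/`catch`, not inside it, would surface this: `if (sign_clone_sslserver_cert_using_master && (ca_hostname.isEmpty() || ca_port < 0)) throw new IOException("preop.master.hostname/httpsport not configured for clone sslserver signing");`. As a point of style, the debug message is prefixed `NamePanel:` while the rest of this method uses `configCert:` (see the message added in the first hunk); the old prefix makes the log line look as if it came from a different class. The enclosing method begins and ends outside the hunk.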
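Review bot: The restore block resets the local `caType` but not `certObj`, whose type was switched with `certObj.setType("remote")` in the first hunk, so if the Cert object is consulted after this call it still reports `remote`; adding `certObj.setType(original_caType);` beside `caType = original_caType;` makes the restore symmetric with the override. Separately, the originals were read with a `""` default, so a key that did not exist before the override is written back as an empty string rather than left absent — worth confirming that e.g. `preop.cert.sslserver.profile=` is harmless to later steps, or skipping the `putString` when the saved value is empty. The closing `sign_clone_sslserver_cert_using_master = false;` has no reader visible in the hunk; if nothing below uses it, it is a dead store. The enclosing method ends outside the hunk.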