authorAde Lee <alee@redhat.com>2014-09-09 15:06:31 -0400
committerAde Lee <alee@redhat.com>2014-10-01 12:43:59 -0400
commitb644429de7d9649e98737113182d9fcd6912e92a (patch)
tree6448bc5712d3f28430870ab9c7b971eded8b7fbc /base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
parent67f8c07d29a329f091a6c527f8d0dc9d52439cbd (diff)
Fix sub-CA installation with own security domain
Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to the Python installation code, the Java configuration servlet, and the man pages. Ticket 1132
Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java')
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java224
1 files changed, 141 insertions, 83 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index fa762774a..7ba345d8d 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -222,28 +222,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
// Done Panel
// Create or update security domain
CMS.debug("=== Done Panel ===");
- try {
- String securityDomainType = data.getSecurityDomainType();
- if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
- ConfigurationUtils.createSecurityDomain();
- } else {
- ConfigurationUtils.updateSecurityDomain();
- }
- cs.putString("service.securityDomainPort", CMS.getAgentPort());
- cs.putString("securitydomain.store", "ldap");
- cs.commit(false);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Error while updating security domain: " + e);
- }
-
- try {
- if (!data.getSharedDB()) ConfigurationUtils.setupDBUser();
- } catch (Exception e) {
- CMS.debug(e);
- throw new PKIException("Errors in creating or updating dbuser: " + e);
- }
-
+ setupSecurityDomain(data);
+ setupDBUser(data);
finalizeConfiguration(data);
cs.putInteger("cs.state", 1);
@@ -268,6 +248,46 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
response.setStatus(SUCCESS);
}
+ private void setupDBUser(ConfigurationRequest data) {
+ try {
+ if (!data.getSharedDB()) ConfigurationUtils.setupDBUser();
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException("Errors in creating or updating dbuser: " + e);
+ }
+ }
+
+ private void setupSecurityDomain(ConfigurationRequest data) {
+ try {
+ String securityDomainType = data.getSecurityDomainType();
+ if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
+ CMS.debug("Creating new security domain");
+ ConfigurationUtils.createSecurityDomain();
+ } else if (securityDomainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
+ CMS.debug("Creating subordinate CA security domain");
+
+ // switch out security domain parameters from issuing CA security domain
+ // to subordinate CA hosted security domain
+ cs.putString("securitydomain.name", data.getSubordinateSecurityDomainName());
+ cs.putString("securitydomain.host", CMS.getEENonSSLHost());
+ cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
+ cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
+ cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
+ cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
+ ConfigurationUtils.createSecurityDomain();
+ } else {
+ CMS.debug("Updating existing security domain");
+ ConfigurationUtils.updateSecurityDomain();
+ }
+ cs.putString("service.securityDomainPort", CMS.getAgentPort());
+ cs.putString("securitydomain.store", "ldap");
+ cs.commit(false);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Error while updating security domain: " + e);
+ }
+ }
+
public Collection<String> getCertList(ConfigurationRequest request) {
Collection<String> certList = new ArrayList<String>();
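Review bot: The two new helpers report failures differently and neither preserves the cause: setupDBUser logs through `CMS.debug(e)` while setupSecurityDomain calls `e.printStackTrace()` (stderr, outside the subsystem debug log), and both build the client-facing message with `+ e`, which forwards the underlying exception's own text to the REST caller. A consistent form would be `CMS.debug(e); throw new PKIException("Error while updating security domain: " + e.getMessage(), e);` — assuming PKIException offers a cause-taking constructor, which this hunk does not show. The NEW_SUBDOMAIN branch in setupSecurityDomain is the step that repoints `securitydomain.host` and the port keys from the issuing CA back to the subordinate, so its placement relative to the earlier login step matters; a one-line comment saying that the values it replaces were written by logIntoSecurityDomain would make the dependency explicit. getCertList begins at the end of this hunk and continues outside it.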
@@ -737,10 +757,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
CMS.debug("local CA selected");
url = url.substring(url.indexOf("https"));
cs.putString("preop.ca.url", url);
-
URL urlx = new URL(url);
String host = urlx.getHost();
int port = urlx.getPort();
+
int admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
host, port, "CA", "SecurePort", "SecureAdminPort");
@@ -841,81 +861,111 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
String securityDomainType = data.getSecurityDomainType();
String securityDomainName = data.getSecurityDomainName();
- String securityDomainURL = data.getSecurityDomainUri();
if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
- CMS.debug("Creating new security domain");
- cs.putString("preop.securitydomain.select", "new");
- cs.putString("securitydomain.select", "new");
- cs.putString("preop.securitydomain.name", securityDomainName);
- cs.putString("securitydomain.name", securityDomainName);
- cs.putString("securitydomain.host", CMS.getEENonSSLHost());
- cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
- cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
- cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
- cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
- // Stand-alone PKI (Step 1)
- if (data.getStandAlone()) {
- cs.putString("preop.cert.subsystem.type", "remote");
- } else {
- cs.putString("preop.cert.subsystem.type", "local");
- }
- cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
-
+ configureNewSecurityDomain(data, securityDomainName);
+ } else if (securityDomainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)){
+ CMS.debug("Configuring new subordinate root CA");
+ configureNewSecurityDomain(data, data.getSubordinateSecurityDomainName());
+ String securityDomainURL = data.getSecurityDomainUri();
+ domainXML = logIntoSecurityDomain(data, securityDomainURL);
} else {
CMS.debug("Joining existing security domain");
cs.putString("preop.securitydomain.select", "existing");
cs.putString("securitydomain.select", "existing");
cs.putString("preop.cert.subsystem.type", "remote");
cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
+ String securityDomainURL = data.getSecurityDomainUri();
+ domainXML = logIntoSecurityDomain(data, securityDomainURL);
+ }
+ return domainXML;
+ }
- CMS.debug("Getting certificate chain");
- // contact and log onto security domain
- URL secdomainURL;
- String host;
- int port;
- try {
- secdomainURL = new URL(securityDomainURL);
- host = secdomainURL.getHost();
- port = secdomainURL.getPort();
- cs.putString("securitydomain.host", host);
- cs.putInteger("securitydomain.httpsadminport",port);
- ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to import certificate chain from security domain master: " + e);
- }
+ private void configureNewSecurityDomain(ConfigurationRequest data, String securityDomainName) {
+ CMS.debug("Creating new security domain");
+ cs.putString("preop.securitydomain.select", "new");
+ cs.putString("securitydomain.select", "new");
+ cs.putString("preop.securitydomain.name", securityDomainName);
+ cs.putString("securitydomain.name", securityDomainName);
+ cs.putString("securitydomain.host", CMS.getEENonSSLHost());
+ cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
+ cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
+ cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
+ cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
+ // Stand-alone PKI (Step 1)
+ if (data.getStandAlone()) {
+ cs.putString("preop.cert.subsystem.type", "remote");
+ } else {
+ cs.putString("preop.cert.subsystem.type", "local");
+ }
+ cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
+ }
- CMS.debug("Getting install token");
- // log onto security domain and get token
- String user = data.getSecurityDomainUser();
- String pass = data.getSecurityDomainPassword();
- String installToken;
- try {
- installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to obtain installation token from security domain: " + e);
- }
+ private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) {
+ URL secdomainURL;
+ String host;
+ int port;
+ try {
+ CMS.debug("Resolving security domain URL" + securityDomainURL);
+ secdomainURL = new URL(securityDomainURL);
+ host = secdomainURL.getHost();
+ port = secdomainURL.getPort();
+ cs.putString("securitydomain.host", host);
+ cs.putInteger("securitydomain.httpsadminport",port);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to resolve security domain URL");
+ }
- if (installToken == null) {
- CMS.debug("Install token is null");
- throw new PKIException("Failed to obtain installation token from security domain");
- }
- CMS.setConfigSDSessionId(installToken);
+ getCertChainFromSecurityDomain(host, port);
+ getInstallToken(data, host, port);
- CMS.debug("Getting domain XML");
- try {
- domainXML = ConfigurationUtils.getDomainXML(host, port, true);
- ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
- }
+ return getDomainXML(host, port);
+ }
+
+ private String getDomainXML(String host, int port) {
+ CMS.debug("Getting domain XML");
+ String domainXML = null;
+ try {
+ domainXML = ConfigurationUtils.getDomainXML(host, port, true);
+ ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
}
return domainXML;
}
+ private void getCertChainFromSecurityDomain(String host, int port) {
+ CMS.debug("Getting security domain cert chain");
+ try {
+ ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to import certificate chain from security domain master: " + e);
+ }
+ }
+
+ private void getInstallToken(ConfigurationRequest data, String host, int port) {
+ CMS.debug("Getting install token");
+ // log onto security domain and get token
+ String user = data.getSecurityDomainUser();
+ String pass = data.getSecurityDomainPassword();
+ String installToken;
+ try {
+ installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to obtain installation token from security domain: " + e);
+ }
+
+ if (installToken == null) {
+ CMS.debug("Install token is null");
+ throw new PKIException("Failed to obtain installation token from security domain");
+ }
+ CMS.setConfigSDSessionId(installToken);
+ }
+
public void configureSubsystem(ConfigurationRequest request,
Collection<String> certList, String token, String domainXML) {
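Review bot: In the NEW_SUBDOMAIN branch, configureNewSecurityDomain writes the subordinate's own host and admin port into `securitydomain.host` and `securitydomain.httpsadminport`, and logIntoSecurityDomain immediately overwrites those two keys with the issuing CA's values; the configuration is only made consistent again by the setupSecurityDomain helper added earlier in this commit, so a failure between those points leaves a subordinate whose stored domain host is its parent. Keeping the parent's host and port in locals, or under keys outside `securitydomain.*`, for the subdomain case would avoid that round trip. Separately, `secdomainURL.getPort()` returns -1 when the URI has no explicit port and the value is stored and passed on unchecked; unless the URI validation elsewhere guarantees a port, add `if (port == -1) throw new PKIException("Security domain URL must specify a port");` after the assignment. Two small things in logIntoSecurityDomain: `CMS.debug("Resolving security domain URL" + securityDomainURL)` has no separator before the URL, and its catch is the only one in this hunk that omits the exception from the message, which makes a bad URL harder to diagnose than the other failures. The method containing the first part of this hunk starts before the hunk.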
@@ -1002,7 +1052,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
if (data.getSecurityDomainName() == null) {
throw new BadRequestException("Security Domain Name is not provided");
}
- } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN)) {
+ } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN) ||
+ domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
if (data.getStandAlone()) {
throw new BadRequestException("Existing security domains are not valid for stand-alone PKI subsytems");
}
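Review bot: With NEW_SUBDOMAIN now routed through this branch, the message `"Existing security domains are not valid for stand-alone PKI subsytems"` is thrown for a request that is not joining an existing domain, and it keeps the typo in "subsystems". Rewording it to what the check actually enforces, e.g. `throw new BadRequestException("Stand-alone PKI subsystems must create their own new security domain");`, keeps it accurate for both domain types. The enclosing validation method starts and ends outside the hunk.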
@@ -1026,6 +1077,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
throw new BadRequestException("Invalid security domain URI provided");
}
+ // validate subordinate CA security domain settings
+ if (domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
+ if (StringUtils.isEmpty(data.getSubordinateSecurityDomainName())) {
+ throw new BadRequestException("Subordinate CA security domain name not provided");
+ }
+ }
+
if ((data.getSubsystemName() == null) || (data.getSubsystemName().length() ==0)) {
throw new BadRequestException("Invalid or no subsystem name provided");
}
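Review bot: `StringUtils.isEmpty` lets a whitespace-only subordinate domain name through, and that value is later written to `securitydomain.name` by configureNewSecurityDomain; if this is the commons-lang StringUtils, `isBlank` is the stricter check. The two nested conditions can also be folded into one: `if (domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN) && StringUtils.isBlank(data.getSubordinateSecurityDomainName())) {`. The neighbouring subsystem-name check on the next lines uses the `== null || length() == 0` form, so whichever helper is chosen, using it for both keeps the method consistent. The enclosing method continues outside the hunk.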