author | Ade Lee <alee@redhat.com> | 2014-09-09 15:06:31 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2014-10-01 12:43:59 -0400 |
commit | b644429de7d9649e98737113182d9fcd6912e92a (patch) | |
tree | 6448bc5712d3f28430870ab9c7b971eded8b7fbc /base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | |
parent | 67f8c07d29a329f091a6c527f8d0dc9d52439cbd (diff) | |
Fix sub-CA installation with own security domain
Installation code failed to anticipate installation of a subordinate
CA that would host its own security domain. This patch includes changes
to python installation code, java configuration servlet and
changes to man pages.
Ticket 1132
Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 224 |
1 files changed, 141 insertions, 83 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index fa762774a..7ba345d8d 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -222,28 +222,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         // Done Panel
         // Create or update security domain
         CMS.debug("=== Done Panel ===");
-        try {
-            String securityDomainType = data.getSecurityDomainType();
-            if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
-                ConfigurationUtils.createSecurityDomain();
-            } else {
-                ConfigurationUtils.updateSecurityDomain();
-            }
-            cs.putString("service.securityDomainPort", CMS.getAgentPort());
-            cs.putString("securitydomain.store", "ldap");
-            cs.commit(false);
-        } catch (Exception e) {
-            e.printStackTrace();
-            throw new PKIException("Error while updating security domain: " + e);
-        }
-
-        try {
-            if (!data.getSharedDB()) ConfigurationUtils.setupDBUser();
-        } catch (Exception e) {
-            CMS.debug(e);
-            throw new PKIException("Errors in creating or updating dbuser: " + e);
-        }
-
+        setupSecurityDomain(data);
+        setupDBUser(data);
         finalizeConfiguration(data);
         cs.putInteger("cs.state", 1);
 
@@ -268,6 +248,46 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         response.setStatus(SUCCESS);
     }
 
+    private void setupDBUser(ConfigurationRequest data) {
+        try {
+            if (!data.getSharedDB()) ConfigurationUtils.setupDBUser();
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new PKIException("Errors in creating or updating dbuser: " + e);
+        }
+    }
+
+    private void setupSecurityDomain(ConfigurationRequest data) {
+        try {
+            String securityDomainType = data.getSecurityDomainType();
+            if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
+                CMS.debug("Creating new security domain");
+                ConfigurationUtils.createSecurityDomain();
+            } else if (securityDomainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
+                CMS.debug("Creating subordinate CA security domain");
+
+                // switch out security domain parameters from issuing CA security domain
+                // to subordinate CA hosted security domain
+                cs.putString("securitydomain.name", data.getSubordinateSecurityDomainName());
+                cs.putString("securitydomain.host", CMS.getEENonSSLHost());
+                cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
+                cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
+                cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
+                cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
+                ConfigurationUtils.createSecurityDomain();
+            } else {
+                CMS.debug("Updating existing security domain");
+                ConfigurationUtils.updateSecurityDomain();
+            }
+            cs.putString("service.securityDomainPort", CMS.getAgentPort());
+            cs.putString("securitydomain.store", "ldap");
+            cs.commit(false);
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new PKIException("Error while updating security domain: " + e);
+        }
+    }
+
     public Collection<String> getCertList(ConfigurationRequest request) {
         Collection<String> certList = new ArrayList<String>();
 
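Review bot: In setupSecurityDomain the NEW_SUBDOMAIN branch rewrites `securitydomain.name`, `securitydomain.host` and the port keys in cs before calling createSecurityDomain(), so if that call throws, the in-memory configuration already points at this host and carries the subordinate domain name; cs.commit(false) is skipped on that path, but if anything commits cs afterwards a half-switched domain definition would be persisted, so a comment stating that these writes are only valid once createSecurityDomain() succeeds would help the next reader. The catch also differs from the setupDBUser helper directly above it: it prints the stack trace to stderr and folds the exception into the message string, so the original cause is lost to callers. I would align it with the sibling, `CMS.debug(e); throw new PKIException("Error while updating security domain: " + e, e);`, assuming PKIException offers a (String, Throwable) constructor, which this hunk does not show. Note too that `securitydomain.httpsadminport` is written here with putString while logIntoSecurityDomain writes it with putInteger; harmless if cs is string-backed, but worth a comment saying which form readers expect.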
@@ -737,10 +757,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             CMS.debug("local CA selected");
             url = url.substring(url.indexOf("https"));
             cs.putString("preop.ca.url", url);
-
             URL urlx = new URL(url);
             String host = urlx.getHost();
             int port = urlx.getPort();
+
             int admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML, host, port, "CA", "SecurePort", "SecureAdminPort");
 
@@ -841,81 +861,111 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         String securityDomainType = data.getSecurityDomainType();
         String securityDomainName = data.getSecurityDomainName();
-        String securityDomainURL = data.getSecurityDomainUri();
         if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
-            CMS.debug("Creating new security domain");
-            cs.putString("preop.securitydomain.select", "new");
-            cs.putString("securitydomain.select", "new");
-            cs.putString("preop.securitydomain.name", securityDomainName);
-            cs.putString("securitydomain.name", securityDomainName);
-            cs.putString("securitydomain.host", CMS.getEENonSSLHost());
-            cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
-            cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
-            cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
-            cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
-            // Stand-alone PKI (Step 1)
-            if (data.getStandAlone()) {
-                cs.putString("preop.cert.subsystem.type", "remote");
-            } else {
-                cs.putString("preop.cert.subsystem.type", "local");
-            }
-            cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
-
+            configureNewSecurityDomain(data, securityDomainName);
+        } else if (securityDomainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)){
+            CMS.debug("Configuring new subordinate root CA");
+            configureNewSecurityDomain(data, data.getSubordinateSecurityDomainName());
+            String securityDomainURL = data.getSecurityDomainUri();
+            domainXML = logIntoSecurityDomain(data, securityDomainURL);
         } else {
             CMS.debug("Joining existing security domain");
             cs.putString("preop.securitydomain.select", "existing");
             cs.putString("securitydomain.select", "existing");
             cs.putString("preop.cert.subsystem.type", "remote");
             cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
+            String securityDomainURL = data.getSecurityDomainUri();
+            domainXML = logIntoSecurityDomain(data, securityDomainURL);
+        }
+        return domainXML;
+    }
 
-            CMS.debug("Getting certificate chain");
-            // contact and log onto security domain
-            URL secdomainURL;
-            String host;
-            int port;
-            try {
-                secdomainURL = new URL(securityDomainURL);
-                host = secdomainURL.getHost();
-                port = secdomainURL.getPort();
-                cs.putString("securitydomain.host", host);
-                cs.putInteger("securitydomain.httpsadminport",port);
-                ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw new PKIException("Failed to import certificate chain from security domain master: " + e);
-            }
 
+    private void configureNewSecurityDomain(ConfigurationRequest data, String securityDomainName) {
+        CMS.debug("Creating new security domain");
+        cs.putString("preop.securitydomain.select", "new");
+        cs.putString("securitydomain.select", "new");
+        cs.putString("preop.securitydomain.name", securityDomainName);
+        cs.putString("securitydomain.name", securityDomainName);
+        cs.putString("securitydomain.host", CMS.getEENonSSLHost());
+        cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
+        cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
+        cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
+        cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
+        // Stand-alone PKI (Step 1)
+        if (data.getStandAlone()) {
+            cs.putString("preop.cert.subsystem.type", "remote");
+        } else {
+            cs.putString("preop.cert.subsystem.type", "local");
+        }
+        cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
+    }
 
-            CMS.debug("Getting install token");
-            // log onto security domain and get token
-            String user = data.getSecurityDomainUser();
-            String pass = data.getSecurityDomainPassword();
-            String installToken;
-            try {
-                installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw new PKIException("Failed to obtain installation token from security domain: " + e);
-            }
 
+    private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) {
+        URL secdomainURL;
+        String host;
+        int port;
+        try {
+            CMS.debug("Resolving security domain URL" + securityDomainURL);
+            secdomainURL = new URL(securityDomainURL);
+            host = secdomainURL.getHost();
+            port = secdomainURL.getPort();
+            cs.putString("securitydomain.host", host);
+            cs.putInteger("securitydomain.httpsadminport",port);
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new PKIException("Failed to resolve security domain URL");
+        }
 
-            if (installToken == null) {
-                CMS.debug("Install token is null");
-                throw new PKIException("Failed to obtain installation token from security domain");
-            }
-            CMS.setConfigSDSessionId(installToken);
+        getCertChainFromSecurityDomain(host, port);
+        getInstallToken(data, host, port);
 
-            CMS.debug("Getting domain XML");
-            try {
-                domainXML = ConfigurationUtils.getDomainXML(host, port, true);
-                ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
-            }
+        return getDomainXML(host, port);
+    }
+
+    private String getDomainXML(String host, int port) {
+        CMS.debug("Getting domain XML");
+        String domainXML = null;
+        try {
+            domainXML = ConfigurationUtils.getDomainXML(host, port, true);
+            ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
         }
         return domainXML;
     }
 
+    private void getCertChainFromSecurityDomain(String host, int port) {
+        CMS.debug("Getting security domain cert chain");
+        try {
+            ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new PKIException("Failed to import certificate chain from security domain master: " + e);
+        }
+    }
+
+    private void getInstallToken(ConfigurationRequest data, String host, int port) {
+        CMS.debug("Getting install token");
+        // log onto security domain and get token
+        String user = data.getSecurityDomainUser();
+        String pass = data.getSecurityDomainPassword();
+        String installToken;
+        try {
+            installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new PKIException("Failed to obtain installation token from security domain: " + e);
+        }
+
+        if (installToken == null) {
+            CMS.debug("Install token is null");
+            throw new PKIException("Failed to obtain installation token from security domain");
+        }
+        CMS.setConfigSDSessionId(installToken);
+    }
+
     public void configureSubsystem(ConfigurationRequest request, Collection<String> certList, String token,
             String domainXML) {
@@ -1002,7 +1052,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             if (data.getSecurityDomainName() == null) {
                 throw new BadRequestException("Security Domain Name is not provided");
             }
-        } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN)) {
+        } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN) ||
+                domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
             if (data.getStandAlone()) {
                 throw new BadRequestException("Existing security domains are not valid for stand-alone PKI subsytems");
             }
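Review bot: logIntoSecurityDomain stores `secdomainURL.getPort()` into `securitydomain.httpsadminport` unchecked; java.net.URL.getPort() returns -1 when the URI carries no explicit port, and the scheme is not checked either, so an `http://host` value passes `new URL(...)` and then becomes the host/port from which the cert chain is imported and to which the install-token request sends the security domain user and password. Unless the "Invalid security domain URI provided" check in validateData already enforces an https scheme and an explicit port (its condition is outside this hunk), I would reject such values here: `if (!"https".equals(secdomainURL.getProtocol()) || port == -1) throw new BadRequestException("Security domain URI must be https with an explicit port");`. The new catch in the same method, `throw new PKIException("Failed to resolve security domain URL")`, drops the cause, unlike every other catch in the hunk which appends `+ e`, and the debug message on the line above it lacks a space after "URL". Separately, in the NEW_SUBDOMAIN branch configureNewSecurityDomain first sets `securitydomain.host` and `securitydomain.httpsadminport` to the local server and logIntoSecurityDomain then overwrites them with the parent's values, relying on setupSecurityDomain to restore them later; a comment at the overwrite naming that ordering dependency would keep a future reordering from breaking it.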
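Review bot: With NEW_SUBDOMAIN now routed through the EXISTING_DOMAIN branch, the stand-alone rejection also fires for subordinate-domain requests but still reports "Existing security domains are not valid for stand-alone PKI subsytems", which is inaccurate for that case and carries the pre-existing "subsytems" typo. Suggest wording that covers both branches: `throw new BadRequestException("Existing or subordinate security domains are not valid for stand-alone PKI subsystems");`. The enclosing validation method starts and ends outside this hunk.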
@@ -1026,6 +1077,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             throw new BadRequestException("Invalid security domain URI provided");
         }
 
+        // validate subordinate CA security domain settings
+        if (domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) {
+            if (StringUtils.isEmpty(data.getSubordinateSecurityDomainName())) {
+                throw new BadRequestException("Subordinate CA security domain name not provided");
+            }
+        }
+
         if ((data.getSubsystemName() == null) || (data.getSubsystemName().length() ==0)) {
             throw new BadRequestException("Invalid or no subsystem name provided");
         }
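Review bot: The new NEW_SUBDOMAIN block only checks that the subordinate domain name is non-empty; nothing here stops it from equaling `data.getSecurityDomainName()`, the parent domain this sub-CA logs into, which would leave two domains with the same name in cs and in anything keyed by that name. Suggest adding inside the block `if (StringUtils.equals(data.getSubordinateSecurityDomainName(), data.getSecurityDomainName())) throw new BadRequestException("Subordinate CA security domain name must differ from the parent security domain name");` (null-safe, since the parent name is only required in the NEW_DOMAIN branch). Whether NEW_SUBDOMAIN is restricted to the CA subsystem type is not visible in this hunk; if that is not enforced elsewhere it belongs here, since the commit message describes this mode as a sub-CA hosting its own domain. The enclosing validation method continues outside the hunk.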