author | Endi S. Dewata <edewata@redhat.com> | 2016-02-19 08:42:30 +0100 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-02 06:22:41 +0200 |
commit | 58406095925cd3d26ab8eab0c7c7e99cdddf21ea (patch) | |
tree | 2b07bdc6952c06b86b257cbb99b3f361172f5245 /base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | |
parent | 9667921a5a2489a3fccc6f4f7f7af88f60eadbd2 (diff) | |
Added mechanism to import system certs via PKCS #12 file.
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 55 |
1 files changed, 24 insertions, 31 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 697196a6e..f7e5a6b05 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -662,7 +662,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou response.setAdminCert(admincerts[0]); } catch (Exception e) { - e.printStackTrace(); + CMS.debug(e); throw new PKIException("Error in creating admin user: " + e); } } @@ -818,7 +818,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putInteger("preop.ca.httpsport", port); cs.putInteger("preop.ca.httpsadminport", admin_port); - if (!data.isClone()) { + if (!data.isClone() && !data.getSystemCertsImported()) { ConfigurationUtils.importCertChain(host, admin_port, "/ca/admin/ca/getCertChain", "ca"); } @@ -855,7 +855,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou "Clone URI does not match available subsystems: " + url); } - if (csType.equals("CA")) { + if (csType.equals("CA") && !data.getSystemCertsImported()) { CMS.debug("SystemConfigService: import certificate chain from master"); int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML, masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort"); 
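Review bot: In the `@@ -662` hunk the catch block now logs through `CMS.debug(e)`, but the `PKIException` on the following context line still concatenates `e` into its message and drops the cause. How that message reaches the REST client is not visible here; if it is returned in the response, internal exception text goes to the caller while the exception chain is lost. Consider `throw new PKIException("Error in creating admin user", e);`, using the two-argument constructor already used elsewhere in this file. The enclosing method starts and ends outside the hunk.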
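Review bot: The new `!data.getSystemCertsImported()` condition in the `@@ -818` hunk lets a field of the incoming `ConfigurationRequest` decide whether the CA certificate chain is imported, and nothing visible in this hunk confirms that the chain is actually present when the flag is set. The same flag gates the chain import in `@@ -855` and `@@ -948`, the PKCS #12 restore in `@@ -867` and the P12 parameter checks in `@@ -1129`; among the visible hunks only the clone path appears to be followed by `ConfigurationUtils.verifySystemCertificates()`. For the non-clone path, consider verifying the expected chain on the server before skipping the import, and at least record the skip, e.g. `CMS.debug("SystemConfigService: system certs already imported, skipping cert chain import");`. If `getSystemCertsImported()` returns a boxed `Boolean` (its declaration is not on this page), a request that omits the field would fail on unboxing here, so a null-safe test such as `Boolean.TRUE.equals(...)` would be needed.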
@@ -867,10 +867,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.getConfigEntriesFromMaster(); if (token.equals(ConfigurationRequest.TOKEN_DEFAULT)) { - CMS.debug("SystemConfigService: restore certificates from P12 file"); - String p12File = data.getP12File(); - String p12Pass = data.getP12Password(); - ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass); + if (!data.getSystemCertsImported()) { + CMS.debug("SystemConfigService: restore certificates from P12 file"); + String p12File = data.getP12File(); + String p12Pass = data.getP12Password(); + ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass); + } } else { CMS.debug("SystemConfigService: import certificates from HSM and set permission"); @@ -878,15 +880,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } CMS.debug("SystemConfigService: verify certificates"); - boolean cloneReady = ConfigurationUtils.isCertdbCloned(); - - if (!cloneReady) { - CMS.debug("SystemConfigService: clone does not have all the certificates."); - throw new PKIException("Clone does not have all the required certificates"); - } + ConfigurationUtils.verifySystemCertificates(); } - public String configureSecurityDomain(ConfigurationRequest data) { + public String configureSecurityDomain(ConfigurationRequest data) throws Exception { String domainXML = null; @@ -932,7 +929,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile"); } - private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) { + private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) throws Exception { URL secdomainURL; String host; int port; 
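Review bot: With the explicit `isCertdbCloned()` check removed in the `@@ -878` hunk, a clone with missing certificates is reported only through whatever `ConfigurationUtils.verifySystemCertificates()` throws, and the widened `throws Exception` signatures here and in `@@ -932` let that exception leave the service unwrapped. The `@@ -948` hunk does the same for `importCertChain`, whose removed wrapper used to turn failures into a `PKIException` with a descriptive message. How a raw `Exception` is mapped to the REST response is not visible on this page, so the installer may receive a generic server error rather than an actionable one. Wrapping at the call site, as sketched below, keeps the cause for troubleshooting while preserving a stable error type; the enclosing method starts outside the hunk.

```java
CMS.debug("SystemConfigService: verify certificates");
try {
    ConfigurationUtils.verifySystemCertificates();
} catch (Exception e) {
    CMS.debug(e);
    throw new PKIException("System certificate verification failed", e);
}
```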
@@ -948,7 +945,11 @@ public class SystemConfigService extends PKIService implements SystemConfigResou throw new PKIException("Failed to resolve security domain URL", e); } - getCertChainFromSecurityDomain(host, port); + if (!data.getSystemCertsImported()) { + CMS.debug("Getting security domain cert chain"); + ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain"); + } + getInstallToken(data, host, port); return getDomainXML(host, port); @@ -967,16 +968,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou return domainXML; } - private void getCertChainFromSecurityDomain(String host, int port) { - CMS.debug("Getting security domain cert chain"); - try { - ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain"); - } catch (Exception e) { - CMS.debug(e); - throw new PKIException("Failed to import certificate chain from security domain master: " + e, e); - } - } - private void getInstallToken(ConfigurationRequest data, String host, int port) { CMS.debug("Getting install token"); // log onto security domain and get token @@ -1129,12 +1120,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } if (data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) { - if (data.getP12File() == null) { - throw new BadRequestException("P12 filename not provided"); - } + if (!data.getSystemCertsImported()) { + if (data.getP12File() == null) { + throw new BadRequestException("P12 filename not provided"); + } - if (data.getP12Password() == null) { - throw new BadRequestException("P12 password not provided"); + if (data.getP12Password() == null) { + throw new BadRequestException("P12 password not provided"); + } } } else { if (data.getP12File() != null) { |
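Review bot: In the `@@ -1129` hunk a request with `TOKEN_DEFAULT` and the system-certs-imported flag set skips both P12 checks, so a P12 file name and password sent alongside the flag are accepted and then silently unused, because the restore in `@@ -867` is skipped as well. The `else` branch that follows appears to reject an unexpected P12 file (its body continues outside the hunk), so conflicting input is treated differently between the two branches. The commit description suggests the installer may still send the clone P12 values, so rejecting them could break it. Instead, make the ignore explicit, e.g. `if (data.getSystemCertsImported() && data.getP12File() != null) CMS.debug("SystemConfigService: system certs already imported, ignoring P12 file");`, and consider having the installer omit the PKCS #12 password from the request when it will not be used.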