Share subsystem cert in shared tomcat instances

In shared tomcat instances, we need to share the subsystem cert and not create a new one for each additional subsystem added to the instance. In addition, if the instances share the same database, then only one pkidbuser should be created with the relevant subsystem cert and seeAlso attribute. Ticket 893
author: Ade Lee <alee@redhat.com> 2014-03-27 11:08:32 -0400
committer: Ade Lee <alee@redhat.com> 2014-03-31 10:26:12 -0400
commit: b834efbaa8c929c10cf00252b71ebc29e2f10456 (patch)
tree: e218ae6b2045cd5aa0f137efcdbd940f7de7333e /base/server/cms/src
parent: 86f4022cc0598353d16901fa2d1ef90f474baaca (diff)
download: pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.gz
pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.xz
pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.zip
2 files changed, 67 insertions, 15 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 5da4dddfe..51c42b7b9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1425,8 +1425,8 @@ public class ConfigurationUtils {
         String instancePath = cs.getString("instanceRoot");
         String instanceId = cs.getString("instanceId");
         String cstype = cs.getString("cs.type");
-
-        String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN;
+        String dbuser = cs.getString("preop.internaldb.dbuser",
+                "uid=" + DBUSER + ",ou=people," + baseDN);
 
         String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf";
 
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 901d51769..61f672c3d 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -23,6 +23,7 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
 import java.util.Collection;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -39,11 +40,15 @@ import javax.ws.rs.core.UriInfo;
 
 import netscape.security.x509.X509CertImpl;
 
+import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.NoSuchTokenException;
 import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.TokenException;
+import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.util.IncorrectPasswordException;
 
 import com.netscape.certsrv.apps.CMS;
@@ -205,8 +210,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             // CA Info Panel
             caInfoPanel(data, subsystemNick);
 
-            // retrieve and import CA cert
-
             // TKS Info Panel
             tksInfoPanel(data, subsystemNick);
 
@@ -269,6 +272,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
 
         boolean generateServerCert = data.getGenerateServerCert().equalsIgnoreCase("false")? false : true;
+        boolean generateSubsystemCert = data.getGenerateSubsystemCert();
+
         boolean hasSigningCert = false;
         Vector<Cert> certs = new Vector<Cert>();
         try {
@@ -323,16 +328,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 }
 
                 if (!generateServerCert && ct.equals("sslserver")) {
-                    if (!cdata.getToken().equals("internal")) {
-                        cs.putString(csSubsystem + ".cert.sslserver.nickname", cdata.getNickname());
-                    } else {
-                        cs.putString(csSubsystem + ".cert.sslserver.nickname", data.getToken() +
-                                ":" + cdata.getNickname());
-                    }
-                    cs.putString(csSubsystem + ".sslserver.nickname", cdata.getNickname());
-                    cs.putString(csSubsystem + ".sslserver.cert", cdata.getCert());
-                    cs.putString(csSubsystem + ".sslserver.certreq", cdata.getRequest());
-                    cs.putString(csSubsystem + ".sslserver.tokenname", cdata.getToken());
+                    updateConfiguration(data, cdata, "sslserver");
+                    continue;
+                }
+
+                if (!generateSubsystemCert && ct.equals("subsystem")) {
+                    // update the details for the shared subsystem cert here.
+                    updateConfiguration(data, cdata, "subsystem");
+
+                    // get parameters needed for cloning
+                    updateCloneConfiguration(cdata, "subsystem");
                     continue;
                 }
 
@@ -574,7 +579,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
 
         try {
-            ConfigurationUtils.setupDBUser();
+            if (!data.getSharedDB()) ConfigurationUtils.setupDBUser();
         } catch (Exception e) {
             e.printStackTrace();
             throw new PKIException("Errors in creating or updating dbuser: " + e);
@@ -638,6 +643,40 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         return response;
     }
 
+    private void updateCloneConfiguration(SystemCertData cdata, String tag) throws NotInitializedException,
+            ObjectNotFoundException, TokenException {
+        // TODO - some of these parameters may only be valid for RSA
+        CryptoManager cryptoManager = CryptoManager.getInstance();
+        X509Certificate cert = cryptoManager.findCertByNickname(cdata.getNickname());
+        PublicKey pubk = cert.getPublicKey();
+        byte[] exponent = CryptoUtil.getPublicExponent(pubk);
+        byte[] modulus = CryptoUtil.getModulus(pubk);
+        PrivateKey privk = cryptoManager.findPrivKeyByCert(cert);
+
+        cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
+        cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
+        cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.byte2string(privk.getUniqueID()));
+        cs.putString("preop.cert." + tag + ".dn", cdata.getSubjectDN());
+        cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm());
+        cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType());
+        cs.putString("preop.cert." + tag + ".nickname", cdata.getNickname());
+    }
+
+    private void updateConfiguration(ConfigurationRequest data, SystemCertData cdata, String tag) {
+        if (cdata.getToken().equals("Internal Key Storage Token")) {
+            cs.putString(csSubsystem + ".cert." + tag + ".nickname", cdata.getNickname());
+        } else {
+            cs.putString(csSubsystem + ".cert." + tag + ".nickname", data.getToken() +
+                    ":" + cdata.getNickname());
+        }
+
+        cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
+        cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
+        cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
+        cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
+        cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
+    }
+
     private void caInfoPanel(ConfigurationRequest data, String subsystemNick) {
         URI caUri = null;
         try {
@@ -816,6 +855,9 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
                 cs.putString("preop.internaldb.replicationpwd", replicationpwd);
                 cs.putString("preop.database.removeData", "false");
+                if (data.getSharedDB()) {
+                    cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN());
+                }
                 cs.commit(false);
 
                 if (data.getIsClone().equals("true")) {
@@ -1234,6 +1276,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             data.setGenerateServerCert("true");
         }
 
+        if (! data.getGenerateSubsystemCert()) {
+            // No subsystem cert to be generated.  All interactions use a shared subsystem cert.
+            if (data.getSharedDB() && StringUtils.isEmpty(data.getSharedDBUserDN())) {
+                throw new BadRequestException("Shared db user DN not provided");
+            }
+        } else {
+            // if the subsystem cert is not shared, we do not need to worry about sharing the db
+            data.setSharedDB("false");
+        }
+
         if (csType.equals("TPS")) {
             if ((data.getCaUri() == null) || data.getCaUri().isEmpty()) {
                 throw new BadRequestException("CA URI not provided");
author	Ade Lee <alee@redhat.com>	2014-03-27 11:08:32 -0400
committer	Ade Lee <alee@redhat.com>	2014-03-31 10:26:12 -0400
commit	b834efbaa8c929c10cf00252b71ebc29e2f10456 (patch)
tree	e218ae6b2045cd5aa0f137efcdbd940f7de7333e /base/server/cms/src
parent	86f4022cc0598353d16901fa2d1ef90f474baaca (diff)
download	pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.gz pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.xz pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.zip