authorAde Lee <alee@redhat.com>2016-05-18 15:33:36 -0400
committerAde Lee <alee@redhat.com>2016-05-24 06:04:02 +0200
commitf0551f75618cd30de3efc3154f37a5f53504896c (patch)
tree5fbe6637a673f79d6e3486c29ed872dc46d4880b /base/server/cms/src
parentf1eef2654de9d2c32f25db4b2d7dccd7fa49b26a (diff)
Add parameters to disable cert or crl publishing
Right now, if publishing is enabled, both CRL and cert publishing are enabled. This causes a bunch of spurious error messages on IPA servers, as cert publishing is not configured. As it is impossible to determine whether cert publishing is not desired or simply misconfigured, we provide options to explicitly disable either cert or CRL publishing. Specifically:
* to enable/disable both cert and CRL publishing: ca.publish.enable = True/False. This is the legacy behavior.
* to enable CRL publishing only: ca.publish.enable = True, ca.publish.cert.enable = False
* to enable cert publishing only: ca.publish.enable = True, ca.publish.crl.enable = False
Ticket 2275
Diffstat (limited to 'base/server/cms/src')
-rw-r--r--base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java8
-rw-r--r--base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java8
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java16
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java10
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java64
5 files changed, 53 insertions, 53 deletions
diff --git a/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java b/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
index 25c80817b..8d75e5ae8 100644
--- a/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
+++ b/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
@@ -22,8 +22,6 @@ import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -43,6 +41,8 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
+import netscape.security.x509.X509CertImpl;
+
/**
* a job for the Jobs Scheduler. This job checks in the internal ldap
* db for valid certs that have not been published to the
@@ -289,7 +289,7 @@ public class PublishCertsJob extends AJobBase
}
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.publishCert(cert, req);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
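Review bot: With `ca.publish.cert.enable = False` the guard on `mPublisherProcessor.isCertPublishingEnabled()` skips the certificate without recording anything in the visible lines, so a job run that published nothing because of configuration looks the same as a run with nothing to publish. The same applies to the `publishCert(cert, null)` branch in the next hunk. If the surrounding code has no else branch (it lies outside both hunks), a comment such as `// cert publishing disabled by ca.publish.cert.enable: skip silently, not an error` above the condition, or a single debug message before the per-certificate work starts, would make the skip visible to an operator. Checking the flag once before iterating would also avoid walking the request queue for no effect, though whether this code sits in a loop cannot be confirmed from the hunk.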
@@ -312,7 +312,7 @@ public class PublishCertsJob extends AJobBase
else {
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.publishCert(cert, null);
if (mSummary == true)
diff --git a/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java b/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
index b28e93751..3a5d780ef 100644
--- a/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
+++ b/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
@@ -22,8 +22,6 @@ import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -43,6 +41,8 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
+import netscape.security.x509.X509CertImpl;
+
/**
* a job for the Jobs Scheduler. This job checks in the internal ldap
* db for certs that have expired and remove them from the ldap
@@ -284,7 +284,7 @@ public class UnpublishExpiredJob extends AJobBase
}
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.unpublishCert(cert, req);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
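Review bot: Gating `unpublishCert` on `isCertPublishingEnabled()` means that once cert publishing is switched off, certificates published earlier are never removed from the directory by this job, including expired ones; the second hunk in this file (`unpublishCert(cert, null)`) has the same effect. That may be intended, but it is a behaviour change for deployments that turn `ca.publish.cert.enable` off after having published, and relying parties would keep finding stale entries. I would document it at the condition, for example `// skipped when ca.publish.cert.enable=false: entries published earlier stay in the directory until removed by other means`, and mention it in the configuration documentation. The enclosing method starts and ends outside the hunk.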
@@ -307,7 +307,7 @@ public class UnpublishExpiredJob extends AJobBase
else {
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.unpublishCert(cert, null);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
index e39b66555..d873b1a33 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
@@ -30,12 +30,6 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.InvalidityDateExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
import com.netscape.certsrv.authentication.IAuthToken;
@@ -60,6 +54,12 @@ import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+
/**
* Force the CRL to be updated now.
*
@@ -445,7 +445,7 @@ public class UpdateCRL extends CMSServlet {
publishError = e;
}
- if (lpm != null && lpm.enabled()) {
+ if (lpm != null && lpm.isCRLPublishingEnabled()) {
Enumeration<ILdapRule> rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL);
if (rules != null && rules.hasMoreElements()) {
if (publishError != null) {
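Review bot: `publishError` is assigned in the catch just above but, in the visible lines, is only examined inside the `lpm.isCRLPublishingEnabled()` block, so with `ca.publish.crl.enable = False` a captured error is not reported here, and the response gives the caller no way to tell "CRL publishing disabled" from "nothing to publish". The later hunk has the matching case: an `ELdapException` with CRL publishing disabled now falls into the `else` branch, whose content is outside the hunk. Because relying parties depend on a fresh CRL, the disabled state is worth surfacing. A short comment at the condition, such as `// CRL publishing disabled by configuration: the CRL is updated internally but not pushed to the directory`, plus a debug message in that path would help an operator reading the logs. Whether `publishError` can be non-null at all when CRL publishing is off depends on code outside the hunk.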
@@ -501,7 +501,7 @@ public class UpdateCRL extends CMSServlet {
}
} catch (EBaseException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString()));
- if ((lpm != null) && lpm.enabled() && (e instanceof ELdapException)) {
+ if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) {
header.addStringValue("crlPublished", "Failure");
header.addStringValue("error", e.toString(locale));
} else {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
index a662f8e7b..079eaf15a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
@@ -29,9 +29,6 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
@@ -58,6 +55,9 @@ import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+
/**
* Update the configured LDAP server with specified objects
*
@@ -176,8 +176,8 @@ public class UpdateDir extends CMSServlet {
try {
String crlIssuingPointId = req.getParameter("crlIssuingPoint");
- if (mPublisherProcessor == null ||
- !mPublisherProcessor.enabled())
+ if (mPublisherProcessor == null || (!mPublisherProcessor.isCertPublishingEnabled()
+ && !mPublisherProcessor.isCRLPublishingEnabled()))
throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_PUB_MODULE"));
String[] updateValue = new String[updateName.length];
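Review bot: The new guard throws only when both `isCertPublishingEnabled()` and `isCRLPublishingEnabled()` are false, so a request for a CRL update still passes this point when only cert publishing is enabled, and the reverse holds as well. This is correct only if each update path further down checks its own flag; those paths are outside the hunk, so that cannot be confirmed here. I would state the contract at the guard, for example `// either publisher type is enough to proceed; each update path below must check its own isCertPublishingEnabled()/isCRLPublishingEnabled()`, and verify that the CRL and cert branches do so. Otherwise the servlet may attempt a publish that was deliberately disabled and bring back the spurious errors this commit is meant to remove.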
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 30c07d1c1..744f93472 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -34,37 +34,6 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS10Attribute;
-import netscape.security.pkcs.PKCS10Attributes;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AVA;
-import netscape.security.x509.CertAttrSet;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.DNSName;
-import netscape.security.x509.Extension;
-import netscape.security.x509.GeneralName;
-import netscape.security.x509.GeneralNameInterface;
-import netscape.security.x509.GeneralNames;
-import netscape.security.x509.IPAddressName;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.OIDMap;
-import netscape.security.x509.RDN;
-import netscape.security.x509.SubjectAlternativeNameExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.asn1.ANY;
@@ -122,6 +91,37 @@ import com.netscape.cms.servlet.profile.SSLClientCertProvider;
import com.netscape.cmsutil.scep.CRSPKIMessage;
import com.netscape.cmsutil.util.Utils;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AVA;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.DNSName;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.IPAddressName;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.OIDMap;
+import netscape.security.x509.RDN;
+import netscape.security.x509.SubjectAlternativeNameExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
/**
* This servlet deals with PKCS#10-based certificate requests from
* CRS, now called SCEP, and defined at:
@@ -1057,7 +1057,7 @@ public class CRSEnrollment extends HttpServlet {
boolean result = false;
IPublisherProcessor ldapPub = mAuthority.getPublisherProcessor();
- if (ldapPub == null || !ldapPub.enabled()) {
+ if (ldapPub == null || !ldapPub.isCertPublishingEnabled()) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP"));
return result;