diff options
author | Matthew Harmsen <mharmsen@redhat.com> | 2015-05-22 18:15:31 -0600 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-05-22 19:00:00 -0600 |
commit | 0bf9c6bc326de463f7ec35efb0ae448419ec579a (patch) | |
tree | 3126cd5d552311e67e045c2951c25dfe2249f744 /base/server/python/pki/server/deployment/pkihelper.py | |
parent | c6d781ee897deb213411f6caba9ae8a1770af732 (diff) | |
download | pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.tar.gz pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.tar.xz pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.zip |
disable backup keys and share master keys when using an HSM
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
HSM (and provide recommendation); allow clones to share keys
Diffstat (limited to 'base/server/python/pki/server/deployment/pkihelper.py')
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 36 |
1 files changed, 30 insertions, 6 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 696e3d75a..0363b084e 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -559,6 +559,16 @@ class ConfigurationFile: # Verify existence of Admin Password (except for Clones) if not self.clone: self.confirm_data_exists("pki_admin_password") + # If HSM, verify absence of all PKCS #12 backup parameters + if (config.str2bool(self.mdict['pki_hsm_enable']) and + (config.str2bool(self.mdict['pki_backup_keys']) or + ('pki_backup_password' in self.mdict and + len(self.mdict['pki_backup_password'])))): + config.pki_log.error( + log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES, + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception( + log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES) # If required, verify existence of Backup Password if config.str2bool(self.mdict['pki_backup_keys']): self.confirm_data_exists("pki_backup_password") @@ -568,9 +578,19 @@ class ConfigurationFile: self.confirm_data_exists("pki_client_database_password") # Verify existence of Client PKCS #12 Password for Admin Cert self.confirm_data_exists("pki_client_pkcs12_password") - # Verify existence of PKCS #12 Password (ONLY for Clones) if self.clone: - self.confirm_data_exists("pki_clone_pkcs12_password") + # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) + if not config.str2bool(self.mdict['pki_hsm_enable']): + self.confirm_data_exists("pki_clone_pkcs12_password") + # Verify absence of all PKCS #12 clone parameters for HSMs + elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or + ('pki_clone_pkcs12_password' in self.mdict and + len(self.mdict['pki_clone_pkcs12_password']))): + config.pki_log.error( + log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS, + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception( + log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS) # Verify existence of Security Domain Password # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or # Subordinate CA that will be automatically configured and @@ -675,8 +695,10 @@ class ConfigurationFile: self.confirm_data_exists("pki_http_port") self.confirm_data_exists("pki_https_port") self.confirm_data_exists("pki_tomcat_server_port") - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") + if not config.str2bool(self.mdict['pki_hsm_enable']): + # Check clone parameters for non-HSM clone + self.confirm_data_exists("pki_clone_pkcs12_path") + self.confirm_file_exists("pki_clone_pkcs12_path") self.confirm_data_exists("pki_clone_replication_security") elif self.external: # External CA @@ -4119,8 +4141,10 @@ class ConfigClient: def set_cloning_parameters(self, data): data.isClone = "true" data.cloneUri = self.mdict['pki_clone_uri'] - data.p12File = self.mdict['pki_clone_pkcs12_path'] - data.p12Password = self.mdict['pki_clone_pkcs12_password'] + if not config.str2bool(self.mdict['pki_hsm_enable']): + # Set these clone parameters for non-HSM clones only + data.p12File = self.mdict['pki_clone_pkcs12_path'] + data.p12Password = self.mdict['pki_clone_pkcs12_password'] if config.str2bool(self.mdict['pki_clone_replicate_schema']): data.replicateSchema = "true" else: |