Added mechanism to import system certs via PKCS #12 file.

The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
author: Endi S. Dewata <edewata@redhat.com> 2016-02-19 08:42:30 +0100
committer: Endi S. Dewata <edewata@redhat.com> 2016-04-02 06:22:41 +0200
commit: 58406095925cd3d26ab8eab0c7c7e99cdddf21ea (patch)
tree: 2b07bdc6952c06b86b257cbb99b3f361172f5245 /base/server/python/pki/server/deployment/pkihelper.py
parent: 9667921a5a2489a3fccc6f4f7f7af88f60eadbd2 (diff)
download: pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.tar.gz
pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.tar.xz
pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.zip
1 files changed, 29 insertions, 7 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index e8591398d..ab6562ba0 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -619,10 +619,17 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_client_database_password")
         # Verify existence of Client PKCS #12 Password for Admin Cert
         self.confirm_data_exists("pki_client_pkcs12_password")
+
         if self.clone:
+
             # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                self.confirm_data_exists("pki_clone_pkcs12_password")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_password")
+
             # Verify absence of all PKCS #12 clone parameters for HSMs
             elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
                     ('pki_clone_pkcs12_password' in self.mdict and
@@ -632,6 +639,7 @@ class ConfigurationFile:
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 raise Exception(
                     log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
+
         # Verify existence of Security Domain Password
         # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
         #  Subordinate CA that will be automatically configured and
@@ -736,11 +744,18 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_http_port")
             self.confirm_data_exists("pki_https_port")
             self.confirm_data_exists("pki_tomcat_server_port")
+
+            # Check clone parameters for non-HSM clone
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                # Check clone parameters for non-HSM clone
-                self.confirm_data_exists("pki_clone_pkcs12_path")
-                self.confirm_file_exists("pki_clone_pkcs12_path")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_path")
+                    self.confirm_file_exists("pki_clone_pkcs12_path")
+
             self.confirm_data_exists("pki_clone_replication_security")
+
         elif self.external:
             # External CA
             if not self.external_step_two:
@@ -3996,6 +4011,8 @@ class ConfigClient:
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
+        data.systemCertsImported = self.mdict['pki_server_pkcs12_path'] != ''
+
         # Create system certs
         self.set_system_certs(data)
 
@@ -4268,10 +4285,15 @@ class ConfigClient:
     def set_cloning_parameters(self, data):
         data.isClone = "true"
         data.cloneUri = self.mdict['pki_clone_uri']
+
+        # Set these clone parameters for non-HSM clones only
         if not config.str2bool(self.mdict['pki_hsm_enable']):
-            # Set these clone parameters for non-HSM clones only
-            data.p12File = self.mdict['pki_clone_pkcs12_path']
-            data.p12Password = self.mdict['pki_clone_pkcs12_password']
+            # If system certificates are already provided via pki_server_pkcs12
+            # there's no need to provide pki_clone_pkcs12.
+            if not self.mdict['pki_server_pkcs12_path']:
+                data.p12File = self.mdict['pki_clone_pkcs12_path']
+                data.p12Password = self.mdict['pki_clone_pkcs12_password']
+
         if config.str2bool(self.mdict['pki_clone_replicate_schema']):
             data.replicateSchema = "true"
         else:
author	Endi S. Dewata <edewata@redhat.com>	2016-02-19 08:42:30 +0100
committer	Endi S. Dewata <edewata@redhat.com>	2016-04-02 06:22:41 +0200
commit	58406095925cd3d26ab8eab0c7c7e99cdddf21ea (patch)
tree	2b07bdc6952c06b86b257cbb99b3f361172f5245 /base/server/python/pki/server/deployment/pkihelper.py
parent	9667921a5a2489a3fccc6f4f7f7af88f60eadbd2 (diff)
download	pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.tar.gz pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.tar.xz pki-58406095925cd3d26ab8eab0c7c7e99cdddf21ea.zip