diff options
author | Matthew Harmsen <mharmsen@redhat.com> | 2015-04-21 00:49:11 -0600 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-04-21 14:43:06 -0600 |
commit | ab5f54371519010c72f4947901c3a76cb5105e41 (patch) | |
tree | 77e80a6e48ec82e20e60fb1498da4824fdf42c08 /base/server/python/pki/server/deployment/scriptlets | |
parent | 16e4a5cc0133533afe1a04711cc671466170e01a (diff) | |
download | pki-ab5f54371519010c72f4947901c3a76cb5105e41.tar.gz pki-ab5f54371519010c72f4947901c3a76cb5105e41.tar.xz pki-ab5f54371519010c72f4947901c3a76cb5105e41.zip |
Add HSM passwords to pkispawn
- PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 16cd92da0..83ecdf130 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -37,9 +37,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): return self.rv config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - deployer.password.create_password_conf( - deployer.mdict['pki_shared_password_conf'], - deployer.mdict['pki_pin']) + if config.str2bool(deployer.mdict['pki_hsm_enable']): + deployer.password.create_hsm_password_conf( + deployer.mdict['pki_shared_password_conf'], + deployer.mdict['pki_pin'], + deployer.mdict['pki_token_password']) + else: + deployer.password.create_password_conf( + deployer.mdict['pki_shared_password_conf'], + deployer.mdict['pki_pin']) # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a temporary server 'pfile' # which ONLY contains the 'password' for the purposes of @@ -71,6 +77,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance + # + # NOTE: ALWAYS create the temporary sslserver certificate + # in the software DB regardless of whether the + # instance will utilize 'softokn' or an HSM + # rv = deployer.certutil.verify_certificate_exists( deployer.mdict['pki_database_path'], deployer.mdict['pki_cert_database'], @@ -105,6 +116,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if config.str2bool(deployer.mdict['pki_ds_secure_connection']): # Check to see if a directory server CA certificate # using the same nickname already exists + # + # NOTE: ALWAYS use the software DB regardless of whether + # the instance will utilize 'softokn' or an HSM + # rv = deployer.certutil.verify_certificate_exists( deployer.mdict['pki_database_path'], deployer.mdict['pki_cert_database'], @@ -120,7 +135,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_ds_secure_connection_ca_trustargs'], deployer.mdict['pki_ds_secure_connection_ca_pem_file'], password_file=deployer.mdict['pki_shared_pfile'], - path=deployer.mdict['pki_database_path']) + path=deployer.mdict['pki_database_path'], + token=deployer.mdict['pki_self_signed_token']) # Always delete the temporary 'pfile' deployer.file.delete(deployer.mdict['pki_shared_pfile']) |