diff options
| author | Ade Lee <alee@redhat.com> | 2014-03-27 11:08:32 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2014-03-31 10:26:12 -0400 |
| commit | b834efbaa8c929c10cf00252b71ebc29e2f10456 (patch) | |
| tree | e218ae6b2045cd5aa0f137efcdbd940f7de7333e /base/server/python/pki/server | |
| parent | 86f4022cc0598353d16901fa2d1ef90f474baaca (diff) | |
| download | pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.gz pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.tar.xz pki-b834efbaa8c929c10cf00252b71ebc29e2f10456.zip | |
Share subsystem cert in shared tomcat instances
In shared tomcat instances, we need to share the subsystem cert and
not create a new one for each additional subsystem added to the instance.
In addition, if the instances share the same database, then only one
pkidbuser should be created with the relevant subsystem cert and seeAlso
attribute.
Ticket 893
Diffstat (limited to 'base/server/python/pki/server')
| -rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 66ea3620f..8a225ba1f 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -3690,6 +3690,7 @@ class ConfigClient: # Create 'Subsystem Certificate' if not self.clone: if self.standalone and self.external_step_two: + data.generateSubsystemCert = "true" # Stand-alone PKI (Step 2) cert4 = self.create_system_cert("subsystem") # Load the Stand-alone PKI 'Subsystem Certificate' (Step 2) @@ -3698,9 +3699,20 @@ class ConfigClient: self.master_dict['pki_external_subsystem_cert_path'], self.subsystem) systemCerts.append(cert4) + elif len(system_list) >= 2: + # Existing PKI Instance + data.generateSubsystemCert = "false" + for subsystem in system_list: + dst = self.master_dict['pki_instance_path'] + '/conf/' + \ + subsystem.lower() + '/CS.cfg' + if subsystem != self.subsystem and os.path.exists(dst): + cert4 = self.retrieve_existing_subsystem_cert(dst) + systemCerts.append(cert4) + break else: # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, # Subordinate CA, or External CA + data.generateSubsystemCert = "true" cert4 = self.create_system_cert("subsystem") systemCerts.append(cert4) @@ -3807,6 +3819,11 @@ class ConfigClient: data.secureConn = "true" else: data.secureConn = "false" + if config.str2bool(self.master_dict['pki_share_db']): + data.sharedDB = "true" + data.sharedDBUserDN = self.master_dict['pki_share_dbuser_dn'] + else: + data.sharedDB = "false" def set_backup_parameters(self, data): if config.str2bool(self.master_dict['pki_backup_keys']): @@ -3957,6 +3974,21 @@ class ConfigClient: cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") return cert + def retrieve_existing_subsystem_cert(self, cfg_file): + cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) + cstype = cs_cfg.get('cs.type').lower() + cert = pki.system.SystemCertData() + cert.tag = self.master_dict["pki_subsystem_tag"] + cert.keyAlgorithm = cs_cfg.get("cloning.subsystem.keyalgorithm") + cert.keySize = self.master_dict["pki_subsystem_key_size"] + cert.keyType = cs_cfg.get("cloning.subsystem.keytype") + cert.nickname = cs_cfg.get(cstype + ".subsystem.nickname") + cert.cert = cs_cfg.get(cstype + ".subsystem.cert") + cert.request = cs_cfg.get(cstype + ".subsystem.certreq") + cert.subjectDN = cs_cfg.get("cloning.subsystem.dn") + cert.token = cs_cfg.get(cstype + ".subsystem.tokenname") + return cert + class PKIDeployer: """Holds the global dictionaries and the utility objects""" |