authorEndi S. Dewata <edewata@redhat.com>2016-08-29 08:33:05 +0200
committerAde Lee <alee@redhat.com>2016-09-02 11:16:47 -0400
commitbc65e12500cbc3381b4e755a4a50214f43049ad3 (patch)
tree17e1307b8eab94dddd9a9f4775e642d4d8a3def5 /base/server/python/pki/server
parent1195ee9d6e45783d238edc1799363c21590febce (diff)
Added support to create system certificates in different tokens.
Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token. https://fedorahosted.org/pki/ticket/2449
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py37
1 files changed, 33 insertions, 4 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 64ee4e5f6..97f6d3e60 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,6 +39,31 @@ import pki.util
# PKI Deployment Configuration Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ def store_cert_tokens(self, subsystem, deployer):
+
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+ deployer.mdict['pki_audit_signing_token'])
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+ deployer.mdict['pki_ssl_server_token'])
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+ deployer.mdict['pki_subsystem_token'])
+
+ if subsystem.name == 'ca':
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
+ elif subsystem.name == 'kra':
+ subsystem.config['kra.storage.tokenname'] = (
+ deployer.mdict['pki_storage_token'])
+ subsystem.config['kra.transport.tokenname'] = (
+ deployer.mdict['pki_transport_token'])
+
+ elif subsystem.name == 'ocsp':
+ subsystem.config['ocsp.signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_configuration']):
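Review bot: `store_cert_tokens` has no docstring and copies every `pki_*_token` value into CS.cfg unchecked: a key absent from `deployer.mdict` raises a bare KeyError, and an empty value is written as-is, leaving it to the configuration servlet (outside this file) to decide which token actually ends up holding the key. Because in NSS the token name selects the slot, HSM or internal softoken, in which the key is generated, it is worth rejecting empty values here before `subsystem.save()` persists them, e.g. `if not token: raise ValueError('Missing token name for ' + key)`, or at least logging the chosen token per certificate. A docstring such as `"""Store the token name of each system certificate in CS.cfg so the configuration servlet creates that certificate in the right token."""` would record the contract. The repeated `subsystem.config[...] = deployer.mdict[...]` pairs could be driven from a per-subsystem mapping of config key to `pki_*_token` parameter, which is also the natural place for that check; the method does not use `self` and could be a `@staticmethod`.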
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
nickname=signing_nickname,
output_format='base64')
subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
subsystem.config['ca.signing.cert'] = signing_cert_data
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
deployer.mdict['pki_ca_signing_signing_algorithm'])
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
subsystem.save()
# verify the signing certificate
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance, 'ca')
verifier.verify_certificate('signing')
- else: # self-signed CA
+ else: # other installation types
# To be implemented in ticket #1692.
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Self sign CA cert.
# Import self-signed CA cert into NSS database.
- pass
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
+ subsystem.save()
finally:
nssdb.close()