diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-02-19 08:42:30 +0100 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2016-02-26 13:12:01 -0500 |
| commit | 1d58b883ff9d0056d89d74d30f1375ab12d01f03 (patch) | |
| tree | a91fabd83ddfb0e3424badb49a883acab5c71f72 /base/server/python | |
| parent | 1f2d7dbab0e6a7b26f7aa12b8a58fb4c3a6da825 (diff) | |
| download | pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.gz pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.xz pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.zip | |
Added mechanism to import system certs via PKCS #12 file.
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python')
3 files changed, 55 insertions, 7 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 429e1e93e..cd4e3e26f 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -632,10 +632,17 @@ class ConfigurationFile: self.confirm_data_exists("pki_client_database_password") # Verify existence of Client PKCS #12 Password for Admin Cert self.confirm_data_exists("pki_client_pkcs12_password") + if self.clone: + # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) if not config.str2bool(self.mdict['pki_hsm_enable']): - self.confirm_data_exists("pki_clone_pkcs12_password") + + # If system certificates are already provided via pki_server_pkcs12 + # there's no need to provide pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + self.confirm_data_exists("pki_clone_pkcs12_password") + # Verify absence of all PKCS #12 clone parameters for HSMs elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or ('pki_clone_pkcs12_password' in self.mdict and @@ -645,6 +652,7 @@ class ConfigurationFile: extra=config.PKI_INDENTATION_LEVEL_2) raise Exception( log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS) + # Verify existence of Security Domain Password # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or # Subordinate CA that will be automatically configured and @@ -749,11 +757,18 @@ class ConfigurationFile: self.confirm_data_exists("pki_http_port") self.confirm_data_exists("pki_https_port") self.confirm_data_exists("pki_tomcat_server_port") + + # Check clone parameters for non-HSM clone if not config.str2bool(self.mdict['pki_hsm_enable']): - # Check clone parameters for non-HSM clone - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") + + # If system certificates are already provided via pki_server_pkcs12 + # there's no need to provide pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + self.confirm_data_exists("pki_clone_pkcs12_path") + self.confirm_file_exists("pki_clone_pkcs12_path") + self.confirm_data_exists("pki_clone_replication_security") + elif self.external: # External CA if not self.external_step_two: @@ -4032,6 +4047,8 @@ class ConfigClient: # Issuing CA Information self.set_issuing_ca_parameters(data) + data.systemCertsImported = self.mdict['pki_server_pkcs12_path'] != '' + # Create system certs self.set_system_certs(data) @@ -4308,10 +4325,15 @@ class ConfigClient: def set_cloning_parameters(self, data): data.isClone = "true" data.cloneUri = self.mdict['pki_clone_uri'] + + # Set these clone parameters for non-HSM clones only if not config.str2bool(self.mdict['pki_hsm_enable']): - # Set these clone parameters for non-HSM clones only - data.p12File = self.mdict['pki_clone_pkcs12_path'] - data.p12Password = self.mdict['pki_clone_pkcs12_password'] + # If system certificates are already provided via pki_server_pkcs12 + # there's no need to provide pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + data.p12File = self.mdict['pki_clone_pkcs12_path'] + data.p12Password = self.mdict['pki_clone_pkcs12_password'] + if config.str2bool(self.mdict['pki_clone_replicate_schema']): data.replicateSchema = "true" else: diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 77a1cdf2d..ca9ef998f 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -346,6 +346,7 @@ class PKIConfigParser: 'pki_pin', 'pki_replication_password', 'pki_security_domain_password', + 'pki_server_pkcs12_password', 'pki_token_password') print('Loading deployment configuration from ' + diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 94ecbc2f0..a723b1da9 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -20,6 +20,8 @@ from __future__ import absolute_import +import pki.nssdb + # PKI Deployment Imports from .. import pkiconfig as config from .. import pkimessages as log @@ -36,8 +38,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return self.rv + config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + if config.str2bool(deployer.mdict['pki_hsm_enable']): deployer.password.create_hsm_password_conf( deployer.mdict['pki_shared_password_conf'], @@ -47,6 +51,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.password.create_password_conf( deployer.mdict['pki_shared_password_conf'], deployer.mdict['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a temporary server 'pfile' # which ONLY contains the 'password' for the purposes of @@ -55,12 +60,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_shared_pfile'], deployer.mdict['pki_pin'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_shared_password_conf']) + deployer.certutil.create_security_databases( deployer.mdict['pki_database_path'], deployer.mdict['pki_cert_database'], deployer.mdict['pki_key_database'], deployer.mdict['pki_secmod_database'], password_file=deployer.mdict['pki_shared_pfile']) + if config.str2bool(deployer.mdict['pki_hsm_enable']): deployer.modutil.register_security_module( deployer.mdict['pki_database_path'], @@ -76,6 +83,24 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_secmod_database'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] + + if pki_server_pkcs12_path: + + # importing system certificates + + pki_server_pkcs12_password = deployer.mdict['pki_server_pkcs12_password'] + if not pki_server_pkcs12_password: + raise Exception('Missing pki_server_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( + directory=deployer.mdict['pki_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + nssdb.import_pkcs12( + pkcs12_file=pki_server_pkcs12_path, + pkcs12_password=pki_server_pkcs12_password) + if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance # |