diff options
author | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:55:05 -0700 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2013-10-15 17:59:23 -0700 |
commit | 47c77a67d67cb443070137fd9b8d64955d499089 (patch) | |
tree | 12b7588f34a80a74c000e77b19017ec941ad5231 /base/server | |
parent | 618be8bd7e9488a325789232c94aad109f9b6803 (diff) | |
download | pki-47c77a67d67cb443070137fd9b8d64955d499089.tar.gz pki-47c77a67d67cb443070137fd9b8d64955d499089.tar.xz pki-47c77a67d67cb443070137fd9b8d64955d499089.zip |
Stand-alone DRM
* TRAC Ticket #667 - provide option for ca-less drm install
Diffstat (limited to 'base/server')
-rw-r--r-- | base/server/config/pkislots.cfg | 3 | ||||
-rw-r--r-- | base/server/etc/default.cfg | 56 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 811 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkimessages.py | 44 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkiparser.py | 55 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 8 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/finalization.py | 6 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/initialization.py | 7 | ||||
-rwxr-xr-x | base/server/sbin/pkispawn | 29 | ||||
-rw-r--r-- | base/server/scripts/operations | 40 |
10 files changed, 711 insertions, 348 deletions
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg index 6e13a8971..bb51f5300 100644 --- a/base/server/config/pkislots.cfg +++ b/base/server/config/pkislots.cfg @@ -44,6 +44,7 @@ PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT] PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT] PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] +PKI_CLOSE_STANDALONE_COMMENT_SLOT=[PKI_CLOSE_STANDALONE_COMMENT] PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT] PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME] PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT] @@ -63,6 +64,7 @@ PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT] PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT] PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] +PKI_OPEN_STANDALONE_COMMENT_SLOT=[PKI_OPEN_STANDALONE_COMMENT] PKI_PIDDIR_SLOT=[PKI_PIDDIR] PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT] PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT] @@ -75,6 +77,7 @@ PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT] PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER] PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF] PKI_SSL_SERVER_NICKNAME_SLOT=[PKI_SSL_SERVER_NICKNAME] +PKI_STANDALONE_SLOT=[PKI_STANDALONE] PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE] PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME] PKI_TMPDIR_SLOT=[PKI_TMPDIR] diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 88f9f780c..46585ec0a 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -367,10 +367,10 @@ pki_ca_signing_signing_algorithm=SHA256withRSA pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s pki_ca_signing_token=Internal Key Storage Token pki_external=False -pki_external_ca_cert_chain_path= -pki_external_ca_cert_path= -pki_external_csr_path= +pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr pki_external_step_two=False +pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert +pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert pki_import_admin_cert=False pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 @@ -420,11 +420,33 @@ pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles ## KRA Configuration: ## ## ## ## Values in this section are common to KRA subsystems ## -## including 'PKI KRAs' and 'Cloned KRAs', and contain ## +## including 'PKI KRAs', 'Cloned KRAs', and 'Stand-alone KRAs' and contain ## ## required information which MAY be overridden by users as necessary. ## +## ## +## STAND-ALONE KRAs: To specify a 'Stand-alone KRA', change the value ## +## of 'pki_standalone' from 'False' to 'True', and ## +## specify the various 'pki_external' parameters ## +## as appropriate. ## +## ## ############################################################################### [KRA] pki_import_admin_cert=True +pki_standalone=False +pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr +pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr +pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr +pki_external_step_two=False +pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert +pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert +pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert +pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert +pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert +pki_external_storage_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.cert +pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert +pki_external_transport_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.cert pki_storage_key_algorithm=SHA256withRSA pki_storage_key_size=2048 pki_storage_key_type=rsa @@ -466,11 +488,33 @@ pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile ## OCSP Configuration: ## ## ## ## Values in this section are common to OCSP subsystems ## -## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ## -## required information which MAY be overridden by users as necessary. ## +## including 'PKI OCSPs', 'Cloned OCSPs', and 'Stand-alone OCSPs' and ## +## contain required information which MAY be overridden by users as ## +## necessary. ## +## ## +## STAND-ALONE OCSPs: To specify a 'Stand-alone OCSP', change the ## +## value of 'pki_standalone' from 'False' to ## +## 'True', and specify the various 'pki_external' ## +## parameters as appropriate. ## +## (NOTE: Stand-alone OCSP is not yet supported!) ## +## ## ############################################################################### [OCSP] pki_import_admin_cert=True +pki_standalone=False +pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr +pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr +pki_external_step_two=False +pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert +pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert +pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert +pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert +pki_external_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.cert +pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert +pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index d98d8ab42..43f5db7bb 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -449,101 +449,119 @@ class ConfigurationFile: self.master_dict['pki_registry_initscript_command'] print + def confirm_external(self): + # ALWAYS defined via 'pkiparser.py' + if config.str2bool(self.master_dict['pki_external']): + # Only allowed for External CA + if self.master_dict['pki_subsystem'] != "CA": + config.pki_log.error(log.PKI_EXTERNAL_UNSUPPORTED_1, + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_EXTERNAL_UNSUPPORTED_1, + self.master_dict['pki_subsystem']) + + def confirm_standalone(self): + # ALWAYS defined via 'pkiparser.py' + if config.str2bool(self.master_dict['pki_standalone']): + # Only allowed for Stand-alone PKI + # + # ADD checks for valid types of Stand-alone PKI subsystems here + # AND to the 'private void validateData(ConfigurationRequest data)' + # Java method located in the file called 'SystemConfigService.java' + # + if self.master_dict['pki_subsystem'] != "KRA": + config.pki_log.error(log.PKI_STANDALONE_UNSUPPORTED_1, + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_STANDALONE_UNSUPPORTED_1, + self.master_dict['pki_subsystem']) + + def confirm_subordinate(self): + # ALWAYS defined via 'pkiparser.py' + if config.str2bool(self.master_dict['pki_subordinate']): + # Only allowed for Subordinate CA + if self.master_dict['pki_subsystem'] != "CA": + config.pki_log.error(log.PKI_SUBORDINATE_UNSUPPORTED_1, + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_SUBORDINATE_UNSUPPORTED_1, + self.master_dict['pki_subsystem']) + + def confirm_external_step_two(self): + # ALWAYS defined via 'pkiparser.py' + if config.str2bool(self.master_dict['pki_external_step_two']): + # Only allowed for External CA or Stand-alone PKI + if self.master_dict['pki_subsystem'] != "CA" and\ + not config.str2bool(self.master_dict['pki_standalone']): + config.pki_log.error(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1, + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1, + self.master_dict['pki_subsystem']) + + def confirm_data_exists(self, param): + if not self.master_dict.has_key(param) or\ + not len(self.master_dict[param]): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + param, + self.master_dict['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % + (param, self.master_dict['pki_user_deployment_cfg'])) + + def confirm_missing_file(self, param): + if os.path.exists(self.master_dict[param]): + config.pki_log.error(log.PKI_FILE_ALREADY_EXISTS_1, + self.master_dict[param], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_FILE_ALREADY_EXISTS_1 % param) + + def confirm_file_exists(self, param): + if not os.path.exists(self.master_dict[param]) or\ + not os.path.isfile(self.master_dict[param]): + config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + self.master_dict[param], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 % param) + def verify_sensitive_data(self): # Silently verify the existence of 'sensitive' data if self.master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: # Verify existence of Directory Server Password # (unless configuration will not be automatically executed) if not config.str2bool(self.master_dict['pki_skip_configuration']): - if not self.master_dict.has_key('pki_ds_password') or\ - not len(self.master_dict['pki_ds_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_ds_password") # Verify existence of Admin Password (except for Clones) if not config.str2bool(self.master_dict['pki_clone']): - if not self.master_dict.has_key('pki_admin_password') or\ - not len(self.master_dict['pki_admin_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_admin_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_admin_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_admin_password") # If required, verify existence of Backup Password if config.str2bool(self.master_dict['pki_backup_keys']): - if not self.master_dict.has_key('pki_backup_password') or\ - not len(self.master_dict['pki_backup_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_backup_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_backup_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_backup_password") # Verify existence of Client Pin for NSS client security databases - if not self.master_dict.has_key('pki_client_database_password') or\ - not len(self.master_dict['pki_client_database_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, - "pki_client_database_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 % ("pki_client_database_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_client_database_password") # Verify existence of Client PKCS #12 Password for Admin Cert - if not self.master_dict.has_key('pki_client_pkcs12_password') or\ - not len(self.master_dict['pki_client_pkcs12_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_client_pkcs12_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_client_pkcs12_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_client_pkcs12_password") # Verify existence of PKCS #12 Password (ONLY for Clones) if config.str2bool(self.master_dict['pki_clone']): - if not self.master_dict.has_key('pki_clone_pkcs12_password') or\ - not len(self.master_dict['pki_clone_pkcs12_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_pkcs12_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_pkcs12_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_clone_pkcs12_password") # Verify existence of Security Domain Password - # (ONLY for Clones, KRA, OCSP, TKS, TPS, or Subordinate CA - # that will be automatically configured) - if config.str2bool(self.master_dict['pki_clone']) or\ - not self.master_dict['pki_subsystem'] == "CA" or\ + # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or + # Subordinate CA that will be automatically configured and + # are not Stand-alone PKI) + if self.master_dict['pki_subsystem'] == "KRA" or\ + self.master_dict['pki_subsystem'] == "OCSP" or\ + self.master_dict['pki_subsystem'] == "TKS" or\ + self.master_dict['pki_subsystem'] == "TPS" or\ + config.str2bool(self.master_dict['pki_clone']) or\ config.str2bool(self.master_dict['pki_subordinate']): - if not config.str2bool(self.master_dict['pki_skip_configuration']): - if not self.master_dict.has_key('pki_security_domain_password') or\ - not len(self.master_dict['pki_security_domain_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_security_domain_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_security_domain_password", - self.master_dict['pki_user_deployment_cfg'])) + if not config.str2bool(self.master_dict['pki_skip_configuration']) and\ + not config.str2bool(self.master_dict['pki_standalone']): + self.confirm_data_exists("pki_security_domain_password") # If required, verify existence of Token Password if not self.master_dict['pki_token_name'] == "internal": - if not self.master_dict.has_key('pki_token_password') or\ - not len(self.master_dict['pki_token_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_token_password", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_token_password", - self.master_dict['pki_user_deployment_cfg'])) + self.confirm_data_exists("pki_token_password") return def verify_mutually_exclusive_data(self): @@ -579,6 +597,15 @@ class ConfigurationFile: self.master_dict['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) raise Exception(log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA % self.master_dict['pki_user_deployment_cfg']) + elif config.str2bool(self.master_dict['pki_standalone']): + if config.str2bool(self.master_dict['pki_clone']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI, + self.master_dict['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI % + self.master_dict['pki_user_deployment_cfg']) def verify_predefined_configuration_file_data(self): # Silently verify the existence of any required 'predefined' data @@ -592,193 +619,105 @@ class ConfigurationFile: # 'True' or 'False', etc.) of ALL required "value" parameters. # if self.master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + self.confirm_external() + self.confirm_standalone() + self.confirm_subordinate() + self.confirm_external_step_two() if config.str2bool(self.master_dict['pki_clone']): # Verify existence of clone parameters - if not self.master_dict.has_key('pki_ds_base_dn') or\ - not len(self.master_dict['pki_ds_base_dn']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_base_dn", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_base_dn", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_ds_ldap_port') or\ - not len(self.master_dict['pki_ds_ldap_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_ldap_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_ldap_port", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_ds_ldaps_port') or\ - not len(self.master_dict['pki_ds_ldaps_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_ldaps_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_ldaps_port", - self.master_dict['pki_user_deployment_cfg'])) - # NOTE: Although this will be checked prior to getting to - # this method, this clone's 'pki_instance_name' MUST - # be different from the master's 'pki_instance_name' - # IF AND ONLY IF the master and clone are located on - # the same host! - if not self.master_dict.has_key('pki_ajp_port') or\ - not len(self.master_dict['pki_ajp_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ajp_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ajp_port", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_http_port') or\ - not len(self.master_dict['pki_http_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_http_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_http_port", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_https_port') or\ - not len(self.master_dict['pki_https_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_https_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_https_port", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_tomcat_server_port') or\ - not len(self.master_dict['pki_tomcat_server_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_tomcat_server_port", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_tomcat_server_port", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_clone_pkcs12_path') or\ - not len(self.master_dict['pki_clone_pkcs12_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_pkcs12_path", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_pkcs12_path", - self.master_dict['pki_user_deployment_cfg'])) - elif not os.path.isfile(self.master_dict['pki_clone_pkcs12_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - self.master_dict['pki_clone_pkcs12_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 % "pki_clone_pkcs12_path") - if not self.master_dict.has_key('pki_clone_replication_security') or\ - not len(self.master_dict['pki_clone_replication_security']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_replication_security", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_replication_security", - self.master_dict['pki_user_deployment_cfg'])) - if not self.master_dict.has_key('pki_clone_uri') or\ - not len(self.master_dict['pki_clone_uri']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_uri", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_uri", - self.master_dict['pki_user_deployment_cfg'])) - elif self.master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(self.master_dict['pki_external']): - if not self.master_dict.has_key('pki_external_step_two') or\ - not len(self.master_dict['pki_external_step_two']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_step_two", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_step_two", - self.master_dict['pki_user_deployment_cfg'])) + # + # NOTE: Although this will be checked prior to getting to + # this method, this clone's 'pki_instance_name' MUST + # be different from the master's 'pki_instance_name' + # IF AND ONLY IF the master and clone are located on + # the same host! + # + self.confirm_data_exists("pki_ds_base_dn") + # FUTURE: Check for unused port value(s) + # (e. g. - must be different from master if the + # master is located on the same host) + self.confirm_data_exists("pki_ds_ldap_port") + self.confirm_data_exists("pki_ds_ldaps_port") + self.confirm_data_exists("pki_ajp_port") + self.confirm_data_exists("pki_http_port") + self.confirm_data_exists("pki_https_port") + self.confirm_data_exists("pki_tomcat_server_port") + self.confirm_data_exists("pki_clone_pkcs12_path") + self.confirm_file_exists("pki_clone_pkcs12_path") + self.confirm_data_exists("pki_clone_replication_security") + self.confirm_data_exists("pki_clone_uri") + elif config.str2bool(self.master_dict['pki_external']): + # External CA if not config.str2bool(self.master_dict['pki_external_step_two']): # External CA (Step 1) - if not self.master_dict.has_key('pki_external_csr_path') or\ - not len(self.master_dict['pki_external_csr_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_csr_path", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_csr_path", - self.master_dict['pki_user_deployment_cfg'])) - elif os.path.exists(self.master_dict['pki_external_csr_path']) and\ - not os.path.isfile(self.master_dict['pki_external_csr_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - self.master_dict['pki_external_csr_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_csr_path") + self.confirm_data_exists("pki_external_csr_path") + self.confirm_missing_file("pki_external_csr_path") else: # External CA (Step 2) - if not self.master_dict.has_key('pki_external_ca_cert_chain_path') or\ - not len(self.master_dict['pki_external_ca_cert_chain_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_ca_cert_chain_path", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_ca_cert_chain_path", - self.master_dict['pki_user_deployment_cfg'])) - elif os.path.exists( - self.master_dict['pki_external_ca_cert_chain_path']) and\ - not os.path.isfile( - self.master_dict['pki_external_ca_cert_chain_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - self.master_dict['pki_external_ca_cert_chain_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_ca_cert_chain_path") - if not self.master_dict.has_key('pki_external_ca_cert_path') or\ - not len(self.master_dict['pki_external_ca_cert_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_ca_cert_path", - self.master_dict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_ca_cert_path", - self.master_dict['pki_user_deployment_cfg'])) - elif os.path.exists(self.master_dict['pki_external_ca_cert_path']) and\ - not os.path.isfile( - self.master_dict['pki_external_ca_cert_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - self.master_dict['pki_external_ca_cert_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_ca_cert_path") + self.confirm_data_exists("pki_external_ca_cert_chain_path") + self.confirm_file_exists("pki_external_ca_cert_chain_path") + self.confirm_data_exists("pki_external_ca_cert_path") + self.confirm_file_exists("pki_external_ca_cert_path") + elif not config.str2bool(self.master_dict['pki_skip_configuration']) and\ + config.str2bool(self.master_dict['pki_standalone']): + if not config.str2bool(self.master_dict['pki_external_step_two']): + # Stand-alone PKI Admin CSR (Step 1) + self.confirm_data_exists("pki_external_admin_csr_path") + self.confirm_missing_file("pki_external_admin_csr_path") + # Stand-alone PKI Audit Signing CSR (Step 1) + self.confirm_data_exists("pki_external_audit_signing_csr_path") + self.confirm_missing_file("pki_external_audit_signing_csr_path") + # Stand-alone PKI SSL Server CSR (Step 1) + self.confirm_data_exists("pki_external_sslserver_csr_path") + self.confirm_missing_file("pki_external_sslserver_csr_path") + # Stand-alone PKI Subsystem CSR (Step 1) + self.confirm_data_exists("pki_external_subsystem_csr_path") + self.confirm_missing_file("pki_external_subsystem_csr_path") + # Stand-alone PKI KRA CSRs + if self.master_dict['pki_subsystem'] == "KRA": + # Stand-alone PKI KRA Storage CSR (Step 1) + self.confirm_data_exists("pki_external_storage_csr_path") + self.confirm_missing_file("pki_external_storage_csr_path") + # Stand-alone PKI KRA Transport CSR (Step 1) + self.confirm_data_exists("pki_external_transport_csr_path") + self.confirm_missing_file("pki_external_transport_csr_path") + # Stand-alone PKI OCSP CSRs + if self.master_dict['pki_subsystem'] == "OCSP": + # Stand-alone PKI OCSP OCSP Signing CSR (Step 1) + self.confirm_data_exists("pki_external_signing_csr_path") + self.confirm_missing_file("pki_external_signing_csr_path") + else: + # Stand-alone PKI External CA Certificate Chain (Step 2) + self.confirm_data_exists("pki_external_ca_cert_chain_path") + self.confirm_file_exists("pki_external_ca_cert_chain_path") + # Stand-alone PKI External CA Certificate (Step 2) + self.confirm_data_exists("pki_external_ca_cert_path") + self.confirm_file_exists("pki_external_ca_cert_path") + # Stand-alone PKI Admin Certificate (Step 2) + self.confirm_data_exists("pki_external_admin_cert_path") + self.confirm_file_exists("pki_external_admin_cert_path") + # Stand-alone PKI Audit Signing Certificate (Step 2) + self.confirm_data_exists("pki_external_audit_signing_cert_path") + self.confirm_file_exists("pki_external_audit_signing_cert_path") + # Stand-alone PKI SSL Server Certificate (Step 2) + self.confirm_data_exists("pki_external_sslserver_cert_path") + self.confirm_file_exists("pki_external_sslserver_cert_path") + # Stand-alone PKI Subsystem Certificate (Step 2) + self.confirm_data_exists("pki_external_subsystem_cert_path") + self.confirm_file_exists("pki_external_subsystem_cert_path") + # Stand-alone PKI KRA Certificates + if self.master_dict['pki_subsystem'] == "KRA": + # Stand-alone PKI KRA Storage Certificate (Step 2) + self.confirm_data_exists("pki_external_storage_cert_path") + self.confirm_file_exists("pki_external_storage_cert_path") + # Stand-alone PKI KRA Transport Certificate (Step 2) + self.confirm_data_exists("pki_external_transport_cert_path") + self.confirm_file_exists("pki_external_transport_cert_path") + # Stand-alone PKI OCSP Certificates + if self.master_dict['pki_subsystem'] == "OCSP": + # Stand-alone PKI OCSP OCSP Signing Certificate (Step 2) + self.confirm_data_exists("pki_external_signing_cert_path") + self.confirm_file_exists("pki_external_signing_cert_path") return def populate_non_default_ports(self): @@ -3235,37 +3174,115 @@ class ConfigClient: if self.master_dict['pki_subsystem'] == "CA" and\ config.str2bool(self.master_dict['pki_external']) and\ not config.str2bool(self.master_dict['pki_external_step_two']): - # External CA Step 1 + # External CA (Step 1) if cdata['tag'].lower() == "signing": - config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \ - " " + cdata['request'], - extra=config.PKI_INDENTATION_LEVEL_2) - # Save 'External CA Signing Certificate' CSR (Step 1) config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE + \ " '" + self.master_dict['pki_external_csr_path'] + "'", extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \ + "\n" + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) self.deployer.directory.create( os.path.dirname(self.master_dict['pki_external_csr_path'])) with open(self.master_dict['pki_external_csr_path'], "w") as f: f.write(cdata['request']) return + elif config.str2bool(self.master_dict['pki_standalone']) and\ + not config.str2bool(self.master_dict['pki_external_step_two']): + # Stand-alone PKI (Step 1) + if cdata['tag'].lower() == "audit_signing": + # Save Stand-alone PKI 'Audit Signing Certificate' CSR + # (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 + \ + " '" + self.master_dict['pki_external_audit_signing_csr_path'] + "'", + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_audit_signing_csr_path'])) + with open(self.master_dict['pki_external_audit_signing_csr_path'], "w") as f: + f.write(cdata['request']) + elif cdata['tag'].lower() == "signing": + # Save Stand-alone PKI OCSP 'OCSP Signing Certificate' + # CSR (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING + \ + " '" + self.master_dict['pki_external_signing_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_signing_csr_path'])) + with open(self.master_dict['pki_external_signing_csr_path'], "w") as f: + f.write(cdata['request']) + elif cdata['tag'].lower() == "sslserver": + # Save Stand-alone PKI 'SSL Server Certificate' CSR + # (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 + \ + " '" + self.master_dict['pki_external_sslserver_csr_path'] + "'", + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_sslserver_csr_path'])) + with open(self.master_dict['pki_external_sslserver_csr_path'], "w") as f: + f.write(cdata['request']) + elif cdata['tag'].lower() == "storage": + # Save Stand-alone PKI KRA 'Storage Certificate' CSR + # (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE + \ + " '" + self.master_dict['pki_external_storage_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_storage_csr_path'])) + with open(self.master_dict['pki_external_storage_csr_path'], "w") as f: + f.write(cdata['request']) + elif cdata['tag'].lower() == "subsystem": + # Save Stand-alone PKI 'Subsystem Certificate' CSR + # (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 + \ + " '" + self.master_dict['pki_external_subsystem_csr_path'] + "'", + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_subsystem_csr_path'])) + with open(self.master_dict['pki_external_subsystem_csr_path'], "w") as f: + f.write(cdata['request']) + elif cdata['tag'].lower() == "transport": + # Save Stand-alone PKI KRA 'Transport Certificate' CSR + # (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT + \ + " '" + self.master_dict['pki_external_transport_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_transport_csr_path'])) + with open(self.master_dict['pki_external_transport_csr_path'], "w") as f: + f.write(cdata['request']) + # Print this certificate request + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \ + "\n" + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) else: config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG + \ " " + cdata['tag'], extra=config.PKI_INDENTATION_LEVEL_2) config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT + \ - " " + cdata['cert'], + "\n" + cdata['cert'], extra=config.PKI_INDENTATION_LEVEL_2) config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST + \ - " " + cdata['request'], + "\n" + cdata['request'], extra=config.PKI_INDENTATION_LEVEL_2) # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(self.master_dict['pki_clone']) and \ - not config.str2bool(self.master_dict['pki_import_admin_cert']): - admin_cert = response['adminCert']['cert'] - self.process_admin_cert(admin_cert) + if not config.str2bool(self.master_dict['pki_clone']): + if config.str2bool(self.master_dict['pki_standalone']): + if not config.str2bool(self.master_dict['pki_external_step_two']): + # NOTE: Do nothing for Stand-alone PKI (Step 1) + # as this has already been addressed + # in 'set_admin_parameters()' + pass + else: + admin_cert = response['adminCert']['cert'] + self.process_admin_cert(admin_cert) + elif not config.str2bool(self.master_dict['pki_import_admin_cert']): + admin_cert = response['adminCert']['cert'] + self.process_admin_cert(admin_cert) except Exception, e: if hasattr(e, 'response'): @@ -3284,14 +3301,15 @@ class ConfigClient: def process_admin_cert(self, admin_cert): config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT + \ - " " + admin_cert, + "\n" + admin_cert, extra=config.PKI_INDENTATION_LEVEL_2) # Store the Administration Certificate in a file admin_cert_file = self.master_dict['pki_client_admin_cert'] admin_cert_bin_file = admin_cert_file + ".der" - config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE + \ - " '" + admin_cert_file + "'", + config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE_1 + \ + " '" + admin_cert_file + "'", + self.master_dict['pki_subsystem_name'], extra=config.PKI_INDENTATION_LEVEL_2) with open(admin_cert_file, "w") as f: f.write(admin_cert) @@ -3350,6 +3368,8 @@ class ConfigClient: # Miscellaneous Configuration Information data.pin = self.master_dict['pki_one_time_pin'] data.subsystemName = self.master_dict['pki_subsystem_name'] + data.standAlone = self.master_dict['pki_standalone'] + data.stepTwo = self.master_dict['pki_external_step_two'] # Cloning parameters if self.master_dict['pki_instance_type'] == "Tomcat": @@ -3362,15 +3382,16 @@ class ConfigClient: self.set_hierarchy_parameters(data) # Security Domain - if self.master_dict['pki_subsystem'] != "CA" or\ - config.str2bool(self.master_dict['pki_clone']) or\ - config.str2bool(self.master_dict['pki_subordinate']): + if ((self.master_dict['pki_subsystem'] != "CA" or + config.str2bool(self.master_dict['pki_clone']) or + config.str2bool(self.master_dict['pki_subordinate'])) and + (not config.str2bool(self.master_dict['pki_standalone']))): # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or # Subordinate CA self.set_existing_security_domain(data) else: - # PKI CA or External CA + # PKI CA, External CA, or Stand-alone PKI self.set_new_security_domain(data) # database @@ -3401,35 +3422,61 @@ class ConfigClient: systemCerts = [] # Create 'CA Signing Certificate' - if self.master_dict['pki_subsystem'] == "CA": - if not config.str2bool(self.master_dict['pki_clone']): - cert1 = self.create_system_cert("ca_signing") - cert1.signingAlgorithm = \ - self.master_dict['pki_ca_signing_signing_algorithm'] + if not config.str2bool(self.master_dict['pki_clone']): + if self.master_dict['pki_subsystem'] == "CA" or\ + config.str2bool(self.master_dict['pki_standalone']): + if self.master_dict['pki_subsystem'] == "CA": + # PKI CA, Subordinate CA, or External CA + cert1 = self.create_system_cert("ca_signing") + cert1.signingAlgorithm = \ + self.master_dict['pki_ca_signing_signing_algorithm'] if config.str2bool(self.master_dict['pki_external_step_two']): - # Load the 'External CA Signing Certificate' (Step 2) - print( - log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " + \ - "'" + self.master_dict['pki_external_ca_cert_path'] + "'") - with open(self.master_dict['pki_external_ca_cert_path']) as f: - external_cert = f.read() - cert1.cert = external_cert - - # Load the 'External CA Signing Certificate Chain' (Step 2) - print( - log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " + \ - "'" + self.master_dict['pki_external_ca_cert_chain_path'] + \ - "'") - with open(self.master_dict['pki_external_ca_cert_chain_path']) as f: - external_cert_chain = f.read() - - cert1.certChain = external_cert_chain - systemCerts.append(cert1) + # External CA (Step 2) or Stand-alone PKI (Step 2) + if not self.master_dict['pki_subsystem'] == "CA": + # Stand-alone PKI (Step 2) + cert1 = pki.system.SystemCertData() + cert1.tag = self.master_dict['pki_ca_signing_tag'] + # Load the External CA or Stand-alone PKI + # 'External CA Signing Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CA_LOAD + " '" + + self.master_dict['pki_external_ca_cert_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_ca_cert_path'], "r") as f: + cert1.cert = f.read() + # Load the External CA or Stand-alone PKI + # 'External CA Signing Certificate Chain' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " '" + + self.master_dict['pki_external_ca_cert_chain_path'] + + "'", extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_ca_cert_chain_path'], "r") as f: + cert1.certChain = f.read() + systemCerts.append(cert1) + elif self.master_dict['pki_subsystem'] == "CA": + # PKI CA or Subordinate CA + systemCerts.append(cert1) # Create 'OCSP Signing Certificate' if not config.str2bool(self.master_dict['pki_clone']): - if self.master_dict['pki_subsystem'] == "CA" or\ - self.master_dict['pki_subsystem'] == "OCSP": + if ((self.master_dict['pki_subsystem'] == "OCSP" and + config.str2bool(self.master_dict['pki_standalone'])) and + config.str2bool(self.master_dict['pki_external_step_two'])): + # Stand-alone PKI OCSP (Step 2) + cert2 = self.create_system_cert("ocsp_signing") + # Load the Stand-alone PKI OCSP 'OCSP Signing Certificate' + # (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_OCSP_SIGNING + " '" + + self.master_dict['pki_external_signing_cert_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_signing_cert_path'], "r") as f: + cert2.cert = f.read() + cert2.signingAlgorithm = \ + self.master_dict['pki_ocsp_signing_signing_algorithm'] + systemCerts.append(cert2) + elif self.master_dict['pki_subsystem'] == "CA" or\ + self.master_dict['pki_subsystem'] == "OCSP": # External CA, Subordinate CA, PKI CA, or PKI OCSP cert2 = self.create_system_cert("ocsp_signing") cert2.signingAlgorithm = \ @@ -3440,9 +3487,22 @@ class ConfigClient: # all subsystems # create new sslserver cert only if this is a new instance - cert3 = None system_list = self.deployer.instance.tomcat_instance_subsystems() - if len(system_list) >= 2: + if (config.str2bool(self.master_dict['pki_standalone']) and + config.str2bool(self.master_dict['pki_external_step_two'])): + # Stand-alone PKI (Step 2) + cert3 = self.create_system_cert("ssl_server") + # Load the Stand-alone PKI 'SSL Server Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SSLSERVER_1 + " '" + + self.master_dict['pki_external_sslserver_cert_path'] + "'", + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_sslserver_cert_path'], "r") as f: + cert3.cert = f.read() + systemCerts.append(cert3) + elif len(system_list) >= 2: + # Existing PKI Instance data.generateServerCert = "false" for subsystem in system_list: dst = self.master_dict['pki_instance_path'] + '/conf/' + \ @@ -3450,30 +3510,90 @@ class ConfigClient: if subsystem != self.master_dict['pki_subsystem'] and \ os.path.exists(dst): cert3 = self.retrieve_existing_server_cert(dst) + systemCerts.append(cert3) break else: + # PKI CA, PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, + # Subordinate CA, or External CA cert3 = self.create_system_cert("ssl_server") - systemCerts.append(cert3) + systemCerts.append(cert3) # Create 'Subsystem Certificate' if not config.str2bool(self.master_dict['pki_clone']): - cert4 = self.create_system_cert("subsystem") - systemCerts.append(cert4) + if (config.str2bool(self.master_dict['pki_standalone']) and + config.str2bool(self.master_dict['pki_external_step_two'])): + # Stand-alone PKI (Step 2) + cert4 = self.create_system_cert("subsystem") + # Load the Stand-alone PKI 'Subsystem Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 + " '" + + self.master_dict['pki_external_subsystem_cert_path'] + "'", + self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_subsystem_cert_path'], "r") as f: + cert4.cert = f.read() + systemCerts.append(cert4) + else: + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # Subordinate CA, or External CA + cert4 = self.create_system_cert("subsystem") + systemCerts.append(cert4) # Create 'Audit Signing Certificate' if not config.str2bool(self.master_dict['pki_clone']): - if self.master_dict['pki_subsystem'] != "RA": + if (config.str2bool(self.master_dict['pki_standalone']) and + config.str2bool(self.master_dict['pki_external_step_two'])): + # Stand-alone PKI (Step 2) + cert5 = self.create_system_cert("audit_signing") + # Load the Stand-alone PKI 'Audit Signing Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 + + " '" + + self.master_dict['pki_external_audit_signing_cert_path'] + + "'", self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_audit_signing_cert_path'], "r") as f: + cert5.cert = f.read() + cert5.signingAlgorithm = \ + self.master_dict['pki_audit_signing_signing_algorithm'] + systemCerts.append(cert5) + elif self.master_dict['pki_subsystem'] != "RA": cert5 = self.create_system_cert("audit_signing") cert5.signingAlgorithm = \ self.master_dict['pki_audit_signing_signing_algorithm'] systemCerts.append(cert5) - # Create DRM Transport and storage Certificates + # Create 'DRM Transport Certificate' and 'DRM Storage Certificate' if not config.str2bool(self.master_dict['pki_clone']): - if self.master_dict['pki_subsystem'] == "KRA": + if ((self.master_dict['pki_subsystem'] == "KRA" and + config.str2bool(self.master_dict['pki_standalone'])) and + config.str2bool(self.master_dict['pki_external_step_two'])): + # Stand-alone PKI KRA Transport Certificate (Step 2) cert6 = self.create_system_cert("transport") + # Load the Stand-alone PKI KRA 'Transport Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_TRANSPORT + " '" + + self.master_dict['pki_external_transport_cert_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_transport_cert_path'], "r") as f: + cert6.cert = f.read() systemCerts.append(cert6) - + # Stand-alone PKI KRA Storage Certificate (Step 2) + cert7 = self.create_system_cert("storage") + # Load the Stand-alone PKI KRA 'Storage Certificate' (Step 2) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_STORAGE + " '" + + self.master_dict['pki_external_storage_cert_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(self.master_dict['pki_external_storage_cert_path'], "r") as f: + cert7.cert = f.read() + systemCerts.append(cert7) + elif self.master_dict['pki_subsystem'] == "KRA": + # PKI KRA Transport Certificate + cert6 = self.create_system_cert("transport") + systemCerts.append(cert6) + # PKI KRA Storage Certificate cert7 = self.create_system_cert("storage") systemCerts.append(cert7) @@ -3550,10 +3670,37 @@ class ConfigClient: data.adminProfileID = self.master_dict['pki_admin_profile_id'] data.adminUID = self.master_dict['pki_admin_uid'] data.adminSubjectDN = self.master_dict['pki_admin_subject_dn'] + if config.str2bool(self.master_dict['pki_standalone']): + if not config.str2bool(self.master_dict['pki_external_step_two']): + # IMPORTANT: ALWAYS set 'pki_import_admin_cert' FALSE for + # Stand-alone PKI (Step 1) + self.master_dict['pki_import_admin_cert'] = "False" + else: + # IMPORTANT: ALWAYS set 'pki_import_admin_cert' TRUE for + # Stand-alone PKI (Step 2) + self.master_dict['pki_import_admin_cert'] = "True" if config.str2bool(self.master_dict['pki_import_admin_cert']): data.importAdminCert = "true" + if config.str2bool(self.master_dict['pki_standalone']): + # Stand-alone PKI (Step 2) + # + # Copy the Stand-alone PKI 'Admin Certificate' + # (that was previously generated via an external CA) into + # 'ca_admin.cert' under the specified 'pki_client_dir' + # stripping the certificate HEADER/FOOTER prior to saving it. + imported_admin_cert = "" + with open(self.master_dict['pki_external_admin_cert_path'], "r") as f: + for line in f: + if line.startswith("-----BEGIN CERTIFICATE-----"): + continue + elif line.startswith("-----END CERTIFICATE-----"): + continue + else: + imported_admin_cert = imported_admin_cert + line + with open(self.master_dict['pki_admin_cert_file'], "w") as f: + f.write(imported_admin_cert) # read config from file - with open(self.master_dict['pki_admin_cert_file']) as f: + with open(self.master_dict['pki_admin_cert_file'], "r") as f: b64 = f.read().replace('\n', '') data.adminCert = b64 else: @@ -3591,7 +3738,41 @@ class ConfigClient: extra=config.PKI_INDENTATION_LEVEL_2) raise - with open(output_file + ".asc") as f: + if config.str2bool(self.master_dict['pki_standalone']): + if not config.str2bool(self.master_dict['pki_external_step_two']): + # For convenience and consistency, save a copy of + # the Stand-alone PKI 'Admin Certificate' CSR to the + # specified "pki_external_admin_csr_path" location + # (Step 1) + config.pki_log.info( + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 + \ + " '" + \ + self.master_dict['pki_external_admin_csr_path'] + \ + "'", self.master_dict['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.master_dict['pki_external_admin_csr_path'])) + with open(self.master_dict['pki_external_admin_csr_path'], "w") as f: + f.write("-----BEGIN CERTIFICATE REQUEST-----\n") + admin_certreq = None + with open(os.path.join( + self.master_dict['pki_client_database_dir'], + "admin_pkcs10.bin.asc"), "r") as f: + admin_certreq = f.read() + with open(self.master_dict['pki_external_admin_csr_path'], "a") as f: + f.write(admin_certreq) + f.write("-----END CERTIFICATE REQUEST-----") + # Read in and print Admin certificate request + with open(self.master_dict['pki_external_admin_csr_path'], "r") as f: + admin_certreq = f.read() + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \ + "\n" + admin_certreq, + extra=config.PKI_INDENTATION_LEVEL_2) + # IMPORTANT: ALWAYS save the client database for + # Stand-alone PKI (Step 1) + self.master_dict['pki_client_database_purge'] = "False" + + with open(output_file + ".asc", "r") as f: b64 = f.read().replace('\n', '') data.adminCertRequest = b64 @@ -3606,12 +3787,8 @@ class ConfigClient: config.str2bool(self.master_dict['pki_external']): # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, - # Subordinate CA, or External CA + # Subordinate CA, External CA, or Stand-alone PKI data.issuingCA = self.master_dict['pki_issuing_ca'] - if self.master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(self.master_dict['pki_external_step_two']): - # External CA Step 2 - data.stepTwo = "true" def set_tps_parameters(self, data): data.caUri = self.master_dict['pki_ca_uri'] diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py index 5e996667d..7e98ff052 100644 --- a/base/server/python/pki/server/deployment/pkimessages.py +++ b/base/server/python/pki/server/deployment/pkimessages.py @@ -57,6 +57,10 @@ PKI_VERBOSITY = \ PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!" PKI_CONFIGURATION_RESTART_1 = " After configuration, the server can be "\ "operated by the command:\n %s" +PKI_CONFIGURATION_STANDALONE_1 = " Please obtain the necessary "\ + "certificates for this stand-alone %s,\n"\ + " and re-run the configuration for "\ + "step two." PKI_CONFIGURATION_URL_1 = " Please start the configuration by accessing:\n %s" PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\ "operated by the command:\n%s" @@ -86,6 +90,14 @@ PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ "already exists!" PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ "does NOT exist!" +PKI_EXTERNAL_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\ + "the 'pki_external' parameter!" +PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\ + "the 'pki_external_step_two' parameter!" +PKI_STANDALONE_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\ + "the 'pki_standalone' parameter!" +PKI_SUBORDINATE_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\ + "the 'pki_subordinate' parameter!" PKI_IOERROR_1 = "IOError: %s!" PKI_KEYERROR_1 = "KeyError: %s!" @@ -215,6 +227,9 @@ PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ "CAs, and subordinate CAs"\ "MUST ALL be MUTUALLY "\ "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI = "cloned PKIs and "\ + "stand-alone PKIs MUST be "\ + "MUTUALLY EXCLUSIVE in '%s'" PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ "CAs MUST be MUTUALLY "\ "EXCLUSIVE in '%s'" @@ -298,8 +313,8 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" -PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" -PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" +PKI_CONFIG_ADMIN_CERT_SAVE_1 = "saving %s Admin Certificate to file:" +PKI_CONFIG_ADMIN_CERT_ATOB_1 = "converting %s Admin Certificate to binary:" PKI_CONFIG_CDATA_TAG = "tag:" PKI_CONFIG_CDATA_CERT = "cert:" PKI_CONFIG_CDATA_REQUEST = "request:" @@ -311,7 +326,32 @@ PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ "from file:" PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ "chain from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_STORAGE = "loading external CA signed KRA "\ + "Storage certificate from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_TRANSPORT = "loading external CA signed KRA "\ + "Transport certificate from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_OCSP_SIGNING = "loading external CA signed OCSP "\ + "Signing certificate from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SSLSERVER_1 = "loading external CA signed "\ + "%s SSL Server certificate "\ + "from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 = "loading external CA signed "\ + "%s Subsystem certificate "\ + "from file:" +PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 = "loading external CA "\ + "signed %s Audit Signing "\ + "certificate from file:" PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE = "saving KRA Storage CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT = "saving KRA Transport CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING = "saving OCSP Signing CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 = "saving %s Admin CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 = "saving %s Audit Signing "\ + "CSR to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 = "saving %s SSL Server CSR "\ + "to file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 = "saving %s Subsystem CSR "\ + "to file:" PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION = \ "Exception from Java Configuration Servlet:" PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index ba9c5b836..77004b737 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -535,6 +535,20 @@ class PKIConfigParser: pkilogging.sensitive_parameters = self.pki_master_dict['sensitive_parameters'].split() + # Always create "false" values for these missing "boolean" keys + if not self.pki_master_dict.has_key('pki_external') or\ + not len(self.pki_master_dict['pki_external']): + self.pki_master_dict['pki_external'] = "false" + if not self.pki_master_dict.has_key('pki_external_step_two') or\ + not len(self.pki_master_dict['pki_external_step_two']): + self.pki_master_dict['pki_external_step_two'] = "false" + if not self.pki_master_dict.has_key('pki_standalone') or\ + not len(self.pki_master_dict['pki_standalone']): + self.pki_master_dict['pki_standalone'] = "false" + if not self.pki_master_dict.has_key('pki_subordinate') or\ + not len(self.pki_master_dict['pki_subordinate']): + self.pki_master_dict['pki_subordinate'] = "false" + # PKI Target (slot substitution) name/value pairs self.pki_master_dict['pki_target_cs_cfg'] = \ os.path.join( @@ -543,10 +557,10 @@ class PKIConfigParser: self.pki_master_dict['pki_target_registry'] = \ os.path.join(self.pki_master_dict['pki_instance_registry_path'], self.pki_master_dict['pki_instance_name']) - if self.pki_master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(self.pki_master_dict['pki_external_step_two']): - # Use the 'pki_one_time_pin' established during the setup of - # External CA Step 1 + if (config.str2bool(self.pki_master_dict['pki_external_step_two'])): + # For CA (External CA Step 2) and Stand-alone PKI (Step 2), + # use the 'pki_one_time_pin' established during the setup + # of (Step 1) if os.path.exists(self.pki_master_dict['pki_target_cs_cfg'])\ and\ os.path.isfile(self.pki_master_dict['pki_target_cs_cfg']): @@ -807,6 +821,19 @@ class PKIConfigParser: "<!--" self.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] = \ "<!--" + if (config.str2bool(self.pki_master_dict['pki_standalone'])): + # Stand-alone PKI + self.pki_master_dict['PKI_CLOSE_STANDALONE_COMMENT_SLOT'] = \ + "" + self.pki_master_dict['PKI_OPEN_STANDALONE_COMMENT_SLOT'] = \ + "" + self.pki_master_dict['PKI_STANDALONE_SLOT'] = "true" + else: + self.pki_master_dict['PKI_CLOSE_STANDALONE_COMMENT_SLOT'] = \ + "-->" + self.pki_master_dict['PKI_OPEN_STANDALONE_COMMENT_SLOT'] = \ + "<!--" + self.pki_master_dict['PKI_STANDALONE_SLOT'] = "false" self.pki_master_dict['PKI_TMPDIR_SLOT'] = \ self.pki_master_dict['pki_tomcat_tmpdir_path'] self.pki_master_dict['PKI_RESTEASY_LIB_SLOT'] = \ @@ -1026,9 +1053,14 @@ class PKIConfigParser: else: self.pki_master_dict['pki_security_domain_user'] = "caadmin" - if config.pki_subsystem != "CA" or\ - config.str2bool(self.pki_master_dict['pki_clone']) or\ - config.str2bool(self.pki_master_dict['pki_subordinate']): + if not config.str2bool(self.pki_master_dict['pki_skip_configuration']) and\ + (config.str2bool(self.pki_master_dict['pki_standalone'])): + # Stand-alone PKI + self.pki_master_dict['pki_security_domain_type'] = "new" + self.pki_master_dict['pki_issuing_ca'] = "External CA" + elif config.pki_subsystem != "CA" or\ + config.str2bool(self.pki_master_dict['pki_clone']) or\ + config.str2bool(self.pki_master_dict['pki_subordinate']): # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or # Subordinate CA @@ -1084,8 +1116,15 @@ class PKIConfigParser: if not 'pki_import_admin_cert' in self.pki_master_dict: self.pki_master_dict['pki_import_admin_cert'] = 'false' + elif not config.str2bool(self.pki_master_dict['pki_skip_configuration']) and\ + (config.str2bool(self.pki_master_dict['pki_standalone'])): + # Stand-alone PKI + self.pki_master_dict['pki_import_admin_cert'] = 'false' - self.pki_master_dict['pki_ca_signing_tag'] = "signing" + if (config.str2bool(self.pki_master_dict['pki_standalone'])): + self.pki_master_dict['pki_ca_signing_tag'] = "external_signing" + else: + self.pki_master_dict['pki_ca_signing_tag'] = "signing" if self.pki_master_dict['pki_subsystem'] == "CA": self.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" elif self.pki_master_dict['pki_subsystem'] == "OCSP": diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 004d8c28d..465ccc56e 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -35,6 +35,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def spawn(self, deployer): + # ALWAYS establish the following Tomcat instance symbolic link since + # this link is required by both automatic pkispawn instance + # configuration as well as manual browser GUI instance configuration + deployer.symlink.create(deployer.master_dict['pki_systemd_service'], + deployer.master_dict['pki_systemd_service_link']) + if config.str2bool(deployer.master_dict['pki_skip_configuration']): config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) @@ -70,8 +76,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.master_dict['pki_client_key_database'], deployer.master_dict['pki_client_secmod_database'], password_file=deployer.master_dict['pki_client_password_conf']) - deployer.symlink.create(deployer.master_dict['pki_systemd_service'], - deployer.master_dict['pki_systemd_service_link']) # Start/Restart this Apache/Tomcat PKI Process if deployer.master_dict['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py index 0573c24ef..5186baa40 100644 --- a/base/server/python/pki/server/deployment/scriptlets/finalization.py +++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py @@ -32,9 +32,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def spawn(self, deployer): - if deployer.master_dict['pki_subsystem'] == "CA" and\ + if (deployer.master_dict['pki_subsystem'] == "CA" or + config.str2bool(deployer.master_dict['pki_standalone'])) and\ config.str2bool(deployer.master_dict['pki_external_step_two']): - # must check for 'External CA Step 2' installation PRIOR to + # For External CAs (Step 2), or Stand-alone PKIs (Step 2), + # must check for (Step 2) installation PRIOR to # 'pki_skip_installation' since this value has been set to true # by the initialization scriptlet pass diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py index ecfb4d195..d9d1d2d7b 100644 --- a/base/server/python/pki/server/deployment/scriptlets/initialization.py +++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py @@ -43,10 +43,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): else: config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if deployer.master_dict['pki_subsystem'] == "CA" and\ + if (deployer.master_dict['pki_subsystem'] == "CA" or + config.str2bool(deployer.master_dict['pki_standalone'])) and\ config.str2bool(deployer.master_dict['pki_external_step_two']): - # verify that this type of "subsystem" currently EXISTS - # for this "instance" (External CA Step 2) + # verify that this External CA (Step 2), or Stand-alone PKI + # (Step 2) currently EXISTS for this "instance" deployer.instance.verify_subsystem_exists() deployer.master_dict['pki_skip_installation'] = "True" else: diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index d0ac96716..d048147e3 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -416,9 +416,14 @@ def main(argv): print 'ERROR: Unable to access directory server: ' + e.message['desc'] sys.exit(1) - if config.pki_subsystem != "CA" or\ - config.str2bool(parser.pki_master_dict['pki_clone']) or\ - config.str2bool(parser.pki_master_dict['pki_subordinate']): + if ((config.pki_subsystem == "KRA" or + config.pki_subsystem == "OCSP") and + not config.str2bool(parser.pki_master_dict['pki_standalone'])) or\ + config.pki_subsystem == "TKS" or\ + config.pki_subsystem == "TPS" or\ + config.str2bool(parser.pki_master_dict['pki_clone']) or\ + (config.pki_subsystem == "CA" and + config.str2bool(parser.pki_master_dict['pki_subordinate'])): try: # Verify existence of Security Domain Password if not parser.pki_master_dict.has_key('pki_security_domain_password') or\ @@ -486,17 +491,25 @@ def print_install_information(pki_master_dict): else: print " Administrator's username: %s" % pki_master_dict['pki_admin_uid'] if os.path.isfile(pki_master_dict['pki_client_admin_cert_p12']): - print " Administrator's PKCS #12 file:\n %s" % (pki_master_dict['pki_client_dir'] + '/ca_admin_cert.p12') + print " Administrator's PKCS #12 file:\n %s" % pki_master_dict['pki_client_admin_cert_p12'] if not config.str2bool(pki_master_dict['pki_client_database_purge']): print - print " Administrator's certificate nickname: %s" % pki_master_dict['pki_admin_nickname'] + print " Administrator's certificate nickname:\n %s" % pki_master_dict['pki_admin_nickname'] print " Administrator's certificate database:\n %s" % pki_master_dict['pki_client_database_dir'] print print log.PKI_CHECK_STATUS_MESSAGE % pki_master_dict['pki_instance_name'] print log.PKI_INSTANCE_RESTART_MESSAGE % pki_master_dict['pki_instance_name'] - print log.PKI_ACCESS_URL % (pki_master_dict['pki_hostname'], - pki_master_dict['pki_https_port'], - config.pki_subsystem.lower()) + if (((config.pki_subsystem == "KRA" or + config.pki_subsystem == "OCSP") and + config.str2bool(pki_master_dict['pki_standalone'])) and + not config.str2bool(pki_master_dict['pki_external_step_two'])): + # Stand-alone PKI KRA/OCSP (External CA Step 1) + print + print log.PKI_CONFIGURATION_STANDALONE_1 % config.pki_subsystem + else: + print log.PKI_ACCESS_URL % (pki_master_dict['pki_hostname'], + pki_master_dict['pki_https_port'], + config.pki_subsystem.lower()) print log.PKI_SPAWN_INFORMATION_FOOTER def log_error_details(): diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 6d5ee1476..d2b666a5a 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations @@ -672,6 +672,39 @@ get_pki_configuration_definitions() fi fi + # If ${pki_subsystem} is a DRM or OCSP, check to see if + # it is either a Stand-alone DRM or a Stand-alone OCSP + # + # NOTE: Ignore errors when the '<pki>.standalone' parameter + # is not present as this is most likely a legacy instance! + # + pki_standalone="" + if [ "${pki_subsystem}" == "DRM" ] ; then + line=`grep -e '^[ \t]*kra.standalone[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_standalone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_standalone}" == "true" ] ; then + # Set a fixed value for "${pki_standalone}" + pki_standalone="(Stand-alone)" + else + # Reset "${pki_standalone}" to be empty + pki_standalone="" + fi + fi + elif [ "${pki_subsystem}" == "OCSP" ] ; then + line=`grep -e '^[ \t]*ocsp.standalone[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_standalone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_standalone}" == "true" ] ; then + # Set a fixed value for "${pki_standalone}" + pki_standalone="(Stand-alone)" + else + # Reset "${pki_standalone}" to be empty + pki_standalone="" + fi + fi + fi + # Always obtain this PKI instance's "registered" # security domain information pki_security_domain_name="" @@ -737,6 +770,13 @@ get_pki_configuration_definitions() # data="${pki_hierarchy} ${pki_subsystem}" fi + elif [ "${pki_standalone}" != "" ] ; then + # Possible Values: + # + # "DRM (Stand-alone)" + # "OCSP (Stand-alone)" + # + data="${pki_subsystem} ${pki_standalone}" else # Possible Values: # |