summaryrefslogtreecommitdiffstats
path: root/base/server
diff options
context:
space:
mode:
authorMatthew Harmsen <mharmsen@redhat.com>2013-10-15 17:55:05 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2013-10-15 17:59:23 -0700
commit47c77a67d67cb443070137fd9b8d64955d499089 (patch)
tree12b7588f34a80a74c000e77b19017ec941ad5231 /base/server
parent618be8bd7e9488a325789232c94aad109f9b6803 (diff)
downloadpki-47c77a67d67cb443070137fd9b8d64955d499089.tar.gz
pki-47c77a67d67cb443070137fd9b8d64955d499089.tar.xz
pki-47c77a67d67cb443070137fd9b8d64955d499089.zip
Stand-alone DRM
* TRAC Ticket #667 - provide option for ca-less drm install
Diffstat (limited to 'base/server')
-rw-r--r--base/server/config/pkislots.cfg3
-rw-r--r--base/server/etc/default.cfg56
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py811
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py44
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py55
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py8
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/finalization.py6
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/initialization.py7
-rwxr-xr-xbase/server/sbin/pkispawn29
-rw-r--r--base/server/scripts/operations40
10 files changed, 711 insertions, 348 deletions
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 6e13a8971..bb51f5300 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -44,6 +44,7 @@ PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT]
PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT]
PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
+PKI_CLOSE_STANDALONE_COMMENT_SLOT=[PKI_CLOSE_STANDALONE_COMMENT]
PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]
PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
@@ -63,6 +64,7 @@ PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT]
PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT]
PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT]
PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
+PKI_OPEN_STANDALONE_COMMENT_SLOT=[PKI_OPEN_STANDALONE_COMMENT]
PKI_PIDDIR_SLOT=[PKI_PIDDIR]
PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT]
PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT]
@@ -75,6 +77,7 @@ PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
PKI_SSL_SERVER_NICKNAME_SLOT=[PKI_SSL_SERVER_NICKNAME]
+PKI_STANDALONE_SLOT=[PKI_STANDALONE]
PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
PKI_TMPDIR_SLOT=[PKI_TMPDIR]
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 88f9f780c..46585ec0a 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -367,10 +367,10 @@ pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
pki_ca_signing_token=Internal Key Storage Token
pki_external=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_path=
-pki_external_csr_path=
+pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr
pki_external_step_two=False
+pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_import_admin_cert=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
@@ -420,11 +420,33 @@ pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
## KRA Configuration: ##
## ##
## Values in this section are common to KRA subsystems ##
-## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## including 'PKI KRAs', 'Cloned KRAs', and 'Stand-alone KRAs' and contain ##
## required information which MAY be overridden by users as necessary. ##
+## ##
+## STAND-ALONE KRAs: To specify a 'Stand-alone KRA', change the value ##
+## of 'pki_standalone' from 'False' to 'True', and ##
+## specify the various 'pki_external' parameters ##
+## as appropriate. ##
+## ##
###############################################################################
[KRA]
pki_import_admin_cert=True
+pki_standalone=False
+pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr
+pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr
+pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr
+pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr
+pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr
+pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr
+pki_external_step_two=False
+pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
+pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
+pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
+pki_external_storage_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.cert
+pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
+pki_external_transport_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.cert
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
@@ -466,11 +488,33 @@ pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile
## OCSP Configuration: ##
## ##
## Values in this section are common to OCSP subsystems ##
-## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
+## including 'PKI OCSPs', 'Cloned OCSPs', and 'Stand-alone OCSPs' and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## STAND-ALONE OCSPs: To specify a 'Stand-alone OCSP', change the ##
+## value of 'pki_standalone' from 'False' to ##
+## 'True', and specify the various 'pki_external' ##
+## parameters as appropriate. ##
+## (NOTE: Stand-alone OCSP is not yet supported!) ##
+## ##
###############################################################################
[OCSP]
pki_import_admin_cert=True
+pki_standalone=False
+pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr
+pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr
+pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr
+pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr
+pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr
+pki_external_step_two=False
+pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
+pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
+pki_external_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.cert
+pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
+pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index d98d8ab42..43f5db7bb 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -449,101 +449,119 @@ class ConfigurationFile:
self.master_dict['pki_registry_initscript_command']
print
+ def confirm_external(self):
+ # ALWAYS defined via 'pkiparser.py'
+ if config.str2bool(self.master_dict['pki_external']):
+ # Only allowed for External CA
+ if self.master_dict['pki_subsystem'] != "CA":
+ config.pki_log.error(log.PKI_EXTERNAL_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_EXTERNAL_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'])
+
+ def confirm_standalone(self):
+ # ALWAYS defined via 'pkiparser.py'
+ if config.str2bool(self.master_dict['pki_standalone']):
+ # Only allowed for Stand-alone PKI
+ #
+ # ADD checks for valid types of Stand-alone PKI subsystems here
+ # AND to the 'private void validateData(ConfigurationRequest data)'
+ # Java method located in the file called 'SystemConfigService.java'
+ #
+ if self.master_dict['pki_subsystem'] != "KRA":
+ config.pki_log.error(log.PKI_STANDALONE_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_STANDALONE_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'])
+
+ def confirm_subordinate(self):
+ # ALWAYS defined via 'pkiparser.py'
+ if config.str2bool(self.master_dict['pki_subordinate']):
+ # Only allowed for Subordinate CA
+ if self.master_dict['pki_subsystem'] != "CA":
+ config.pki_log.error(log.PKI_SUBORDINATE_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_SUBORDINATE_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'])
+
+ def confirm_external_step_two(self):
+ # ALWAYS defined via 'pkiparser.py'
+ if config.str2bool(self.master_dict['pki_external_step_two']):
+ # Only allowed for External CA or Stand-alone PKI
+ if self.master_dict['pki_subsystem'] != "CA" and\
+ not config.str2bool(self.master_dict['pki_standalone']):
+ config.pki_log.error(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1,
+ self.master_dict['pki_subsystem'])
+
+ def confirm_data_exists(self, param):
+ if not self.master_dict.has_key(param) or\
+ not len(self.master_dict[param]):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ param,
+ self.master_dict['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 %
+ (param, self.master_dict['pki_user_deployment_cfg']))
+
+ def confirm_missing_file(self, param):
+ if os.path.exists(self.master_dict[param]):
+ config.pki_log.error(log.PKI_FILE_ALREADY_EXISTS_1,
+ self.master_dict[param],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_FILE_ALREADY_EXISTS_1 % param)
+
+ def confirm_file_exists(self, param):
+ if not os.path.exists(self.master_dict[param]) or\
+ not os.path.isfile(self.master_dict[param]):
+ config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ self.master_dict[param],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 % param)
+
def verify_sensitive_data(self):
# Silently verify the existence of 'sensitive' data
if self.master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
# Verify existence of Directory Server Password
# (unless configuration will not be automatically executed)
if not config.str2bool(self.master_dict['pki_skip_configuration']):
- if not self.master_dict.has_key('pki_ds_password') or\
- not len(self.master_dict['pki_ds_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_ds_password")
# Verify existence of Admin Password (except for Clones)
if not config.str2bool(self.master_dict['pki_clone']):
- if not self.master_dict.has_key('pki_admin_password') or\
- not len(self.master_dict['pki_admin_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_admin_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_admin_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_admin_password")
# If required, verify existence of Backup Password
if config.str2bool(self.master_dict['pki_backup_keys']):
- if not self.master_dict.has_key('pki_backup_password') or\
- not len(self.master_dict['pki_backup_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_backup_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_backup_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_backup_password")
# Verify existence of Client Pin for NSS client security databases
- if not self.master_dict.has_key('pki_client_database_password') or\
- not len(self.master_dict['pki_client_database_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
- "pki_client_database_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 % ("pki_client_database_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_client_database_password")
# Verify existence of Client PKCS #12 Password for Admin Cert
- if not self.master_dict.has_key('pki_client_pkcs12_password') or\
- not len(self.master_dict['pki_client_pkcs12_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_client_pkcs12_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_client_pkcs12_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_client_pkcs12_password")
# Verify existence of PKCS #12 Password (ONLY for Clones)
if config.str2bool(self.master_dict['pki_clone']):
- if not self.master_dict.has_key('pki_clone_pkcs12_password') or\
- not len(self.master_dict['pki_clone_pkcs12_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_pkcs12_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_pkcs12_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_clone_pkcs12_password")
# Verify existence of Security Domain Password
- # (ONLY for Clones, KRA, OCSP, TKS, TPS, or Subordinate CA
- # that will be automatically configured)
- if config.str2bool(self.master_dict['pki_clone']) or\
- not self.master_dict['pki_subsystem'] == "CA" or\
+ # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
+ # Subordinate CA that will be automatically configured and
+ # are not Stand-alone PKI)
+ if self.master_dict['pki_subsystem'] == "KRA" or\
+ self.master_dict['pki_subsystem'] == "OCSP" or\
+ self.master_dict['pki_subsystem'] == "TKS" or\
+ self.master_dict['pki_subsystem'] == "TPS" or\
+ config.str2bool(self.master_dict['pki_clone']) or\
config.str2bool(self.master_dict['pki_subordinate']):
- if not config.str2bool(self.master_dict['pki_skip_configuration']):
- if not self.master_dict.has_key('pki_security_domain_password') or\
- not len(self.master_dict['pki_security_domain_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_security_domain_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_security_domain_password",
- self.master_dict['pki_user_deployment_cfg']))
+ if not config.str2bool(self.master_dict['pki_skip_configuration']) and\
+ not config.str2bool(self.master_dict['pki_standalone']):
+ self.confirm_data_exists("pki_security_domain_password")
# If required, verify existence of Token Password
if not self.master_dict['pki_token_name'] == "internal":
- if not self.master_dict.has_key('pki_token_password') or\
- not len(self.master_dict['pki_token_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_token_password",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_token_password",
- self.master_dict['pki_user_deployment_cfg']))
+ self.confirm_data_exists("pki_token_password")
return
def verify_mutually_exclusive_data(self):
@@ -579,6 +597,15 @@ class ConfigurationFile:
self.master_dict['pki_user_deployment_cfg'],
extra=config.PKI_INDENTATION_LEVEL_2)
raise Exception(log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA % self.master_dict['pki_user_deployment_cfg'])
+ elif config.str2bool(self.master_dict['pki_standalone']):
+ if config.str2bool(self.master_dict['pki_clone']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI,
+ self.master_dict['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI %
+ self.master_dict['pki_user_deployment_cfg'])
def verify_predefined_configuration_file_data(self):
# Silently verify the existence of any required 'predefined' data
@@ -592,193 +619,105 @@ class ConfigurationFile:
# 'True' or 'False', etc.) of ALL required "value" parameters.
#
if self.master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ self.confirm_external()
+ self.confirm_standalone()
+ self.confirm_subordinate()
+ self.confirm_external_step_two()
if config.str2bool(self.master_dict['pki_clone']):
# Verify existence of clone parameters
- if not self.master_dict.has_key('pki_ds_base_dn') or\
- not len(self.master_dict['pki_ds_base_dn']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_base_dn",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_base_dn",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_ds_ldap_port') or\
- not len(self.master_dict['pki_ds_ldap_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_ldap_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_ldap_port",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_ds_ldaps_port') or\
- not len(self.master_dict['pki_ds_ldaps_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_ldaps_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ds_ldaps_port",
- self.master_dict['pki_user_deployment_cfg']))
- # NOTE: Although this will be checked prior to getting to
- # this method, this clone's 'pki_instance_name' MUST
- # be different from the master's 'pki_instance_name'
- # IF AND ONLY IF the master and clone are located on
- # the same host!
- if not self.master_dict.has_key('pki_ajp_port') or\
- not len(self.master_dict['pki_ajp_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ajp_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_ajp_port",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_http_port') or\
- not len(self.master_dict['pki_http_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_http_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_http_port",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_https_port') or\
- not len(self.master_dict['pki_https_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_https_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_https_port",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_tomcat_server_port') or\
- not len(self.master_dict['pki_tomcat_server_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_tomcat_server_port",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_tomcat_server_port",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_clone_pkcs12_path') or\
- not len(self.master_dict['pki_clone_pkcs12_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_pkcs12_path",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_pkcs12_path",
- self.master_dict['pki_user_deployment_cfg']))
- elif not os.path.isfile(self.master_dict['pki_clone_pkcs12_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- self.master_dict['pki_clone_pkcs12_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 % "pki_clone_pkcs12_path")
- if not self.master_dict.has_key('pki_clone_replication_security') or\
- not len(self.master_dict['pki_clone_replication_security']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_replication_security",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_replication_security",
- self.master_dict['pki_user_deployment_cfg']))
- if not self.master_dict.has_key('pki_clone_uri') or\
- not len(self.master_dict['pki_clone_uri']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_uri",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_clone_uri",
- self.master_dict['pki_user_deployment_cfg']))
- elif self.master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(self.master_dict['pki_external']):
- if not self.master_dict.has_key('pki_external_step_two') or\
- not len(self.master_dict['pki_external_step_two']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_step_two",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_step_two",
- self.master_dict['pki_user_deployment_cfg']))
+ #
+ # NOTE: Although this will be checked prior to getting to
+ # this method, this clone's 'pki_instance_name' MUST
+ # be different from the master's 'pki_instance_name'
+ # IF AND ONLY IF the master and clone are located on
+ # the same host!
+ #
+ self.confirm_data_exists("pki_ds_base_dn")
+ # FUTURE: Check for unused port value(s)
+ # (e. g. - must be different from master if the
+ # master is located on the same host)
+ self.confirm_data_exists("pki_ds_ldap_port")
+ self.confirm_data_exists("pki_ds_ldaps_port")
+ self.confirm_data_exists("pki_ajp_port")
+ self.confirm_data_exists("pki_http_port")
+ self.confirm_data_exists("pki_https_port")
+ self.confirm_data_exists("pki_tomcat_server_port")
+ self.confirm_data_exists("pki_clone_pkcs12_path")
+ self.confirm_file_exists("pki_clone_pkcs12_path")
+ self.confirm_data_exists("pki_clone_replication_security")
+ self.confirm_data_exists("pki_clone_uri")
+ elif config.str2bool(self.master_dict['pki_external']):
+ # External CA
if not config.str2bool(self.master_dict['pki_external_step_two']):
# External CA (Step 1)
- if not self.master_dict.has_key('pki_external_csr_path') or\
- not len(self.master_dict['pki_external_csr_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_csr_path",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_csr_path",
- self.master_dict['pki_user_deployment_cfg']))
- elif os.path.exists(self.master_dict['pki_external_csr_path']) and\
- not os.path.isfile(self.master_dict['pki_external_csr_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- self.master_dict['pki_external_csr_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_csr_path")
+ self.confirm_data_exists("pki_external_csr_path")
+ self.confirm_missing_file("pki_external_csr_path")
else:
# External CA (Step 2)
- if not self.master_dict.has_key('pki_external_ca_cert_chain_path') or\
- not len(self.master_dict['pki_external_ca_cert_chain_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_ca_cert_chain_path",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_ca_cert_chain_path",
- self.master_dict['pki_user_deployment_cfg']))
- elif os.path.exists(
- self.master_dict['pki_external_ca_cert_chain_path']) and\
- not os.path.isfile(
- self.master_dict['pki_external_ca_cert_chain_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- self.master_dict['pki_external_ca_cert_chain_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_ca_cert_chain_path")
- if not self.master_dict.has_key('pki_external_ca_cert_path') or\
- not len(self.master_dict['pki_external_ca_cert_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_ca_cert_path",
- self.master_dict['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % ("pki_extrenal_ca_cert_path",
- self.master_dict['pki_user_deployment_cfg']))
- elif os.path.exists(self.master_dict['pki_external_ca_cert_path']) and\
- not os.path.isfile(
- self.master_dict['pki_external_ca_cert_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- self.master_dict['pki_external_ca_cert_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 % "pki_extrenal_ca_cert_path")
+ self.confirm_data_exists("pki_external_ca_cert_chain_path")
+ self.confirm_file_exists("pki_external_ca_cert_chain_path")
+ self.confirm_data_exists("pki_external_ca_cert_path")
+ self.confirm_file_exists("pki_external_ca_cert_path")
+ elif not config.str2bool(self.master_dict['pki_skip_configuration']) and\
+ config.str2bool(self.master_dict['pki_standalone']):
+ if not config.str2bool(self.master_dict['pki_external_step_two']):
+ # Stand-alone PKI Admin CSR (Step 1)
+ self.confirm_data_exists("pki_external_admin_csr_path")
+ self.confirm_missing_file("pki_external_admin_csr_path")
+ # Stand-alone PKI Audit Signing CSR (Step 1)
+ self.confirm_data_exists("pki_external_audit_signing_csr_path")
+ self.confirm_missing_file("pki_external_audit_signing_csr_path")
+ # Stand-alone PKI SSL Server CSR (Step 1)
+ self.confirm_data_exists("pki_external_sslserver_csr_path")
+ self.confirm_missing_file("pki_external_sslserver_csr_path")
+ # Stand-alone PKI Subsystem CSR (Step 1)
+ self.confirm_data_exists("pki_external_subsystem_csr_path")
+ self.confirm_missing_file("pki_external_subsystem_csr_path")
+ # Stand-alone PKI KRA CSRs
+ if self.master_dict['pki_subsystem'] == "KRA":
+ # Stand-alone PKI KRA Storage CSR (Step 1)
+ self.confirm_data_exists("pki_external_storage_csr_path")
+ self.confirm_missing_file("pki_external_storage_csr_path")
+ # Stand-alone PKI KRA Transport CSR (Step 1)
+ self.confirm_data_exists("pki_external_transport_csr_path")
+ self.confirm_missing_file("pki_external_transport_csr_path")
+ # Stand-alone PKI OCSP CSRs
+ if self.master_dict['pki_subsystem'] == "OCSP":
+ # Stand-alone PKI OCSP OCSP Signing CSR (Step 1)
+ self.confirm_data_exists("pki_external_signing_csr_path")
+ self.confirm_missing_file("pki_external_signing_csr_path")
+ else:
+ # Stand-alone PKI External CA Certificate Chain (Step 2)
+ self.confirm_data_exists("pki_external_ca_cert_chain_path")
+ self.confirm_file_exists("pki_external_ca_cert_chain_path")
+ # Stand-alone PKI External CA Certificate (Step 2)
+ self.confirm_data_exists("pki_external_ca_cert_path")
+ self.confirm_file_exists("pki_external_ca_cert_path")
+ # Stand-alone PKI Admin Certificate (Step 2)
+ self.confirm_data_exists("pki_external_admin_cert_path")
+ self.confirm_file_exists("pki_external_admin_cert_path")
+ # Stand-alone PKI Audit Signing Certificate (Step 2)
+ self.confirm_data_exists("pki_external_audit_signing_cert_path")
+ self.confirm_file_exists("pki_external_audit_signing_cert_path")
+ # Stand-alone PKI SSL Server Certificate (Step 2)
+ self.confirm_data_exists("pki_external_sslserver_cert_path")
+ self.confirm_file_exists("pki_external_sslserver_cert_path")
+ # Stand-alone PKI Subsystem Certificate (Step 2)
+ self.confirm_data_exists("pki_external_subsystem_cert_path")
+ self.confirm_file_exists("pki_external_subsystem_cert_path")
+ # Stand-alone PKI KRA Certificates
+ if self.master_dict['pki_subsystem'] == "KRA":
+ # Stand-alone PKI KRA Storage Certificate (Step 2)
+ self.confirm_data_exists("pki_external_storage_cert_path")
+ self.confirm_file_exists("pki_external_storage_cert_path")
+ # Stand-alone PKI KRA Transport Certificate (Step 2)
+ self.confirm_data_exists("pki_external_transport_cert_path")
+ self.confirm_file_exists("pki_external_transport_cert_path")
+ # Stand-alone PKI OCSP Certificates
+ if self.master_dict['pki_subsystem'] == "OCSP":
+ # Stand-alone PKI OCSP OCSP Signing Certificate (Step 2)
+ self.confirm_data_exists("pki_external_signing_cert_path")
+ self.confirm_file_exists("pki_external_signing_cert_path")
return
def populate_non_default_ports(self):
@@ -3235,37 +3174,115 @@ class ConfigClient:
if self.master_dict['pki_subsystem'] == "CA" and\
config.str2bool(self.master_dict['pki_external']) and\
not config.str2bool(self.master_dict['pki_external_step_two']):
- # External CA Step 1
+ # External CA (Step 1)
if cdata['tag'].lower() == "signing":
- config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \
- " " + cdata['request'],
- extra=config.PKI_INDENTATION_LEVEL_2)
-
# Save 'External CA Signing Certificate' CSR (Step 1)
config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE + \
" '" + self.master_dict['pki_external_csr_path'] + "'",
extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \
+ "\n" + cdata['request'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
self.deployer.directory.create(
os.path.dirname(self.master_dict['pki_external_csr_path']))
with open(self.master_dict['pki_external_csr_path'], "w") as f:
f.write(cdata['request'])
return
+ elif config.str2bool(self.master_dict['pki_standalone']) and\
+ not config.str2bool(self.master_dict['pki_external_step_two']):
+ # Stand-alone PKI (Step 1)
+ if cdata['tag'].lower() == "audit_signing":
+ # Save Stand-alone PKI 'Audit Signing Certificate' CSR
+ # (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 + \
+ " '" + self.master_dict['pki_external_audit_signing_csr_path'] + "'",
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_audit_signing_csr_path']))
+ with open(self.master_dict['pki_external_audit_signing_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ elif cdata['tag'].lower() == "signing":
+ # Save Stand-alone PKI OCSP 'OCSP Signing Certificate'
+ # CSR (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING + \
+ " '" + self.master_dict['pki_external_signing_csr_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_signing_csr_path']))
+ with open(self.master_dict['pki_external_signing_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ elif cdata['tag'].lower() == "sslserver":
+ # Save Stand-alone PKI 'SSL Server Certificate' CSR
+ # (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 + \
+ " '" + self.master_dict['pki_external_sslserver_csr_path'] + "'",
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_sslserver_csr_path']))
+ with open(self.master_dict['pki_external_sslserver_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ elif cdata['tag'].lower() == "storage":
+ # Save Stand-alone PKI KRA 'Storage Certificate' CSR
+ # (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE + \
+ " '" + self.master_dict['pki_external_storage_csr_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_storage_csr_path']))
+ with open(self.master_dict['pki_external_storage_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ elif cdata['tag'].lower() == "subsystem":
+ # Save Stand-alone PKI 'Subsystem Certificate' CSR
+ # (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 + \
+ " '" + self.master_dict['pki_external_subsystem_csr_path'] + "'",
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_subsystem_csr_path']))
+ with open(self.master_dict['pki_external_subsystem_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ elif cdata['tag'].lower() == "transport":
+ # Save Stand-alone PKI KRA 'Transport Certificate' CSR
+ # (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT + \
+ " '" + self.master_dict['pki_external_transport_csr_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_transport_csr_path']))
+ with open(self.master_dict['pki_external_transport_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ # Print this certificate request
+ config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \
+ "\n" + cdata['request'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
else:
config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG + \
" " + cdata['tag'],
extra=config.PKI_INDENTATION_LEVEL_2)
config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT + \
- " " + cdata['cert'],
+ "\n" + cdata['cert'],
extra=config.PKI_INDENTATION_LEVEL_2)
config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST + \
- " " + cdata['request'],
+ "\n" + cdata['request'],
extra=config.PKI_INDENTATION_LEVEL_2)
# Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(self.master_dict['pki_clone']) and \
- not config.str2bool(self.master_dict['pki_import_admin_cert']):
- admin_cert = response['adminCert']['cert']
- self.process_admin_cert(admin_cert)
+ if not config.str2bool(self.master_dict['pki_clone']):
+ if config.str2bool(self.master_dict['pki_standalone']):
+ if not config.str2bool(self.master_dict['pki_external_step_two']):
+ # NOTE: Do nothing for Stand-alone PKI (Step 1)
+ # as this has already been addressed
+ # in 'set_admin_parameters()'
+ pass
+ else:
+ admin_cert = response['adminCert']['cert']
+ self.process_admin_cert(admin_cert)
+ elif not config.str2bool(self.master_dict['pki_import_admin_cert']):
+ admin_cert = response['adminCert']['cert']
+ self.process_admin_cert(admin_cert)
except Exception, e:
if hasattr(e, 'response'):
@@ -3284,14 +3301,15 @@ class ConfigClient:
def process_admin_cert(self, admin_cert):
config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT + \
- " " + admin_cert,
+ "\n" + admin_cert,
extra=config.PKI_INDENTATION_LEVEL_2)
# Store the Administration Certificate in a file
admin_cert_file = self.master_dict['pki_client_admin_cert']
admin_cert_bin_file = admin_cert_file + ".der"
- config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE + \
- " '" + admin_cert_file + "'",
+ config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE_1 + \
+ " '" + admin_cert_file + "'",
+ self.master_dict['pki_subsystem_name'],
extra=config.PKI_INDENTATION_LEVEL_2)
with open(admin_cert_file, "w") as f:
f.write(admin_cert)
@@ -3350,6 +3368,8 @@ class ConfigClient:
# Miscellaneous Configuration Information
data.pin = self.master_dict['pki_one_time_pin']
data.subsystemName = self.master_dict['pki_subsystem_name']
+ data.standAlone = self.master_dict['pki_standalone']
+ data.stepTwo = self.master_dict['pki_external_step_two']
# Cloning parameters
if self.master_dict['pki_instance_type'] == "Tomcat":
@@ -3362,15 +3382,16 @@ class ConfigClient:
self.set_hierarchy_parameters(data)
# Security Domain
- if self.master_dict['pki_subsystem'] != "CA" or\
- config.str2bool(self.master_dict['pki_clone']) or\
- config.str2bool(self.master_dict['pki_subordinate']):
+ if ((self.master_dict['pki_subsystem'] != "CA" or
+ config.str2bool(self.master_dict['pki_clone']) or
+ config.str2bool(self.master_dict['pki_subordinate'])) and
+ (not config.str2bool(self.master_dict['pki_standalone']))):
# PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or
# Subordinate CA
self.set_existing_security_domain(data)
else:
- # PKI CA or External CA
+ # PKI CA, External CA, or Stand-alone PKI
self.set_new_security_domain(data)
# database
@@ -3401,35 +3422,61 @@ class ConfigClient:
systemCerts = []
# Create 'CA Signing Certificate'
- if self.master_dict['pki_subsystem'] == "CA":
- if not config.str2bool(self.master_dict['pki_clone']):
- cert1 = self.create_system_cert("ca_signing")
- cert1.signingAlgorithm = \
- self.master_dict['pki_ca_signing_signing_algorithm']
+ if not config.str2bool(self.master_dict['pki_clone']):
+ if self.master_dict['pki_subsystem'] == "CA" or\
+ config.str2bool(self.master_dict['pki_standalone']):
+ if self.master_dict['pki_subsystem'] == "CA":
+ # PKI CA, Subordinate CA, or External CA
+ cert1 = self.create_system_cert("ca_signing")
+ cert1.signingAlgorithm = \
+ self.master_dict['pki_ca_signing_signing_algorithm']
if config.str2bool(self.master_dict['pki_external_step_two']):
- # Load the 'External CA Signing Certificate' (Step 2)
- print(
- log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " + \
- "'" + self.master_dict['pki_external_ca_cert_path'] + "'")
- with open(self.master_dict['pki_external_ca_cert_path']) as f:
- external_cert = f.read()
- cert1.cert = external_cert
-
- # Load the 'External CA Signing Certificate Chain' (Step 2)
- print(
- log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " + \
- "'" + self.master_dict['pki_external_ca_cert_chain_path'] + \
- "'")
- with open(self.master_dict['pki_external_ca_cert_chain_path']) as f:
- external_cert_chain = f.read()
-
- cert1.certChain = external_cert_chain
- systemCerts.append(cert1)
+ # External CA (Step 2) or Stand-alone PKI (Step 2)
+ if not self.master_dict['pki_subsystem'] == "CA":
+ # Stand-alone PKI (Step 2)
+ cert1 = pki.system.SystemCertData()
+ cert1.tag = self.master_dict['pki_ca_signing_tag']
+ # Load the External CA or Stand-alone PKI
+ # 'External CA Signing Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CA_LOAD + " '" +
+ self.master_dict['pki_external_ca_cert_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_ca_cert_path'], "r") as f:
+ cert1.cert = f.read()
+ # Load the External CA or Stand-alone PKI
+ # 'External CA Signing Certificate Chain' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " '" +
+ self.master_dict['pki_external_ca_cert_chain_path'] +
+ "'", extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_ca_cert_chain_path'], "r") as f:
+ cert1.certChain = f.read()
+ systemCerts.append(cert1)
+ elif self.master_dict['pki_subsystem'] == "CA":
+ # PKI CA or Subordinate CA
+ systemCerts.append(cert1)
# Create 'OCSP Signing Certificate'
if not config.str2bool(self.master_dict['pki_clone']):
- if self.master_dict['pki_subsystem'] == "CA" or\
- self.master_dict['pki_subsystem'] == "OCSP":
+ if ((self.master_dict['pki_subsystem'] == "OCSP" and
+ config.str2bool(self.master_dict['pki_standalone'])) and
+ config.str2bool(self.master_dict['pki_external_step_two'])):
+ # Stand-alone PKI OCSP (Step 2)
+ cert2 = self.create_system_cert("ocsp_signing")
+ # Load the Stand-alone PKI OCSP 'OCSP Signing Certificate'
+ # (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_OCSP_SIGNING + " '" +
+ self.master_dict['pki_external_signing_cert_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_signing_cert_path'], "r") as f:
+ cert2.cert = f.read()
+ cert2.signingAlgorithm = \
+ self.master_dict['pki_ocsp_signing_signing_algorithm']
+ systemCerts.append(cert2)
+ elif self.master_dict['pki_subsystem'] == "CA" or\
+ self.master_dict['pki_subsystem'] == "OCSP":
# External CA, Subordinate CA, PKI CA, or PKI OCSP
cert2 = self.create_system_cert("ocsp_signing")
cert2.signingAlgorithm = \
@@ -3440,9 +3487,22 @@ class ConfigClient:
# all subsystems
# create new sslserver cert only if this is a new instance
- cert3 = None
system_list = self.deployer.instance.tomcat_instance_subsystems()
- if len(system_list) >= 2:
+ if (config.str2bool(self.master_dict['pki_standalone']) and
+ config.str2bool(self.master_dict['pki_external_step_two'])):
+ # Stand-alone PKI (Step 2)
+ cert3 = self.create_system_cert("ssl_server")
+ # Load the Stand-alone PKI 'SSL Server Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SSLSERVER_1 + " '" +
+ self.master_dict['pki_external_sslserver_cert_path'] + "'",
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_sslserver_cert_path'], "r") as f:
+ cert3.cert = f.read()
+ systemCerts.append(cert3)
+ elif len(system_list) >= 2:
+ # Existing PKI Instance
data.generateServerCert = "false"
for subsystem in system_list:
dst = self.master_dict['pki_instance_path'] + '/conf/' + \
@@ -3450,30 +3510,90 @@ class ConfigClient:
if subsystem != self.master_dict['pki_subsystem'] and \
os.path.exists(dst):
cert3 = self.retrieve_existing_server_cert(dst)
+ systemCerts.append(cert3)
break
else:
+ # PKI CA, PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone,
+ # Subordinate CA, or External CA
cert3 = self.create_system_cert("ssl_server")
- systemCerts.append(cert3)
+ systemCerts.append(cert3)
# Create 'Subsystem Certificate'
if not config.str2bool(self.master_dict['pki_clone']):
- cert4 = self.create_system_cert("subsystem")
- systemCerts.append(cert4)
+ if (config.str2bool(self.master_dict['pki_standalone']) and
+ config.str2bool(self.master_dict['pki_external_step_two'])):
+ # Stand-alone PKI (Step 2)
+ cert4 = self.create_system_cert("subsystem")
+ # Load the Stand-alone PKI 'Subsystem Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 + " '" +
+ self.master_dict['pki_external_subsystem_cert_path'] + "'",
+ self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_subsystem_cert_path'], "r") as f:
+ cert4.cert = f.read()
+ systemCerts.append(cert4)
+ else:
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # Subordinate CA, or External CA
+ cert4 = self.create_system_cert("subsystem")
+ systemCerts.append(cert4)
# Create 'Audit Signing Certificate'
if not config.str2bool(self.master_dict['pki_clone']):
- if self.master_dict['pki_subsystem'] != "RA":
+ if (config.str2bool(self.master_dict['pki_standalone']) and
+ config.str2bool(self.master_dict['pki_external_step_two'])):
+ # Stand-alone PKI (Step 2)
+ cert5 = self.create_system_cert("audit_signing")
+ # Load the Stand-alone PKI 'Audit Signing Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 +
+ " '" +
+ self.master_dict['pki_external_audit_signing_cert_path'] +
+ "'", self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_audit_signing_cert_path'], "r") as f:
+ cert5.cert = f.read()
+ cert5.signingAlgorithm = \
+ self.master_dict['pki_audit_signing_signing_algorithm']
+ systemCerts.append(cert5)
+ elif self.master_dict['pki_subsystem'] != "RA":
cert5 = self.create_system_cert("audit_signing")
cert5.signingAlgorithm = \
self.master_dict['pki_audit_signing_signing_algorithm']
systemCerts.append(cert5)
- # Create DRM Transport and storage Certificates
+ # Create 'DRM Transport Certificate' and 'DRM Storage Certificate'
if not config.str2bool(self.master_dict['pki_clone']):
- if self.master_dict['pki_subsystem'] == "KRA":
+ if ((self.master_dict['pki_subsystem'] == "KRA" and
+ config.str2bool(self.master_dict['pki_standalone'])) and
+ config.str2bool(self.master_dict['pki_external_step_two'])):
+ # Stand-alone PKI KRA Transport Certificate (Step 2)
cert6 = self.create_system_cert("transport")
+ # Load the Stand-alone PKI KRA 'Transport Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_TRANSPORT + " '" +
+ self.master_dict['pki_external_transport_cert_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_transport_cert_path'], "r") as f:
+ cert6.cert = f.read()
systemCerts.append(cert6)
-
+ # Stand-alone PKI KRA Storage Certificate (Step 2)
+ cert7 = self.create_system_cert("storage")
+ # Load the Stand-alone PKI KRA 'Storage Certificate' (Step 2)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_STORAGE + " '" +
+ self.master_dict['pki_external_storage_cert_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(self.master_dict['pki_external_storage_cert_path'], "r") as f:
+ cert7.cert = f.read()
+ systemCerts.append(cert7)
+ elif self.master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA Transport Certificate
+ cert6 = self.create_system_cert("transport")
+ systemCerts.append(cert6)
+ # PKI KRA Storage Certificate
cert7 = self.create_system_cert("storage")
systemCerts.append(cert7)
@@ -3550,10 +3670,37 @@ class ConfigClient:
data.adminProfileID = self.master_dict['pki_admin_profile_id']
data.adminUID = self.master_dict['pki_admin_uid']
data.adminSubjectDN = self.master_dict['pki_admin_subject_dn']
+ if config.str2bool(self.master_dict['pki_standalone']):
+ if not config.str2bool(self.master_dict['pki_external_step_two']):
+ # IMPORTANT: ALWAYS set 'pki_import_admin_cert' FALSE for
+ # Stand-alone PKI (Step 1)
+ self.master_dict['pki_import_admin_cert'] = "False"
+ else:
+ # IMPORTANT: ALWAYS set 'pki_import_admin_cert' TRUE for
+ # Stand-alone PKI (Step 2)
+ self.master_dict['pki_import_admin_cert'] = "True"
if config.str2bool(self.master_dict['pki_import_admin_cert']):
data.importAdminCert = "true"
+ if config.str2bool(self.master_dict['pki_standalone']):
+ # Stand-alone PKI (Step 2)
+ #
+ # Copy the Stand-alone PKI 'Admin Certificate'
+ # (that was previously generated via an external CA) into
+ # 'ca_admin.cert' under the specified 'pki_client_dir'
+ # stripping the certificate HEADER/FOOTER prior to saving it.
+ imported_admin_cert = ""
+ with open(self.master_dict['pki_external_admin_cert_path'], "r") as f:
+ for line in f:
+ if line.startswith("-----BEGIN CERTIFICATE-----"):
+ continue
+ elif line.startswith("-----END CERTIFICATE-----"):
+ continue
+ else:
+ imported_admin_cert = imported_admin_cert + line
+ with open(self.master_dict['pki_admin_cert_file'], "w") as f:
+ f.write(imported_admin_cert)
# read config from file
- with open(self.master_dict['pki_admin_cert_file']) as f:
+ with open(self.master_dict['pki_admin_cert_file'], "r") as f:
b64 = f.read().replace('\n', '')
data.adminCert = b64
else:
@@ -3591,7 +3738,41 @@ class ConfigClient:
extra=config.PKI_INDENTATION_LEVEL_2)
raise
- with open(output_file + ".asc") as f:
+ if config.str2bool(self.master_dict['pki_standalone']):
+ if not config.str2bool(self.master_dict['pki_external_step_two']):
+ # For convenience and consistency, save a copy of
+ # the Stand-alone PKI 'Admin Certificate' CSR to the
+ # specified "pki_external_admin_csr_path" location
+ # (Step 1)
+ config.pki_log.info(
+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 + \
+ " '" + \
+ self.master_dict['pki_external_admin_csr_path'] + \
+ "'", self.master_dict['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ self.deployer.directory.create(
+ os.path.dirname(self.master_dict['pki_external_admin_csr_path']))
+ with open(self.master_dict['pki_external_admin_csr_path'], "w") as f:
+ f.write("-----BEGIN CERTIFICATE REQUEST-----\n")
+ admin_certreq = None
+ with open(os.path.join(
+ self.master_dict['pki_client_database_dir'],
+ "admin_pkcs10.bin.asc"), "r") as f:
+ admin_certreq = f.read()
+ with open(self.master_dict['pki_external_admin_csr_path'], "a") as f:
+ f.write(admin_certreq)
+ f.write("-----END CERTIFICATE REQUEST-----")
+ # Read in and print Admin certificate request
+ with open(self.master_dict['pki_external_admin_csr_path'], "r") as f:
+ admin_certreq = f.read()
+ config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST + \
+ "\n" + admin_certreq,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # IMPORTANT: ALWAYS save the client database for
+ # Stand-alone PKI (Step 1)
+ self.master_dict['pki_client_database_purge'] = "False"
+
+ with open(output_file + ".asc", "r") as f:
b64 = f.read().replace('\n', '')
data.adminCertRequest = b64
@@ -3606,12 +3787,8 @@ class ConfigClient:
config.str2bool(self.master_dict['pki_external']):
# PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone,
- # Subordinate CA, or External CA
+ # Subordinate CA, External CA, or Stand-alone PKI
data.issuingCA = self.master_dict['pki_issuing_ca']
- if self.master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(self.master_dict['pki_external_step_two']):
- # External CA Step 2
- data.stepTwo = "true"
def set_tps_parameters(self, data):
data.caUri = self.master_dict['pki_ca_uri']
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 5e996667d..7e98ff052 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -57,6 +57,10 @@ PKI_VERBOSITY = \
PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!"
PKI_CONFIGURATION_RESTART_1 = " After configuration, the server can be "\
"operated by the command:\n %s"
+PKI_CONFIGURATION_STANDALONE_1 = " Please obtain the necessary "\
+ "certificates for this stand-alone %s,\n"\
+ " and re-run the configuration for "\
+ "step two."
PKI_CONFIGURATION_URL_1 = " Please start the configuration by accessing:\n %s"
PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\
"operated by the command:\n%s"
@@ -86,6 +90,14 @@ PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\
"already exists!"
PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\
"does NOT exist!"
+PKI_EXTERNAL_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\
+ "the 'pki_external' parameter!"
+PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\
+ "the 'pki_external_step_two' parameter!"
+PKI_STANDALONE_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\
+ "the 'pki_standalone' parameter!"
+PKI_SUBORDINATE_UNSUPPORTED_1 = "PKI '%s' subsystems do NOT support "\
+ "the 'pki_subordinate' parameter!"
PKI_IOERROR_1 = "IOError: %s!"
PKI_KEYERROR_1 = "KeyError: %s!"
@@ -215,6 +227,9 @@ PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\
"CAs, and subordinate CAs"\
"MUST ALL be MUTUALLY "\
"EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_STANDALONE_PKI = "cloned PKIs and "\
+ "stand-alone PKIs MUST be "\
+ "MUTUALLY EXCLUSIVE in '%s'"
PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\
"CAs MUST be MUTUALLY "\
"EXCLUSIVE in '%s'"
@@ -298,8 +313,8 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s"
PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s"
-PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:"
-PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:"
+PKI_CONFIG_ADMIN_CERT_SAVE_1 = "saving %s Admin Certificate to file:"
+PKI_CONFIG_ADMIN_CERT_ATOB_1 = "converting %s Admin Certificate to binary:"
PKI_CONFIG_CDATA_TAG = "tag:"
PKI_CONFIG_CDATA_CERT = "cert:"
PKI_CONFIG_CDATA_REQUEST = "request:"
@@ -311,7 +326,32 @@ PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\
"from file:"
PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\
"chain from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_STORAGE = "loading external CA signed KRA "\
+ "Storage certificate from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_KRA_TRANSPORT = "loading external CA signed KRA "\
+ "Transport certificate from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_OCSP_SIGNING = "loading external CA signed OCSP "\
+ "Signing certificate from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SSLSERVER_1 = "loading external CA signed "\
+ "%s SSL Server certificate "\
+ "from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 = "loading external CA signed "\
+ "%s Subsystem certificate "\
+ "from file:"
+PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 = "loading external CA "\
+ "signed %s Audit Signing "\
+ "certificate from file:"
PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE = "saving KRA Storage CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT = "saving KRA Transport CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING = "saving OCSP Signing CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 = "saving %s Admin CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 = "saving %s Audit Signing "\
+ "CSR to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 = "saving %s SSL Server CSR "\
+ "to file:"
+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 = "saving %s Subsystem CSR "\
+ "to file:"
PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION = \
"Exception from Java Configuration Servlet:"
PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:"
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index ba9c5b836..77004b737 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -535,6 +535,20 @@ class PKIConfigParser:
pkilogging.sensitive_parameters = self.pki_master_dict['sensitive_parameters'].split()
+ # Always create "false" values for these missing "boolean" keys
+ if not self.pki_master_dict.has_key('pki_external') or\
+ not len(self.pki_master_dict['pki_external']):
+ self.pki_master_dict['pki_external'] = "false"
+ if not self.pki_master_dict.has_key('pki_external_step_two') or\
+ not len(self.pki_master_dict['pki_external_step_two']):
+ self.pki_master_dict['pki_external_step_two'] = "false"
+ if not self.pki_master_dict.has_key('pki_standalone') or\
+ not len(self.pki_master_dict['pki_standalone']):
+ self.pki_master_dict['pki_standalone'] = "false"
+ if not self.pki_master_dict.has_key('pki_subordinate') or\
+ not len(self.pki_master_dict['pki_subordinate']):
+ self.pki_master_dict['pki_subordinate'] = "false"
+
# PKI Target (slot substitution) name/value pairs
self.pki_master_dict['pki_target_cs_cfg'] = \
os.path.join(
@@ -543,10 +557,10 @@ class PKIConfigParser:
self.pki_master_dict['pki_target_registry'] = \
os.path.join(self.pki_master_dict['pki_instance_registry_path'],
self.pki_master_dict['pki_instance_name'])
- if self.pki_master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(self.pki_master_dict['pki_external_step_two']):
- # Use the 'pki_one_time_pin' established during the setup of
- # External CA Step 1
+ if (config.str2bool(self.pki_master_dict['pki_external_step_two'])):
+ # For CA (External CA Step 2) and Stand-alone PKI (Step 2),
+ # use the 'pki_one_time_pin' established during the setup
+ # of (Step 1)
if os.path.exists(self.pki_master_dict['pki_target_cs_cfg'])\
and\
os.path.isfile(self.pki_master_dict['pki_target_cs_cfg']):
@@ -807,6 +821,19 @@ class PKIConfigParser:
"<!--"
self.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] = \
"<!--"
+ if (config.str2bool(self.pki_master_dict['pki_standalone'])):
+ # Stand-alone PKI
+ self.pki_master_dict['PKI_CLOSE_STANDALONE_COMMENT_SLOT'] = \
+ ""
+ self.pki_master_dict['PKI_OPEN_STANDALONE_COMMENT_SLOT'] = \
+ ""
+ self.pki_master_dict['PKI_STANDALONE_SLOT'] = "true"
+ else:
+ self.pki_master_dict['PKI_CLOSE_STANDALONE_COMMENT_SLOT'] = \
+ "-->"
+ self.pki_master_dict['PKI_OPEN_STANDALONE_COMMENT_SLOT'] = \
+ "<!--"
+ self.pki_master_dict['PKI_STANDALONE_SLOT'] = "false"
self.pki_master_dict['PKI_TMPDIR_SLOT'] = \
self.pki_master_dict['pki_tomcat_tmpdir_path']
self.pki_master_dict['PKI_RESTEASY_LIB_SLOT'] = \
@@ -1026,9 +1053,14 @@ class PKIConfigParser:
else:
self.pki_master_dict['pki_security_domain_user'] = "caadmin"
- if config.pki_subsystem != "CA" or\
- config.str2bool(self.pki_master_dict['pki_clone']) or\
- config.str2bool(self.pki_master_dict['pki_subordinate']):
+ if not config.str2bool(self.pki_master_dict['pki_skip_configuration']) and\
+ (config.str2bool(self.pki_master_dict['pki_standalone'])):
+ # Stand-alone PKI
+ self.pki_master_dict['pki_security_domain_type'] = "new"
+ self.pki_master_dict['pki_issuing_ca'] = "External CA"
+ elif config.pki_subsystem != "CA" or\
+ config.str2bool(self.pki_master_dict['pki_clone']) or\
+ config.str2bool(self.pki_master_dict['pki_subordinate']):
# PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or
# Subordinate CA
@@ -1084,8 +1116,15 @@ class PKIConfigParser:
if not 'pki_import_admin_cert' in self.pki_master_dict:
self.pki_master_dict['pki_import_admin_cert'] = 'false'
+ elif not config.str2bool(self.pki_master_dict['pki_skip_configuration']) and\
+ (config.str2bool(self.pki_master_dict['pki_standalone'])):
+ # Stand-alone PKI
+ self.pki_master_dict['pki_import_admin_cert'] = 'false'
- self.pki_master_dict['pki_ca_signing_tag'] = "signing"
+ if (config.str2bool(self.pki_master_dict['pki_standalone'])):
+ self.pki_master_dict['pki_ca_signing_tag'] = "external_signing"
+ else:
+ self.pki_master_dict['pki_ca_signing_tag'] = "signing"
if self.pki_master_dict['pki_subsystem'] == "CA":
self.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing"
elif self.pki_master_dict['pki_subsystem'] == "OCSP":
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 004d8c28d..465ccc56e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -35,6 +35,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def spawn(self, deployer):
+ # ALWAYS establish the following Tomcat instance symbolic link since
+ # this link is required by both automatic pkispawn instance
+ # configuration as well as manual browser GUI instance configuration
+ deployer.symlink.create(deployer.master_dict['pki_systemd_service'],
+ deployer.master_dict['pki_systemd_service_link'])
+
if config.str2bool(deployer.master_dict['pki_skip_configuration']):
config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
@@ -70,8 +76,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.master_dict['pki_client_key_database'],
deployer.master_dict['pki_client_secmod_database'],
password_file=deployer.master_dict['pki_client_password_conf'])
- deployer.symlink.create(deployer.master_dict['pki_systemd_service'],
- deployer.master_dict['pki_systemd_service_link'])
# Start/Restart this Apache/Tomcat PKI Process
if deployer.master_dict['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 0573c24ef..5186baa40 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -32,9 +32,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def spawn(self, deployer):
- if deployer.master_dict['pki_subsystem'] == "CA" and\
+ if (deployer.master_dict['pki_subsystem'] == "CA" or
+ config.str2bool(deployer.master_dict['pki_standalone'])) and\
config.str2bool(deployer.master_dict['pki_external_step_two']):
- # must check for 'External CA Step 2' installation PRIOR to
+ # For External CAs (Step 2), or Stand-alone PKIs (Step 2),
+ # must check for (Step 2) installation PRIOR to
# 'pki_skip_installation' since this value has been set to true
# by the initialization scriptlet
pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index ecfb4d195..d9d1d2d7b 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -43,10 +43,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
else:
config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if deployer.master_dict['pki_subsystem'] == "CA" and\
+ if (deployer.master_dict['pki_subsystem'] == "CA" or
+ config.str2bool(deployer.master_dict['pki_standalone'])) and\
config.str2bool(deployer.master_dict['pki_external_step_two']):
- # verify that this type of "subsystem" currently EXISTS
- # for this "instance" (External CA Step 2)
+ # verify that this External CA (Step 2), or Stand-alone PKI
+ # (Step 2) currently EXISTS for this "instance"
deployer.instance.verify_subsystem_exists()
deployer.master_dict['pki_skip_installation'] = "True"
else:
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index d0ac96716..d048147e3 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -416,9 +416,14 @@ def main(argv):
print 'ERROR: Unable to access directory server: ' + e.message['desc']
sys.exit(1)
- if config.pki_subsystem != "CA" or\
- config.str2bool(parser.pki_master_dict['pki_clone']) or\
- config.str2bool(parser.pki_master_dict['pki_subordinate']):
+ if ((config.pki_subsystem == "KRA" or
+ config.pki_subsystem == "OCSP") and
+ not config.str2bool(parser.pki_master_dict['pki_standalone'])) or\
+ config.pki_subsystem == "TKS" or\
+ config.pki_subsystem == "TPS" or\
+ config.str2bool(parser.pki_master_dict['pki_clone']) or\
+ (config.pki_subsystem == "CA" and
+ config.str2bool(parser.pki_master_dict['pki_subordinate'])):
try:
# Verify existence of Security Domain Password
if not parser.pki_master_dict.has_key('pki_security_domain_password') or\
@@ -486,17 +491,25 @@ def print_install_information(pki_master_dict):
else:
print " Administrator's username: %s" % pki_master_dict['pki_admin_uid']
if os.path.isfile(pki_master_dict['pki_client_admin_cert_p12']):
- print " Administrator's PKCS #12 file:\n %s" % (pki_master_dict['pki_client_dir'] + '/ca_admin_cert.p12')
+ print " Administrator's PKCS #12 file:\n %s" % pki_master_dict['pki_client_admin_cert_p12']
if not config.str2bool(pki_master_dict['pki_client_database_purge']):
print
- print " Administrator's certificate nickname: %s" % pki_master_dict['pki_admin_nickname']
+ print " Administrator's certificate nickname:\n %s" % pki_master_dict['pki_admin_nickname']
print " Administrator's certificate database:\n %s" % pki_master_dict['pki_client_database_dir']
print
print log.PKI_CHECK_STATUS_MESSAGE % pki_master_dict['pki_instance_name']
print log.PKI_INSTANCE_RESTART_MESSAGE % pki_master_dict['pki_instance_name']
- print log.PKI_ACCESS_URL % (pki_master_dict['pki_hostname'],
- pki_master_dict['pki_https_port'],
- config.pki_subsystem.lower())
+ if (((config.pki_subsystem == "KRA" or
+ config.pki_subsystem == "OCSP") and
+ config.str2bool(pki_master_dict['pki_standalone'])) and
+ not config.str2bool(pki_master_dict['pki_external_step_two'])):
+ # Stand-alone PKI KRA/OCSP (External CA Step 1)
+ print
+ print log.PKI_CONFIGURATION_STANDALONE_1 % config.pki_subsystem
+ else:
+ print log.PKI_ACCESS_URL % (pki_master_dict['pki_hostname'],
+ pki_master_dict['pki_https_port'],
+ config.pki_subsystem.lower())
print log.PKI_SPAWN_INFORMATION_FOOTER
def log_error_details():
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 6d5ee1476..d2b666a5a 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -672,6 +672,39 @@ get_pki_configuration_definitions()
fi
fi
+ # If ${pki_subsystem} is a DRM or OCSP, check to see if
+ # it is either a Stand-alone DRM or a Stand-alone OCSP
+ #
+ # NOTE: Ignore errors when the '<pki>.standalone' parameter
+ # is not present as this is most likely a legacy instance!
+ #
+ pki_standalone=""
+ if [ "${pki_subsystem}" == "DRM" ] ; then
+ line=`grep -e '^[ \t]*kra.standalone[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_standalone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_standalone}" == "true" ] ; then
+ # Set a fixed value for "${pki_standalone}"
+ pki_standalone="(Stand-alone)"
+ else
+ # Reset "${pki_standalone}" to be empty
+ pki_standalone=""
+ fi
+ fi
+ elif [ "${pki_subsystem}" == "OCSP" ] ; then
+ line=`grep -e '^[ \t]*ocsp.standalone[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_standalone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_standalone}" == "true" ] ; then
+ # Set a fixed value for "${pki_standalone}"
+ pki_standalone="(Stand-alone)"
+ else
+ # Reset "${pki_standalone}" to be empty
+ pki_standalone=""
+ fi
+ fi
+ fi
+
# Always obtain this PKI instance's "registered"
# security domain information
pki_security_domain_name=""
@@ -737,6 +770,13 @@ get_pki_configuration_definitions()
#
data="${pki_hierarchy} ${pki_subsystem}"
fi
+ elif [ "${pki_standalone}" != "" ] ; then
+ # Possible Values:
+ #
+ # "DRM (Stand-alone)"
+ # "OCSP (Stand-alone)"
+ #
+ data="${pki_subsystem} ${pki_standalone}"
else
# Possible Values:
#
generated by cgit (git 2.34.1) at 2024-06-13 04:55:42 +0000