diff options
author | Endi S. Dewata <edewata@redhat.com> | 2015-05-06 16:19:19 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-05-11 10:20:04 -0400 |
commit | 6ee510efe491b1e2afd7e9901eee690365fd8bbb (patch) | |
tree | d7c07b1380f92589adba578dff810744b17cbe52 /base/server | |
parent | 7dca020819b7573cd05bd54482fb5d1afe9bb658 (diff) | |
download | pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.gz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.xz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.zip |
Added options for internal token and replication passwords.
The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.
https://fedorahosted.org/pki/ticket/1354
Diffstat (limited to 'base/server')
4 files changed, 30 insertions, 20 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 12dd54dac..c341d14f7 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -19,7 +19,6 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; -import java.net.URISyntaxException; import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -31,7 +30,6 @@ import java.util.Random; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Request; import javax.ws.rs.core.UriInfo; @@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } /* (non-Javadoc) - * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap) - */ - @Override - public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException { - ConfigurationRequest data = new ConfigurationRequest(form); - return configure(data); - } - - /* (non-Javadoc) * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData) */ @Override @@ -697,7 +686,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou try { /* BZ 430745 create password for replication manager */ - String replicationpwd = Integer.toString(new Random().nextInt()); + // use user-provided password if specified + String replicationPassword = data.getReplicationPassword(); + + if (StringUtils.isEmpty(replicationPassword)) { + // generate random password + replicationPassword = Integer.toString(new Random().nextInt()); + } IConfigStore psStore = null; String passwordFile = null; @@ -705,14 +700,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou psStore = CMS.createFileConfigStore(passwordFile); psStore.putString("internaldb", data.getBindpwd()); if (data.getSetupReplication()) { - psStore.putString("replicationdb", replicationpwd); + psStore.putString("replicationdb", replicationPassword); } psStore.commit(false); if (!data.getStepTwo()) { ConfigurationUtils.populateDB(); - cs.putString("preop.internaldb.replicationpwd", replicationpwd); + cs.putString("preop.internaldb.replicationpwd", replicationPassword); cs.putString("preop.database.removeData", "false"); if (data.getSharedDB()) { cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN()); diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 3b082020d..18b8527b2 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -24,6 +24,7 @@ sensitive_parameters= pki_ds_password pki_one_time_pin pki_pin + pki_replication_password pki_security_domain_password pki_token_password @@ -98,6 +99,8 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s pki_issuing_ca=%(pki_issuing_ca_uri)s +pki_pin= +pki_replication_password= pki_restart_configured_instance=True pki_security_domain_hostname=%(pki_hostname)s pki_security_domain_https_port=8443 diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 1521ef339..5527d7f94 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -3821,6 +3821,8 @@ class ConfigClient: if not self.clone: self.set_admin_parameters(data) + data.replicationPassword = self.mdict['pki_replication_password'] + # Issuing CA Information self.set_issuing_ca_parameters(data) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 39cef9413..fe1a54a3a 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -327,10 +327,14 @@ class PKIConfigParser: # means that we need to deal with escaping '%' characters # that might be present. no_interpolation = ( - 'pki_admin_password', 'pki_backup_password', + 'pki_admin_password', + 'pki_backup_password', 'pki_client_database_password', 'pki_client_pkcs12_password', - 'pki_ds_password', 'pki_security_domain_password') + 'pki_ds_password', + 'pki_pin', + 'pki_replicationdb_password', + 'pki_security_domain_password') print 'Loading deployment configuration from ' + \ config.user_deployment_cfg + '.' @@ -552,18 +556,24 @@ class PKIConfigParser: self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg self.mdict['pki_deployed_instance_name'] = \ config.pki_deployed_instance_name + + self.flatten_master_dict() + # Generate random 'pin's for use as security database passwords # and add these to the "sensitive" key value pairs read in from # the configuration file pin_low = 100000000000 pin_high = 999999999999 - self.mdict['pki_pin'] = \ - random.randint(pin_low, pin_high) + + # use user-provided PIN if specified + if not self.mdict['pki_pin']: + # otherwise generate a random password + self.mdict['pki_pin'] = \ + random.randint(pin_low, pin_high) + self.mdict['pki_client_pin'] = \ random.randint(pin_low, pin_high) - self.flatten_master_dict() - pkilogging.sensitive_parameters = \ self.mdict['sensitive_parameters'].split() |