Added options for internal token and replication passwords.

The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
author: Endi S. Dewata <edewata@redhat.com> 2015-05-06 16:19:19 -0400
committer: Endi S. Dewata <edewata@redhat.com> 2015-05-11 10:20:04 -0400
commit: 6ee510efe491b1e2afd7e9901eee690365fd8bbb (patch)
tree: d7c07b1380f92589adba578dff810744b17cbe52 /base/server
parent: 7dca020819b7573cd05bd54482fb5d1afe9bb658 (diff)
download: pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.gz
pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.xz
pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.zip
4 files changed, 30 insertions, 20 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 12dd54dac..c341d14f7 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -19,7 +19,6 @@ package org.dogtagpki.server.rest;
 
 import java.math.BigInteger;
 import java.net.MalformedURLException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -31,7 +30,6 @@ import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.UriInfo;
 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
     }
 
     /* (non-Javadoc)
-     * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap)
-     */
-    @Override
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException {
-        ConfigurationRequest data = new ConfigurationRequest(form);
-        return configure(data);
-    }
-
-    /* (non-Javadoc)
      * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData)
      */
     @Override
@@ -697,7 +686,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
         try {
             /* BZ 430745 create password for replication manager */
-            String replicationpwd = Integer.toString(new Random().nextInt());
+            // use user-provided password if specified
+            String replicationPassword = data.getReplicationPassword();
+
+            if (StringUtils.isEmpty(replicationPassword)) {
+                // generate random password
+                replicationPassword = Integer.toString(new Random().nextInt());
+            }
 
             IConfigStore psStore = null;
             String passwordFile = null;
@@ -705,14 +700,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             psStore = CMS.createFileConfigStore(passwordFile);
             psStore.putString("internaldb", data.getBindpwd());
             if (data.getSetupReplication()) {
-                psStore.putString("replicationdb", replicationpwd);
+                psStore.putString("replicationdb", replicationPassword);
             }
             psStore.commit(false);
 
             if (!data.getStepTwo()) {
                 ConfigurationUtils.populateDB();
 
-                cs.putString("preop.internaldb.replicationpwd", replicationpwd);
+                cs.putString("preop.internaldb.replicationpwd", replicationPassword);
                 cs.putString("preop.database.removeData", "false");
                 if (data.getSharedDB()) {
                     cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN());
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 3b082020d..18b8527b2 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -24,6 +24,7 @@ sensitive_parameters=
     pki_ds_password
     pki_one_time_pin
     pki_pin
+    pki_replication_password
     pki_security_domain_password
     pki_token_password
 
@@ -98,6 +99,8 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
 pki_issuing_ca=%(pki_issuing_ca_uri)s
+pki_pin=
+pki_replication_password=
 pki_restart_configured_instance=True
 pki_security_domain_hostname=%(pki_hostname)s
 pki_security_domain_https_port=8443
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 1521ef339..5527d7f94 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3821,6 +3821,8 @@ class ConfigClient:
         if not self.clone:
             self.set_admin_parameters(data)
 
+        data.replicationPassword = self.mdict['pki_replication_password']
+
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 39cef9413..fe1a54a3a 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -327,10 +327,14 @@ class PKIConfigParser:
                 # means that we need to deal with escaping '%' characters
                 # that might be present.
                 no_interpolation = (
-                    'pki_admin_password', 'pki_backup_password',
+                    'pki_admin_password',
+                    'pki_backup_password',
                     'pki_client_database_password',
                     'pki_client_pkcs12_password',
-                    'pki_ds_password', 'pki_security_domain_password')
+                    'pki_ds_password',
+                    'pki_pin',
+                    'pki_replicationdb_password',
+                    'pki_security_domain_password')
 
                 print 'Loading deployment configuration from ' + \
                       config.user_deployment_cfg + '.'
@@ -552,18 +556,24 @@ class PKIConfigParser:
             self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg
             self.mdict['pki_deployed_instance_name'] = \
                 config.pki_deployed_instance_name
+
+            self.flatten_master_dict()
+
             # Generate random 'pin's for use as security database passwords
             # and add these to the "sensitive" key value pairs read in from
             # the configuration file
             pin_low = 100000000000
             pin_high = 999999999999
-            self.mdict['pki_pin'] = \
-                random.randint(pin_low, pin_high)
+
+            # use user-provided PIN if specified
+            if not self.mdict['pki_pin']:
+                # otherwise generate a random password
+                self.mdict['pki_pin'] = \
+                    random.randint(pin_low, pin_high)
+
             self.mdict['pki_client_pin'] = \
                 random.randint(pin_low, pin_high)
 
-            self.flatten_master_dict()
-
             pkilogging.sensitive_parameters = \
                 self.mdict['sensitive_parameters'].split()
author	Endi S. Dewata <edewata@redhat.com>	2015-05-06 16:19:19 -0400
committer	Endi S. Dewata <edewata@redhat.com>	2015-05-11 10:20:04 -0400
commit	6ee510efe491b1e2afd7e9901eee690365fd8bbb (patch)
tree	d7c07b1380f92589adba578dff810744b17cbe52 /base/server
parent	7dca020819b7573cd05bd54482fb5d1afe9bb658 (diff)
download	pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.gz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.xz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.zip