author | Endi S. Dewata <edewata@redhat.com> | 2016-04-14 23:12:17 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-15 20:03:40 +0200 |
commit | 88e963d55bdf4cb9799ef665a72f8855fc00c4da (patch) | |
tree | 63226d009c6e6f9b07468058bedb956fac1d7387 /base/server | |
parent | d3bbfe07b1cb2d65a7af6530ea01374b20a761e4 (diff) | |
Moved self-signed SSL server certificate creation.
To avoid possible conflicts with imported external certificates, the
self-signed SSL server certificate creation has been moved after
the external certificates have been imported into the NSS database
and before the server is started.
https://fedorahosted.org/pki/ticket/1736
Diffstat (limited to 'base/server')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 55 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 41 |
2 files changed, 55 insertions, 41 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index cc8c7f9b6..5f77ac523 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -236,6 +236,61 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if external and step_one: return self.rv
+ if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_shared_pfile'],
+ deployer.mdict['pki_pin'], pin_sans_token=True)
+
+ # only create a self signed cert for a new instance
+ #
+ # NOTE: ALWAYS create the temporary sslserver certificate
+ # in the software DB regardless of whether the
+ # instance will utilize 'softokn' or an HSM
+ #
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ if not rv:
+
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file.
Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
+
+ deployer.certutil.generate_self_signed_certificate(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ deployer.mdict['pki_self_signed_subject'],
+ deployer.mdict['pki_self_signed_serial_number'],
+ deployer.mdict['pki_self_signed_validity_period'],
+ deployer.mdict['pki_self_signed_issuer_name'],
+ deployer.mdict['pki_self_signed_trustargs'],
+ deployer.mdict['pki_self_signed_noise_file'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ # Delete the temporary 'noise' file
+ deployer.file.delete(
+ deployer.mdict['pki_self_signed_noise_file'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
# Start/Restart this Tomcat PKI Process # Optionally prepare to enable a java debugger # (e. g. - 'eclipse'):
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index a567b7cdf..ed8c0ce09 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
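Review bot: The PIN is written to `pki_shared_pfile` by `create_password_conf(...)` at the top of the added block, but it is only removed on the straight-line path; if `verify_certificate_exists(...)` or `generate_self_signed_certificate(...)` raises, the `# Always delete the temporary 'pfile'` line is never reached and the password file is left in the instance directory. Wrap everything after `create_password_conf(...)` in `try:` and move the cleanup to `finally: deployer.file.delete(deployer.mdict['pki_shared_pfile'])` so the comment's "always" holds on the error path as well. The noise-file deletion inside `if not rv:` has the same gap; it can join the same `finally` if `deployer.file.delete` tolerates a missing file (not visible here). The enclosing method starts before and ends after this hunk.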
@@ -128,47 +128,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): no_user_certs=True) if len(deployer.instance.tomcat_instance_subsystems()) < 2:
- # only create a self signed cert for a new instance
- #
- # NOTE: ALWAYS create the temporary sslserver certificate
- # in the software DB regardless of whether the
- # instance will utilize 'softokn' or an HSM
- #
- rv = deployer.certutil.verify_certificate_exists(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- password_file=deployer.mdict['pki_shared_pfile'])
- if not rv:
- # note: in the function below, certutil is used to generate
- # the request for the self signed cert. The keys are generated
- # by NSS, which does not actually use the data in the noise
- # file, so it does not matter what is in this file. Certutil
- # still requires it though, otherwise it waits for keyboard
- # input
- with open(
- deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
- f.write("not_so_random_data")
- deployer.certutil.generate_self_signed_certificate(
- deployer.mdict['pki_database_path'],
- deployer.mdict['pki_cert_database'],
- deployer.mdict['pki_key_database'],
- deployer.mdict['pki_secmod_database'],
- deployer.mdict['pki_self_signed_token'],
- deployer.mdict['pki_self_signed_nickname'],
- deployer.mdict['pki_self_signed_subject'],
- deployer.mdict['pki_self_signed_serial_number'],
- deployer.mdict['pki_self_signed_validity_period'],
- deployer.mdict['pki_self_signed_issuer_name'],
- deployer.mdict['pki_self_signed_trustargs'],
- deployer.mdict['pki_self_signed_noise_file'],
- password_file=deployer.mdict['pki_shared_pfile'])
- # Delete the temporary 'noise' file
- deployer.file.delete(
- deployer.mdict['pki_self_signed_noise_file'])
# Check to see if a secure connection is being used for the DS if
config.str2bool(deployer.mdict['pki_ds_secure_connection']): |