authorAde Lee <alee@redhat.com>2013-03-18 11:29:52 -0400
committerAde Lee <alee@redhat.com>2013-03-21 12:11:31 -0400
commitc9a081037aa5bf15cf6226f06ea54ea98deba5bc (patch)
treeba095458c940b4db7923719ce6cf6e14a2c1da8e /base
parent22d50cc526c7fd4224a4d5a0ae9ebf66afd8e83a (diff)
Refactor installation code to remove dependency on jython
Connection is now made to the installation servlet through a python client using JSON. The code to construct the ConfigurationRequest and parse the results has been moved to pkihelper.py, and configuration.py no longer calls a separate jython process to create the Configuration object and parse the results. The jython code has therefore been removed. Also added a status servlet to the other java subsystems, which is polled before configuration is started. Trac Ticket 532
Diffstat (limited to 'base')
-rw-r--r--base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java20
-rw-r--r--base/common/python/pki/account.py4
-rw-r--r--base/common/python/pki/client.py24
-rw-r--r--base/common/python/pki/encoder.py31
-rw-r--r--base/common/python/pki/system.py52
-rw-r--r--base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java11
-rw-r--r--base/common/src/com/netscape/certsrv/system/ConfigurationResponse.java11
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemCertDataFactory.java5
-rw-r--r--base/deploy/CMakeLists.txt2
-rw-r--r--base/deploy/etc/default.cfg2
-rw-r--r--base/deploy/src/scriptlets/configuration.jy111
-rw-r--r--base/deploy/src/scriptlets/configuration.py44
-rw-r--r--base/deploy/src/scriptlets/finalization.py2
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py2
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py10
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py709
-rw-r--r--base/deploy/src/scriptlets/pkijython.py667
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py67
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py24
-rw-r--r--base/deploy/src/scriptlets/security_databases.py4
-rw-r--r--base/deploy/src/scriptlets/selinux_setup.py4
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml17
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml17
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/web.xml16
24 files changed, 886 insertions, 970 deletions
diff --git a/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java b/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java
index c23081513..e0110b5c8 100644
--- a/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java
+++ b/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java
@@ -25,8 +25,8 @@ import java.net.URISyntaxException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.Iterator;
+import java.util.List;
import netscape.security.x509.X500Name;
@@ -230,7 +230,7 @@ public class ConfigurationTest {
System.out.println("status: " + response.getStatus());
System.out.println("adminCert: " + response.getAdminCert().getCert());
- Collection<SystemCertData> certs = response.getSystemCerts();
+ List<SystemCertData> certs = response.getSystemCerts();
Iterator<SystemCertData> iterator = certs.iterator();
while (iterator.hasNext()) {
SystemCertData cdata = iterator.next();
@@ -279,7 +279,7 @@ public class ConfigurationTest {
data.setAdminCertRequestType("crmf");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("signing");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -383,7 +383,7 @@ public class ConfigurationTest {
data.setIssuingCA("https://" + host + ":9224");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("signing");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -485,7 +485,7 @@ public class ConfigurationTest {
data.setIssuingCA("External CA");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("signing");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -588,7 +588,7 @@ public class ConfigurationTest {
data.setStepTwo("true");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("signing");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -695,7 +695,7 @@ public class ConfigurationTest {
data.setBackupKeys("false");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert3 = new SystemCertData();
cert3.setTag("sslserver");
cert3.setKeyAlgorithm("SHA256withRSA");
@@ -754,7 +754,7 @@ public class ConfigurationTest {
data.setIssuingCA("https://" + host + ":9224");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("transport");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -857,7 +857,7 @@ public class ConfigurationTest {
data.setIssuingCA("https://" + host + ":9224");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert1 = new SystemCertData();
cert1.setTag("signing");
cert1.setKeyAlgorithm("SHA256withRSA");
@@ -949,7 +949,7 @@ public class ConfigurationTest {
data.setIssuingCA("https://" + host + ":9224");
// create system certs
- Collection<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
+ List<SystemCertData> systemCerts = new ArrayList<SystemCertData>();
SystemCertData cert3 = new SystemCertData();
cert3.setTag("sslserver");
diff --git a/base/common/python/pki/account.py b/base/common/python/pki/account.py
index 84f2d0ef0..be87f8343 100644
--- a/base/common/python/pki/account.py
+++ b/base/common/python/pki/account.py
@@ -25,7 +25,7 @@ class AccountClient:
self.connection = connection
def login(self):
- self.connection.get('account/login')
+ self.connection.get('/rest/account/login')
def logout(self):
- self.connection.get('account/logout')
+ self.connection.get('/rest/account/logout')
diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 7635fe879..05f42ba06 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -27,7 +27,8 @@ class PKIConnection:
protocol='http',
hostname='localhost',
port=80,
- subsystem='ca'):
+ subsystem='ca',
+ accept='application/json'):
self.protocol = protocol
self.hostname = hostname
@@ -39,15 +40,26 @@ class PKIConnection:
self.subsystem
self.session = requests.Session()
- self.session.headers.update({'Accept': 'application/json'})
+ if accept:
+ self.session.headers.update({'Accept': accept})
def authenticate(self, username=None, password=None):
if username is not None and password is not None:
self.session.auth = (username, password)
- def get(self, path):
+ def get(self, path, headers=None):
r = self.session.get(
- self.serverURI + '/rest/' + path,
- verify=False)
+ self.serverURI + path,
+ verify=False,
+ headers=headers)
r.raise_for_status()
- return r \ No newline at end of file
+ return r
+
+ def post(self, path, payload, headers=None):
+ r = self.session.post(
+ self.serverURI + path,
+ verify=False,
+ data=payload,
+ headers=headers)
+ r.raise_for_status()
+ return r
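Review bot: The new `post()` repeats `verify=False` from `get()`, so the installer's configuration request — which, judging by the scriptlets that build it, is likely to carry admin and token passwords — travels over TLS without the server certificate being checked. On a fresh install the server certificate is self-signed and verification may not yet be possible, but that decision belongs to the caller: add `verify=True` to `PKIConnection.__init__`, set `self.session.verify = verify` there, and drop the hard-coded `verify=False` from both calls, with a comment at the pkihelper call sites explaining why the installer opts out. Note also that `get()` no longer prepends `/rest/`, so any caller outside this commit that still passes a relative path will now request the wrong URL.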
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
new file mode 100644
index 000000000..7fee57e71
--- /dev/null
+++ b/base/common/python/pki/encoder.py
@@ -0,0 +1,31 @@
+import json
+import pki.system
+
+TYPES = {}
+NOTYPES = {}
+
+class CustomTypeEncoder(json.JSONEncoder):
+ """A custom JSONEncoder class that knows how to encode core custom
+ objects.
+
+ Custom objects are encoded as JSON object literals (ie, dicts) with
+ one key, 'TypeName' where 'TypeName' is the actual name of the
+ type to which the object belongs. That single key maps to another
+ object literal which is just the __dict__ of the object encoded."""
+
+ def default(self, obj):
+ for k, v in TYPES.items():
+ if isinstance(obj, v):
+ return { k: obj.__dict__ }
+ for k, v in NOTYPES.items():
+ if isinstance(obj, v):
+ return obj.__dict__
+ return json.JSONEncoder.default(self, obj)
+
+
+def CustomTypeDecoder(dct):
+ if len(dct) == 1:
+ type_name, value = dct.items()[0]
+ if type_name in TYPES:
+ return TYPES[type_name].from_dict(value)
+ return dct
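Review bot: `CustomTypeDecoder` calls `TYPES[type_name].from_dict(value)`, but neither `ConfigurationRequest` nor `ConfigurationResponse` — the two types this commit registers in `TYPES` — defines `from_dict`, so decoding either type raises `AttributeError`. Nothing in this commit uses the decoder (`SystemConfigClient.configure` reads `r.json()` directly), so it is dead code until a caller appears; either add a `from_dict` classmethod to the registered types or drop the decoder. The `import pki.system` at the top is unused here and creates an import cycle with `pki.system`, which imports this module; removing it breaks the cycle. `dct.items()[0]` is also Python 2 only; `next(iter(dct.items()))` works on both.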
diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py
index f49cc402e..23ad06bb2 100644
--- a/base/common/python/pki/system.py
+++ b/base/common/python/pki/system.py
@@ -19,6 +19,12 @@
# All rights reserved.
#
+import pki.encoder as encoder
+
+encoder.TYPES['ConfigurationRequest'] = ConfigurationRequest
+encoder.TYPES['ConfigurationResponse'] = ConfigurationResponse
+encoder.NOTYPES['SystemCertData'] = SystemCertData
+
class SecurityDomainInfo:
def __init__(self):
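Review bot: The three `encoder.TYPES[...]`/`encoder.NOTYPES[...]` assignments reference `ConfigurationRequest`, `ConfigurationResponse` and `SystemCertData` before those classes are defined further down the module, so `import pki.system` raises `NameError` on the first assignment and the installer never reaches the configure step. Moving the three registration lines to the end of the module, after the class definitions, fixes this. There is a second ordering hazard: `pki/encoder.py` does `import pki.system` before it defines `TYPES`, so if `pki.encoder` happens to be imported first, `encoder.TYPES` does not exist yet when these lines run; dropping that unused import from encoder.py removes the cycle.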
@@ -30,10 +36,54 @@ class SecurityDomainClient:
self.connection = connection
def getSecurityDomainInfo(self):
- r = self.connection.get('securityDomain/domainInfo')
+ r = self.connection.get('/rest/securityDomain/domainInfo')
j = r.json()
info = SecurityDomainInfo()
info.name = j['DomainInfo']['@id']
return info
+
+class ConfigurationRequest:
+
+ def __init__(self):
+ self.token = "Internal Key Storage Token"
+ self.isClone = "false"
+ self.secureConn = "off"
+ self.importAdminCert = "false"
+ self.generateServerCert = "true"
+
+class ConfigurationResponse:
+
+ def __init__(self):
+ pass
+
+class SystemCertData:
+
+ def __init__(self):
+ pass
+
+class SystemConfigClient:
+
+ def __init__(self, connection):
+ self.connection = connection
+
+ def configure(self, data):
+ headers = {'Content-type': 'application/json',
+ 'Accept': 'application/json'}
+ r = self.connection.post('/rest/installer/configure', data, headers)
+ info = r.json()['ConfigurationResponse']
+ return info
+
+class SystemStatusClient:
+
+ def __init__(self, connection):
+ self.connection = connection
+
+ def getStatus(self):
+ r = self.connection.get('/admin/' +\
+ self.connection.subsystem + '/getStatus')
+ return r.text
+
+
+
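Review bot: The four new classes carry no documentation, and their serialization contract is not obvious from the code: `CustomTypeEncoder` emits `obj.__dict__` for `ConfigurationRequest`, so every attribute the installer sets on the instance — including any password fields — is placed verbatim in the JSON body sent to `/rest/installer/configure`. I would add to `ConfigurationRequest`: `"""Configuration request for /rest/installer/configure. Every instance attribute is serialized into the JSON body, so set only fields the servlet expects; __init__ supplies defaults for token, isClone, secureConn, importAdminCert and generateServerCert."""`. `SystemStatusClient.getStatus` deserves a one-line docstring saying it returns the raw response body (XML when the connection was created with `accept='application/xml'`) for the caller to parse, and `configure` one saying it returns the `ConfigurationResponse` member of the decoded JSON and raises `KeyError` if the wrapper is absent.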
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 217f84b90..170e1c031 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -17,13 +17,12 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.system;
-import java.util.Collection;
+import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlElementRef;
import javax.xml.bind.annotation.XmlRootElement;
/**
@@ -158,8 +157,8 @@ public class ConfigurationRequest {
@XmlElement
protected String replicationSecurity;
- @XmlElementRef
- protected Collection<SystemCertData> systemCerts;
+ @XmlElement
+ protected List<SystemCertData> systemCerts;
@XmlElement
protected String issuingCA;
@@ -553,7 +552,7 @@ public class ConfigurationRequest {
*
* @return systemCerts
*/
- public Collection<SystemCertData> getSystemCerts() {
+ public List<SystemCertData> getSystemCerts() {
return systemCerts;
}
@@ -561,7 +560,7 @@ public class ConfigurationRequest {
*
* @param systemCerts
*/
- public void setSystemCerts(Collection<SystemCertData> systemCerts) {
+ public void setSystemCerts(List<SystemCertData> systemCerts) {
this.systemCerts = systemCerts;
}
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationResponse.java b/base/common/src/com/netscape/certsrv/system/ConfigurationResponse.java
index 6d3275a51..e967914ce 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationResponse.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationResponse.java
@@ -19,12 +19,11 @@ package com.netscape.certsrv.system;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
-import java.util.Collection;
+import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlElementRef;
import javax.xml.bind.annotation.XmlRootElement;
import netscape.security.x509.X509CertImpl;
@@ -39,8 +38,8 @@ import com.netscape.certsrv.apps.CMS;
@XmlAccessorType(XmlAccessType.FIELD)
public class ConfigurationResponse {
- @XmlElementRef
- protected Collection<SystemCertData> systemCerts;
+ @XmlElement
+ protected List<SystemCertData> systemCerts;
@XmlElement
protected SystemCertData adminCert;
@@ -56,14 +55,14 @@ public class ConfigurationResponse {
/**
* @return the systemCerts
*/
- public Collection<SystemCertData> getSystemCerts() {
+ public List<SystemCertData> getSystemCerts() {
return systemCerts;
}
/**
* @param systemCerts the systemCerts to set
*/
- public void setSystemCerts(Collection<SystemCertData> systemCerts) {
+ public void setSystemCerts(List<SystemCertData> systemCerts) {
this.systemCerts = systemCerts;
}
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemCertDataFactory.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemCertDataFactory.java
index bd23c8f16..aaaf17163 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemCertDataFactory.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemCertDataFactory.java
@@ -20,6 +20,7 @@ package com.netscape.cms.servlet.csadmin;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.List;
import com.netscape.certsrv.system.SystemCertData;
@@ -37,8 +38,8 @@ public class SystemCertDataFactory {
return data;
}
- public static Collection<SystemCertData> create(Collection<Cert> certs) {
- Collection<SystemCertData> result = new ArrayList<SystemCertData>();
+ public static List<SystemCertData> create(Collection<Cert> certs) {
+ List<SystemCertData> result = new ArrayList<SystemCertData>();
for (Cert cert : certs) {
result.add(create(cert));
}
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index ff9d64545..8483482c2 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -107,7 +107,6 @@ install(
install(
FILES
- src/scriptlets/configuration.jy
src/scriptlets/configuration.py
src/scriptlets/finalization.py
src/scriptlets/infrastructure_layout.py
@@ -115,7 +114,6 @@ install(
src/scriptlets/instance_layout.py
src/scriptlets/pkiconfig.py
src/scriptlets/pkihelper.py
- src/scriptlets/pkijython.py
src/scriptlets/pkilogging.py
src/scriptlets/pkimanifest.py
src/scriptlets/pkimessages.py
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
index 32e744762..e848363ab 100644
--- a/base/deploy/etc/default.cfg
+++ b/base/deploy/etc/default.cfg
@@ -67,7 +67,7 @@ destroy_scriplets=
# pki_http_port=80
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
-pki_admin_cert_request_type=crmf
+pki_admin_cert_request_type=pkcs10
pki_admin_dualkey=False
pki_admin_keysize=2048
pki_admin_password=
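Review bot: The default admin certificate request type flips from `crmf` to `pkcs10` without a comment, and the commit message does not mention it either. The reason appears to be that the new Python installer produces the request with `certutil -R` (see `generate_certificate_request` in pkihelper.py), which emits PKCS#10; a comment above the line would keep the two in sync, e.g. `# pkcs10: the python installer generates the admin CSR with 'certutil -R'`. Deployments that set `crmf` explicitly in their own config should be told whether that value is still honored by the new code path.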
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
deleted file mode 100644
index d6af9b1ca..000000000
--- a/base/deploy/src/scriptlets/configuration.jy
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/usr/bin/jython
-
-# System Python Imports
-import os
-import pickle
-import sys
-
-
-# PKI Python Imports
-import pkijython as jyutil
-import pkiconfig as config
-import pkimessages as log
-
-
-# System Java Imports
-from java.lang import System as javasystem
-
-
-# PKI Java Imports
-from com.netscape.certsrv.client import ClientConfig
-
-
-def main(argv):
- rv = 0
-
- # Import the master dictionary from 'pkispawn'
- master = pickle.loads(argv[1])
- sensitive_parameters = master['sensitive_parameters'].split()
-
- # Optionally enable a java debugger (e. g. - 'eclipse'):
- if config.str2bool(master['pki_enable_java_debugger']):
- config.wait_to_attach_an_external_java_debugger()
-
-
- # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging!
- #
- # Until, and unless, 'jython 2.5' or later is used,
- # debugging will basically be limited to using 'print'
- # since creating a logging mechanism for 'jython 2.2'
- # would not make sense at this point in time, although
- # a 'customized' manual log process could be created.
- #
- # Regardless of 'jython' version, the log file generated
- # by this standalone 'jython' process would be unique and
- # separate to the log file generated for the PKI
- # deployment scriptlets 'python' process, as they exist
- # as two separate processes (until and unless 'jython 2.7'
- # could be used to completely replace 'python 2.7',
- # in which case a single process could be executed
- # end-to-end from installation through configuration).
- #
- if master['pki_jython_log_level'] >= config.PKI_JYTHON_DEBUG_LOG_LEVEL:
- # javasystem.out.println("Hello")
- print "%s %s" %\
- (log.PKI_JYTHON_INDENTATION_2, sys.path)
- print "%s %s" %\
- (log.PKI_JYTHON_INDENTATION_2,
- javasystem.getProperties()['java.class.path'])
- for key in master:
- if key in sensitive_parameters:
- value = 'XXXXXXXX'
- else:
- value = master[key]
- print "%s '%s' = '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2, key, value)
-
- # Initialize token
- jyutil.security_databases.initialize_token(
- master['pki_client_database_dir'],
- master['pki_jython_log_level'])
-
- # Log into token
- token = jyutil.security_databases.log_into_token(
- master['pki_client_database_dir'],
- master['pki_client_password_conf'],
- master['pki_jython_log_level'])
-
- # Setup connection parameters
- client_config = ClientConfig()
- client_config.setInstanceCreationMode(True)
- client_config.setServerURI(master['pki_jython_base_uri'])
-
- # Establish REST Client
- client = jyutil.rest_client.initialize(
- client_config,
- master)
-
- # Construct PKI Subsystem Configuration Data
- data = None
- if master['pki_instance_type'] == "Apache":
- if master['pki_subsystem'] == "RA":
- print "%s '%s' %s" %\
- (log.PKI_JYTHON_INDENTATION_2,
- master['pki_subsystem'],
- log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
- return rv
- elif master['pki_subsystem'] == "TPS":
- print "%s '%s' %s" %\
- (log.PKI_JYTHON_INDENTATION_2,
- master['pki_subsystem'],
- log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
- return rv
- elif master['pki_instance_type'] == "Tomcat":
- # PKI or Cloned CA, KRA, OCSP, or TKS, Subordinate CA, or External CA
- data = jyutil.rest_client.construct_pki_configuration_data(token)
-
- # Formulate PKI Subsystem Configuration Data Response
- jyutil.rest_client.configure_pki_data(data)
-
-if __name__ == "__main__":
- main(sys.argv)
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index 248a43cf7..7bd1b017a 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -25,6 +25,9 @@ from pkiconfig import pki_master_dict as master
import pkihelper as util
import pkimessages as log
import pkiscriptlet
+import json
+import pki.system
+import pki.encoder
# PKI Deployment Configuration Scriptlet
@@ -85,16 +88,45 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.prepare_for_an_external_java_debugger(
master['pki_target_tomcat_conf_instance_id'])
tomcat_instance_subsystems =\
- util.instance.tomcat_instance_subsystems()
+ len(util.instance.tomcat_instance_subsystems())
if tomcat_instance_subsystems == 1:
util.systemd.start()
elif tomcat_instance_subsystems > 1:
util.systemd.restart()
- # Pass control to the Java servlet via Jython 2.2 'configuration.jy'
- util.jython.invoke(
- master['pki_jython_configuration_scriptlet'],
- master['resteasy_lib'])
+ # wait for startup
+ status = util.instance.wait_for_startup(60)
+ if status == None:
+ config.pki_log.error("server failed to restart",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ # Optionally wait for debugger to attach (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+ config_client = util.config_client()
+ # Construct PKI Subsystem Configuration Data
+ data = None
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] == "RA":
+ config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1,
+ master['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return rv
+ elif master['pki_subsystem'] == "TPS":
+ config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1,
+ master['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return rv
+ elif master['pki_instance_type'] == "Tomcat":
+ # CA, KRA, OCSP, or TKS
+ data = config_client.construct_pki_configuration_data()
+
+ # Configure the substem
+ config_client.configure_pki_data(
+ json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
+
return self.rv
def respawn(self):
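Review bot: The two `return rv` statements in the Apache branch reference a bare `rv`; unless `spawn()` assigns `rv` earlier (outside this hunk), that is a `NameError`, and the method's own last line returns `self.rv`. Both should read `return self.rv`. Two smaller points: `if status == None:` should be `if status is None:`, and the comment `# Configure the substem` has a typo for "subsystem". The enclosing `spawn()` begins before this hunk.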
@@ -111,7 +143,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.delete(master['pki_client_dir'])
util.symlink.delete(master['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 1:
+ len(util.instance.tomcat_instance_subsystems()) == 1:
if util.directory.exists(master['pki_client_dir']):
util.directory.delete(master['pki_client_dir'])
util.symlink.delete(master['pki_systemd_service_link'])
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 8fe643e15..6ddc98d03 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -105,7 +105,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.instance.apache_instance_subsystems() >= 1:
util.systemd.start()
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() >= 1:
+ len(util.instance.tomcat_instance_subsystems()) >= 1:
util.systemd.start()
config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2,
master['pki_subsystem'],
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 773305c13..843227a84 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -170,7 +170,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.delete(
master['pki_instance_type_registry_path'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
+ len(util.instance.tomcat_instance_subsystems()) == 0:
# remove Tomcat instance base
util.directory.delete(master['pki_instance_path'])
# remove Tomcat instance logs
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 1a4c77cb1..ad6c22251 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -94,14 +94,6 @@ PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443
PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005
PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009
-# PKI Deployment Jython 2.2 Constants
-PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
-PKI_JYTHON_ERROR_LOG_LEVEL = 2
-PKI_JYTHON_WARNING_LOG_LEVEL = 3
-PKI_JYTHON_INFO_LOG_LEVEL = 4
-PKI_JYTHON_DEBUG_LOG_LEVEL = 5
-
-
# PKI Deployment Global Variables
pki_install_time = None
pki_timestamp = None
@@ -173,7 +165,6 @@ def wait_to_attach_an_external_java_debugger():
# PKI Deployment Logger Variables
-pki_jython_log_level = None
pki_log = None
pki_log_dir = None
pki_log_name = None
@@ -184,7 +175,6 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
pki_master_dict = {}
pki_slots_dict = None
-pki_master_jython_dict = None
# PKI Selinux Constants and parameters
PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 7eae9324d..92707c553 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -28,13 +28,16 @@ import fileinput
import pickle
import random
import re
+import requests
import shutil
import string
import subprocess
+import time
from grp import getgrgid
from grp import getgrnam
from pwd import getpwnam
from pwd import getpwuid
+import xml.etree.ElementTree as ET
import zipfile
import selinux
if selinux.is_selinux_enabled():
@@ -49,7 +52,9 @@ from pkiconfig import pki_selinux_config_ports as ports
import pkimanifest as manifest
import pkimessages as log
from pkiparser import PKIConfigParser
-
+import pki.account
+import pki.client
+import pki.system
# PKI Deployment Helper Functions
def pki_copytree(src, dst, symlinks=False, ignore=None):
@@ -921,19 +926,15 @@ class instance:
return rv
def tomcat_instance_subsystems(self):
- rv = 0
+ # Return list of PKI subsystems in the specified tomcat instance
+ rv = []
try:
- # count number of PKI subsystems present
- # within the specified Tomcat instance
for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
path = master['pki_instance_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
- rv = rv + 1
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'],
- rv, extra=config.PKI_INDENTATION_LEVEL_2)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
+ rv.append(subsystem)
+ except OSErr as e:
+ config.pki_log.error(log.PKI_OSERROR_1, str(e),
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
return rv
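Review bot: `except OSErr as e:` names a class that does not exist; Python evaluates the except expression only when an exception propagates, so the first `OSError` from the directory probe surfaces as a `NameError` instead of the logged exit. It should be `except OSError as e:`. The rewrite also drops the `PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2` debug line that reported the count, so the number of detected subsystems is no longer logged; if that is unintended, log `len(rv)` before returning.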
@@ -991,6 +992,38 @@ class instance:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
+ def get_instance_status(self):
+ self.connection = pki.client.PKIConnection(
+ protocol='https',
+ hostname=master['pki_hostname'],
+ port=master['pki_https_port'],
+ subsystem=master['pki_subsystem_type'],
+ accept = 'application/xml')
+
+ try:
+ client = pki.system.SystemStatusClient(self.connection)
+ response = client.getStatus()
+ config.pki_log.debug(response,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+
+ root = ET.fromstring(response)
+ status = root.findtext("Status")
+ return status
+ except requests.exceptions.ConnectionError:
+ config.pki_log.debug("No connection",
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ return None
+
+ def wait_for_startup(self, timeout):
+ tries = 1
+ status = self.get_instance_status()
+ while status != "running":
+ if tries >= timeout:
+ return None
+ time.sleep(1)
+ status = self.get_instance_status()
+ tries = tries + 1
+ return status
# PKI Deployment Directory Class
class directory:
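Review bot: `wait_for_startup` only retries on `requests.exceptions.ConnectionError`; while Tomcat is still deploying, the status URL can answer with an HTTP error that `raise_for_status()` turns into an `HTTPError`, which escapes `get_instance_status` and aborts the installer with a traceback instead of another poll, and a non-XML body would likewise surface as `ET.ParseError`. Widening the clause to `except (requests.exceptions.ConnectionError, requests.exceptions.HTTPError, ET.ParseError):` keeps polling until the timeout. The poll connects over https using the client's `verify=False`, so the status probe does not authenticate the server; for a local startup check that is probably acceptable, but a comment on the connection setup should say so. The `directory` class body that follows is outside this hunk.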
@@ -2282,6 +2315,198 @@ class certutil:
sys.exit(1)
return
+ def import_cert(self, nickname, trust, input_file, password_file,
+ path=None, token=None, critical_failure=True):
+ try:
+ command = ["certutil","-A"]
+ if path:
+ command.extend(["-d", path])
+
+ if token:
+ command.extend(["-h", token])
+
+ if nickname:
+ command.extend(["-n", nickname ])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if trust:
+ command.extend(["-t", trust])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if input_file:
+ command.extend(["-i", input_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if password_file:
+ command.extend(["-f", password_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ subprocess.call(command)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def generate_certificate_request(self, subject, key_size,
+ password_file, noise_file,
+ output_file = None, path = None,
+ ascii_format = None, token = None,
+ critical_failure=True):
+ try:
+ command = ["certutil", "-R"]
+ if path:
+ command.extend(["-d", path])
+ else:
+ command.extend(["-d", "."])
+
+ if token:
+ command.extend(["-h", token])
+
+ if subject:
+ command.extend(["-s", subject])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_SUBJECT,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if key_size:
+ command.extend(["-g", str(key_size)])
+
+ if noise_file:
+ command.extend(["-z", noise_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if password_file:
+ command.extend(["-f", password_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if output_file:
+ command.extend(["-o", output_file])
+
+ # set acsii output
+ if ascii_format:
+ command.append("-a")
+
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not os.path.exists(noise_file):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ noise_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Execute this "certutil" command
+ with open(os.devnull, "w") as fnull:
+ subprocess.call(command, stdout=fnull, stderr=fnull)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+# pk12util class
+class pk12util:
+ def create_file(self, out_file, nickname, out_pwfile,
+ db_pwfile, path=None):
+ try:
+ command = ["pk12util"]
+ if path:
+ command.extend(["-d", path])
+ if out_file:
+ command.extend(["-o", out_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_OUTFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if nickname:
+ command.extend(["-n", nickname])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if out_pwfile:
+ command.extend(["-w", out_pwfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if db_pwfile:
+ command.extend(["-k", db_pwfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(os.devnull, "w") as fnull:
+ subprocess.call(command, stdout=fnull, stderr=fnull)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
# KRA Connector Class
class kra_connector:
def deregister(self, critical_failure=False):
@@ -2748,73 +2973,411 @@ class systemd:
return
-# PKI Deployment 'jython' Class
-class jython:
- def invoke(self, scriptlet, resteasy_lib, critical_failure=True):
+class config_client:
+
+ def configure_pki_data(self, data):
+ config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ self.connection = pki.client.PKIConnection(
+ protocol='https',
+ hostname=master['pki_hostname'],
+ port=master['pki_https_port'],
+ subsystem=master['pki_subsystem_type'])
+
try:
- # JSS JNI Jars
- #
- # NOTE: Always load 64-bit JNI 'jss4.jar'
- # PRIOR to 32-bit JNI 'jss4.jar'
- #
- classpath = "/usr/lib64/java/jss4.jar" +\
- ":/usr/lib/java/jss4.jar" +\
- ":/usr/share/java/httpcomponents/httpclient.jar" +\
- ":/usr/share/java/httpcomponents/httpcore.jar" +\
- ":/usr/share/java/apache-commons-cli.jar" +\
- ":/usr/share/java/apache-commons-codec.jar" +\
- ":/usr/share/java/apache-commons-logging.jar" +\
- ":/usr/share/java/istack-commons-runtime.jar" +\
- ":/usr/share/java/glassfish-jaxb/jaxb-impl.jar" +\
- ":/usr/share/java/scannotation.jar"
-
- # RESTEasy Jars
- classpath = classpath +\
- ":" + resteasy_lib + "/jaxrs-api.jar" +\
- ":" + resteasy_lib + "/resteasy-atom-provider.jar" +\
- ":" + resteasy_lib + "/resteasy-jaxb-provider.jar" +\
- ":" + resteasy_lib + "/resteasy-jaxrs.jar" +\
- ":" + resteasy_lib + "/resteasy-jettison-provider.jar"
-
- # PKI Jars
- classpath = classpath +\
- ":/usr/share/java/pki/pki-certsrv.jar" +\
- ":/usr/share/java/pki/pki-client.jar" +\
- ":/usr/share/java/pki/pki-cmsutil.jar" +\
- ":/usr/share/java/pki/pki-nsutil.jar"
-
- properties = ""
-
- # From 'http://www.jython.org/archive/22/userfaq.html':
- # Setting this to false will allow Jython to provide access to
- # non-public fields, methods, and constructors of Java objects.
- # properties = properties + " -Dpython.security.respectJavaAccessibility=false"
-
- # Compose this "jython" command
- data = pickle.dumps(master)
- if master['pki_architecture'] == 64:
- ld_library_path = "/usr/lib64/jss:/usr/lib64:/lib64:" +\
- "/usr/lib/jss:/usr/lib:/lib"
- else:
- ld_library_path = "/usr/lib/jss:/usr/lib:/lib"
- command = "export LD_LIBRARY_PATH=" + ld_library_path +\
- ";export CLASSPATH=" + classpath +\
- ";jython " + properties + " " + scriptlet
- # Display this "jython" command
- config.pki_log.info(
- log.PKIHELPER_INVOKE_JYTHON_1,
- command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Invoke this "jython" command
- subprocess.call(command + " \"" + data + "\"", shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ client = pki.system.SystemConfigClient(self.connection)
+ response = client.configure(data)
+
+ config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\
+ " " + str(response['status']),
extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
+ certs = response['systemCerts']
+ for cdata in certs:
+ if master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external']) and\
+ not config.str2bool(master['pki_external_step_two']):
+ # External CA Step 1
+ if cdata['tag'].lower() == "signing":
+ config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\
+ " " + cdata['request'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ # Save 'External CA Signing Certificate' CSR (Step 1)
+ config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\
+ " '" + master['pki_external_csr_path'] + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ directory.create(
+ os.path.dirname(master['pki_external_csr_path']))
+ with open(master['pki_external_csr_path'], "w") as f:
+ f.write(cdata['request'])
+ return
+ else:
+ config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\
+ " " + cdata['tag'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\
+ " " + cdata['cert'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\
+ " " + cdata['request'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ # Cloned PKI subsystems do not return an Admin Certificate
+ if not config.str2bool(master['pki_clone']) and \
+ not config.str2bool(master['pki_import_admin_cert']):
+ admin_cert = response['adminCert']['cert']
+ self.process_admin_cert(admin_cert)
+ except Exception, e:
+ config.pki_log.error(
+ log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e),
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
return
+ def process_admin_cert(self, admin_cert):
+ config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\
+ " " + admin_cert,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ # Store the Administration Certificate in a file
+ admin_cert_file = master['pki_client_admin_cert']
+ admin_cert_bin_file = admin_cert_file + ".der"
+ config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\
+ " '" + admin_cert_file + "'",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(admin_cert_file, "w") as f:
+ f.write(admin_cert)
+
+ # convert the cert file to binary
+ command = ["AtoB", admin_cert_file, admin_cert_bin_file]
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ subprocess.call(command)
+
+ os.chmod(admin_cert_file,
+ config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+
+ os.chmod(admin_cert_bin_file,
+ config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+
+ # Import the Administration Certificate
+ # into the client NSS security database
+ certutil.import_cert(
+ re.sub("&#39;", "'", master['pki_admin_nickname']),
+ "u,u,u",
+ admin_cert_bin_file,
+ master['pki_client_password_conf'],
+ master['pki_client_database_dir'],
+ None,
+ True)
+
+ # create directory for p12 file if it does not exist
+ directory.create(os.path.dirname(
+ master['pki_client_admin_cert_p12']))
+
+ # Export the Administration Certificate from the
+ # client NSS security database into a PKCS #12 file
+ pk12util.create_file(
+ master['pki_client_admin_cert_p12'],
+ re.sub("&#39;","'", master['pki_admin_nickname']),
+ master['pki_client_pkcs12_password_conf'],
+ master['pki_client_password_conf'],
+ master['pki_client_database_dir'])
+
+ os.chmod(master['pki_client_admin_cert_p12'],
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+
+
+ def construct_pki_configuration_data(self):
+ config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ data = pki.system.ConfigurationRequest()
+
+ # Miscellaneous Configuration Information
+ data.pin = master['pki_one_time_pin']
+ data.subsystemName = master['pki_subsystem_name']
+ # Cloning parameters
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_clone']):
+ self.set_cloning_parameters(data)
+ else:
+ data.isClone = "false"
+
+ # Hierarchy
+ self.set_hierarchy_parameters(data)
+
+ # Security Domain
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
+ self.set_existing_security_domain(data)
+ else:
+ # PKI CA or External CA
+ self.set_new_security_domain(data)
+
+ # database
+ if master['pki_subsystem'] != "RA":
+ self.set_database_parameters(data)
+
+ # backup
+ if master['pki_instance_type'] == "Tomcat":
+ self.set_backup_parameters(data)
+
+ # admin user
+ if not config.str2bool(master['pki_clone']):
+ self.set_admin_parameters(data)
+
+ # Issuing CA Information
+ self.set_issuing_ca_parameters(data)
+
+ # Create system certs
+ self.set_system_certs(data)
+
+ return data
+
+ def set_system_certs(self, data):
+ systemCerts = []
+
+ # Create 'CA Signing Certificate'
+ if master['pki_subsystem'] == "CA":
+ if not config.str2bool(master['pki_clone']):
+ cert1 = self.create_system_cert("ca_signing")
+ cert1.signingAlgorithm =\
+ master['pki_ca_signing_signing_algorithm']
+ if config.str2bool(master['pki_external_step_two']):
+ # Load the 'External CA Signing Certificate' (Step 2)
+ print(
+ log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\
+ "'" + master['pki_external_ca_cert_path'] + "'")
+ with open(master['pki_external_ca_cert_path']) as f:
+ external_cert = f.read()
+ cert1.cert = external_cert
+
+ # Load the 'External CA Signing Certificate Chain' (Step 2)
+ print(
+ log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\
+ "'" + master['pki_external_ca_cert_chain_path'] +\
+ "'")
+ with open(master['pki_external_ca_cert_chain_path']) as f:
+ external_cert_chain = f.read()
+
+ cert1.certChain = external_cert_chain
+ systemCerts.append(cert1)
+
+ # Create 'OCSP Signing Certificate'
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA" or\
+ master['pki_subsystem'] == "OCSP":
+ # External CA, Subordinate CA, PKI CA, or PKI OCSP
+ cert2 = self.create_system_cert("ocsp_signing")
+ cert2.signingAlgorithm =\
+ master['pki_ocsp_signing_signing_algorithm']
+ systemCerts.append(cert2)
+
+ # Create 'SSL Server Certificate'
+ # all subsystems
+
+ # create new sslserver cert only if this is a new instance
+ cert3 = None
+ system_list = instance.tomcat_instance_subsystems()
+ if len(system_list) >= 2:
+ data.generateServerCert = "false"
+ for subsystem in system_list:
+ dst = master['pki_instance_path'] + '/conf/' +\
+ subsystem.lower() + '/CS.cfg'
+ if subsystem != master['pki_subsystem'] and \
+ os.path.exists(dst):
+ cert3 = self.retrieve_existing_server_cert(dst)
+ break
+ else:
+ cert3 = self.create_system_cert("ssl_server")
+ systemCerts.append(cert3)
+
+ # Create 'Subsystem Certificate'
+ if not config.str2bool(master['pki_clone']):
+ cert4 = self.create_system_cert("subsystem")
+ systemCerts.append(cert4)
+
+ # Create 'Audit Signing Certificate'
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] != "RA":
+ cert5 = self.create_system_cert("audit_signing")
+ cert5.signingAlgorithm =\
+ master['pki_audit_signing_signing_algorithm']
+ systemCerts.append(cert5)
+
+ # Create DRM Transport and storage Certificates
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ cert6 = self.create_system_cert("transport")
+ systemCerts.append(cert6)
+
+ cert7 = self.create_system_cert("storage")
+ systemCerts.append(cert7)
+
+ data.systemCerts = systemCerts
+
+ def set_cloning_parameters(self, data):
+ data.isClone = "true"
+ data.cloneUri = master['pki_clone_uri']
+ data.p12File = master['pki_clone_pkcs12_path']
+ data.p12Password = master['pki_clone_pkcs12_password']
+ data.replicateSchema = master['pki_clone_replicate_schema']
+ data.replicationSecurity =\
+ master['pki_clone_replication_security']
+ if master['pki_clone_replication_master_port']:
+ data.masterReplicationPort =\
+ master['pki_clone_replication_master_port']
+ if master['pki_clone_replication_clone_port']:
+ data.cloneReplicationPort =\
+ master['pki_clone_replication_clone_port']
+
+ def set_hierarchy_parameters(self, data):
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']):
+ # Cloned CA
+ data.hierarchy = "root"
+ elif config.str2bool(master['pki_external']):
+ # External CA
+ data.hierarchy = "join"
+ elif config.str2bool(master['pki_subordinate']):
+ # Subordinate CA
+ data.hierarchy = "join"
+ else:
+ # PKI CA
+ data.hierarchy = "root"
+
+ def set_existing_security_domain(self, data):
+ data.securityDomainType = "existingdomain"
+ data.securityDomainUri = master['pki_security_domain_uri']
+ data.securityDomainUser = master['pki_security_domain_user']
+ data.securityDomainPassword = master['pki_security_domain_password']
+
+ def set_new_security_domain(self, data):
+ data.securityDomainType = "newdomain"
+ data.securityDomainName = master['pki_security_domain_name']
+
+ def set_database_parameters(self, data):
+ data.dsHost = master['pki_ds_hostname']
+ data.dsPort = master['pki_ds_ldap_port']
+ data.baseDN = master['pki_ds_base_dn']
+ data.bindDN = master['pki_ds_bind_dn']
+ data.database = master['pki_ds_database']
+ data.bindpwd = master['pki_ds_password']
+ if config.str2bool(master['pki_ds_remove_data']):
+ data.removeData = "true"
+ else:
+ data.removeData = "false"
+ if config.str2bool(master['pki_ds_secure_connection']):
+ data.secureConn = "true"
+ else:
+ data.secureConn = "false"
+
+ def set_backup_parameters(self, data):
+ if config.str2bool(master['pki_backup_keys']):
+ data.backupKeys = "true"
+ data.backupFile = master['pki_backup_keys_p12']
+ data.backupPassword = master['pki_backup_password']
+ else:
+ data.backupKeys = "false"
+
+ def set_admin_parameters(self, data):
+ data.adminEmail = master['pki_admin_email']
+ data.adminName = master['pki_admin_name']
+ data.adminPassword = master['pki_admin_password']
+ data.adminProfileID = master['pki_admin_profile_id']
+ data.adminUID = master['pki_admin_uid']
+ data.adminSubjectDN = master['pki_admin_subject_dn']
+ if config.str2bool(master['pki_import_admin_cert']):
+ data.importAdminCert = "true"
+ # read config from file
+ with open(master['pki_admin_cert_file']) as f:
+ b64 = f.read().replace('\n','')
+ data.adminCert = b64
+ else:
+ data.importAdminCert = "false"
+ data.adminSubjectDN = master['pki_admin_subject_dn']
+ if master['pki_admin_cert_request_type'] == "pkcs10":
+ data.adminCertRequestType = "pkcs10"
+
+ noise_file = os.path.join(
+ master['pki_client_database_dir'], "noise")
+
+ output_file = os.path.join(
+ master['pki_client_database_dir'], "admin_pkcs10.bin")
+
+ file.generate_noise_file(
+ noise_file, int(master['pki_admin_keysize']))
+
+ certutil.generate_certificate_request(
+ master['pki_admin_subject_dn'],
+ master['pki_admin_keysize'],
+ master['pki_client_password_conf'],
+ noise_file,
+ output_file,
+ master['pki_client_database_dir'],
+ None, None, True)
+
+ # convert output to ascii
+ command = ["BtoA", output_file, output_file + ".asc"]
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ subprocess.call(command)
+
+ with open(output_file + ".asc") as f:
+ b64 = f.read().replace('\n','')
+
+ data.adminCertRequest = b64
+ else:
+ print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY"
+ sys.exit(1)
+
+ def set_issuing_ca_parameters(self, data):
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ config.str2bool(master['pki_external']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
+ # Subordinate CA, or External CA
+ data.issuingCA = master['pki_issuing_ca']
+ if master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external_step_two']):
+ # External CA Step 2
+ data.stepTwo = "true";
+
+ def create_system_cert(self, tag):
+ cert = pki.system.SystemCertData()
+ cert.tag = master["pki_%s_tag" % tag]
+ cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag]
+ cert.keySize = master["pki_%s_key_size" % tag]
+ cert.keyType = master["pki_%s_key_type" % tag]
+ cert.nickname = master["pki_%s_nickname" % tag]
+ cert.subjectDN = master["pki_%s_subject_dn" % tag]
+ cert.token = master["pki_%s_token" % tag]
+ return cert
+
+ def retrieve_existing_server_cert(self, cfg_file):
+ cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file)
+ cstype = cs_cfg.get('cs.type').lower()
+ cert = pki.system.SystemCertData()
+ cert.tag = master["pki_ssl_server_tag"]
+ cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"]
+ cert.keySize = master["pki_ssl_server_key_size"]
+ cert.keyType = master["pki_ssl_server_key_type"]
+ cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname")
+ cert.cert = cs_cfg.get(cstype + ".sslserver.cert")
+ cert.request = cs_cfg.get(cstype + ".sslserver.certreq")
+ cert.subjectDN = master["pki_ssl_server_subject_dn"]
+ cert.token = cs_cfg.get(cstype + ".sslserver.tokenname")
+ return cert
+
# PKI Deployment Helper Class Instances
identity = identity()
namespace = namespace()
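Review bot: The fallback branch at the end of `set_admin_parameters` prints the literal text `"log.PKI_CONFIG_PKCS10_SUPPORT_ONLY"` rather than the message constant, and it uses a bare `print` instead of the logger used everywhere else in the class; it should read `config.pki_log.error(log.PKI_CONFIG_PKCS10_SUPPORT_ONLY, extra=config.PKI_INDENTATION_LEVEL_2)` before the `sys.exit(1)`. The `subprocess.call(command)` invocations for `AtoB` in `process_admin_cert` and `BtoA` in `set_admin_parameters` discard the return code, so a failed conversion only surfaces later as an `OSError` from `os.chmod` on a missing `.der` file or as an empty `adminCertRequest`; `subprocess.check_call` (or an explicit return-code test that logs `log.PKI_SUBPROCESS_ERROR_1`) would fail at the point of the problem. In `set_system_certs`, when two or more subsystems are present but no sibling `CS.cfg` exists, `cert3` stays `None` and is still appended to `systemCerts`, which the server side then has to cope with. The `ConfigurationRequest` built here carries the DS bind password, the security-domain password and the admin password; whether `pki.client.PKIConnection` verifies the server certificate on the `https` connection opened in `configure_pki_data` is not visible in this hunk and is worth confirming in `client.py`.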
@@ -2827,7 +3390,7 @@ symlink = symlink()
war = war()
password = password()
certutil = certutil()
+pk12util = pk12util()
security_domain = security_domain()
kra_connector = kra_connector()
systemd = systemd()
-jython = jython()
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
deleted file mode 100644
index 4768d8af9..000000000
--- a/base/deploy/src/scriptlets/pkijython.py
+++ /dev/null
@@ -1,667 +0,0 @@
-#!/usr/bin/jython
-
-# System Java Imports
-from java.io import BufferedReader
-from java.io import ByteArrayInputStream
-from java.io import FileReader
-from java.io import IOException
-from java.lang import Integer
-from java.lang import String as javastring
-from java.lang import System as javasystem
-from java.net import URISyntaxException
-from java.security import KeyPair
-from java.security import NoSuchAlgorithmException
-from java.util import ArrayList
-from java.util import Collection
-from java.util import Iterator
-from org.python.core import PyDictionary
-import jarray
-
-
-# System Python Imports
-import ConfigParser
-import errno
-import os
-import re
-import sys
-pki_python_module_path = os.path.join(sys.prefix,
- "lib",
- "python" + str(sys.version_info[0]) +
- "." + str(sys.version_info[1]),
- "site-packages",
- "pki",
- "deployment",
- "configuration.jy")
-sys.path.append(pki_python_module_path)
-
-
-# PKI Python Imports
-import pkiconfig as config
-import pkimessages as log
-
-# Apache Commons Java Imports
-from org.apache.commons.cli import CommandLine
-from org.apache.commons.cli import CommandLineParser
-from org.apache.commons.cli import HelpFormatter
-from org.apache.commons.cli import Options
-from org.apache.commons.cli import ParseException
-from org.apache.commons.cli import PosixParser
-
-# JSS Java Imports
-from org.mozilla.jss import CryptoManager
-from org.mozilla.jss.asn1 import ASN1Util
-from org.mozilla.jss.asn1 import BIT_STRING
-from org.mozilla.jss.asn1 import INTEGER
-from org.mozilla.jss.asn1 import InvalidBERException
-from org.mozilla.jss.asn1 import SEQUENCE
-from org.mozilla.jss.crypto import AlreadyInitializedException
-from org.mozilla.jss.crypto import CryptoToken
-from org.mozilla.jss.crypto import KeyPairAlgorithm
-from org.mozilla.jss.crypto import KeyPairGenerator
-from org.mozilla.jss.crypto import TokenException
-from org.mozilla.jss.pkix.crmf import CertReqMsg
-from org.mozilla.jss.pkix.crmf import CertRequest
-from org.mozilla.jss.pkix.crmf import CertTemplate
-from org.mozilla.jss.pkix.crmf import POPOPrivKey
-from org.mozilla.jss.pkix.crmf import ProofOfPossession
-from org.mozilla.jss.pkix.primitive import Name
-from org.mozilla.jss.pkix.primitive import SubjectPublicKeyInfo
-from org.mozilla.jss.util import Password
-
-# PKI Java Imports
-from com.netscape.certsrv.system import SystemConfigClient
-from com.netscape.certsrv.system import SystemCertData
-from com.netscape.certsrv.system import ConfigurationRequest
-from com.netscape.certsrv.system import ConfigurationResponse
-from com.netscape.cmsutil.util import Utils
-from netscape.security.x509 import X500Name
-
-# PKI Deployment Jython Helper Functions
-def generateCRMFRequest(token, keysize, subjectdn, dualkey):
- kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA)
- x = Integer(keysize)
- key_len = x.intValue()
- kg.initialize(key_len)
- # 1st key pair
- pair = kg.genKeyPair()
- # create CRMF
- certTemplate = CertTemplate()
- certTemplate.setVersion(INTEGER(2))
- if not subjectdn is None:
- name = X500Name(subjectdn)
- cs = ByteArrayInputStream(name.getEncoded())
- n = Name.getTemplate().decode(cs)
- certTemplate.setSubject(n)
- certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic()))
- seq = SEQUENCE()
- certReq = CertRequest(INTEGER(1), certTemplate, seq)
- popdata = jarray.array([0x0,0x3,0x0], 'b')
- pop = ProofOfPossession.createKeyEncipherment(
- POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3)))
- crmfMsg = CertReqMsg(certReq, pop, None)
- s1 = SEQUENCE()
- # 1st : Encryption key
- s1.addElement(crmfMsg)
- # 2nd : Signing Key
- if config.str2bool(dualkey):
- javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
- seq1 = SEQUENCE()
- certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
- signingMsg = CertReqMsg(certReqSigning, pop, None)
- s1.addElement(signingMsg)
- encoded = jarray.array(ASN1Util.encode(s1), 'b')
- # encoder = BASE64Encoder()
- # Req1 = encoder.encodeBuffer(encoded)
- Req1 = Utils.base64encode(encoded)
- return Req1
-
-COMMENT_CHAR = '#'
-OPTION_CHAR = '='
-def read_simple_configuration_file(filename):
- values = {}
- f = open(filename)
- for line in f:
- # First, remove comments:
- if COMMENT_CHAR in line:
- # split on comment char, keep only the part before
- line, comment = line.split(COMMENT_CHAR, 1)
- # Second, find lines with an name=value:
- if OPTION_CHAR in line:
- # split on name char:
- name, value = line.split(OPTION_CHAR, 1)
- # strip spaces:
- name = name.strip()
- value = value.strip()
- # store in dictionary:
- values[name] = value
- f.close()
- return values
-
-
-# PKI Deployment 'security databases' Class
-class security_databases:
- def initialize_token(self, pki_database_path, log_level):
- try:
- if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
- print "%s %s '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2,
- log.PKI_JYTHON_INITIALIZING_TOKEN,
- pki_database_path)
- CryptoManager.initialize(pki_database_path)
- except AlreadyInitializedException, e:
- # it is ok if it is already initialized
- pass
- except Exception, e:
- javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\
- " " + str(e))
- javasystem.exit(1)
-
- def log_into_token(self, pki_database_path, password_conf, log_level):
- token = None
- try:
- if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
- print "%s %s '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2,
- log.PKI_JYTHON_LOG_INTO_TOKEN,
- pki_database_path)
- manager = CryptoManager.getInstance()
- token = manager.getInternalKeyStorageToken()
- # Retrieve 'password' from client-side 'password_conf'
- #
- # NOTE: For now, ONLY read the first line
- # (which contains "password")
- #
- fd = open(password_conf, "r")
- token_pwd = fd.readline()
- fd.close
- # Convert 'token_pwd' into a 'java char[]'
- jtoken_pwd = jarray.array(token_pwd, 'c')
- password = Password(jtoken_pwd)
- try:
- token.login(password)
- except Exception, e:
- javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
- " " + str(e))
- if not token.isLoggedIn():
- token.initPassword(password, password)
- javasystem.exit(1)
- except Exception, e:
- javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
- " " + str(e))
- javasystem.exit(1)
- return token
-
-
-# PKI Deployment 'REST Client' Class
-class rest_client:
- client = None
- master = None
-
- def initialize(self, client_config, master):
- try:
- self.master = master
- log_level = master['pki_jython_log_level']
- if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
- print "%s %s '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2,
- log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
- client_config.serverURI)
- self.client = SystemConfigClient(client_config)
- return self.client
- except URISyntaxException, e:
- e.printStackTrace()
- javasystem.exit(1)
-
- def set_existing_security_domain(self, data):
- data.setSecurityDomainType(ConfigurationRequest.EXISTING_DOMAIN)
- data.setSecurityDomainUri(self.master['pki_security_domain_uri'])
- data.setSecurityDomainUser(self.master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- self.master['pki_security_domain_password'])
-
- def set_new_security_domain(self, data):
- data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN)
- data.setSecurityDomainName(self.master['pki_security_domain_name'])
-
- def set_cloning_parameters(self, data):
- data.setIsClone("true")
- data.setCloneUri(self.master['pki_clone_uri'])
- data.setP12File(self.master['pki_clone_pkcs12_path'])
- data.setP12Password(self.master['pki_clone_pkcs12_password'])
- data.setReplicateSchema(self.master['pki_clone_replicate_schema'])
- data.setReplicationSecurity(
- self.master['pki_clone_replication_security'])
- if self.master['pki_clone_replication_master_port']:
- data.setMasterReplicationPort(
- self.master['pki_clone_replication_master_port'])
- if self.master['pki_clone_replication_clone_port']:
- data.setCloneReplicationPort(
- self.master['pki_clone_replication_clone_port'])
-
- def set_database_parameters(self, data):
- data.setDsHost(self.master['pki_ds_hostname'])
- data.setDsPort(self.master['pki_ds_ldap_port'])
- data.setBaseDN(self.master['pki_ds_base_dn'])
- data.setBindDN(self.master['pki_ds_bind_dn'])
- data.setDatabase(self.master['pki_ds_database'])
- data.setBindpwd(self.master['pki_ds_password'])
- if config.str2bool(self.master['pki_ds_remove_data']):
- data.setRemoveData("true")
- else:
- data.setRemoveData("false")
- if config.str2bool(self.master['pki_ds_secure_connection']):
- data.setSecureConn("true")
- else:
- data.setSecureConn("false")
-
- def set_backup_parameters(self, data):
- if config.str2bool(self.master['pki_backup_keys']):
- data.setBackupKeys("true")
- data.setBackupFile(self.master['pki_backup_keys_p12'])
- data.setBackupPassword(self.master['pki_backup_password'])
- else:
- data.setBackupKeys("false")
-
- def set_admin_parameters(self, token, data):
- data.setAdminEmail(self.master['pki_admin_email'])
- data.setAdminName(self.master['pki_admin_name'])
- data.setAdminPassword(self.master['pki_admin_password'])
- data.setAdminProfileID(self.master['pki_admin_profile_id'])
- data.setAdminUID(self.master['pki_admin_uid'])
- data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
- if config.str2bool(self.master['pki_import_admin_cert']):
- data.setImportAdminCert("true")
- # read config from file
- f = open(self.master['pki_admin_cert_file'])
- b64 = f.read().replace('\n','')
- f.close()
- data.setAdminCert(b64)
- else:
- data.setImportAdminCert("false")
- data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
- if self.master['pki_admin_cert_request_type'] == "crmf":
- data.setAdminCertRequestType("crmf")
- if config.str2bool(self.master['pki_admin_dualkey']):
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "true")
- else:
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "false")
- data.setAdminCertRequest(crmf_request)
- else:
- javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
- javasystem.exit(1)
-
- def create_system_cert(self, tag):
- cert = SystemCertData()
- cert.setTag(self.master["pki_%s_tag" % tag])
- cert.setKeyAlgorithm(self.master["pki_%s_key_algorithm" % tag])
- cert.setKeySize(self.master["pki_%s_key_size" % tag])
- cert.setKeyType(self.master["pki_%s_key_type" % tag])
- cert.setNickname(self.master["pki_%s_nickname" % tag])
- cert.setSubjectDN(self.master["pki_%s_subject_dn" % tag])
- cert.setToken(self.master["pki_%s_token" % tag])
- return cert
-
- def mkdirs(self, path):
- try:
- os.makedirs(path)
- except OSError, e:
- if e.errno == 0:
- # Avoid the following weird python/jython exception:
- #
- # [Errno 0] couldn't make directories: <path>
- #
- pass
- elif e.errno == errno.EEXIST and os.path.isdir(path):
- pass
- else:
- raise
-
- def write_data_to_file(self, filename, data):
- FILE = open(filename, "w")
- FILE.write(data)
- FILE.close()
-
- def read_data_from_file(self, filename):
- FILE = open(filename, "r")
- data = FILE.read()
- FILE.close()
- return data
-
- def retrieve_existing_server_cert(self, cfg_file):
- cs_cfg = read_simple_configuration_file(cfg_file)
- cstype = cs_cfg.get('cs.type').lower()
- cert = SystemCertData()
- cert.setTag(self.master["pki_ssl_server_tag"])
- cert.setKeyAlgorithm(self.master["pki_ssl_server_key_algorithm"])
- cert.setKeySize(self.master["pki_ssl_server_key_size"])
- cert.setKeyType(self.master["pki_ssl_server_key_type"])
- cert.setNickname(cs_cfg.get(cstype + ".sslserver.nickname"))
- cert.setCert(cs_cfg.get(cstype + ".sslserver.cert"))
- cert.setRequest(cs_cfg.get(cstype + ".sslserver.certreq"))
- cert.setSubjectDN(self.master["pki_ssl_server_subject_dn"])
- cert.setToken(cs_cfg.get(cstype + ".sslserver.tokenname"))
- return cert
-
- def tomcat_instance_subsystems(self):
- # Return list of PKI subsystems in the specified tomcat instance
- rv = []
- try:
- for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- path = self.master['pki_instance_path'] + "/" + subsystem.lower()
- if os.path.exists(path) and os.path.isdir(path):
- rv.append(subsystem)
- except Exception, e:
- javasystem.out.println(
- log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
- javasystem.exit(1)
- return rv
-
-
- def construct_pki_configuration_data(self, token):
- data = None
- master = self.master
- if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
- print "%s %s '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2,
- log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
- master['pki_subsystem'])
- data = ConfigurationRequest()
-
- # Miscellaneous Configuration Information
- data.setPin(master['pki_one_time_pin'])
- data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
- data.setSubsystemName(master['pki_subsystem_name'])
-
- # Hierarchy
- if master['pki_instance_type'] == "Tomcat":
- if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_clone']):
- # Cloned CA
- data.setHierarchy("root")
- elif config.str2bool(master['pki_external']):
- # External CA
- data.setHierarchy("join")
- elif config.str2bool(master['pki_subordinate']):
- # Subordinate CA
- data.setHierarchy("join")
- else:
- # PKI CA
- data.setHierarchy("root")
-
- # Cloning parameters
- if master['pki_instance_type'] == "Tomcat":
- if config.str2bool(master['pki_clone']):
- self.set_cloning_parameters(data)
- else:
- data.setIsClone("false")
-
- # Security Domain
- if master['pki_subsystem'] != "CA" or\
- config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
- # Subordinate CA
- self.set_existing_security_domain(data)
- else:
- # PKI CA or External CA
- self.set_new_security_domain(data)
-
- if master['pki_subsystem'] != "RA":
- self.set_database_parameters(data)
-
- if master['pki_instance_type'] == "Tomcat":
- self.set_backup_parameters(data)
-
- if not config.str2bool(master['pki_clone']):
- self.set_admin_parameters(token, data)
-
- # Issuing CA Information
- if master['pki_subsystem'] != "CA" or\
- config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']) or\
- config.str2bool(master['pki_external']):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
- # Subordinate CA, or External CA
- data.setIssuingCA(master['pki_issuing_ca'])
- if master['pki_subsystem'] == "CA" and\
- config.str2bool(master['pki_external_step_two']):
- # External CA Step 2
- data.setStepTwo("true");
-
- # Create system certs
- systemCerts = ArrayList()
-
- # Create 'CA Signing Certificate'
- if master['pki_subsystem'] == "CA":
- if not config.str2bool(master['pki_clone']):
- cert1 = self.create_system_cert("ca_signing")
- cert1.setSigningAlgorithm(
- master['pki_ca_signing_signing_algorithm'])
- if config.str2bool(master['pki_external_step_two']):
- # Load the 'External CA Signing Certificate' (Step 2)
- javasystem.out.println(
- log.PKI_JYTHON_EXTERNAL_CA_LOAD + " " +\
- "'" + master['pki_external_ca_cert_path'] + "'")
- external_cert = self.read_data_from_file(
- master['pki_external_ca_cert_path'])
- cert1.setCert(external_cert);
- # Load the 'External CA Signing Certificate Chain' (Step 2)
- javasystem.out.println(
- log.PKI_JYTHON_EXTERNAL_CA_CHAIN_LOAD + " " +\
- "'" + master['pki_external_ca_cert_chain_path'] +\
- "'")
- external_cert_chain = self.read_data_from_file(
- master['pki_external_ca_cert_chain_path'])
- cert1.setCertChain(external_cert_chain);
- systemCerts.add(cert1)
-
- # Create 'OCSP Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "CA" or\
- master['pki_subsystem'] == "OCSP":
- # External CA, Subordinate CA, PKI CA, or PKI OCSP
- cert2 = self.create_system_cert("ocsp_signing")
- cert2.setSigningAlgorithm(
- master['pki_ocsp_signing_signing_algorithm'])
- systemCerts.add(cert2)
-
- # Create 'SSL Server Certificate'
- # all subsystems
-
- # create new sslserver cert only if this is a new instance
- cert3 = None
- system_list = self.tomcat_instance_subsystems()
- if len(system_list) >= 2:
- data.setGenerateServerCert("false")
- for subsystem in system_list:
- dst = master['pki_instance_path'] + '/conf/' +\
- subsystem.lower() + '/CS.cfg'
- if subsystem != master['pki_subsystem'] and \
- os.path.exists(dst):
- cert3 = self.retrieve_existing_server_cert(dst)
- break
- else:
- cert3 = self.create_system_cert("ssl_server")
- systemCerts.add(cert3)
-
- # Create 'Subsystem Certificate'
- if not config.str2bool(master['pki_clone']):
- cert4 = self.create_system_cert("subsystem")
- systemCerts.add(cert4)
-
- # Create 'Audit Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] != "RA":
- cert5 = self.create_system_cert("audit_signing")
- cert5.setSigningAlgorithm(
- master['pki_audit_signing_signing_algorithm'])
- systemCerts.add(cert5)
-
- # Create DRM Transport and storage Certificates
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "KRA":
- cert6 = self.create_system_cert("transport")
- systemCerts.add(cert6)
-
- cert7 = self.create_system_cert("storage")
- systemCerts.add(cert7)
-
- data.setSystemCerts(systemCerts)
-
- return data
-
- def configure_pki_data(self, data):
- master = self.master
- if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
- print "%s %s '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2,
- log.PKI_JYTHON_CONFIGURING_PKI_DATA,
- master['pki_subsystem'])
- try:
- response = self.client.configure(data)
- javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
- " " + response.getStatus())
- certs = response.getSystemCerts()
- iterator = certs.iterator()
- while iterator.hasNext():
- cdata = iterator.next()
- if master['pki_subsystem'] == "CA" and\
- config.str2bool(master['pki_external']) and\
- not config.str2bool(master['pki_external_step_two']):
- # External CA Step 1
- if cdata.getTag().lower() == "signing":
- javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST +\
- " " + cdata.getRequest())
- # Save 'External CA Signing Certificate' CSR (Step 1)
- javasystem.out.println(log.PKI_JYTHON_EXTERNAL_CSR_SAVE\
- + " " + "'" +\
- master['pki_external_csr_path']\
- + "'")
- self.mkdirs(
- os.path.dirname(master['pki_external_csr_path']))
- self.write_data_to_file(master['pki_external_csr_path'],
- cdata.getRequest())
- return
- else:
- javasystem.out.println(log.PKI_JYTHON_CDATA_TAG +\
- " " + cdata.getTag())
- javasystem.out.println(log.PKI_JYTHON_CDATA_CERT +\
- " " + cdata.getCert())
- javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST +\
- " " + cdata.getRequest())
- # Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(master['pki_clone']) and \
- not config.str2bool(master['pki_import_admin_cert']):
- admin_cert = response.getAdminCert().getCert()
- javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
- " " + admin_cert)
- # Store the Administration Certificate in a file
- admin_cert_file = master['pki_client_admin_cert']
- admin_cert_bin_file = admin_cert_file + ".der"
- javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
- " " + "'" + admin_cert_file + "'")
- self.write_data_to_file(admin_cert_file, admin_cert)
- # convert the cert file to binary
- command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file
- javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\
- " " + "'" + command + "'")
- os.system(command)
-
- # Since Jython runs under Java, it does NOT support the
- # following operating system specific command:
- #
- # os.chmod(
- # admin_cert_file,
- # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
- #
- # Emulate it with a system call.
- command = "chmod" + " 660 " + admin_cert_file
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
-
- command = "chmod" + " 660 " + admin_cert_bin_file
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
-
- # Import the Administration Certificate
- # into the client NSS security database
- command = "certutil" + " " +\
- "-A" + " " +\
- "-n" + " " + "\"" +\
- re.sub("&#39;",
- "'", master['pki_admin_nickname']) +\
- "\"" + " " +\
- "-t" + " " +\
- "\"" + "u,u,u" + "\"" + " " +\
- "-f" + " " +\
- master['pki_client_password_conf'] + " " +\
- "-d" + " " +\
- master['pki_client_database_dir'] + " " +\
- "-i" + " " +\
- admin_cert_bin_file
- javasystem.out.println(
- log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
- " " + "'" + command + "'")
- os.system(command)
-
- # create directory for p12 file if it does not exist
- self.mkdirs(os.path.dirname(
- master['pki_client_admin_cert_p12']))
-
- # Export the Administration Certificate from the
- # client NSS security database into a PKCS #12 file
- command = "pk12util" + " " +\
- "-o" + " " +\
- master['pki_client_admin_cert_p12'] + " " +\
- "-n" + " " + "\"" +\
- re.sub("&#39;",
- "'", master['pki_admin_nickname']) +\
- "\"" + " " +\
- "-d" + " " +\
- master['pki_client_database_dir'] + " " +\
- "-k" + " " +\
- master['pki_client_password_conf'] + " " +\
- "-w" + " " +\
- master['pki_client_pkcs12_password_conf']
- javasystem.out.println(
- log.PKI_JYTHON_ADMIN_CERT_EXPORT +\
- " " + "'" + command + "'")
- os.system(command)
- # Since Jython runs under Java, it does NOT support the
- # following operating system specific command:
- #
- # os.chmod(master['pki_client_admin_cert_p12'],
- # config.\
- # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- #
- # Emulate it with a system call.
- command = "chmod" + " " + "664" + " " +\
- master['pki_client_admin_cert_p12']
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
- except Exception, e:
- javasystem.out.println(
- log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
- javasystem.exit(1)
- return
-
-
-# PKI Deployment Jython Class Instances
-security_databases = security_databases()
-rest_client = rest_client()
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index c16d3ce46..a6361dc8b 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -149,12 +149,17 @@ PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\
"Apache PKI instances"
PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\
"slot substitutions on '%s'"
+PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'"
+PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\
+ "'-i input-file' option!"
PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\
"'-c issuer-name' option!"
PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\
"'-n nickname' option!"
PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\
"'-z noise-file' option!"
+PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\
+ "'-f password-file' option!"
PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!"
PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\
"'-m serial-number' option!"
@@ -189,7 +194,6 @@ PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
"context %s"
-PKIHELPER_INVOKE_JYTHON_1 = "executing '%s'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
PKIHELPER_IS_A_FILE_1 = "'%s' is a file"
PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink"
@@ -224,6 +228,15 @@ PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
"filling it with '%d' random bytes"
PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!"
+PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\
+ "-k db-password-file option!"
+PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\
+ "-n nickname option!"
+PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\
+ "-o output-file option!"
+PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\
+ "-w pw-file option!"
+
PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\
"PKI subsystems"
PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'"
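Review bot: The four new `PKIHELPER_PK12UTIL_MISSING_*` messages are formatted differently from the `PKIHELPER_CERTUTIL_MISSING_*` messages added in the same file (no colon after the tool name, no quotes around the option), so the two tools' error output will look inconsistent in the install log. Suggest matching the certutil style, e.g. `PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util: Missing '-k db-password-file' option!"`, and likewise for the `-n`, `-o` and `-w` variants. The message for `-w` could also say `pkcs12-password-file` rather than `pw-file`, since that is the file the option names in the removed jython code.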
@@ -279,47 +292,25 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s"
PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s"
-
-# PKI Deployment Jython "Scriptlet" Messages
-# (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
-PKI_JYTHON_ADMIN_CERT_EXPORT = "exporting Admin Certificate from "\
- "NSS client security database:"
-PKI_JYTHON_ADMIN_CERT_IMPORT = "importing Admin Certificate into "\
- "NSS client security database:"
-PKI_JYTHON_ADMIN_CERT_SAVE = "saving Admin Certificate to file:"
-PKI_JYTHON_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:"
-PKI_JYTHON_CDATA_TAG = "tag:"
-PKI_JYTHON_CDATA_CERT = "cert:"
-PKI_JYTHON_CDATA_REQUEST = "request:"
-PKI_JYTHON_CHMOD = "performing chmod:"
-PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
-PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
-PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\
+PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:"
+PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:"
+PKI_CONFIG_CDATA_TAG = "tag:"
+PKI_CONFIG_CDATA_CERT = "cert:"
+PKI_CONFIG_CDATA_REQUEST = "request:"
+PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data."
+PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data."
+PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\
"is currently supported"
-PKI_JYTHON_IS_DUALKEY = "dualkey = true"
-PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing"
-PKI_JYTHON_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\
+PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\
"from file:"
-PKI_JYTHON_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\
+PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\
"chain from file:"
-PKI_JYTHON_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:"
-PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON "
-PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..."
-PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......."
-PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........."
-PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............."
-PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:"
-PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via"
-PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
-PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\
+PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:"
+PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\
"Exception from Java Configuration Servlet:"
-PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
-PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:"
-PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:"
-PKI_JYTHON_RESPONSE_STATUS = "status:"
-PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:"
-PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
-
+PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:"
+PKI_CONFIG_RESPONSE_STATUS = "status:"
+PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED"
# PKI Deployment "Scriptlet" Messages
ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'"
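Review bot: `PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED"` carries a leading space inside the format string, which every other message in this file leaves to the logging call; it will produce a double space when logged with the usual indentation. Suggest `PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = "%s NOT YET IMPLEMENTED"`. The blank line that separated the configuration messages from the `# PKI Deployment "Scriptlet" Messages` header was also dropped in this hunk; restoring it keeps the section breaks consistent with the rest of the file.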
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 639b11820..c4bf9b886 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -96,15 +96,12 @@ class PKIConfigParser:
# Process 'Optional' command-line options
# '-v'
if args.pki_verbosity == 1:
- config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL
config.pki_console_log_level = logging.INFO
config.pki_log_level = logging.INFO
elif args.pki_verbosity == 2:
- config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL
config.pki_console_log_level = logging.INFO
config.pki_log_level = logging.DEBUG
elif args.pki_verbosity == 3:
- config.pki_jython_log_level = config.PKI_JYTHON_DEBUG_LOG_LEVEL
config.pki_console_log_level = logging.DEBUG
config.pki_log_level = logging.DEBUG
elif args.pki_verbosity > 3:
@@ -114,7 +111,6 @@ class PKIConfigParser:
self.arg_parser.exit(-1);
else:
# Set default log levels
- config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
config.pki_console_log_level = logging.WARNING
config.pki_log_level = logging.INFO
@@ -424,8 +420,6 @@ class PKIConfigParser:
config.pki_master_dict['pki_certificate_timestamp'] =\
config.pki_certificate_timestamp
config.pki_master_dict['pki_architecture'] = config.pki_architecture
- config.pki_master_dict['pki_jython_log_level'] =\
- config.pki_jython_log_level
config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg
config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg
config.pki_master_dict['pki_deployed_instance_name'] =\
@@ -857,21 +851,7 @@ class PKIConfigParser:
config.pki_master_dict['pki_client_database_password'] =\
str(config.pki_master_dict['pki_client_pin'])
- # Jython scriptlet name/value pairs
- config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
- os.path.join(sys.prefix,
- "lib",
- "python" + str(sys.version_info[0]) + "." +
- str(sys.version_info[1]),
- "site-packages",
- "pki",
- "deployment",
- "configuration.jy")
- config.pki_master_dict['pki_jython_base_uri'] =\
- "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\
- config.pki_master_dict['pki_https_port'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
- # Jython scriptlet
+ # Configuration scriptlet
# 'Security Domain' Configuration name/value pairs
# 'Subsystem Name' Configuration name/value pairs
# 'Token' Configuration name/value pairs
@@ -945,7 +925,6 @@ class PKIConfigParser:
# PKI CA
config.pki_master_dict['pki_security_domain_type'] = "new"
- # Jython scriptlet
# 'External CA' Configuration name/value pairs
#
# Tomcat - [External CA]
@@ -959,7 +938,6 @@ class PKIConfigParser:
# config.pki_master_dict['pki_external_step_two']
#
- # Jython scriptlet
# 'Backup' Configuration name/value pairs
#
# Apache - [RA], [TPS]
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index a74a4c157..9ac4784e5 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -62,7 +62,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.modify(master['pki_secmod_database'], perms=\
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- if util.instance.tomcat_instance_subsystems() < 2:
+ if len(util.instance.tomcat_instance_subsystems()) < 2:
# only create a self signed cert for a new instance
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
@@ -111,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.delete(master['pki_secmod_database'])
util.file.delete(master['pki_shared_password_conf'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
+ len(util.instance.tomcat_instance_subsystems()) == 0:
util.file.delete(master['pki_cert_database'])
util.file.delete(master['pki_key_database'])
util.file.delete(master['pki_secmod_database'])
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
index f3b7d1273..552ab3f41 100644
--- a/base/deploy/src/scriptlets/selinux_setup.py
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -66,7 +66,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instance_subsystems() == 1 or\
master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 1:
+ len(util.instance.tomcat_instance_subsystems()) == 1:
trans = seobject.semanageRecords("targeted")
trans.start()
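Review bot: The condition now wraps `tomcat_instance_subsystems()` in `len()` but leaves `util.instance.apache_instance_subsystems() == 1` on the line above unwrapped, so the two halves of the same expression treat the helpers differently. If `apache_instance_subsystems()` also returns a list (I cannot see its definition from here), the Apache branch has the same always-false comparison this commit fixes for Tomcat; if it returns an int, a short comment such as `# apache_instance_subsystems() returns a count, tomcat_instance_subsystems() a list` would stop the next reader from "fixing" it. The same mixed comparison appears in the destroy path at the second hunk of this file.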
@@ -133,7 +133,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instance_subsystems() == 0 or\
master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
+ len(util.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 5ef28fc31..57c62561f 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -680,6 +680,18 @@
<param-value> certServer.clone.configuration </param-value> </init-param>
</servlet>
+ <servlet>
+ <servlet-name> kraGetStatus </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGetStatus </param-value> </init-param>
+ </servlet>
+
+
<!-- ==================== RESTEasy Configuration =============== -->
<listener>
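Review bot: The new `kraGetStatus` servlet is declared with `GetClientCert` set to `false` and, unlike the neighbouring servlet definitions in this file that carry ACL init-params (e.g. `certServer.clone.configuration` just above), has no `AuthzMgr`/`AclInfo` parameters, so `/admin/kra/getStatus` is reachable by any unauthenticated client. The commit message says it is polled before configuration starts, so anonymous access is presumably deliberate, but that intent is not recorded anywhere in the descriptor. Suggest an XML comment on the servlet: `<!-- Unauthenticated by design: polled by pkispawn before the subsystem is configured; must only report install status -->`, and confirm that `GetStatus` returns nothing beyond that status indicator, since I cannot see the servlet class from this diff.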
@@ -926,6 +938,11 @@
<url-pattern> /admin/console/config/savepkcs12 </url-pattern>
</servlet-mapping>
+ <servlet-mapping>
+ <servlet-name> kraGetStatus </servlet-name>
+ <url-pattern> /admin/kra/getStatus </url-pattern>
+ </servlet-mapping>
+
<!-- ==================== Default Session Configuration =============== -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index eb29dc154..68f482b47 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -393,6 +393,17 @@
<param-value> BasicAclAuthz </param-value> </init-param>
</servlet>
+ <servlet>
+ <servlet-name> ocspGetStatus </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ocsp </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> ocspGetStatus </param-value> </init-param>
+ </servlet>
+
<listener>
<listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
</listener>
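Review bot: `ocspGetStatus` is mapped under `/admin/ocsp/getStatus` with `GetClientCert` false and no `AuthzMgr`/`AclInfo` init-params, while the servlet immediately above it in this file is guarded by `BasicAclAuthz`, so this endpoint answers unauthenticated requests. That matches the pre-configuration polling described in the commit message, but the descriptor should say so explicitly: `<!-- Unauthenticated by design: pre-configuration status probe; returns install status only -->`. Please also confirm the `GetStatus` class exposes nothing beyond the status value, as its implementation is not visible here.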
@@ -560,6 +571,12 @@
<url-pattern> /admin/console/config/savepkcs12 </url-pattern>
</servlet-mapping>
+ <servlet-mapping>
+ <servlet-name> ocspGetStatus </servlet-name>
+ <url-pattern> /admin/ocsp/getStatus </url-pattern>
+ </servlet-mapping>
+
+
<!-- ==================== Default Session Configuration =============== -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index 7cfb24b15..bc1685ddb 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -263,6 +263,17 @@
<param-value> certServer.clone.configuration.GetConfigEntries </param-value> </init-param>
</servlet>
+ <servlet>
+ <servlet-name> tksGetStatus </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> tks </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> tksGetStatus </param-value> </init-param>
+ </servlet>
+
<listener>
<listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
</listener>
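Review bot: As with the KRA and OCSP descriptors, `tksGetStatus` is registered with `GetClientCert` false and without the ACL init-params used by the surrounding servlets (e.g. `certServer.clone.configuration.GetConfigEntries` above it), leaving `/admin/tks/getStatus` open to anonymous callers. If that is intended for the pre-configuration probe, document it next to the definition, e.g. `<!-- Unauthenticated by design: pre-configuration status probe; returns install status only -->`, so a later hardening pass does not silently break `pkispawn`. I cannot see `GetStatus` itself, so its response content should be checked to ensure it discloses only the status string.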
@@ -391,6 +402,11 @@
<url-pattern> /admin/console/config/savepkcs12 </url-pattern>
</servlet-mapping>
+ <servlet-mapping>
+ <servlet-name> tksGetStatus </servlet-name>
+ <url-pattern> /admin/tks/getStatus </url-pattern>
+ </servlet-mapping>
+
<!-- ==================== Default Session Configuration =============== -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->