diff options
author | Endi S. Dewata <edewata@redhat.com> | 2015-05-06 16:19:19 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-05-11 10:20:04 -0400 |
commit | 6ee510efe491b1e2afd7e9901eee690365fd8bbb (patch) | |
tree | d7c07b1380f92589adba578dff810744b17cbe52 /base | |
parent | 7dca020819b7573cd05bd54482fb5d1afe9bb658 (diff) | |
download | pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.gz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.tar.xz pki-6ee510efe491b1e2afd7e9901eee690365fd8bbb.zip |
Added options for internal token and replication passwords.
The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.
https://fedorahosted.org/pki/ticket/1354
Diffstat (limited to 'base')
6 files changed, 41 insertions, 165 deletions
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 0caa215fb..0682ac98f 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -21,7 +21,6 @@ import java.net.URI; import java.net.URISyntaxException; import java.util.List; -import javax.ws.rs.core.MultivaluedMap; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; @@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.adapters.XmlAdapter; import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; -import org.apache.commons.lang.StringUtils; - /** * @author alee * @@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils; @XmlRootElement(name="ConfigurationRequest") @XmlAccessorType(XmlAccessType.FIELD) public class ConfigurationRequest { - private static final String PIN = "pin"; - private static final String TOKEN = "token"; - private static final String TOKEN_PASSWORD = "tokenPassword"; - private static final String SECURITY_DOMAIN_TYPE = "securityDomainType"; - private static final String SECURITY_DOMAIN_URI = "securityDomainUri"; - private static final String SECURITY_DOMAIN_NAME = "securityDomainName"; - private static final String SECURITY_DOMAIN_USER = "securityDomainUser"; - private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword"; - private static final String IS_CLONE = "isClone"; - private static final String CLONE_URI = "cloneUri"; - private static final String SUBSYSTEM_NAME = "subsystemName"; - private static final String P12_FILE = "p12File"; - private static final String P12_PASSWORD = "p12Password"; - private static final String HIERARCHY = "hierarchy"; - private static final String DSHOST = "dsHost"; - private static final String DSPORT = "dsPort"; - private static final String BASEDN = "basedn"; - private static final String CREATE_NEW_DB = "createNewDB"; - private static final String BINDDN = "binddn"; - private static final String DATABASE = "database"; - private static final String SECURECONN = "secureConn"; - private static final String REMOVEDATA = "removeData"; - private static final String MASTER_REPLICATION_PORT = "masterReplicationPort"; - private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort"; - private static final String REPLICATE_SCHEMA = "replicateSchema"; - private static final String REPLICATION_SECURITY = "replicationSecurity"; - private static final String SETUP_REPLICATION = "setupReplication"; - private static final String ISSUING_CA = "issuingCa"; - private static final String BACKUP_KEYS = "backupKeys"; - private static final String BACKUP_FILE = "backupFile"; - private static final String BACKUP_PASSWORD = "backupPassword"; - private static final String ADMIN_UID = "adminUid"; - private static final String ADMIN_EMAIL = "adminEmail"; - private static final String ADMIN_PASSWORD = "adminPassword"; - private static final String ADMIN_CERT_REQUEST = "adminCertRequest"; - private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType"; - private static final String ADMIN_SUBJECT_DN = "adminSubjectDN"; - private static final String ADMIN_NAME = "adminName"; - private static final String ADMIN_PROFILE_ID = "adminProfileID"; - private static final String IMPORT_ADMIN_CERT = "importAdminCert"; - private static final String ADMIN_CERT = "adminCert"; - private static final String STANDALONE = "standAlone"; - private static final String STEP_TWO = "stepTwo"; - private static final String GENERATE_SERVER_CERT = "generateServerCert"; - private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName"; - - // TPS specific parameters - private static final String AUTHDB_BASEDN = "authdbBaseDN"; - private static final String AUTHDB_HOST = "authdbHost"; - private static final String AUTHDB_PORT = "authdbPort"; - private static final String AUTHDB_SECURE_CONN = "authdbSecureConn"; - private static final String CA_URI = "caUri"; - private static final String TKS_URI = "tksUri"; - private static final String KRA_URI = "kraUri"; - private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen"; - - // TKS/TPS shared secret parameters - private static final String IMPORT_SHARED_SECRET = "importSharedSecret"; - - // Parameters for shared tomcat instances - private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert"; - private static final String SHARED_DB = "sharedDB"; - private static final String SHARED_DBUSER_DN = "sharedDBUserDN"; //defaults public static final String TOKEN_DEFAULT = "Internal Key Storage Token"; @@ -190,6 +124,9 @@ public class ConfigurationRequest { protected String replicationSecurity; @XmlElement + protected String replicationPassword; + + @XmlElement protected String setupReplication; @XmlElement @@ -292,75 +229,6 @@ public class ConfigurationRequest { // required for JAXB } - public ConfigurationRequest(MultivaluedMap<String, String> form) throws URISyntaxException { - pin = form.getFirst(PIN); - token = form.getFirst(TOKEN); - tokenPassword = form.getFirst(TOKEN_PASSWORD); - securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE); - securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI); - securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME); - securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER); - securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD); - isClone = form.getFirst(IS_CLONE); - cloneUri = form.getFirst(CLONE_URI); - subsystemName = form.getFirst(SUBSYSTEM_NAME); - p12File = form.getFirst(P12_FILE); - p12Password = form.getFirst(P12_PASSWORD); - hierarchy = form.getFirst(HIERARCHY); - dsHost = form.getFirst(DSHOST); - dsPort = form.getFirst(DSPORT); - baseDN = form.getFirst(BASEDN); - createNewDB = form.getFirst(CREATE_NEW_DB); - bindDN = form.getFirst(BINDDN); - database = form.getFirst(DATABASE); - secureConn = form.getFirst(SECURECONN); - removeData = form.getFirst(REMOVEDATA); - masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT); - cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT); - replicateSchema = form.getFirst(REPLICATE_SCHEMA); - replicationSecurity = form.getFirst(REPLICATION_SECURITY); - setupReplication = form.getFirst(SETUP_REPLICATION); - //TODO - figure out how to get the cert requests - issuingCA = form.getFirst(ISSUING_CA); - backupFile = form.getFirst(BACKUP_FILE); - backupPassword = form.getFirst(BACKUP_PASSWORD); - backupKeys = form.getFirst(BACKUP_KEYS); - adminUID = form.getFirst(ADMIN_UID); - adminEmail = form.getFirst(ADMIN_EMAIL); - adminPassword = form.getFirst(ADMIN_PASSWORD); - adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST); - adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE); - adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN); - adminName = form.getFirst(ADMIN_NAME); - adminProfileID = form.getFirst(ADMIN_PROFILE_ID); - adminCert = form.getFirst(ADMIN_CERT); - importAdminCert = form.getFirst(IMPORT_ADMIN_CERT); - standAlone = form.getFirst(STANDALONE); - stepTwo = form.getFirst(STEP_TWO); - generateServerCert = form.getFirst(GENERATE_SERVER_CERT); - authdbBaseDN = form.getFirst(AUTHDB_BASEDN); - authdbHost = form.getFirst(AUTHDB_HOST); - authdbPort = form.getFirst(AUTHDB_PORT); - authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN); - subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME); - - String value = form.getFirst(CA_URI); - if (!StringUtils.isEmpty(value)) setCaUri(new URI(value)); - - value = form.getFirst(TKS_URI); - if (!StringUtils.isEmpty(value)) setTksUri(new URI(value)); - - value = form.getFirst(KRA_URI); - if (!StringUtils.isEmpty(value)) setKraUri(new URI(value)); - - enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN); - importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET); - - generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT); - sharedDB = form.getFirst(SHARED_DB); - sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN); - } - public String getSubsystemName() { return subsystemName; } @@ -637,6 +505,14 @@ public class ConfigurationRequest { this.replicationSecurity = replicationSecurity; } + public String getReplicationPassword() { + return replicationPassword; + } + + public void setReplicationPassword(String replicationPassword) { + this.replicationPassword = replicationPassword; + } + public boolean getSetupReplication() { // default to true if (setupReplication == null) { diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java index 2a490805d..0cebb6074 100644 --- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java @@ -17,13 +17,8 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.system; -import java.net.URISyntaxException; - -import javax.ws.rs.Consumes; import javax.ws.rs.POST; import javax.ws.rs.Path; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.MultivaluedMap; /** @@ -34,10 +29,5 @@ public interface SystemConfigResource { @POST @Path("configure") - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException; - - @POST - @Path("configure") public ConfigurationResponse configure(ConfigurationRequest data); } diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 12dd54dac..c341d14f7 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -19,7 +19,6 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; -import java.net.URISyntaxException; import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -31,7 +30,6 @@ import java.util.Random; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Request; import javax.ws.rs.core.UriInfo; @@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } /* (non-Javadoc) - * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap) - */ - @Override - public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException { - ConfigurationRequest data = new ConfigurationRequest(form); - return configure(data); - } - - /* (non-Javadoc) * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData) */ @Override @@ -697,7 +686,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou try { /* BZ 430745 create password for replication manager */ - String replicationpwd = Integer.toString(new Random().nextInt()); + // use user-provided password if specified + String replicationPassword = data.getReplicationPassword(); + + if (StringUtils.isEmpty(replicationPassword)) { + // generate random password + replicationPassword = Integer.toString(new Random().nextInt()); + } IConfigStore psStore = null; String passwordFile = null; @@ -705,14 +700,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou psStore = CMS.createFileConfigStore(passwordFile); psStore.putString("internaldb", data.getBindpwd()); if (data.getSetupReplication()) { - psStore.putString("replicationdb", replicationpwd); + psStore.putString("replicationdb", replicationPassword); } psStore.commit(false); if (!data.getStepTwo()) { ConfigurationUtils.populateDB(); - cs.putString("preop.internaldb.replicationpwd", replicationpwd); + cs.putString("preop.internaldb.replicationpwd", replicationPassword); cs.putString("preop.database.removeData", "false"); if (data.getSharedDB()) { cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN()); diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 3b082020d..18b8527b2 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -24,6 +24,7 @@ sensitive_parameters= pki_ds_password pki_one_time_pin pki_pin + pki_replication_password pki_security_domain_password pki_token_password @@ -98,6 +99,8 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s pki_issuing_ca=%(pki_issuing_ca_uri)s +pki_pin= +pki_replication_password= pki_restart_configured_instance=True pki_security_domain_hostname=%(pki_hostname)s pki_security_domain_https_port=8443 diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 1521ef339..5527d7f94 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -3821,6 +3821,8 @@ class ConfigClient: if not self.clone: self.set_admin_parameters(data) + data.replicationPassword = self.mdict['pki_replication_password'] + # Issuing CA Information self.set_issuing_ca_parameters(data) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 39cef9413..fe1a54a3a 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -327,10 +327,14 @@ class PKIConfigParser: # means that we need to deal with escaping '%' characters # that might be present. no_interpolation = ( - 'pki_admin_password', 'pki_backup_password', + 'pki_admin_password', + 'pki_backup_password', 'pki_client_database_password', 'pki_client_pkcs12_password', - 'pki_ds_password', 'pki_security_domain_password') + 'pki_ds_password', + 'pki_pin', + 'pki_replicationdb_password', + 'pki_security_domain_password') print 'Loading deployment configuration from ' + \ config.user_deployment_cfg + '.' @@ -552,18 +556,24 @@ class PKIConfigParser: self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg self.mdict['pki_deployed_instance_name'] = \ config.pki_deployed_instance_name + + self.flatten_master_dict() + # Generate random 'pin's for use as security database passwords # and add these to the "sensitive" key value pairs read in from # the configuration file pin_low = 100000000000 pin_high = 999999999999 - self.mdict['pki_pin'] = \ - random.randint(pin_low, pin_high) + + # use user-provided PIN if specified + if not self.mdict['pki_pin']: + # otherwise generate a random password + self.mdict['pki_pin'] = \ + random.randint(pin_low, pin_high) + self.mdict['pki_client_pin'] = \ random.randint(pin_low, pin_high) - self.flatten_master_dict() - pkilogging.sensitive_parameters = \ self.mdict['sensitive_parameters'].split() |