authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-10-14 18:43:16 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-10-14 18:43:16 +0000
commit948bfc4c428b49d3931e2f037307e53d80fc77f0 (patch)
tree9da7df6c422bc4485ba7bc7dbc15bb1e4f3b1d18 /pki/base
parente94a77f77f6020cd8557366b42017ef6d7f5f669 (diff)
bz223361 - security domains in ldap
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@127 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ca/shared/conf/schema.ldif37
-rw-r--r--pki/base/common/src/com/netscape/certsrv/util/HttpInput.java7
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java164
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java145
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java33
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java313
-rw-r--r--pki/base/migrate/80/MigrateSecurityDomain.classbin0 -> 6951 bytes
-rw-r--r--pki/base/migrate/80/MigrateSecurityDomain.java215
-rw-r--r--pki/base/migrate/80/readme29
-rw-r--r--pki/base/migrate/80/schema-add.ldif36
-rw-r--r--pki/base/migrate/build.xml4
-rwxr-xr-xpki/base/setup/pkiremove94
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/xml/XMLObject.java10
13 files changed, 935 insertions, 152 deletions
diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif
index 4431a2730..7331749ce 100644
--- a/pki/base/ca/shared/conf/schema.ldif
+++ b/pki/base/ca/shared/conf/schema.ldif
@@ -350,6 +350,26 @@ attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX
dn: cn=schema
changetype: modify
+add: attributeTypes
+attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
add: objectClasses
objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' )
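Review bot: `Clone` and `DomainManager` are declared with Boolean syntax (1.3.6.1.4.1.1466.115.121.1.7), whose RFC 4517 value form is `TRUE`/`FALSE`, while the Java side of this commit writes lowercase `"true"`/`"false"` (DonePanel) and the raw `dm`/`clone` request parameters (UpdateDomainXML); a directory server with syntax checking enabled would likely reject those adds. Either declare them with Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15) as `SubsystemName` is, or normalise the values to upper case before writing. `SecurePort` has the same exposure, being INTEGER syntax (…1.27) populated from an unvalidated string. The `pkiSubsystem` objectClass in this file's second hunk lists all three as MUST, so whichever way it is resolved both hunks move together.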
@@ -392,3 +412,20 @@ dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+
+
diff --git a/pki/base/common/src/com/netscape/certsrv/util/HttpInput.java b/pki/base/common/src/com/netscape/certsrv/util/HttpInput.java
index 78852cff4..034cfd6cd 100644
--- a/pki/base/common/src/com/netscape/certsrv/util/HttpInput.java
+++ b/pki/base/common/src/com/netscape/certsrv/util/HttpInput.java
@@ -276,13 +276,14 @@ public class HttpInput
return getString(request, name);
}
- public static String getSecurityDomainName(HttpServletRequest request, String name) throws IOException
+ public static String getSecurityDomainName(HttpServletRequest request, String name)
+ throws IOException
{
String v = getName(request, name);
- Pattern p = Pattern.compile("[A-Za-z0-9 ]+");
+ Pattern p = Pattern.compile("[A-Za-z0-9]+[A-Za-z0-9 -]*");
Matcher m = p.matcher(v);
if (!m.matches()) {
- throw new IOException("Invalid characters found in Security Domain Name " + v + ". Valid characters are A-Z, a-z, 0-9 and space");
+ throw new IOException("Invalid characters found in Security Domain Name " + v + ". Valid characters are A-Z, a-z, 0-9, dash and space");
}
return v;
}
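Review bot: The new pattern `[A-Za-z0-9]+[A-Za-z0-9 -]*` still accepts a value that ends in spaces or dashes, and the validated name presumably ends up verbatim as the `name` attribute of the security-domain entry, so either `trim()` before matching or anchor the tail with a final `[A-Za-z0-9]`. The `Pattern` is also recompiled on every call; hoist it to `private static final Pattern SD_NAME = Pattern.compile("[A-Za-z0-9]+[A-Za-z0-9 -]*");` and use `SD_NAME.matcher(v)`. Note that the rejected value `v` is echoed into the exception message before it has passed validation, which is fine for a debug trail but worth keeping in mind if the message is rendered to a page.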
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 28008a451..a4a0687a1 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.dbs.crldb.*;
import com.netscape.certsrv.ocsp.*;
import com.netscape.certsrv.logging.*;
import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.password.*;
import netscape.security.x509.*;
import netscape.ldap.*;
import java.net.*;
@@ -82,6 +83,69 @@ public class DonePanel extends WizardPanelBase {
return set;
}
+ private LDAPConnection getLDAPConn(Context context)
+ throws IOException
+ {
+ IConfigStore cs = CMS.getConfigStore();
+
+ String host = "";
+ String port = "";
+ String pwd = null;
+ String binddn = "";
+ String security = "";
+
+ IPasswordStore pwdStore = CMS.getPasswordStore();
+
+ if (pwdStore != null) {
+ CMS.debug("DonePanel: getLDAPConn: password store available");
+ pwd = pwdStore.getPassword("internaldb");
+ }
+
+ if ( pwd == null) {
+ throw new IOException("DonePanel: Failed to obtain password from password store");
+ }
+
+ try {
+ host = cs.getString("internaldb.ldapconn.host");
+ port = cs.getString("internaldb.ldapconn.port");
+ binddn = cs.getString("internaldb.ldapauth.bindDN");
+ security = cs.getString("internaldb.ldapconn.secureConn");
+ } catch (Exception e) {
+ CMS.debug("DonePanel: getLDAPConn" + e.toString());
+ throw new IOException(
+ "Failed to retrieve LDAP information from CS.cfg.");
+ }
+
+ int p = -1;
+
+ try {
+ p = Integer.parseInt(port);
+ } catch (Exception e) {
+ CMS.debug("DonePanel getLDAPConn: " + e.toString());
+ throw new IOException("Port is not valid");
+ }
+
+ LDAPConnection conn = null;
+ if (security.equals("true")) {
+ CMS.debug("DonePanel getLDAPConn: creating secure (SSL) connection for internal ldap");
+ conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
+ } else {
+ CMS.debug("DonePanel getLDAPConn: creating non-secure (non-SSL) connection for internal ldap");
+ conn = new LDAPConnection();
+ }
+
+ CMS.debug("DonePanel connecting to " + host + ":" + p);
+ try {
+ conn.connect(host, p, binddn, pwd);
+ } catch (LDAPException e) {
+ CMS.debug("DonePanel getLDAPConn: " + e.toString());
+ throw new IOException("Failed to connect to the internal database.");
+ }
+
+ return conn;
+ }
+
+
/**
* Display the panel.
*/
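Review bot: getLDAPConn hands back a bound `LDAPConnection` without saying who is responsible for closing it, and its `context` parameter is never read. Add a Javadoc along the lines of `/** Opens a bound connection to the internal database from the internaldb.* settings and the "internaldb" password-store entry. The caller owns the returned connection and must call disconnect(). @throws IOException if the password, the settings or the connection cannot be obtained. */`. The `LDAPException` caught at L172 is dropped when the `IOException` is thrown; chaining it with `throw (IOException) new IOException("Failed to connect to the internal database.").initCause(e);` keeps the server result code available to whoever logs the failure.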
@@ -158,46 +222,72 @@ public class DonePanel extends WizardPanelBase {
String s = getSubsystemNodeName(type);
if (sdtype.equals("new")) {
try {
- String instanceRoot = cs.getString("instanceRoot", "");
- String domainxml = instanceRoot+"/conf/domain.xml";
- XMLObject obj = new XMLObject(new FileInputStream(domainxml));
- Node n = obj.getContainer(s);
- NodeList nlist = n.getChildNodes();
- String countS = "";
- Node countnode = null;
- for (int i=0; i<nlist.getLength(); i++) {
- Element nn = (Element)nlist.item(i);
- String tagname = nn.getTagName();
- if (tagname.equals("SubsystemCount")) {
- countnode = nn;
- NodeList nlist1 = nn.getChildNodes();
- Node nn1 = nlist1.item(0);
- countS = nn1.getNodeValue();
- break;
- }
+ LDAPConnection conn = getLDAPConn(context);
+
+ String basedn = cs.getString("internaldb.basedn");
+ String secdomain = cs.getString("preop.securitydomain.name");
+
+ try {
+ // Create security domain ldap entry
+ String dn = "ou=Security Domain," + basedn;
+ CMS.debug("DonePanel: creating ldap entry : " + dn);
+
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSecurityDomain"));
+ attrs.add(new LDAPAttribute("name", secdomain));
+ attrs.add(new LDAPAttribute("ou", "Security Domain"));
+ entry = new LDAPEntry(dn, attrs);
+ conn.add(entry);
+ } catch (Exception e) {
+ CMS.debug("Unable to create security domain");
+ throw e;
}
- Node parent = obj.createContainer(n, type);
- obj.addItemToContainer(parent, "SubsystemName", subsystemName);
- obj.addItemToContainer(parent, "Host", sd_host);
- obj.addItemToContainer(parent, "SecurePort", sd_port);
- obj.addItemToContainer(parent, "DomainManager", "true");
- obj.addItemToContainer(parent, "Clone", "false");
-
- CMS.debug("DonePanel display: SubsystemCount="+countS);
- int count = 0;
+
+ try {
+ // create list containers
+ String clist[] = {"CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList"};
+ for (int i=0; i< clist.length; i++) {
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ String dn = "cn=" + clist[i] + ",ou=Security Domain," + basedn;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSecurityGroup"));
+ attrs.add(new LDAPAttribute("cn", clist[i]));
+ entry = new LDAPEntry(dn, attrs);
+ conn.add(entry);
+ }
+ } catch (Exception e) {
+ CMS.debug("Unable to create security domain list groups" );
+ throw e;
+ }
+
try {
- count = Integer.parseInt(countS);
- count++;
- } catch (Exception ee) {
+ // Add this host (only CA can create new domain)
+ String cn = ownhost + ":" + ownsport;
+ String dn = "cn=" + cn + ",cn=CAList,ou=Security Domain," + basedn;
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
+ attrs.add(new LDAPAttribute("Host", ownhost));
+ attrs.add(new LDAPAttribute("SecurePort", ownsport));
+ attrs.add(new LDAPAttribute("Clone", "false"));
+ attrs.add(new LDAPAttribute("SubsystemName", subsystemName));
+ attrs.add(new LDAPAttribute("cn", cn));
+ attrs.add(new LDAPAttribute("DomainManager", "true"));
+ entry = new LDAPEntry(dn, attrs);
+ conn.add(entry);
+ } catch (Exception e) {
+ CMS.debug("Unable to create host entry in security domain");
+ throw e;
}
-
- Node nn2 = n.removeChild(countnode);
- obj.addItemToContainer(n, "SubsystemCount", ""+count);
- CMS.debug("DonePanel display: finish updating domain.xml");
- byte[] b = obj.toByteArray();
- FileOutputStream fos = new FileOutputStream(domainxml);
- fos.write(b);
- fos.close();
+ cs.putString("securitydomain.store", "ldap");
+ CMS.debug("DonePanel display: finish updating domain info");
} catch (Exception e) {
CMS.debug("DonePanel display: "+e.toString());
}
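Review bot: The connection obtained at L205 is never disconnected: on success the block falls through after `cs.putString` at L289, and on any failure the exception is swallowed at L291-L293, so each display of this panel on a new-domain install leaks a bound socket to the internal database. Declare `LDAPConnection conn = null;` before the outer `try`, assign it at L205, and add `finally { if (conn != null) { try { conn.disconnect(); } catch (LDAPException le) { CMS.debug("DonePanel: disconnect: " + le.toString()); } } }` to that `try`. The catch at L291 also reduces every failure, including the security-domain entry not being created at all, to a debug line while the panel still reports completion and `securitydomain.store` is left unset; consider recording the failure somewhere the installer can see it. The enclosing display method starts and ends outside this hunk.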
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java
index 09fb91c6a..bd4d6b7ab 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetDomainXML.java
@@ -82,39 +82,136 @@ public class GetDomainXML extends CMSServlet {
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
+ ServletContext context = cmsReq.getServletContext();
- String outputString = null;
-
- String path = CMS.getConfigStore().getString("instanceRoot", "")
- + "/conf/domain.xml";
-
- CMS.debug("GetDomainXML: got path=" + path);
+ String status = SUCCESS;
+ String basedn = null;
+ String secstore = null;
+ IConfigStore cs = CMS.getConfigStore();
try {
- CMS.debug("GetDomainXML: Reading domain.xml...");
- FileInputStream fis = new FileInputStream(path);
- int s = fis.available();
-
- CMS.debug("GetDomainXML: size " + s);
- byte buf[] = new byte[s];
-
- fis.read(buf, 0, s);
- fis.close();
- CMS.debug("GetDomainXML: Done Reading domain.xml...");
-
- XMLObject xmlObj = new XMLObject();
- Node root = xmlObj.createRoot("XMLResponse");
-
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
- xmlObj.addItemToContainer(root, "DomainInfo", new String(buf));
- byte[] cb = xmlObj.toByteArray();
+ secstore = cs.getString("securitydomain.store");
+ basedn = cs.getString("internaldb.basedn");
+ }
+ catch (Exception e) {
+ CMS.debug("Unable to determine the security domain name or internal basedn. Please run the domaininfo migration script");
+ }
+ try {
+ XMLObject response = new XMLObject();
+ Node root = response.createRoot("XMLResponse");
+
+ if ((secstore != null) && (basedn != null) && (secstore.equals("ldap"))) {
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ try {
+ // get data from ldap
+ String[] entries = {};
+ String filter = "objectclass=*";
+ LDAPSearchConstraints cons = null;
+ String[] attrs = null;
+ String dn = "ou=Security Domain," + basedn;
+
+ IConfigStore ldapConfig = cs.getSubStore("internaldb");
+ connFactory = CMS.getLdapBoundConnFactory();
+ connFactory.init(ldapConfig);
+ conn = connFactory.getConn();
+
+ // get the security domain name
+ String secdomain = (String) conn.read(dn).getAttribute("name").getStringValues().nextElement();
+
+ XMLObject xmlObj = new XMLObject();
+ Node domainInfo = xmlObj.createRoot("DomainInfo");
+ xmlObj.addItemToContainer(domainInfo, "Name", secdomain);
+
+ // this should return CAList, KRAList etc.
+ LDAPSearchResults res = conn.search(dn, LDAPConnection.SCOPE_ONE, filter,
+ attrs, true, cons);
+
+ while (res.hasMoreElements()) {
+ int count = 0;
+ dn = res.next().getDN();
+ String listName = dn.substring(3, dn.indexOf(","));
+ String subType = listName.substring(0, listName.indexOf("List"));
+ Node listNode = xmlObj.createContainer(domainInfo, listName);
+
+ filter = "objectclass=pkiSubsystem";
+ LDAPSearchResults res2 = conn.search(dn, LDAPConnection.SCOPE_ONE, filter,
+ attrs, false, cons);
+ while (res2.hasMoreElements()) {
+ Node node = xmlObj.createContainer(listNode, subType);
+ LDAPEntry entry = res2.next();
+ LDAPAttributeSet entryAttrs = entry.getAttributeSet();
+ Enumeration attrsInSet = entryAttrs.getAttributes();
+ while (attrsInSet.hasMoreElements()) {
+ LDAPAttribute nextAttr = (LDAPAttribute) attrsInSet.nextElement();
+ String attrName = nextAttr.getName();
+ if ((! attrName.equals("cn")) && (! attrName.equals("objectClass"))) {
+ String attrValue = (String) nextAttr.getStringValues().nextElement();
+ xmlObj.addItemToContainer(node, securityDomainLDAPtoXML(attrName), attrValue);
+ }
+ }
+ count ++;
+ }
+ xmlObj.addItemToContainer(listNode, "SubsystemCount", Integer.toString(count));
+ }
+
+ // Add new xml object as string to response.
+ response.addItemToContainer(root, "DomainInfo", xmlObj.toXMLString());
+ }
+ catch (Exception e) {
+ CMS.debug("GetDomainXML: Failed to read domain.xml from ldap " + e.toString());
+ status = FAILED;
+ }
+ finally {
+ if ((conn != null) && (connFactory!= null)) {
+ CMS.debug("Releasing ldap connection");
+ connFactory.returnConn(conn);
+ }
+ }
+ }
+ else {
+ // get data from file store
+
+ String path = CMS.getConfigStore().getString("instanceRoot", "")
+ + "/conf/domain.xml";
+
+ CMS.debug("GetDomainXML: got path=" + path);
+
+ try {
+ CMS.debug("GetDomainXML: Reading domain.xml from file ...");
+ FileInputStream fis = new FileInputStream(path);
+ int s = fis.available();
+
+ CMS.debug("GetDomainXML: size " + s);
+ byte buf[] = new byte[s];
+
+ fis.read(buf, 0, s);
+ fis.close();
+ CMS.debug("GetDomainXML: Done Reading domain.xml...");
+
+ response.addItemToContainer(root, "DomainInfo", new String(buf));
+ }
+ catch (Exception e) {
+ CMS.debug("Failed to read domain.xml from file" + e.toString());
+ status = FAILED;
+ }
+ }
+
+ response.addItemToContainer(root, "Status", status);
+ byte[] cb = response.toByteArray();
outputResult(httpResp, "application/xml", cb);
+
} catch (Exception e) {
- CMS.debug("GetDomainXML: Failed to send the XML output");
+ CMS.debug("GetDomainXML: Failed to send the XML output" + e.toString());
}
}
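Review bot: Every request creates and initialises a fresh `ILdapConnFactory` (L351-L354), i.e. a new bound connection pool, and then only returns the single connection it borrowed, never shutting the factory down; the three helpers added to UpdateDomainXML in this commit follow the same per-call pattern. Create the factory once (for example in `init()`) and keep it in a field. Separately, the list-name parsing at L370-L371 (`dn.substring(3, dn.indexOf(","))` and `listName.indexOf("List")`) throws on any child of `ou=Security Domain` whose RDN is not of the form `cn=<X>List`, which turns the entire response into FAILED; reading the entry's `cn` attribute and skipping entries that do not end in `List` would be more robust. The `new String(buf)` at L429 is moved code but still depends on the platform charset.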
+ protected String securityDomainLDAPtoXML(String attribute) {
+ if (attribute.equals("host")) return "Host";
+ else return attribute;
+ }
+
protected void setDefaultTemplates(ServletConfig sc) {}
protected void renderTemplate(
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
index e5bf90343..830d346e9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
@@ -302,39 +302,6 @@ public class SecurityDomainPanel extends WizardPanelBase {
} catch (Exception e) {
}
- String domainxml = instanceRoot+"/conf/domain.xml";
-
- // generate security domain file
- try {
- XMLObject xmlObj = new XMLObject();
-
- CMS.debug("Building Domain Info...");
- Node root = xmlObj.createRoot("DomainInfo");
-
- xmlObj.addItemToContainer(root, "Name",
- HttpInput.getDomainName(request, "sdomainName"));
-
- // put our own info to the file (maybe we should do this later)
- Node kraList = xmlObj.createContainer(root, "KRAList");
- Node tpsList = xmlObj.createContainer(root, "TPSList");
- Node ocspList = xmlObj.createContainer(root, "OCSPList");
- Node raList = xmlObj.createContainer(root, "RAList");
- Node tksList = xmlObj.createContainer(root, "TKSList");
- Node caList = xmlObj.createContainer(root, "CAList");
- xmlObj.addItemToContainer(caList, "SubsystemCount", "0");
- xmlObj.addItemToContainer(tksList, "SubsystemCount", "0");
- xmlObj.addItemToContainer(raList, "SubsystemCount", "0");
- xmlObj.addItemToContainer(ocspList, "SubsystemCount", "0");
- xmlObj.addItemToContainer(tpsList, "SubsystemCount", "0");
- xmlObj.addItemToContainer(kraList, "SubsystemCount", "0");
-
- byte[] cb = xmlObj.toByteArray();
- FileOutputStream fos = new FileOutputStream(domainxml);
- fos.write(cb);
- fos.close();
- } catch (Exception e) {
- CMS.debug("Failed to send the XML output");
- }
} else if (select.equals("existingdomain")) {
config.putString("preop.securitydomain.select", "existing");
config.putString("securitydomain.select", "existing");
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 2102e2fb7..21cf773c8 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -69,6 +69,120 @@ public class UpdateDomainXML extends CMSServlet {
CMS.debug("UpdateDomainXML: done initializing...");
}
+ private String remove_from_ldap(String dn) {
+ CMS.debug("UpdateDomainXML: delete_from_ldap: starting dn: " + dn);
+ String status = SUCCESS;
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ IConfigStore cs = CMS.getConfigStore();
+
+ try {
+ IConfigStore ldapConfig = cs.getSubStore("internaldb");
+ connFactory = CMS.getLdapBoundConnFactory();
+ connFactory.init(ldapConfig);
+ conn = connFactory.getConn();
+ conn.delete(dn);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT) {
+ status = FAILED;
+ CMS.debug("Failed to delete entry" + e.toString());
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to delete entry" + e.toString());
+ } finally {
+ try {
+ if ((conn != null) && (connFactory!= null)) {
+ CMS.debug("Releasing ldap connection");
+ connFactory.returnConn(conn);
+ }
+ }
+ catch (Exception e) {
+ CMS.debug("Error releasing the ldap connection" + e.toString());
+ }
+ }
+ return status;
+ }
+
+ private String modify_ldap(String dn, LDAPModification mod) {
+ CMS.debug("UpdateDomainXML: modify_ldap: starting dn: " + dn);
+ String status = SUCCESS;
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ IConfigStore cs = CMS.getConfigStore();
+
+ try {
+ IConfigStore ldapConfig = cs.getSubStore("internaldb");
+ connFactory = CMS.getLdapBoundConnFactory();
+ connFactory.init(ldapConfig);
+ conn = connFactory.getConn();
+ conn.modify(dn, mod);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT) {
+ status = FAILED;
+ CMS.debug("Failed to modify entry" + e.toString());
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to modify entry" + e.toString());
+ } finally {
+ try {
+ if ((conn != null) && (connFactory!= null)) {
+ CMS.debug("Releasing ldap connection");
+ connFactory.returnConn(conn);
+ }
+ }
+ catch (Exception e) {
+ CMS.debug("Error releasing the ldap connection" + e.toString());
+ }
+ }
+ return status;
+ }
+
+
+ private String add_to_ldap(LDAPEntry entry, String dn) {
+ CMS.debug("UpdateDomainXML: add_to_ldap: starting");
+ String status = SUCCESS;
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ IConfigStore cs = CMS.getConfigStore();
+
+ try {
+ IConfigStore ldapConfig = cs.getSubStore("internaldb");
+ connFactory = CMS.getLdapBoundConnFactory();
+ connFactory.init(ldapConfig);
+ conn = connFactory.getConn();
+ conn.add(entry);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
+ CMS.debug("UpdateDomainXML: Entry already exists");
+ try {
+ conn.delete(dn);
+ conn.add(entry);
+ } catch (LDAPException ee) {
+ CMS.debug("UpdateDomainXML: Error when replacing existing entry "+ee.toString());
+ status = FAILED;
+ }
+ } else {
+ CMS.debug("UpdateDomainXML: Failed to update ldap domain info. Exception: "+e.toString());
+ status = FAILED;
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to add entry" + e.toString());
+ } finally {
+ try {
+ if ((conn != null) && (connFactory!= null)) {
+ CMS.debug("Releasing ldap connection");
+ connFactory.returnConn(conn);
+ }
+ }
+ catch (Exception e) {
+ CMS.debug("Error releasing the ldap connection" + e.toString());
+ }
+ }
+ return status;
+ }
+
+
+
/**
* Process the HTTP request.
* <ul>
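Review bot: In all three helpers the generic `catch (Exception e)` (L521, L555, L599) logs the failure but leaves `status` at SUCCESS, so a connection-factory, bind or configuration failure is reported to the requesting subsystem as a completed update or removal, and the `remove` path in process() then continues to delete the admin user and group membership on the strength of that status. Add `status = FAILED;` in each of those catch blocks. In add_to_ldap the replace-by-delete-then-add at L589-L590 is not atomic: if the add fails after the delete, the subsystem entry is gone; replacing the attributes with `conn.modify(dn, mods)` using `LDAPModification.REPLACE` would avoid that window. The snake_case method names also differ from the rest of the class.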
@@ -79,6 +193,7 @@ public class UpdateDomainXML extends CMSServlet {
*/
protected void process(CMSRequest cmsReq) throws EBaseException {
CMS.debug("UpdateDomainXML: processing...");
+ String status = SUCCESS;
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
@@ -114,80 +229,172 @@ public class UpdateDomainXML extends CMSServlet {
return;
}
- String path = CMS.getConfigStore().getString("instanceRoot", "")
- + "/conf/domain.xml";
+ String list = httpReq.getParameter("list");
+ String type = httpReq.getParameter("type");
+ String host = httpReq.getParameter("host");
+ String name = httpReq.getParameter("name");
+ String sport = httpReq.getParameter("sport");
+ String domainmgr = httpReq.getParameter("dm");
+ String clone = httpReq.getParameter("clone");
+ String operation = httpReq.getParameter("operation");
- CMS.debug("UpdateDomainXML: got path=" + path);
+ String basedn = null;
+ String secstore = null;
+
+ IConfigStore cs = CMS.getConfigStore();
try {
- // set info into domain.xml
- String list = httpReq.getParameter("list");
-
- String type = httpReq.getParameter("type");
- String host = httpReq.getParameter("host");
- String name = httpReq.getParameter("name");
- String sport = httpReq.getParameter("sport");
- String domainmgr = httpReq.getParameter("dm");
- String clone = httpReq.getParameter("clone");
-
- // insert info
- CMS.debug("UpdateDomainXML: Inserting new domain info");
- XMLObject parser = new XMLObject(new FileInputStream(path));
- Node n = parser.getContainer(list);
- Node parent = parser.createContainer(n, type);
- parser.addItemToContainer(parent, "SubsystemName", name);
- parser.addItemToContainer(parent, "Host", host);
- parser.addItemToContainer(parent, "SecurePort", sport);
- parser.addItemToContainer(parent, "DomainManager", domainmgr);
- parser.addItemToContainer(parent, "Clone", clone);
-
- String countS = "";
- NodeList nlist = n.getChildNodes();
- Node countnode = null;
- for (int i=0; i<nlist.getLength(); i++) {
- Element nn = (Element)nlist.item(i);
- String tagname = nn.getTagName();
- if (tagname.equals("SubsystemCount")) {
- countnode = nn;
- NodeList nlist1 = nn.getChildNodes();
- Node nn1 = nlist1.item(0);
- countS = nn1.getNodeValue();
- break;
- }
+ basedn = cs.getString("internaldb.basedn");
+ secstore = cs.getString("securitydomain.store");
+ }
+ catch (Exception e) {
+ CMS.debug("Unable to determine security domain name or basedn. Please run the domaininfo migration script");
+ }
+
+ if ((basedn != null) && (secstore != null) && (secstore.equals("ldap"))) {
+ // update in ldap
+
+ LDAPEntry entry = null;
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ String listName = type + "List";
+ String cn = host + ":" + sport;
+ String dn = "cn=" + cn + ",cn=" + listName + ",ou=Security Domain," + basedn;
+ CMS.debug("UpdateDomainXML: updating LDAP entry: " + dn);
+
+ LDAPAttributeSet attrs = null;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
+ attrs.add(new LDAPAttribute("cn", cn));
+ attrs.add(new LDAPAttribute("Host", host));
+ attrs.add(new LDAPAttribute("SecurePort", sport));
+ attrs.add(new LDAPAttribute("DomainManager", domainmgr));
+ attrs.add(new LDAPAttribute("clone", clone));
+ attrs.add(new LDAPAttribute("SubsystemName", name));
+ entry = new LDAPEntry(dn, attrs);
+
+ if ((operation != null) && (operation.equals("remove"))) {
+ status = remove_from_ldap(dn);
+ String adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
+ if (status.equals(SUCCESS)) {
+ // remove the client cert for this subsystem's admin
+ status = remove_from_ldap(adminUserDN);
+ if (status.equals(SUCCESS)) {
+ // remove this user from the subsystem group
+ dn = "cn=Subsystem Group, ou=groups," + basedn;
+ LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
+ new LDAPAttribute("uniqueMember", adminUserDN));
+ status = modify_ldap(dn, mod);
+ }
+ }
+ } else {
+ status = add_to_ldap(entry, dn);
}
- CMS.debug("UpdateDomainXML process: SubsystemCount="+countS);
- int count = 0;
+ }
+ else {
+ // update the domain.xml file
+ String path = CMS.getConfigStore().getString("instanceRoot", "")
+ + "/conf/domain.xml";
+
+ CMS.debug("UpdateDomainXML: got path=" + path);
+
try {
- count = Integer.parseInt(countS);
- count++;
- } catch (Exception ee) {
- }
+ // using domain.xml file
+ CMS.debug("UpdateDomainXML: Inserting new domain info");
+ XMLObject parser = new XMLObject(new FileInputStream(path));
+ Node n = parser.getContainer(list);
+ int count =0;
+
+ if ((operation != null) && (operation.equals("remove"))) {
+ // delete node
+ Document doc = parser.getDocument();
+ NodeList nodeList = doc.getElementsByTagName(type);
+ int len = nodeList.getLength();
+
+ for (int i = 0; i < len; i++) {
+ Node nn = (Node) nodeList.item(i);
+ Vector v_name = parser.getValuesFromContainer(nn, "SubsystemName");
+ Vector v_host = parser.getValuesFromContainer(nn, "Host");
+ Vector v_port = parser.getValuesFromContainer(nn, "SecurePort");
+ if ((v_name.elementAt(0).equals(name)) && (v_host.elementAt(0).equals(host))
+ && (v_port.elementAt(0).equals(sport))) {
+ Node parent = nn.getParentNode();
+ Node remNode = parent.removeChild(nn);
+ count --;
+ break;
+ }
+ }
+ } else {
+ // add node
+ Node parent = parser.createContainer(n, type);
+ parser.addItemToContainer(parent, "SubsystemName", name);
+ parser.addItemToContainer(parent, "Host", host);
+ parser.addItemToContainer(parent, "SecurePort", sport);
+ parser.addItemToContainer(parent, "DomainManager", domainmgr);
+ parser.addItemToContainer(parent, "Clone", clone);
+ count ++;
+ }
+ //update count
- Node nn2 = n.removeChild(countnode);
- parser.addItemToContainer(n, "SubsystemCount", ""+count);
+ String countS = "";
+ NodeList nlist = n.getChildNodes();
+ Node countnode = null;
+ for (int i=0; i<nlist.getLength(); i++) {
+ Element nn = (Element)nlist.item(i);
+ String tagname = nn.getTagName();
+ if (tagname.equals("SubsystemCount")) {
+ countnode = nn;
+ NodeList nlist1 = nn.getChildNodes();
+ Node nn1 = nlist1.item(0);
+ countS = nn1.getNodeValue();
+ break;
+ }
+ }
+
+ CMS.debug("UpdateDomainXML process: SubsystemCount="+countS);
+ try {
+ count += Integer.parseInt(countS);
+ } catch (Exception ee) {
+ }
- // recreate domain.xml
- CMS.debug("UpdateDomainXML: Recreating domain.xml");
- byte[] b = parser.toByteArray();
- FileOutputStream fos = new FileOutputStream(path);
- fos.write(b);
- fos.close();
+ Node nn2 = n.removeChild(countnode);
+ parser.addItemToContainer(n, "SubsystemCount", ""+count);
+ // recreate domain.xml
+ CMS.debug("UpdateDomainXML: Recreating domain.xml");
+ byte[] b = parser.toByteArray();
+ FileOutputStream fos = new FileOutputStream(path);
+ fos.write(b);
+ fos.close();
+ } catch (Exception e) {
+ CMS.debug("Failed to update domain.xml file" + e.toString());
+ status = FAILED;
+ }
+ }
+
+ try {
// send success status back to the requestor
CMS.debug("UpdateDomainXML: Sending response");
XMLObject xmlObj = new XMLObject();
Node root = xmlObj.createRoot("XMLResponse");
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ xmlObj.addItemToContainer(root, "Status", status);
byte[] cb = xmlObj.toByteArray();
outputResult(httpResp, "application/xml", cb);
} catch (Exception e) {
- CMS.debug("UpdateDomainXML: Failed to send the XML output");
+ CMS.debug("UpdateDomainXML: Failed to send the XML output" + e.toString());
}
}
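Review bot: The `type`, `host`, `sport`, `name`, `dm` and `clone` request parameters read at L632-L638 are concatenated straight into DNs (L693-L695, L712) and attribute values with no validation or DN escaping; whatever authorization precedes this point is outside the hunk, and a missing parameter becomes the literal string `null` inside the DN while a value containing DN metacharacters addresses a different entry than intended. Before building `dn`, check `type` against the fixed list names created in DonePanel (CA, KRA, OCSP, RA, TKS, TPS), parse `sport` with `Integer.parseInt`, and restrict `host` to hostname characters with something like `host.matches("[A-Za-z0-9.-]+")`, setting `status = FAILED` and skipping the update otherwise; the `host`/`sport` pair is also the `cn` RDN used to locate the entry on `remove`, so the same check protects that path. `securityDomainXMLtoLDAP` at L834 is not called anywhere in this hunk. The process method starts outside the hunk.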
+ protected String securityDomainXMLtoLDAP(String xmltag) {
+ if (xmltag.equals("Host")) return "host";
+ else return xmltag;
+ }
+
+
protected void setDefaultTemplates(ServletConfig sc) {}
protected void renderTemplate(
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.class b/pki/base/migrate/80/MigrateSecurityDomain.class
new file mode 100644
index 000000000..f2a174dab
--- /dev/null
+++ b/pki/base/migrate/80/MigrateSecurityDomain.class
Binary files differ
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java
new file mode 100644
index 000000000..5cfdf584a
--- /dev/null
+++ b/pki/base/migrate/80/MigrateSecurityDomain.java
@@ -0,0 +1,215 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2008 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+import com.netscape.cmsutil.xml.*;
+import com.netscape.cmscore.base.*;
+import com.netscape.cmscore.ldapconn.*;
+import com.netscape.cmsutil.ldap.*;
+import netscape.ldap.*;
+import java.io.*;
+import java.util.*;
+import org.w3c.dom.*;
+
+public class MigrateSecurityDomain {
+
+ private static LDAPConnection getLDAPConn(FileConfigStore cs, String passwd)
+ throws IOException
+ {
+
+ String host = "";
+ String port = "";
+ String binddn = "";
+ String security = "";
+
+ try {
+ host = cs.getString("internaldb.ldapconn.host");
+ port = cs.getString("internaldb.ldapconn.port");
+ binddn = cs.getString("internaldb.ldapauth.bindDN");
+ security = cs.getString("internaldb.ldapconn.secureConn");
+ } catch (Exception e) {
+ System.out.println("MigrateSecurityDomain: getLDAPConnection" + e.toString());
+ throw new IOException(
+ "Failed to retrieve LDAP information from CS.cfg.");
+ }
+
+ int p = -1;
+
+ try {
+ p = Integer.parseInt(port);
+ } catch (Exception e) {
+ System.out.println("MigrateSecurityDomain getLDAPConn: " + e.toString());
+ throw new IOException("Port is not valid");
+ }
+
+ LDAPConnection conn = null;
+ if (security.equals("true")) {
+ System.out.println("MigrateSecurityDomain getLDAPConn: creating secure (SSL) connection for internal ldap");
+ conn = new LDAPConnection(new LdapJssSSLSocketFactory());
+ } else {
+ System.out.println("MigrateSecurityDomain getLDAPConn: creating non-secure (non-SSL) connection for internal ldap");
+ conn = new LDAPConnection();
+ }
+
+ System.out.println("MigrateSecurityDomain connecting to " + host + ":" + p);
+ try {
+ conn.connect(host, p, binddn, passwd);
+ } catch (LDAPException e) {
+ System.out.println("MigrateSecurityDomain getLDAPConn: " + e.toString());
+ throw new IOException("Failed to connect to the internal database.");
+ }
+
+ return conn;
+ }
+
+
+ public static void main(String args[]) throws Exception
+ {
+ if (args.length != 2) {
+ System.out.println("Usage: MigrateSecurityDomain <instance root path> <directory manager password>");
+ System.exit(0);
+ }
+
+ String instRoot = args[0];
+ String dmPass = args[1];
+
+ XMLObject parser = null;
+ // get the security domain data from the domain.xml file
+ try {
+ String path = instRoot + "/conf/domain.xml";
+ System.out.println("MigrateSecurityDomain: Reading domain.xml from file ...");
+ parser = new XMLObject(new FileInputStream(path));
+
+ }
+ catch (Exception e) {
+ System.out.println("MigrateSecurityDomain: Unable to get domain info from domain.xml file");
+ System.out.println(e.toString());
+ System.exit(1);
+ }
+
+ try {
+ String configFile = instRoot + "/conf/CS.cfg";
+ FileConfigStore cs = new FileConfigStore(configFile);
+
+ LDAPConnection conn = null;
+ conn = MigrateSecurityDomain.getLDAPConn(cs, dmPass);
+ if (conn == null) {
+ System.out.println("MigrateSecurityDomain: Failed to connect to internal database");
+ System.exit(1);
+ }
+
+ // add new schema elements
+ String importFile = "./schema-add.ldif";
+ try {
+ LDAPUtil.importLDIF(conn, importFile);
+ } catch (Exception e) {
+ System.out.println("MigrateSecurityDomain: Error in adding new schema elements");
+ System.exit(1);
+ }
+ // create the containers
+ String basedn = cs.getString("internaldb.basedn");
+ String secdomain = parser.getValue("Name");
+
+ try {
+ String dn = "ou=Security Domain," + basedn;
+ System.out.println("MigrateSecurityDomain: creating ldap entry : " + dn);
+
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "organizationalUnit"));
+ attrs.add(new LDAPAttribute("name", secdomain));
+ attrs.add(new LDAPAttribute("ou", "Security Domain"));
+ entry = new LDAPEntry(dn, attrs);
+ conn.add(entry);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != 68) {
+ System.out.println("Unable to create security domain" + e.toString());
+ System.exit(1);
+ }
+ }
+
+ // create list containers
+ String clist[] = {"CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList"};
+ for (int i=0; i< 6; i++) {
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ String dn = "cn=" + clist[i] + ",ou=Security Domain," + basedn;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSecurityGroup"));
+ attrs.add(new LDAPAttribute("cn", clist[i]));
+ entry = new LDAPEntry(dn, attrs);
+ try {
+ conn.add(entry);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != 68) {
+ System.out.println("Unable to create security domain list entry " + dn +": "+ e.toString());
+ System.exit(1);
+ }
+ }
+ }
+
+ // create system entries
+ String tlist[] = {"CA", "OCSP", "KRA", "RA", "TKS", "TPS"};
+ Document doc = parser.getDocument();
+ for (int j=0; j<6; j++) {
+ String type = tlist[j];
+ NodeList nodeList = doc.getElementsByTagName(type);
+ int len = nodeList.getLength();
+ for (int i = 0; i < len; i++) {
+ Vector v_clone = parser.getValuesFromContainer(nodeList.item(i), "Clone");
+ Vector v_name = parser.getValuesFromContainer(nodeList.item(i), "SubsystemName");
+ Vector v_host = parser.getValuesFromContainer(nodeList.item(i), "Host");
+ Vector v_port = parser.getValuesFromContainer(nodeList.item(i), "SecurePort");
+
+ String cn = (String)v_host.elementAt(0) + ":" + (String)v_port.elementAt(0);
+ String dn = "cn=" + cn + ",cn=" + type +"List,ou=Security Domain," + basedn;
+ LDAPEntry entry = null;
+ LDAPAttributeSet attrs = null;
+ attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectclass", "top"));
+ attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
+ attrs.add(new LDAPAttribute("Host", (String)v_host.elementAt(0)));
+ attrs.add(new LDAPAttribute("SecurePort", (String)v_port.elementAt(0)));
+ attrs.add(new LDAPAttribute("Clone", (String)v_clone.elementAt(0)));
+ attrs.add(new LDAPAttribute("SubsystemName", (String)v_name.elementAt(0)));
+ attrs.add(new LDAPAttribute("cn", cn));
+ attrs.add(new LDAPAttribute("DomainManager", "true"));
+ entry = new LDAPEntry(dn, attrs);
+
+ try {
+ conn.add(entry);
+ }
+ catch (LDAPException e) {
+ if (e.getLDAPResultCode() != 68) {
+ System.out.println("Unable to create entry " + dn +": "+ e.toString());
+ }
+ }
+ }
+ }
+ cs.putString("securitydomain.store", "ldap");
+ cs.commit(false);
+ System.out.println("MigrateSecurityDomain: Domain successfully migrated.");
+ } catch (Exception e) {
+ System.out.println("MigrateSecurityDomain: Migration failed. " + e.toString());
+ }
+ System.exit(0);
+ }
+
+}
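Review bot: The Directory Manager password is taken straight from `args[1]`, and the readme example puts it on the command line, so it is exposed to every local user through `ps` and retained in shell history; prompting with `System.console().readPassword("Directory Manager password: ")` when only the instance root is given, or accepting a password file, avoids that. Independently, the tool can report success after a partial migration: an add failure other than result code 68 in the per-subsystem loop is only printed, after which `cs.putString("securitydomain.store", "ldap")`, `cs.commit(false)` and the "Domain successfully migrated." message still run, and the outer catch prints "Migration failed." but falls through to `System.exit(0)`. Track a `boolean failed` that the loop's catch sets, exit with `System.exit(1)` before the commit when it is set, and exit non-zero from the outer catch as well so callers can detect the failure (the usage error should likewise not exit 0). The literal `68` repeated in three catch blocks would read better as `LDAPException.ENTRY_ALREADY_EXISTS`, and `v_host.elementAt(0)` and friends assume every subsystem element in domain.xml carries all four children, which is presumably true for files the CA wrote but is not checked here.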
diff --git a/pki/base/migrate/80/readme b/pki/base/migrate/80/readme
new file mode 100644
index 000000000..50365c985
--- /dev/null
+++ b/pki/base/migrate/80/readme
@@ -0,0 +1,29 @@
+Date
+
+ Fri Oct 3 00:37:14 EDT 2008
+
+Version
+
+ CMS 8.0
+
+Overview
+
+ In CMS8.0, the security domain data has been migrated into the
+ internal LDAP database to allow easier replication of this data
+ when cloning. Prior to this release, this information was stored
+ in the domain.xml configuration file on the CA serving as the Domain
+ Master.
+
+Program
+
+ MigrateSecurityDomain - This command will add the relevant schema and migrate
+ security domain data that resides in domain.xml into the internal database.
+ The program needs only two arguments - the location of the instance root directory
+ (like /var/lib/pki-ca) and the directory user's password.
+
+Example
+
+ Here is an example of MigrateSecurityDomain usage
+java -cp /usr/share/java/ldapjdk.jar:/usr/share/java/pki/cmscore.jar:/usr/share/java/pki/cmsutil.jar:/usr/share/java/pki/certsrv.jar:. MigrateSecurityDomain /var/lib/pki-ca mypassword
+
+
diff --git a/pki/base/migrate/80/schema-add.ldif b/pki/base/migrate/80/schema-add.ldif
new file mode 100644
index 000000000..7d9cec640
--- /dev/null
+++ b/pki/base/migrate/80/schema-add.ldif
@@ -0,0 +1,36 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( securePort-oid NAME 'securePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ name ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+
+
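Review bot: `Clone` and `DomainManager` are declared with the Boolean syntax 1.3.6.1.4.1.1466.115.121.1.7, whose only legal values are the uppercase `TRUE`/`FALSE`, yet MigrateSecurityDomain writes the literal `"true"` for `DomainManager` and copies `Clone` from domain.xml unchanged; on a server that enforces attribute syntax those adds would be rejected, so either declare both attributes as Directory String (1.3.6.1.4.1.1466.115.121.1.15) or normalise the values to `TRUE`/`FALSE` before they are stored. `pkiSubsystem` also puts `Host` in its MUST set without defining it in this file, so the schema silently depends on the server's standard `host` attribute; a leading comment such as `# 'Host' is not defined here: relies on the standard 'host' attribute already present in the server schema` would make that dependency explicit for anyone loading this LDIF elsewhere.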
diff --git a/pki/base/migrate/build.xml b/pki/base/migrate/build.xml
index 48623cdac..bcdc1e37b 100644
--- a/pki/base/migrate/build.xml
+++ b/pki/base/migrate/build.xml
@@ -159,6 +159,7 @@
<include name="41ToTxt/**"/>
<include name="73ToTxt/**"/>
<include name="TxtTo73/**"/>
+ <include name="80/**"/>
</zipfileset>
<zipfileset dir="."
filemode="755"
@@ -194,6 +195,7 @@
<include name="41ToTxt/**"/>
<include name="73ToTxt/**"/>
<include name="TxtTo73/**"/>
+ <include name="80/**"/>
</tarfileset>
<tarfileset dir="."
mode="755"
@@ -266,6 +268,7 @@
<include name="TxtTo71/**"/>
<include name="TxtTo72/**"/>
<include name="TxtTo73/**"/>
+ <include name="80/**"/>
</zipfileset>
</zip>
<echo message="${end.source.zip.log.message}"/>
@@ -302,6 +305,7 @@
<include name="TxtTo71/**"/>
<include name="TxtTo72/**"/>
<include name="TxtTo73/**"/>
+ <include name="80/**"/>
</tarfileset>
</tar>
<echo message="${end.source.tar.log.message}"/>
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index 6ec3752b5..25335f215 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -30,7 +30,7 @@
# -pki_instance_name=<pki_instance_id> # Unique PKI subsystem
# # instance name
# # (e. g. - pki-pki1)
-#
+#
# [-force] # Don't ask any
# # questions
#
@@ -195,7 +195,7 @@ sub usage()
print( STDOUT
"Example: pkiremove -pki_instance_root=/var/lib "
- . "-pki_instance_name=$pki_flavor-ca1\n\n" );
+ . "-pki_instance_name=$pki_flavor-ca1\n\n " );
print( STDOUT
"IMPORTANT: Must be run as root!\n\n" );
@@ -203,6 +203,93 @@ sub usage()
return;
}
+sub update_domain()
+{
+ my $conf_file = $pki_instance_path . "/conf/CS.cfg";
+ my $sport;
+ my $secport;
+ my $secselect;
+ my $typeval;
+ my $machinename;
+ my $subsytemnick;
+
+ open(DAT, $conf_file) or die "Could not open CS.cfg file to update security domain";
+ my @conf_data=<DAT>;
+ foreach my $line (@conf_data) {
+ chomp($line);
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq "service.securePort") { $sport = $valname; }
+ if ($varname eq "securitydomain.host") { $sechost = $valname; }
+ if ($varname eq "securitydomain.httpsport") { $secport = $valname; }
+ if ($varname eq "securitydomain.select") { $secselect = $valname; }
+ if ($varname eq "cs.type") { $typeval = $valname; }
+ if ($varname eq "machineName") { $machinename = $valname; }
+ if ($varname =~ /[a-z]*.subsystem.nickname/) { $subsystemnick = $valname; }
+ }
+ close(DAT);
+
+ if ((!defined($sechost)) || (!defined($secport))) {
+ print (STDOUT "No security domain defined. If this is an unconfigured instance, then that is OK.\n" .
+ "Otherwise, manually delete the entry from the security domain master.\n" );
+ return;
+ }
+
+ if ($secselect ne "new") {
+ # This is not a domain master, so we need to update the master
+ print (STDOUT "Contacting the security domain master to update the security domain\n");
+ my $listval = $typeval . "List";
+ my $urlheader = "https://" . $sechost . ":" . $secport;
+ my $updateURL = "/ca/agent/ca/updateDomainXML";
+ my $loginURL = "/ca/ee/ca/securityDomainLogin";
+ my $cookieURL = "/ca/ee/ca/getCookie";
+
+ # Login to security domain
+ use LWP;
+ my $browser= LWP::UserAgent->new;
+
+ #create pk12 files for client cert authentication
+ my $intpw;
+ my $pwfile = $pki_instance_path . "/conf/password.conf";
+ open(DAT, $pwfile) or die "Could not open password.conf file to generate pk12 files.";
+ my @pw_data=<DAT>;
+ foreach my $line (@pw_data) {
+ chomp($line);
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq "internal") { $intpw = $valname; }
+ }
+ close($pwfile);
+
+ my $tempfile = "/tmp/" . $$ . ".p12";
+ my $dbpath = $pki_instance_path . "/alias";
+ srand(time() ^($$ + ($$ <<15))) ;
+ my $p12pw = rand();
+
+ my @args = ("pk12util", "-d", $dbpath, "-o" ,
+ $tempfile, "-n", $subsystemnick , "-K", $intpw, "-W", $p12pw );
+ system(@args) == 0 or die "Could not generate pk12 file for client authentication.";
+
+ #update domainXML
+
+ $url = $urlheader . $updateURL;
+ #$ENV{HTTPS_DEBUG} = 1;
+ $ENV{HTTPS_PKCS12_FILE} = $tempfile;
+ $ENV{HTTPS_PKCS12_PASSWORD} = $p12pw;
+
+ my $response = $browser->post( $url,
+ [
+ 'name' => $pki_instance_name,
+ 'type' => $typeval,
+ 'list' => $listval,
+ 'host' => $machinename,
+ 'sport' => $sport,
+ 'operation' => 'remove'
+ ],
+ );
+
+ ($response->is_success) or die ("$url error: " . $response->status_line);
+ unlink $tempfile;
+ }
+}
# no args
# return 1 - success, or
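Review bot: `update_domain` hands the NSS token password and the PKCS#12 password to pk12util as `-K $intpw -W $p12pw`, so both are readable by every local user via `ps` while the export runs, and the exported subsystem private key is written to the predictable, world-readable path `/tmp/$$.p12`, which stays behind whenever the `die` after the POST fires before `unlink $tempfile`. pk12util accepts password files through `-k` and `-w`, and `File::Temp::tempdir(CLEANUP => 1)` gives a 0700 directory that is removed on exit or `die`; the PKCS#12 password should also come from a stronger source than `rand()` seeded with `time()` and the pid, since it is the only protection on the exported key while the file exists. Two smaller bugs in the same hunk: `close($pwfile)` closes a path string rather than the `DAT` handle, and the declared `$subsytemnick` is misspelled relative to the `$subsystemnick` that is actually assigned and used (like `$sechost` and `$url`, which are never declared), which would fail under `use strict`.
```perl
    use File::Temp qw(tempdir);
    # … unchanged: read the "internal" password from password.conf into $intpw …
    close(DAT);

    # 0700 directory, removed automatically on exit or die
    my $tmpdir   = tempdir("pkiremove-XXXXXX", TMPDIR => 1, CLEANUP => 1);
    my $tempfile = "$tmpdir/client.p12";
    my $dbpath   = $pki_instance_path . "/alias";

    open(my $rnd, '<', '/dev/urandom') or die "Could not open /dev/urandom";
    read($rnd, my $raw, 32) == 32 or die "Short read from /dev/urandom";
    close($rnd);
    my $p12pw = unpack("H*", $raw);

    my $kpwfile = "$tmpdir/token.pw";
    my $wpwfile = "$tmpdir/p12.pw";
    open(my $kfh, '>', $kpwfile) or die "Could not write $kpwfile"; print $kfh $intpw; close($kfh);
    open(my $wfh, '>', $wpwfile) or die "Could not write $wpwfile"; print $wfh $p12pw; close($wfh);

    my @args = ("pk12util", "-d", $dbpath, "-o", $tempfile, "-n", $subsystemnick,
                "-k", $kpwfile, "-w", $wpwfile);
    system(@args) == 0 or die "Could not generate pk12 file for client authentication.";
    # … unchanged: set HTTPS_PKCS12_FILE/HTTPS_PKCS12_PASSWORD and POST operation=remove …
```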
@@ -247,6 +334,9 @@ ASK_AGAIN:
$cleanup->open( "<$source_file_path" ) or die "Could not open file!\n";
+ eval { update_domain(); };
+ warn "Error updating security domain: " . $@ if $@;
+
my $file_mode = "file";
my @file_split;
diff --git a/pki/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/pki/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
index 95cf8541c..e140c3098 100644
--- a/pki/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+++ b/pki/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
@@ -158,4 +158,14 @@ public class XMLObject
Result dest = new StreamResult(os);
aTransformer.transform(src, dest);
}
+
+ public String toXMLString() throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
+ Transformer transformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ StreamResult dest = new StreamResult(new StringWriter());
+ transformer.transform(src, dest);
+ String xmlString = dest.getWriter().toString();
+ return xmlString;
+ }
}
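Review bot: `toXMLString` reads its result back through `dest.getWriter().toString()`, a roundabout way to obtain the string, and it repeats the `TransformerFactory`/`Transformer` setup that the serialisation method ending just above the hunk appears to perform (that method starts outside the hunk, so this is inferred). Holding the writer in a local reads more directly: `StringWriter sw = new StringWriter(); transformer.transform(new DOMSource(mDoc), new StreamResult(sw)); return sw.toString();`. A one-line Javadoc, `/** Serialises the document in mDoc to an XML string. */`, would also document the new public method and its checked exceptions.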