diff options
| author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-07-29 18:56:14 +0000 |
|---|---|---|
| committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-07-29 18:56:14 +0000 |
| commit | f9aff99f3e17979013d5ac943b8a1e218044b729 (patch) | |
| tree | 1ba4893baa74b1a59ce84900c538908b0a368767 /pki/base | |
| parent | 85c45437fcf3e07e714d4f2fe775cae73dc06801 (diff) | |
| download | pki-f9aff99f3e17979013d5ac943b8a1e218044b729.tar.gz pki-f9aff99f3e17979013d5ac943b8a1e218044b729.tar.xz pki-f9aff99f3e17979013d5ac943b8a1e218044b729.zip | |
Bugzilla Bug #472597 - Disable policy code,UI
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1138 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
6 files changed, 265 insertions, 1 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg index 21b0963f7..4b4ad6be9 100644 --- a/pki/base/ca/shared/conf/CS.cfg +++ b/pki/base/ca/shared/conf/CS.cfg @@ -200,6 +200,20 @@ ca.transitRecordPageSize=200 # ca.maxSearchReturns=1000 ca.scep.hashAlgorithm=SHA1 ca.scep.encryptionAlgorithm=DES3 +ca.Policy._000=## +ca.Policy._001=## Certificate Policy Framework (deprecated) +ca.Policy._002=## +ca.Policy._003=## Set 'ca.Policy.enable=true' to allow the following: +ca.Policy._004=## +ca.Policy._005=## SERVLET-NAME URL-PATTERN +ca.Policy._006=## ==================================================== +ca.Policy._007=## caadminEnroll ca/admin/ca/adminEnroll.html +ca.Policy._008=## cabulkissuance ca/agent/ca/bulkissuance.html +ca.Policy._009=## cacertbasedenrollment ca/certbasedenrollment.html +ca.Policy._010=## caenrollment ca/enrollment.html +ca.Policy._011=## capolicy ca/capolicy +ca.Policy._012=## +ca.Policy.enable=false ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule ca.Policy.processor=classic ca.Policy.impl._000=## @@ -677,6 +691,36 @@ cmc.revokeCert.verify=true cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret cms.version= +cmsgateway._000=## +cmsgateway._001=## In the event that all Admin Certificates have been lost +cmsgateway._002=## for a given instance, perform the following steps to +cmsgateway._003=## re-enroll for a new Admin Certificate: +cmsgateway._004=## +cmsgateway._005=## (1) Become 'root' +cmsgateway._006=## (2) Type: 'service pki-cad stop [PKI_INSTANCE_ID]' +cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg' +cmsgateway._008=## and set the following name-value pairs (if necessary): +cmsgateway._009=## +cmsgateway._010=## ca.Policy.enable=true +cmsgateway._011=## cmsgateway.enableAdminEnroll=true +cmsgateway._012=## +cmsgateway._013=## (4) Type: 'service pki-cad start [PKI_INSTANCE_ID]' +cmsgateway._014=## (5) Launch a browser and re-enroll for +cmsgateway._015=## a new Admin Certificate by typing: +cmsgateway._016=## +cmsgateway._017=## https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/admin/ca/adminEnroll.html +cmsgateway._018=## +cmsgateway._019=## (6) Verify that the browser contains the new +cmsgateway._020=## Admin Certificate by successfully navigating to: +cmsgateway._021=## +cmsgateway._022=## https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca/ +cmsgateway._023=## +cmsgateway._024=## (7) Optionally, disable the Certificate Policies Framework +cmsgateway._025=## by following steps (1) - (4), but ONLY resetting +cmsgateway._026=## 'ca.Policy.enable=false', as +cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have +cmsgateway._028=## already been reset. +cmsgateway._029=## cmsgateway.enableAdminEnroll=false https.port=8443 http.port=8080 diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml index 0f680fcdc..58d56f7e2 100644 --- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -1645,6 +1645,21 @@ </servlet> <servlet> + <servlet-name> caDynamicVariables-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DynamicVariablesServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caDynamicVariables </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> dynamicVariables </param-name> + <param-value> serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + </servlet> + + <servlet> <servlet-name> caDynamicVariables-admin </servlet-name> <servlet-class> com.netscape.cms.servlet.base.DynamicVariablesServlet </servlet-class> <init-param><param-name> ID </param-name> @@ -2215,6 +2230,11 @@ </servlet-mapping> <servlet-mapping> + <servlet-name> caDynamicVariables-agent </servlet-name> + <url-pattern> /agent/dynamicVars.js </url-pattern> + </servlet-mapping> + + <servlet-mapping> <servlet-name> caDynamicVariables-admin </servlet-name> <url-pattern> /admin/dynamicVars.js </url-pattern> </servlet-mapping> diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java index 8a8b28636..3c516a7a2 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java @@ -88,16 +88,99 @@ public class PolicyAdminServlet extends AdminServlet { public void init(ServletConfig config) throws ServletException { super.init(config); String authority = config.getInitParameter(PROP_AUTHORITY); - + String policyStatus = null; + + CMS.debug( "PolicyAdminServlet: In Policy Admin Servlet init!" ); + + // CMS 6.1 began utilizing the "Certificate Profiles" framework + // instead of the legacy "Certificate Policies" framework. + // + // Beginning with CS 8.1, to meet the Common Criteria evaluation + // performed on this version of the product, it was determined + // that this legacy "Certificate Policies" framework would be + // deprecated and disabled by default (see Bugzilla Bug #472597). + // + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // + // Further, the "PolicyAdminServlet.java" servlet is ONLY used + // by the CA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // capolicy ca/capolicy + // + // Finally, the "PolicyAdminServlet.java" servlet is ONLY used + // by the KRA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // krapolicy kra/krapolicy + // if (authority != null) mAuthority = (IAuthority) CMS.getSubsystem(authority); if (mAuthority != null) if (mAuthority instanceof ICertificateAuthority) { mProcessor = ((ICertificateAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = ICertificateAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if( mConfig.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "ca.Policy.enable=<boolean>" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: ca.Policy.enable=false + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } catch( EBaseException e ) { + throw new ServletException( authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'" ); + } } else if (mAuthority instanceof IRegistrationAuthority) { + // this refers to the legacy RA (pre-CMS 7.0) mProcessor = ((IRegistrationAuthority) mAuthority).getPolicyProcessor(); } else if (mAuthority instanceof IKeyRecoveryAuthority) { mProcessor = ((IKeyRecoveryAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = IKeyRecoveryAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if( mConfig.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "kra.Policy.enable=<boolean>" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: kra.Policy.enable=false + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } catch( EBaseException e ) { + throw new ServletException( authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'" ); + } } else throw new ServletException(authority + " does not have policy processor!"); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java index 32a524023..b2b2bc845 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java @@ -60,6 +60,8 @@ import com.netscape.certsrv.authorization.*; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.policy.IPolicyProcessor; + import com.netscape.certsrv.usrgrp.*; import com.netscape.certsrv.ca.*; import com.netscape.certsrv.dbs.certdb.*; @@ -168,6 +170,67 @@ public class EnrollServlet extends CMSServlet { CMS.debug("EnrollServlet: In Enroll Servlet init!"); + try { + IConfigStore configStore = CMS.getConfigStore(); + String PKI_Subsystem = configStore.getString( "subsystem.0.id", + null ); + + // CMS 6.1 began utilizing the "Certificate Profiles" framework + // instead of the legacy "Certificate Policies" framework. + // + // Beginning with CS 8.1, to meet the Common Criteria + // evaluation performed on this version of the product, it + // was determined that this legacy "Certificate Policies" + // framework would be deprecated and disabled by default + // (see Bugzilla Bug #472597). + // + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // + // Further, the "EnrollServlet.java" servlet is ONLY + // used by the CA for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // caadminEnroll ca/admin/ca/adminEnroll.html + // cabulkissuance ca/agent/ca/bulkissuance.html + // cacertbasedenrollment ca/certbasedenrollment.html + // caenrollment ca/enrollment.html + // + // The "EnrollServlet.java" servlet is NOT used by + // the KRA. + // + if( PKI_Subsystem.trim().equalsIgnoreCase( "ca" ) ) { + String policyStatus = PKI_Subsystem.trim().toLowerCase() + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + + if( configStore.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "<subsystem>.Policy.enable=<boolean>" + // is missing, then the referenced instance + // existed prior to this name=value pair + // existing in its 'CS.cfg' file, and thus + // we err on the side that the user may + // still need to use the policy framework. + CMS.debug( "EnrollServlet::init Certificate " + + "Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: <subsystem>.Policy.enable=false + CMS.debug( "EnrollServlet::init Certificate " + + "Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } + } catch( EBaseException e ) { + throw new ServletException( "EnrollServlet::init - " + + "EBaseException: " + + "Unable to initialize " + + "Certificate Policy Framework " + + "(deprecated)" ); + } + // override success template to allow direct import of keygen certs. mTemplates.remove(CMSRequest.SUCCESS); diff --git a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java index d2a281be0..8ee9d06f1 100644 --- a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java +++ b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java @@ -137,6 +137,50 @@ public class GenericPolicyProcessor implements IPolicyProcessor { mGlobalStore = SubsystemRegistry.getInstance().get("MAIN").getConfigStore(); + try { + IConfigStore configStore = CMS.getConfigStore(); + String PKI_Subsystem = configStore.getString( "subsystem.0.id", + null ); + + // CMS 6.1 began utilizing the "Certificate Profiles" framework + // instead of the legacy "Certificate Policies" framework. + // + // Beginning with CS 8.1, to meet the Common Criteria evaluation + // performed on this version of the product, it was determined + // that this legacy "Certificate Policies" framework would be + // deprecated and disabled by default (see Bugzilla Bug #472597). + // + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // + if( PKI_Subsystem.trim().equalsIgnoreCase( "ca" ) || + PKI_Subsystem.trim().equalsIgnoreCase( "kra" ) ) { + String policyStatus = PKI_Subsystem.trim().toLowerCase() + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + + if( configStore.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "<subsystem>.Policy.enable=<boolean>" is + // missing, then the referenced instance existed + // prior to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. + CMS.debug( "GenericPolicyProcessor::init Certificate " + + "Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: <subsystem>.Policy.enable=false + CMS.debug( "GenericPolicyProcessor::init Certificate " + + "Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } + } catch( EBaseException e ) { + throw e; + } + // Initialize default policies system that would be // present in the system always. if (mInitSystemPolicies) { diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg index 3636af443..747605892 100644 --- a/pki/base/kra/shared/conf/CS.cfg +++ b/pki/base/kra/shared/conf/CS.cfg @@ -219,6 +219,16 @@ jss.ocspcheck.enable=false jss.ssl.cipherfortezza=true jss.ssl.cipherpref= jss.ssl.cipherversion=cipherdomestic +kra.Policy._000=## +kra.Policy._001=## Certificate Policy Framework (deprecated) +kra.Policy._002=## +kra.Policy._003=## Set 'kra.Policy.enable=true' to allow the following: +kra.Policy._004=## +kra.Policy._005=## SERVLET-NAME URL-PATTERN +kra.Policy._006=## ==================================================== +kra.Policy._007=## krapolicy kra/krapolicy +kra.Policy._008=## +kra.Policy.enable=false kra.keySplitting=false kra.noOfRequiredRecoveryAgents=1 kra.recoveryAgentGroup=Data Recovery Manager Agents |