author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-05-07 22:37:08 +0000 |
---|---|---|
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-05-07 22:37:08 +0000 |
commit | 466202e75665108f5c51c5d602d2afaabed4a027 (patch) | |
tree | 9e953e972da8074d7fc4dfcc02f0d1a96f57db34 /pki | |
parent | 2963ca4c6381e7a43fff0457fb0135476874830f (diff) | |
download | pki-466202e75665108f5c51c5d602d2afaabed4a027.tar.gz pki-466202e75665108f5c51c5d602d2afaabed4a027.tar.xz pki-466202e75665108f5c51c5d602d2afaabed4a027.zip |
Bugzilla Bug #492735 - Configuration wizard stores certain incorrect port
values within TPS "CS.cfg" . . .
Bugzilla Bug #495597 - Unable to access Agent page using a configured CA/KRA
containing an HSM
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@431 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
69 files changed, 1400 insertions, 613 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg index 81e43c798..aac14e868 100644 --- a/pki/base/ca/shared/conf/CS.cfg +++ b/pki/base/ca/shared/conf/CS.cfg @@ -2,16 +2,16 @@ #cs.state=0 (pre-operational) #cs.state=1 (running) # -pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.arg07.secure_port=[PKI_SECURE_PORT] -pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.arg10.user=[PKI_USER] +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] pkicreate.arg11.group=[PKI_GROUP] installDate=[INSTALL_TIME] preop.wizard.name=CA Setup Wizard 
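Review bot: `pkicreate.arg11.group=[PKI_GROUP]` keeps the old numbered prefix while every other `pkicreate.*` key in this hunk drops it (`arg01`–`arg10` become `pkicreate.pki_instance_root` … `pkicreate.user`), so the group key is now the odd one out and any consumer that iterates the new unnumbered names will miss it. Unless something still reads the numbered form, rename it to `pkicreate.group=[PKI_GROUP]`; if the numbered key is kept deliberately, a one-line comment above it saying why would stop the next reader from "fixing" it. The other subsystems' CS.cfg templates presumably carry the same layout and are not visible in this chunk.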
@@ -25,12 +25,17 @@ authType=pwd admin.interface.uri=ca/admin/console/config/wizard ee.interface.uri=ca/ee/ca agent.interface.uri=ca/agent/ca -preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444 +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT] securitydomain.flushinterval=86400000 instanceRoot=[PKI_INSTANCE_PATH] machineName=[PKI_MACHINE_NAME] instanceId=[PKI_INSTANCE_ID] -service.securePort=[PKI_SECURE_PORT] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] preop.admin.name=Certificate System Administrator preop.admin.group=Certificate Manager Agents preop.admincert.profile=caAdminCert diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif index 823543dcf..269b3f576 100644 --- a/pki/base/ca/shared/conf/schema.ldif +++ b/pki/base/ca/shared/conf/schema.ldif @@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115. dn: cn=schema changetype: modify add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) dn: cn=schema 
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' ) +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) dn: cn=schema changetype: modify diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml index 7dd9f6ccd..58cd61666 100644 --- a/pki/base/ca/shared/conf/server.xml +++ b/pki/base/ca/shared/conf/server.xml @@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" - clientAuth="true" sslProtocol="SSL" + clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" diff --git a/pki/base/ca/shared/etc/init.d/httpd b/pki/base/ca/shared/etc/init.d/httpd index e0c7326be..4df900f36 100755 --- a/pki/base/ca/shared/etc/init.d/httpd 
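Review bot: The three new port attributes (`SecureAgentPort`, `SecureAdminPort`, `UnSecurePort`) are added to `pkiSubsystem` as MAY, so entries registered by subsystems that predate this change will simply lack them, and readers such as the `getSecurityDomainPort( cs, "SecureAgentPort" )` lookups added elsewhere in this commit must treat an absent attribute as an error rather than as an empty port string. A short comment next to the objectClass line recording that the attributes are optional for backward compatibility with existing domain entries would make that intent explicit. Whether `getSecurityDomainPort` handles the missing case is not visible here.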
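Review bot: `clientAuth="[PKI_AGENT_CLIENTAUTH]"` turns what was a fixed `clientAuth="true"` on the agent connector into an installer-substituted value, so the certificate-based client authentication on the agent interface now depends entirely on what is written into that placeholder; an unsubstituted or mistyped value would silently weaken or break the connector. A comment beside the attribute naming the accepted values and the expected setting for the agent port, e.g. `<!-- [PKI_AGENT_CLIENTAUTH] is substituted at instance creation; the agent port is expected to use "true" -->`, would document the contract, and the substitution code should reject anything other than the values Tomcat accepts. The code that performs the substitution is not in this chunk.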
+++ b/pki/base/ca/shared/etc/init.d/httpd @@ -208,6 +208,7 @@ fi pidfile=${PIDFILE:-/var/run/[PKI_INSTANCE_ID].pid} lockfile=${LOCKFILE:-/var/lock/subsys/[PKI_INSTANCE_ID]} +PKI_SECURITY_DOMAIN=[PKI_INSTANCE_PATH]/conf/pki_security_domain RESTART_SERVER=[PKI_INSTANCE_PATH]/conf/restart_server_after_configuration RETVAL=0 
@@ -293,6 +294,78 @@ get_pki_status_definitions() fi } +get_pki_security_domain_definitions() +{ + # establish well-known strings + begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" + end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->" + announce_urls=0 + total_ports=0 + secure_admin_port_statement="Secure Admin Port = " + + # initialize looping variables + pki_status_comment_found=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f [PKI_SERVER_XML_CONF] ] ; then + echo "File '[PKI_SERVER_XML_CONF]' does not exist!" + exit 255 + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current PKI Status Definitions + exec < [PKI_SERVER_XML_CONF] + while read line; do + # first look for the well-known end PKI Status comment + # (to turn off processing) + if [ "$line" == "$end_pki_status_comment" ] ; then + pki_status_comment_found=0 + break; + fi + + # then look for the well-known begin PKI Status comment + # (to turn on processing) + if [ "$line" == "$begin_pki_status_comment" ] ; then + pki_status_comment_found=1 + fi + + # once the well-known begin PKI Status comment has been found, + # begin processing to obtain all of the PKI Status Definitions + if [ $pki_status_comment_found -eq 1 ] ; then + + # announce security domain URL + if [ ${announce_urls} -eq 0 ] ; then + echo + echo + echo " Security Domain URL:" + echo " ==========================================================================" + announce_urls=`expr ${total_ports} + 1` + fi + + # look for a PKI Status Definition and print the + # security domain portion of it + head=`echo "$line" | cut -b1-20` + url=`echo "$line" | cut -b21-` + if [ "$head" == "$secure_admin_port_statement" ] + then + security_domain=`echo "$url" | awk '{loc=index($0, "/ca/services"); printf substr($0, 1, (loc-1))}'` ; + echo " $security_domain" ; + total_ports=`expr ${total_ports} + 1` + fi + fi + done + + if 
[ ${announce_urls} -ne 0 ] ; then + echo " ==========================================================================" + fi + + if [ ${total_ports} -eq 1 ] ; then + return 0 + else + return 255 + fi +} + get_pki_secure_port() { # establish well-known strings @@ -1000,6 +1073,19 @@ status() if [ $? -ne 0 ] ; then echo "[PKI_INSTANCE_ID] Status Definitions not found" fi + if [ -f ${PKI_SECURITY_DOMAIN} ] ; then + get_pki_security_domain_definitions + if [ $? -ne 0 ] ; then + echo "[PKI_INSTANCE_ID] Security Domain Definitions not found" + fi + else + echo + echo + echo " Security Domain URL:" + echo " ==========================================================================" + echo " '[PKI_INSTANCE_ID]' is NOT a Security Domain!" + echo " ==========================================================================" + fi fi echo else diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml index ce9c972aa..eb2cdb45b 100644 --- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -220,8 +220,6 @@ <param-value> services </param-value> </init-param> <init-param><param-name> templatePath </param-name> <param-value> /services.template </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> </servlet> <servlet> 
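Review bot: `exec < [PKI_SERVER_XML_CONF]` inside `get_pki_security_domain_definitions` replaces the whole script's standard input for the rest of the run instead of feeding only the loop, and `while read line` also lets `read` interpret backslashes; redirect the loop itself, `while read -r line; do` … `done < [PKI_SERVER_XML_CONF]`. The function also returns 255 when more than one `Secure Admin Port = ` line is found, which the `status()` hunk that follows then reports as 'Security Domain Definitions not found'; a distinct message for the duplicate case would be less misleading. `[ "$line" == "$end_pki_status_comment" ]` is a bash-only comparison, which is fine only if this init script is always run under bash.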
@@ -440,6 +438,17 @@ </servlet> <servlet> + <servlet-name> caGetCertChainAdmin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetCertChain </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetCertChainAdmin </param-value> </init-param> + </servlet> + + <servlet> <servlet-name> caGetStatus </servlet-name> <servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class> <init-param><param-name> GetClientCert </param-name> @@ -1903,8 +1912,6 @@ <param-value> caSecurityDomainLogin </param-value> </init-param> <init-param><param-name> resourceID </param-name> <param-value> certServer.ee.certificates </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> </servlet> <servlet> @@ -1920,14 +1927,12 @@ <param-value> ca </param-value> </init-param> <init-param><param-name> ID </param-name> <param-value> caGetCookie </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> <init-param><param-name> AuthMgr </param-name> <param-value> passwdUserDBAuthMgr </param-value> </init-param> <init-param><param-name> templatePath </param-name> - <param-value> /ee/ca/sendCookie.template </param-value> </init-param> + <param-value> /admin/ca/sendCookie.template </param-value> </init-param> <init-param><param-name> errorTemplatePath </param-name> - <param-value> /ee/ca/securitydomainlogin.template </param-value> </init-param> + <param-value> /admin/ca/securitydomainlogin.template </param-value> </init-param> </servlet> <servlet> 
@@ -1997,53 +2002,56 @@ [PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <filter-mapping> - <filter-name> PassThroughRequestFilter </filter-name> - <url-pattern> /agent/ca/updateDomainXML </url-pattern> + <filter-name> PassThroughRequestFilter </filter-name> + <url-pattern> /subsystem/* </url-pattern> + <url-pattern> /ca/getCertFromRequest </url-pattern> + <url-pattern> /ca/getBySerial </url-pattern> + <url-pattern> /index </url-pattern> + <url-pattern> /ca/connector </url-pattern> + <url-pattern> /ca/displayCertFromRequest </url-pattern> + <url-pattern> /ca/cloneConnector </url-pattern> + <url-pattern> /doRevoke </url-pattern> + + <url-pattern> /acl </url-pattern> + <url-pattern> /ug </url-pattern> + <url-pattern> /server </url-pattern> + <url-pattern> /capolicy </url-pattern> + <url-pattern> /log </url-pattern> + <url-pattern> /ca/getAdminCertBySerial </url-pattern> + <url-pattern> /caadmin </url-pattern> + <url-pattern> /registry </url-pattern> + <url-pattern> /ocsp </url-pattern> + <url-pattern> /caprofile </url-pattern> + <url-pattern> /jobsScheduler </url-pattern> + <url-pattern> /capublisher </url-pattern> + + <url-pattern> /renewal </url-pattern> + <url-pattern> /remoteAuthConfig </url-pattern> + <url-pattern> /certbasedenrollment </url-pattern> + <url-pattern> /enrollment </url-pattern> + <url-pattern> /ocsp </url-pattern> + <url-pattern> /profileSubmit </url-pattern> + + <url-pattern> /services </url-pattern> + + <url-pattern> /start </url-pattern> + <url-pattern> /cgi-bin/pkiclient.exe </url-pattern> </filter-mapping> <filter-mapping> - <filter-name> AgentRequestFilter </filter-name> - <url-pattern> /agent/ca/getOCSPInfo </url-pattern> - <url-pattern> /agent/ca/updateDir </url-pattern> - <url-pattern> /agent/ca/profileSelect </url-pattern> - <url-pattern> /agent/ca/monitor </url-pattern> - <url-pattern> /agent/ca/reasonToRevoke </url-pattern> - <url-pattern> /agent/ca/listRequests.html </url-pattern> - <url-pattern> /agent/ca/searchReqs </url-pattern> - 
<url-pattern> /agent/ca/profileApprove </url-pattern> - <url-pattern> /agent/ca/updateDir.html </url-pattern> - <url-pattern> /agent/ca/profileReview </url-pattern> - <url-pattern> /agent/ca/srchCerts </url-pattern> - <url-pattern> /agent/header </url-pattern> - <url-pattern> /agent/ca/listCerts </url-pattern> - <url-pattern> /agent/ca/queryReq </url-pattern> - <url-pattern> /agent/ca/processReq </url-pattern> - <url-pattern> /agent/ca/srchCert.html </url-pattern> - <url-pattern> /agent/ca/profileList </url-pattern> - <url-pattern> /agent/ca/displayBySerial </url-pattern> - <url-pattern> /agent/ca/srchRevokeCert.html </url-pattern> - <url-pattern> /agent/ca/doUnrevoke </url-pattern> - <url-pattern> /agent/ca/doRevoke </url-pattern> - <url-pattern> /agent/ca/profileProcess </url-pattern> - <url-pattern> /agent/ca/processCertReq </url-pattern> - <url-pattern> /agent/ca/bulkissuance </url-pattern> - <url-pattern> /agent/ca/queryBySerial.html </url-pattern> - <url-pattern> /agent/ca/updateCRL </url-pattern> - <url-pattern> /agent/ca/displayCRL </url-pattern> - <url-pattern> /agent/ca/getInfo </url-pattern> - <url-pattern> /agent/ca/getStats </url-pattern> - <url-pattern> /agent/bulkissuance </url-pattern> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/* </url-pattern> </filter-mapping> <filter-mapping> - <filter-name> AdminRequestFilter </filter-name> - <url-pattern> /admin/* </url-pattern> - <url-pattern> /auths </url-pattern> + <filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> </filter-mapping> <filter-mapping> - <filter-name> EERequestFilter </filter-name> - <url-pattern> /ee/* </url-pattern> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> </filter-mapping> [PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] 
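Review bot: The `PassThroughRequestFilter` mapping grows from the single `/agent/ca/updateDomainXML` pattern to some thirty paths, including administrative ones such as `/acl`, `/ug`, `/server`, `/caadmin`, `/log` and `/doRevoke`; if this filter is the interface check that the `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` block enables, those servlets now rely entirely on their own AuthMgr and ACL configuration to restrict who may call them on any port, and that should be confirmed path by path before merging. `/ocsp` is also listed twice in the same mapping. A comment above the mapping stating why each group of paths must be reachable without the interface check (the blank-line groupings hint at a rationale) would make later audits of this list much easier.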
@@ -2089,7 +2097,7 @@ <servlet-mapping> <servlet-name> caGetDomainXML </servlet-name> - <url-pattern> /ee/ca/getDomainXML </url-pattern> + <url-pattern> /admin/ca/getDomainXML </url-pattern> </servlet-mapping> <servlet-mapping> @@ -2113,8 +2121,13 @@ </servlet-mapping> <servlet-mapping> + <servlet-name> caGetCertChainAdmin </servlet-name> + <url-pattern> /admin/ca/getCertChain </url-pattern> + </servlet-mapping> + + <servlet-mapping> <servlet-name> caGetStatus </servlet-name> - <url-pattern> /ee/ca/getStatus </url-pattern> + <url-pattern> /admin/ca/getStatus </url-pattern> </servlet-mapping> <servlet-mapping> @@ -2599,12 +2612,12 @@ <servlet-mapping> <servlet-name> caSecurityDomainLogin </servlet-name> - <url-pattern> /ee/ca/securityDomainLogin </url-pattern> + <url-pattern> /admin/ca/securityDomainLogin </url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name> caGetCookie </servlet-name> - <url-pattern> /ee/ca/getCookie </url-pattern> + <url-pattern> /admin/ca/getCookie </url-pattern> </servlet-mapping> <servlet-mapping> diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java index 0171df6be..298fd43c3 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java @@ -141,7 +141,7 @@ public class TokenAuthentication implements IAuthManager, String sessionId = (String)authCred.get(CRED_SESSION_ID); String givenHost = (String)authCred.get("clientHost"); String auth_host = sconfig.getString("securitydomain.host"); - int auth_port = sconfig.getInteger("securitydomain.httpsport"); + int auth_port = sconfig.getInteger("securitydomain.httpseeport"); HttpClient httpclient = new HttpClient(); String c = null; 
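Review bot: `sconfig.getInteger("securitydomain.httpseeport")` has no default, and within this commit the key is only written by `DisplayCertChainPanel` (`cs.putString("securitydomain.httpseeport", ...)`) after the security-domain ports have been fetched, so an instance configured before this change, or one where that fetch failed, will throw here on every token authentication. Consider `sconfig.getInteger("securitydomain.httpseeport", -1)` followed by an explicit authentication failure when the port is unset, or a fallback to the previous `securitydomain.httpsport` key. The enclosing method starts before this hunk.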
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java index d2495c177..e8b0346a2 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java @@ -176,7 +176,7 @@ public class AdminPanel extends WizardPanelBase { String domainname = ""; try { - domainname = cs.getString("preop.securitydomain.name", ""); + domainname = cs.getString("securitydomain.name", ""); } catch (EBaseException e1) {} context.put("securityDomain", domainname); context.put("title", "Administrator"); @@ -286,8 +286,8 @@ public class AdminPanel extends WizardPanelBase { } } else { try { - ca_hostname = config.getString("preop.securitydomain.host", ""); - ca_port = config.getInteger("preop.securitydomain.httpsport"); + ca_hostname = config.getString("securitydomain.host", ""); + ca_port = config.getInteger("securitydomain.httpseeport"); } catch (Exception e) { } } @@ -362,7 +362,7 @@ public class AdminPanel extends WizardPanelBase { system.modifyGroup(group); } - String select = config.getString("preop.securitydomain.select", ""); + String select = config.getString("securitydomain.select", ""); if (select.equals("new")) { group = system.getGroupFromName("Security Domain Administrators"); if (!group.isMember(uid)) { @@ -419,8 +419,8 @@ public class AdminPanel extends WizardPanelBase { int sd_port = -1; try { - sd_hostname = config.getString("preop.securitydomain.host", ""); - sd_port = config.getInteger("preop.securitydomain.httpsport"); + sd_hostname = config.getString("securitydomain.host", ""); + sd_port = config.getInteger("securitydomain.httpseeport"); } catch (Exception e) {} String profileId = HttpInput.getID(request, "profileId"); 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java index b88898bec..b24341459 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java @@ -70,7 +70,7 @@ public class AgentAuthenticatePanel extends WizardPanelBase { // if we are root, no need to get the certificate chain. try { - String select = cs.getString("preop.securitydomain.select",""); + String select = cs.getString("securitydomain.select",""); if (select.equals("new")) { return true; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java index 1cf6d7421..316c5706d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java @@ -110,10 +110,6 @@ public class CAInfoPanel extends WizardPanelBase { CMS.debug("CAInfoPanel: display"); IConfigStore cs = CMS.getConfigStore(); - String sdcaHostname = ""; - String sdcaHttpPort = ""; - String othercaHostname = ""; - String othercaPort = ""; String hostname = ""; String httpport = ""; String httpsport = ""; @@ -153,6 +149,7 @@ public class CAInfoPanel extends WizardPanelBase { } String cstype = "CA"; + String portType = "SecurePort"; /* try { @@ -161,7 +158,7 @@ public class CAInfoPanel extends WizardPanelBase { */ CMS.debug("CAInfoPanel: Ready to get url"); - Vector v = getUrlListFromSecurityDomain(cs, cstype); + Vector v = getUrlListFromSecurityDomain(cs, cstype, portType); v.addElement("External CA"); StringBuffer list = new StringBuffer(); int size = v.size(); 
@@ -254,7 +251,7 @@ public class CAInfoPanel extends WizardPanelBase { } else { select = "sdca"; - // parse URL (CA1 - http://...) + // parse URL (CA1 - https://...) url = url.substring(url.indexOf("https")); urlx = new URL(url); } @@ -286,34 +283,35 @@ public class CAInfoPanel extends WizardPanelBase { } catch (Exception e) {} } - private void sdca(HttpServletRequest request, Context context, String hostname, String httpPortStr) throws IOException { + private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException { CMS.debug("CAInfoPanel update: this is the CA in the security domain."); IConfigStore config = CMS.getConfigStore(); context.put("sdcaHostname", hostname); - context.put("sdHttpPort", httpPortStr); + context.put("sdcaHttpsPort", httpsPortStr); if (hostname == null || hostname.length() == 0) { context.put("errorString", "Hostname is null"); throw new IOException("Hostname is null"); } - int httpport = -1; + int httpsport = -1; try { - httpport = Integer.parseInt(httpPortStr); + httpsport = Integer.parseInt(httpsPortStr); } catch (Exception e) { CMS.debug( - "CAInfoPanel update: Http port is not valid. Exception: " + "CAInfoPanel update: Https port is not valid. Exception: " + e.toString()); throw new IOException("Http Port is not valid."); } config.putString("preop.ca.hostname", hostname); - config.putString("preop.ca.httpsport", httpPortStr); + config.putString("preop.ca.httpsport", httpsPortStr); ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - updateCertChain(config, "ca", hostname, httpport, true, context, - certApprovalCallback); + updateCertChainUsingSecureEEPort( config, "ca", hostname, + httpsport, true, context, + certApprovalCallback ); } /** diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java index 5fccf9004..339a92444 100644 
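Review bot: In `sdca` the debug message was updated to `"CAInfoPanel update: Https port is not valid. Exception: "` but the exception thrown two lines later still reads `throw new IOException("Http Port is not valid.");`, so the message the wizard shows to the user still names the wrong port; change it to `throw new IOException("Https Port is not valid.");`. The context key also changes from `sdHttpPort` to `sdcaHttpsPort`, which presumably needs a matching edit in the Velocity template that reads it; that template is not in this chunk.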
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java @@ -139,12 +139,15 @@ public class CreateSubsystemPanel extends WizardPanelBase { context.put("systemname", config.getString("preop.system.name")); context.put("fullsystemname", config.getString("preop.system.fullname")); context.put("machineName", config.getString("machineName")); - context.put("https_port", CMS.getEESSLPort()); context.put("http_port", CMS.getEENonSSLPort()); + context.put("https_agent_port", CMS.getAgentPort()); + context.put("https_ee_port", CMS.getEESSLPort()); + context.put("https_admin_port", CMS.getAdminPort()); } catch (EBaseException e) { } - Vector v = getMasterUrlListFromSecurityDomain(config, cstype); + Vector v = getMasterUrlListFromSecurityDomain( config, cstype, + "SecurePort" ); StringBuffer list = new StringBuffer(); int size = v.size(); for (int i = 0; i < size; i++) { @@ -247,18 +250,18 @@ public class CreateSubsystemPanel extends WizardPanelBase { URL u = new URL(url); String host = u.getHost(); - int port = u.getPort(); + int https_ee_port = u.getPort(); config.putString("preop.master.hostname", host); - config.putInteger("preop.master.httpsport", port); + config.putInteger("preop.master.httpsport", https_ee_port); ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); if (cstype.equals("ca")) { - updateCertChain(config, "clone", host, port, true, context, - certApprovalCallback); + updateCertChain( config, "clone", host, https_ee_port, + true, context, certApprovalCallback ); } - getTokenInfo(config, cstype, host, port, true, context, + getTokenInfo(config, cstype, host, https_ee_port, true, context, certApprovalCallback); } else { CMS.debug("CreateSubsystemPanel: invalid choice " + select); 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java index a27bcf09d..d4816bc9f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java @@ -94,7 +94,7 @@ public class DisplayCertChainPanel extends WizardPanelBase { // if we are root, no need to get the certificate chain. try { - String select = cs.getString("preop.securitydomain.select",""); + String select = cs.getString("securitydomain.select",""); String type = cs.getString("preop.subsystem.select", ""); String hierarchy = cs.getString("preop.hierarchy.select", ""); 
@@ -194,13 +194,26 @@ public class DisplayCertChainPanel extends WizardPanelBase { int panel = getPanelNo()+1; IConfigStore cs = CMS.getConfigStore(); try { - String hostname = cs.getString("preop.securitydomain.host", ""); - int port = cs.getInteger("preop.securitydomain.httpsport", -1); + String sd_hostname = cs.getString("securitydomain.host", ""); + int sd_port = cs.getInteger("securitydomain.httpsadminport", -1); + String cs_hostname = cs.getString("machineName", ""); + int cs_port = cs.getInteger("pkicreate.admin_secure_port", -1); String subsystem = cs.getString("cs.type", ""); - String urlVal = "https://"+CMS.getEESSLHost()+":"+CMS.getEESSLPort()+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem; + String urlVal = "https://"+cs_hostname+":"+cs_port+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem; String encodedValue = URLEncoder.encode(urlVal, "UTF-8"); - String sdurl = "https://"+hostname+":"+port+"/ca/ee/ca/securityDomainLogin?url="+encodedValue; + String sdurl = "https://"+sd_hostname+":"+sd_port+"/ca/admin/ca/securityDomainLogin?url="+encodedValue; response.sendRedirect(sdurl); + + // The user previously specified the CA Security Domain's + // SSL Admin port in the "Security Domain Panel"; + // now retrieve this specified CA Security Domain's + // non-SSL EE, SSL Agent, and SSL EE ports: + cs.putString( "securitydomain.httpport", + getSecurityDomainPort( cs, "UnSecurePort" ) ); + cs.putString("securitydomain.httpsagentport", + getSecurityDomainPort( cs, "SecureAgentPort" ) ); + cs.putString("securitydomain.httpseeport", + getSecurityDomainPort( cs, "SecurePort" ) ); } catch (Exception ee) { CMS.debug("DisplayCertChainPanel Exception="+ee.toString()); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index 011be5861..1b657d28a 100644 
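Review bot: The three `cs.putString("securitydomain.http…port", getSecurityDomainPort( cs, … ))` calls run after `response.sendRedirect(sdurl)`, so if `getSecurityDomainPort` throws, the catch only logs `DisplayCertChainPanel Exception=` while the user has already been sent to the security domain login and the EE/agent port keys that `TokenAuthentication` and `DonePanel` now read stay unset. Fetch the ports before building `sdurl` and fail the panel visibly when one cannot be retrieved, rather than continuing with missing configuration. No `cs.commit` is visible in this hunk either, so confirm the values are persisted before the instance is restarted; the enclosing method starts before the hunk.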
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -53,6 +53,7 @@ public class DonePanel extends WizardPanelBase { public static final Long MINUS_ONE = Long.valueOf(-1); public static final String RESTART_SERVER_AFTER_CONFIGURATION = "restart_server_after_configuration"; + public static final String PKI_SECURITY_DOMAIN = "pki_security_domain"; public DonePanel() {} @@ -166,8 +167,13 @@ public class DonePanel extends WizardPanelBase { } IConfigStore cs = CMS.getConfigStore(); + String ownport = CMS.getEENonSSLPort(); String ownsport = CMS.getEESSLPort(); String ownhost = CMS.getEESSLHost(); + String ownagentsport = CMS.getAgentPort(); + String ownagenthost = CMS.getAgentHost(); + String ownadminsport = CMS.getAdminPort(); + String ownadminhost = CMS.getAdminHost(); String select = ""; String type = ""; @@ -189,8 +195,8 @@ public class DonePanel extends WizardPanelBase { } context.put("title", "Done"); context.put("panel", "admin/console/config/donepanel.vm"); - context.put("host", ownhost); - context.put("port", ownsport); + context.put("host", ownadminhost); + context.put("port", ownadminsport); String subsystemType = toLowerCaseSubsystemType(type); context.put("systemType", subsystemType); @@ -205,12 +211,14 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { } - String sd_port = ""; + String sd_agent_port = ""; + String sd_admin_port = ""; String sd_host = ""; String ca_host = ""; try { - sd_host = cs.getString("preop.securitydomain.host", ""); - sd_port = cs.getString("preop.securitydomain.httpsport", ""); + sd_host = cs.getString("securitydomain.host", ""); + sd_agent_port = cs.getString("securitydomain.httpsagentport", ""); + sd_admin_port = cs.getString("securitydomain.httpsadminport", ""); ca_host = cs.getString("preop.ca.hostname", ""); } catch (Exception e) { } 
@@ -225,7 +233,7 @@ public class DonePanel extends WizardPanelBase { String instanceName = ""; String subsystemName = ""; try { - sdtype = cs.getString("preop.securitydomain.select", ""); + sdtype = cs.getString("securitydomain.select", ""); instanceName = cs.getString("instanceId", ""); subsystemName = cs.getString("preop.subsystem.name", ""); } catch (Exception e) { @@ -237,7 +245,7 @@ public class DonePanel extends WizardPanelBase { LDAPConnection conn = getLDAPConn(context); String basedn = cs.getString("internaldb.basedn"); - String secdomain = cs.getString("preop.securitydomain.name"); + String secdomain = cs.getString("securitydomain.name"); try { // Create security domain ldap entry @@ -288,6 +296,11 @@ public class DonePanel extends WizardPanelBase { attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem")); attrs.add(new LDAPAttribute("Host", ownhost)); attrs.add(new LDAPAttribute("SecurePort", ownsport)); + attrs.add(new LDAPAttribute("SecureAgentPort", + ownagentsport)); + attrs.add(new LDAPAttribute("SecureAdminPort", + ownadminsport)); + attrs.add(new LDAPAttribute("UnSecurePort", ownport)); attrs.add(new LDAPAttribute("Clone", "false")); attrs.add(new LDAPAttribute("SubsystemName", subsystemName)); attrs.add(new LDAPAttribute("cn", cn)); 
@@ -304,10 +317,34 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { CMS.debug("DonePanel display: "+e.toString()); } + + int sd_admin_port_int = -1; + try { + sd_admin_port_int = Integer.parseInt( sd_admin_port ); + } catch (Exception e) { + } + + try { + // Fetch the "new" security domain and display it + CMS.debug( "Dump contents of new Security Domain . . ." ); + String c = getDomainXML( sd_host, sd_admin_port_int, true ); + } catch( Exception e ) {} + + // Since this instance is a new Security Domain, + // create an empty file to designate this fact. + String security_domain = instanceRoot + "/conf/" + + PKI_SECURITY_DOMAIN; + if( !Utils.isNT() ) { + Utils.exec( "touch " + security_domain ); + Utils.exec( "chmod 00660 " + security_domain ); + } + } else { //existing domain - int p = -1; + int sd_agent_port_int = -1; + int sd_admin_port_int = -1; try { - p = Integer.parseInt(sd_port); + sd_agent_port_int = Integer.parseInt(sd_agent_port); + sd_admin_port_int = Integer.parseInt(sd_admin_port); } catch (Exception e) { } 
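Review bot: `Utils.exec( "touch " + security_domain )` and `Utils.exec( "chmod 00660 " + security_domain )` build shell commands by concatenating `instanceRoot` and ignore the exec result, so a path containing whitespace (or shell-special characters) breaks the command, and a failure leaves the instance without the marker file that the init script's `status()` now tests with `-f`. Create the file with `new File( security_domain ).createNewFile()` and check its boolean result, and pass the path to the permission step in a form that does not go through shell word splitting if `Utils.exec` offers one. `String c = getDomainXML( sd_host, sd_admin_port_int, true );` in the same hunk is never used although the preceding debug line says `Dump contents`, and its catch is empty; the same unused `c` appears in the next hunk.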
@@ -317,17 +354,31 @@ public class DonePanel extends WizardPanelBase { cloneStr = "&clone=true"; else cloneStr = "&clone=false"; - updateDomainXML(sd_host, p, true, "/ca/agent/ca/updateDomainXML", - "list="+s+"&type="+type+"&host="+ownhost+"&name="+subsystemName+"&sport="+ownsport+"&dm=false"+cloneStr); + updateDomainXML( sd_host, sd_agent_port_int, true, + "/ca/agent/ca/updateDomainXML", + "list=" + s + + "&type=" + type + + "&host=" + ownhost + + "&name=" + subsystemName + + "&sport=" + ownsport + + "&dm=false" + cloneStr + + "&agentsport=" + ownagentsport + + "&adminsport=" + ownadminsport + + "&httpport=" + ownport ); + + // Fetch the "updated" security domain and display it + CMS.debug( "Dump contents of updated Security Domain . . ." ); + String c = getDomainXML( sd_host, sd_admin_port_int, true ); } catch (Exception e) { context.put("errorString", "Failed to update the security domain on the domain master."); //return; } } - // add service.securityDomainPort to CS.cfg in case pkiremove needs to remove system reference from the security domain + // add service.securityDomainPort to CS.cfg in case pkiremove + // needs to remove system reference from the security domain try { - cs.putString("service.securityDomainPort", ownsport); + cs.putString("service.securityDomainPort", ownagentsport); cs.commit(false); } catch (Exception e) { CMS.debug("DonePanel: exception in adding service.securityDomainPort to CS.cfg" + e); @@ -337,7 +388,7 @@ public class DonePanel extends WizardPanelBase { // need to push connector information to the CA if (type.equals("KRA") && !ca_host.equals("")) { try { - updateConnectorInfo(ownhost, ownsport, sd_host, sd_port); + updateConnectorInfo(ownagenthost, ownagentsport); } catch (IOException e) { context.put("errorString", "Failed to update connector information."); return; 
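Review bot: The read-back `String c = getDomainXML( sd_host, sd_admin_port_int, true );` sits inside the same try as `updateDomainXML`, so a failure of the debug fetch after a successful update is reported as "Failed to update the security domain on the domain master." Move the dump into its own try/catch that only logs, or drop the unused `c`. `sd_admin_port_int` and `sd_agent_port_int` stay -1 when parsing fails and are passed through unchecked, with the parse error already swallowed; a `if (sd_agent_port_int < 0 || sd_admin_port_int < 0) { context.put("errorString", "Invalid security domain port"); return; }` before the call would make that failure visible. The enclosing method starts outside the hunk.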
@@ -495,8 +546,8 @@ public class DonePanel extends WizardPanelBase { try { cahost = config.getString("preop.ca.hostname", ""); caport = config.getInteger("preop.ca.httpsport", -1); - sdhost = config.getString("preop.securitydomain.host", ""); - sdport = config.getInteger("preop.securitydomain.httpsport", -1); + sdhost = config.getString("securitydomain.host", ""); + sdport = config.getInteger("securitydomain.httpseeport", -1); } catch (Exception e) { } @@ -589,8 +640,7 @@ public class DonePanel extends WizardPanelBase { return "CA-" + host + "-" + port; } - private void updateConnectorInfo(String ownhost, String ownsport, - String sd_host, String sd_port) + private void updateConnectorInfo(String ownagenthost, String ownagentsport) throws IOException { IConfigStore cs = CMS.getConfigStore(); int port = -1; @@ -614,7 +664,7 @@ public class DonePanel extends WizardPanelBase { } else { CMS.debug("DonePanel: Transport certificate is being setup in " + url); String session_id = CMS.getConfigSDSessionId(); - String content = "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host="+ownhost+"&ca.connector.KRA.port="+ownsport+"&ca.connector.KRA.transportCert="+URLEncoder.encode(transportCert)+"&sessionID="+session_id; + String content = "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host="+ownagenthost+"&ca.connector.KRA.port="+ownagentsport+"&ca.connector.KRA.transportCert="+URLEncoder.encode(transportCert)+"&sessionID="+session_id; updateConnectorInfo(host, port, true, content); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java index ce9142ca7..b78b98b82 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java 
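Review bot: `URLEncoder.encode(transportCert)` on the rewritten `content` line is the one-argument form that encodes with the platform default charset; the two-argument `URLEncoder.encode(transportCert, "UTF-8")`, which NamePanel already uses for `pkcs10` in its @@ -428 hunk, makes the encoding explicit. The commit touches this line only to rename the host and port variables, so the change is cheap to fold in. `updateConnectorInfo` begins in the previous hunk and continues past this one.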
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java @@ -126,7 +126,7 @@ public class GetCookie extends CMSServlet { header.addStringValue("subsystem", subsystem); header.addStringValue("url", url_e); header.addStringValue("errorString", "Failed Authentication"); - String sdname = cs.getString("preop.securitydomain.name", ""); + String sdname = cs.getString("securitydomain.name", ""); header.addStringValue("sdname", sdname); CMS.debug("mErrorFormPath=" + mErrorFormPath); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java index ef08b05cd..3f2ccc8c8 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java @@ -133,8 +133,8 @@ public class ImportAdminCertPanel extends WizardPanelBase { if (ca == null) { if (type.equals("otherca")) { try { - caHost = cs.getString("preop.securitydomain.host", ""); - caPort = cs.getString("preop.securitydomain.httpsport", ""); + caHost = cs.getString("securitydomain.host", ""); + caPort = cs.getString("securitydomain.httpseeport", ""); } catch (Exception e) {} } else if (type.equals("sdca")) { try { @@ -142,6 +142,12 @@ public class ImportAdminCertPanel extends WizardPanelBase { caPort = cs.getString("preop.ca.httpsport", ""); } catch (Exception e) {} } + } else { + // Provide default Security Domain values for 'caHost' and 'caPort' + try { + caHost = cs.getString("securitydomain.host", ""); + caPort = cs.getString("securitydomain.httpseeport", ""); + } catch (Exception e) {} } String pkcs7 = ""; diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java index 02614f2ec..3b76b6972 100755 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java 
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java @@ -99,6 +99,10 @@ public class ImportCAChainPanel extends WizardPanelBase { context.put("import", "true"); IConfigStore cs = CMS.getConfigStore(); + try { + context.put("machineName", cs.getString("machineName")); + context.put("https_port", CMS.getEESSLPort()); + } catch (EBaseException e) {} ISubsystem ca = (ISubsystem) CMS.getSubsystem("ca"); @@ -141,7 +145,12 @@ public class ImportCAChainPanel extends WizardPanelBase { Context context) { /* This should never be called */ - context.put("title", "Import CA's Certificate Chain"); - context.put("panel", "admin/console/config/importcachainpanel.vm"); + IConfigStore cs = CMS.getConfigStore(); + try { + context.put("machineName", cs.getString("machineName")); + context.put("https_port", CMS.getEESSLPort()); + context.put("title", "Import CA's Certificate Chain"); + context.put("panel", "admin/console/config/importcachainpanel.vm"); + } catch (EBaseException e) {} } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java index 75a524e5a..8b5554593 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java 
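Review bot: Moving `context.put("title", ...)` and `context.put("panel", ...)` inside the new try block in displayError() means that when `cs.getString("machineName")` throws EBaseException the error page gets neither a title nor a panel template, a regression from the old unconditional puts. Keep the two puts outside the try, i.e. `context.put("title", "Import CA's Certificate Chain");` and `context.put("panel", "admin/console/config/importcachainpanel.vm");` after the catch. The same machineName/https_port pair is added to display() in the first hunk of this file; a small private helper called from both would keep them in step.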
@@ -192,20 +192,20 @@ public class NamePanel extends WizardPanelBase { } try { - domainname = config.getString("preop.securitydomain.name", ""); + domainname = config.getString("securitydomain.name", ""); String certTags = config.getString("preop.cert.list"); // same token for now String token = config.getString(PRE_CONF_CA_TOKEN); StringTokenizer st = new StringTokenizer(certTags, ","); - String domaintype = config.getString("preop.securitydomain.select"); + String domaintype = config.getString("securitydomain.select"); int count = 0; String host = ""; - int sport = -1; + int sd_admin_port = -1; if (domaintype.equals("existing")) { - host = config.getString("preop.securitydomain.host", ""); - sport = config.getInteger("preop.securitydomain.httpsport", -1); - count = getSubsystemCount(host, sport, true, cstype); + host = config.getString("securitydomain.host", ""); + sd_admin_port = config.getInteger("securitydomain.httpsadminport", -1); + count = getSubsystemCount(host, sd_admin_port, true, cstype); } while (st.hasMoreTokens()) { @@ -237,7 +237,7 @@ public class NamePanel extends WizardPanelBase { //o_sd is to add o=secritydomainname boolean o_sd = config.getBoolean(PCERT_PREFIX + certTag + "o_securitydomain", true); - domainname = config.getString("preop.securitydomain.name", ""); + domainname = config.getString("securitydomain.name", ""); CMS.debug("NamePanel: display() override is "+override); CMS.debug("NamePanel: display() o_securitydomain is "+o_sd); CMS.debug("NamePanel: display() domainname is "+domainname); @@ -276,8 +276,8 @@ public class NamePanel extends WizardPanelBase { CMS.debug("NamePanel: " + e.toString()); } - CMS.debug("NamePanel: Ready to get urls"); - Vector v = getUrlListFromSecurityDomain(config, "CA"); + CMS.debug("NamePanel: Ready to get SSL EE HTTPS urls"); + Vector v = getUrlListFromSecurityDomain(config, "CA", "SecurePort"); v.addElement("External CA"); StringBuffer list = new StringBuffer(); int size = v.size(); 
@@ -416,10 +416,10 @@ public class NamePanel extends WizardPanelBase { String profileId = config.getString(PCERT_PREFIX+certTag+".profile"); String session_id = CMS.getConfigSDSessionId(); String sd_hostname = ""; - int sd_port = -1; + int sd_ee_port = -1; try { - sd_hostname = config.getString("preop.securitydomain.host", ""); - sd_port = config.getInteger("preop.securitydomain.httpsport", -1); + sd_hostname = config.getString("securitydomain.host", ""); + sd_ee_port = config.getInteger("securitydomain.httpseeport", -1); } catch (Exception ee) { CMS.debug("NamePanel: configCert() exception caught:"+ee.toString()); } @@ -428,7 +428,7 @@ public class NamePanel extends WizardPanelBase { String securePort = config.getString("service.securePort", ""); if (certTag.equals("subsystem")) { String content = "requestor_name=" + sysType + "-" + machineName + "-" + securePort + "&profileId="+profileId+"&cert_request_type=pkcs10&cert_request="+URLEncoder.encode(pkcs10, "UTF-8")+"&xmlOutput=true&sessionID="+session_id; - cert = CertUtil.createRemoteCert(sd_hostname, sd_port, + cert = CertUtil.createRemoteCert(sd_hostname, sd_ee_port, content, response, this); if (cert == null) { throw new IOException("Error: remote certificate is null"); @@ -716,7 +716,7 @@ public class NamePanel extends WizardPanelBase { } else { CMS.debug("NamePanel: local CA selected"); select = "sdca"; - // parse URL (CA1 - http://...) + // parse URL (CA1 - https://...) url = url.substring(url.indexOf("https")); config.putString("preop.ca.url", url); 
@@ -805,23 +805,23 @@ public class NamePanel extends WizardPanelBase { CMS.debug("NamePanel: update() done"); } - private void sdca(HttpServletRequest request, Context context, String hostname, String httpPortStr) throws IOException { + private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException { CMS.debug("NamePanel update: this is the CA in the security domain."); - CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpPortStr); + CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpsPortStr); IConfigStore config = CMS.getConfigStore(); context.put("sdcaHostname", hostname); - context.put("sdHttpPort", httpPortStr); + context.put("sdHttpPort", httpsPortStr); if (hostname == null || hostname.length() == 0) { context.put("errorString", "Hostname is null"); throw new IOException("Hostname is null"); } - int httpport = -1; + int httpsport = -1; try { - httpport = Integer.parseInt(httpPortStr); + httpsport = Integer.parseInt(httpsPortStr); } catch (Exception e) { CMS.debug( "NamePanel update: Http port is not valid. Exception: " @@ -830,10 +830,11 @@ public class NamePanel extends WizardPanelBase { } config.putString("preop.ca.hostname", hostname); - config.putString("preop.ca.httpsport", httpPortStr); + config.putString("preop.ca.httpsport", httpsPortStr); ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - updateCertChain(config, "ca", hostname, httpport, true, context, - certApprovalCallback); + updateCertChainUsingSecureEEPort( config, "ca", hostname, + httpsport, true, context, + certApprovalCallback ); try { CMS.debug("Importing CA chain"); importCertChain("ca"); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 13fb58ef9..9ae5689ad 100644 
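Review bot: The rename from httpPortStr to httpsPortStr stops short of the context key in `context.put("sdHttpPort", httpsPortStr)` and the debug text "Http port is not valid", so sdca() now says https on one line and http on the next. If the template key has to stay for compatibility, a comment `// context key kept as "sdHttpPort" for the template; the value is the HTTPS port` would make that deliberate. `updateCertChainUsingSecureEEPort` is not defined in any hunk visible here; presumably it is added elsewhere in this commit, and it is worth confirming it exists next to `getCertChainUsingSecureEEPort` in WizardPanelBase. sdca() continues into the second hunk and past it.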
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java @@ -348,8 +348,8 @@ public class RestoreKeyCertPanel extends WizardPanelBase { String master_hostname = ""; int master_port = -1; try { - sd_hostname = config.getString("preop.securitydomain.host", ""); - sd_port = config.getInteger("preop.securitydomain.httpsport", -1); + sd_hostname = config.getString("securitydomain.host", ""); + sd_port = config.getInteger("securitydomain.httpseeport", -1); master_hostname = config.getString("preop.master.hostname", ""); master_port = config.getInteger("preop.master.httpsport", -1); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java index 73ab1b07f..bb4dba978 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java @@ -96,12 +96,14 @@ public class SecurityDomainPanel extends WizardPanelBase { context.put("title", "Security Domain"); IConfigStore config = CMS.getConfigStore(); String errorString = ""; - String url = ""; + String admin_url = ""; String name = ""; + String cstype = ""; try { - url = config.getString("preop.securitydomain.url", ""); + admin_url = config.getString("preop.securitydomain.admin_url", ""); name = config.getString("preop.securitydomain.name", ""); + cstype = config.getString("cs.type", ""); } catch (Exception e) { CMS.debug(e.toString()); } 
@@ -130,70 +132,60 @@ public class SecurityDomainPanel extends WizardPanelBase { context.put("panelname", "Security Domain Configuration"); context.put("systemname", config.getString("preop.system.name")); context.put("machineName", config.getString("machineName")); - context.put("https_port", CMS.getEESSLPort()); - context.put("http_port", CMS.getEENonSSLPort()); + context.put("http_ee_port", CMS.getEENonSSLPort()); + context.put("https_agent_port", CMS.getAgentPort()); + context.put("https_ee_port", CMS.getEESSLPort()); + context.put("https_admin_port", CMS.getAdminPort()); + context.put("sdomainAdminURL", admin_url); } catch (EBaseException e) {} context.put("panel", "admin/console/config/securitydomainpanel.vm"); context.put("errorString", errorString); - if (url != null) { - String r = null; - - try { - URL u = new URL(url); - - String hostname = u.getHost(); - int port = u.getPort(); - ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - r = pingCS(hostname, port, true, certApprovalCallback); - } catch (Exception e) { - CMS.debug("SecurityDomainPanel: exception caught: "+e.toString()); - } - - if (r != null) { - CMS.debug("SecurityDomainPanel: pingCS returns: "+r); - context.put("sdomainURL", url); - } else { - CMS.debug("SecurityDomainPanel: pingCS no successful response"); - context.put("sdomainURL", ""); - } - } - - // from url, find hostname, if fully qualified, get network + // from admin_url, find hostname, if fully qualified, get network // domain name and generate default security domain name - if (name.equals("") && (url != null)) { + if (name.equals("") && (admin_url != null)) { try { - URL u = new URL(url); + URL u = new URL(admin_url); String hostname = u.getHost(); StringTokenizer st = new StringTokenizer(hostname, "."); - boolean first = true; - int numTokens = st.countTokens(); - int count = 0; - String defaultDomain = ""; - StringBuffer sb = new StringBuffer(); - while (st.hasMoreTokens()) { - count++; - String 
n = st.nextToken(); - if (first) { //skip the hostname - first = false; - continue; + boolean first = true; + int numTokens = st.countTokens(); + int count = 0; + String defaultDomain = ""; + StringBuffer sb = new StringBuffer(); + while (st.hasMoreTokens()) { + count++; + String n = st.nextToken(); + if (first) { //skip the hostname + first = false; + continue; } - if (count == numTokens) // skip the last element (e.g. com) - continue; - sb.append((defaultDomain.length()==0)? "":" "); - sb.append(capitalize(n)); - } - defaultDomain = sb.toString() + " "+ "Domain"; - name = defaultDomain; - CMS.debug("SecurityDomainPanel: defaultDomain generated:"+ name); + if (count == numTokens) // skip the last element (e.g. com) + continue; + sb.append((defaultDomain.length()==0)? "":" "); + sb.append(capitalize(n)); + } + defaultDomain = sb.toString() + " "+ "Domain"; + name = defaultDomain; + CMS.debug("SecurityDomainPanel: defaultDomain generated:"+ name); } catch (MalformedURLException e) { errorString = "Malformed URL"; - // not being able to come up with default domain name is ok + // not being able to come up with default domain name is ok } } context.put("sdomainName", name); + + // Information for "existing" Security Domain CAs + String instanceId = "<security_domain_instance_name>"; + String os = System.getProperty( "os.name" ); + if( os.equalsIgnoreCase( "Linux" ) ) { + context.put( "initCommand", "/sbin/service " + instanceId ); + } else { + /* default case: e. g. - ( os.equalsIgnoreCase( "SunOS" ) */ + context.put( "initCommand", "/etc/init.d/" + instanceId ); + } } public static String capitalize(String s) { 
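Review bot: `System.getProperty( "os.name" )` can return null, and `os.equalsIgnoreCase( "Linux" )` then throws a NullPointerException out of display(); writing it as `"Linux".equalsIgnoreCase( os )` is null-safe. The same block is pasted again into displayError() in the @@ -381 hunk, so a `private void putInitCommand( Context context )` helper called from both would keep the two copies from drifting. The literal `"<security_domain_instance_name>"` is rendered into the page as part of initCommand; a one-line comment stating that this is an intentional placeholder for the reader to substitute would help the next maintainer. The method starts outside the hunk.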
@@ -219,10 +211,41 @@ public class SecurityDomainPanel extends WizardPanelBase { throw new IOException("Missing name value for the security domain"); } } else if (select.equals("existingdomain")) { - String url = HttpInput.getURL(request, "sdomainURL"); - if (url == null || url.equals("")) { - initParams(request, context); - throw new IOException("Missing url value for the security domain"); + CMS.debug( "SecurityDomainPanel: validating " + + "SSL Admin HTTPS . . ." ); + String admin_url = HttpInput.getURL( request, "sdomainURL" ); + if( admin_url == null || admin_url.equals("") ) { + initParams( request, context ); + throw new IOException( "Missing SSL Admin HTTPS url value " + + "for the security domain" ); + } else { + String r = null; + + try { + URL u = new URL( admin_url ); + + String hostname = u.getHost(); + int admin_port = u.getPort(); + ConfigCertApprovalCallback + certApprovalCallback = new ConfigCertApprovalCallback(); + r = pingCS( hostname, admin_port, true, + certApprovalCallback ); + } catch( Exception e ) { + CMS.debug( "SecurityDomainPanel: exception caught: " + + e.toString() ); + throw new IOException( "Illegal SSL Admin HTTPS url value " + + "for the security domain" ); + } + + if (r != null) { + CMS.debug("SecurityDomainPanel: pingAdminCS returns: " + + r ); + context.put( "sdomainURL", admin_url ); + } else { + CMS.debug( "SecurityDomainPanel: pingAdminCS " + + "no successful response for SSL Admin HTTPS" ); + context.put( "sdomainURL", "" ); + } } } } @@ -250,10 +273,10 @@ public class SecurityDomainPanel extends WizardPanelBase { name = ""; context.put("sdomainName", name); - String url = request.getParameter("sdomainURL"); - if (url == null) - url = ""; - context.put("sdomainURL", url); + String admin_url = request.getParameter("sdomainURL"); + if (admin_url == null) + admin_url = ""; + context.put("sdomainURL", admin_url); } /** 
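Review bot: When `pingCS` returns null the new validate() code logs and stores an empty `sdomainURL` but does not throw, so validation passes for an unreachable domain and update() proceeds with `admin_url` read straight from the request; the malformed-URL case directly above does throw. Throw in that branch as well, e.g. `throw new IOException( "SSL Admin HTTPS url for the security domain did not respond" );`. `u.getPort()` returns -1 when the URL carries no explicit port, and that value reaches pingCS unchecked; an `if( admin_port < 0 )` check before the ping gives a clearer message than a failed connection. validate() continues outside the hunk.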
@@ -274,22 +297,20 @@ public class SecurityDomainPanel extends WizardPanelBase { if (select.equals("newdomain")) { config.putString("preop.securitydomain.select", "new"); config.putString("securitydomain.select", "new"); - config.putString("preop.securitydomain.host", - CMS.getEENonSSLHost()); + config.putString("preop.securitydomain.name", + HttpInput.getDomainName(request, "sdomainName")); + config.putString("securitydomain.name", + HttpInput.getDomainName(request, "sdomainName")); config.putString("securitydomain.host", CMS.getEENonSSLHost()); - config.putString("preop.securitydomain.httpport", - CMS.getEENonSSLPort()); config.putString("securitydomain.httpport", CMS.getEENonSSLPort()); - config.putString("preop.securitydomain.httpsport", - CMS.getEESSLPort()); - config.putString("securitydomain.httpsport", + config.putString("securitydomain.httpsagentport", + CMS.getAgentPort()); + config.putString("securitydomain.httpseeport", CMS.getEESSLPort()); - config.putString("preop.securitydomain.name", - HttpInput.getDomainName(request, "sdomainName")); - config.putString("securitydomain.name", - HttpInput.getDomainName(request, "sdomainName")); + config.putString("securitydomain.httpsadminport", + CMS.getAdminPort()); // make sure the subsystem certificate is issued by the security // domain 
@@ -315,29 +336,25 @@ public class SecurityDomainPanel extends WizardPanelBase { config.putString("preop.cert.subsystem.type", "remote"); config.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert"); - String url = HttpInput.getURL(request, "sdomainURL"); + String admin_url = HttpInput.getURL(request, "sdomainURL"); String hostname = ""; - int port = -1; + int admin_port = -1; - if (url != null) { + if( admin_url != null ) { try { - URL u = new URL(url); + URL admin_u = new URL( admin_url ); - hostname = u.getHost(); - port = u.getPort(); - } catch (MalformedURLException e) { - errorString = "Malformed URL"; - throw new IOException(errorString); + hostname = admin_u.getHost(); + admin_port = admin_u.getPort(); + } catch( MalformedURLException e ) { + errorString = "Malformed SSL Admin HTTPS URL"; + throw new IOException( errorString ); } - - context.put("sdomainURL", url); - config.putString("preop.securitydomain.url", url); - config.putString("preop.securitydomain.host", hostname); - config.putString("securitydomain.host", hostname); - config.putInteger("preop.securitydomain.httpsport", port); - config.putInteger("securitydomain.httpsport", port); - } else { - config.putString("preop.securitydomain.url", ""); + + context.put( "sdomainURL", admin_url ); + config.putString( "securitydomain.host", hostname ); + config.putInteger( "securitydomain.httpsadminport", + admin_port ); } try { @@ -345,8 +362,8 @@ public class SecurityDomainPanel extends WizardPanelBase { } catch (EBaseException e) {} ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - updateCertChain(config, "securitydomain", hostname, port, true, - context, certApprovalCallback); + updateCertChain( config, "securitydomain", hostname, admin_port, + true, context, certApprovalCallback ); } else { CMS.debug("SecurityDomainPanel: invalid choice " + select); errorString = "Invalid choice"; 
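Review bot: With the old `else` branch removed, a null `admin_url` no longer produces an error in update(): execution continues with `hostname` empty and `admin_port` -1 into `updateCertChain`, and the `securitydomain.host`/`securitydomain.httpsadminport` keys are never written. Throw when `admin_url == null`, mirroring the malformed-URL path. The commit also drops the write of `preop.securitydomain.url`, yet display() and displayError() now read `preop.securitydomain.admin_url`, and no hunk shown here writes that key; unless it is set elsewhere in this commit the field will not be pre-populated on re-display, so `config.putString( "preop.securitydomain.admin_url", admin_url );` next to the other putString calls looks needed. The enclosing method starts outside the hunk.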
@@ -369,7 +386,7 @@ public class SecurityDomainPanel extends WizardPanelBase { } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, @@ -381,9 +398,24 @@ public class SecurityDomainPanel extends WizardPanelBase { } try { context.put("machineName", config.getString("machineName")); - context.put("https_port", CMS.getEESSLPort()); - context.put("http_port", CMS.getEENonSSLPort()); + context.put("http_ee_port", CMS.getEENonSSLPort()); + context.put("https_agent_port", CMS.getAgentPort()); + context.put("https_ee_port", CMS.getEESSLPort()); + context.put("https_admin_port", CMS.getAdminPort()); + context.put("sdomainAdminURL", + config.getString("preop.securitydomain.admin_url")); } catch (EBaseException e) {} + + // Information for "existing" Security Domain CAs + String instanceId = "<security_domain_instance_name>"; + String os = System.getProperty( "os.name" ); + if( os.equalsIgnoreCase( "Linux" ) ) { + context.put( "initCommand", "/sbin/service " + instanceId ); + } else { + /* default case: e. g. - ( os.equalsIgnoreCase( "SunOS" ) */ + context.put( "initCommand", "/etc/init.d/" + instanceId ); + } + context.put("title", "Security Domain"); context.put("panel", "admin/console/config/securitydomainpanel.vm"); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java index 2b9f7328b..e96d82bb1 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java 
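Review bot: `config.getString("preop.securitydomain.admin_url")` without a default throws EBaseException when the key is absent, which the empty catch swallows, leaving `sdomainAdminURL` unset on the error page, while display() in the @@ -96 hunk reads the same key with a `""` default. Use `config.getString("preop.securitydomain.admin_url", "")` here for consistency. The Javadoc typo fix is fine as is.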
@@ -244,6 +244,9 @@ public class UpdateDomainXML extends CMSServlet {
 String host = httpReq.getParameter("host");
 String name = httpReq.getParameter("name");
 String sport = httpReq.getParameter("sport");
+ String agentsport = httpReq.getParameter("agentsport");
+ String adminsport = httpReq.getParameter("adminsport");
+ String httpport = httpReq.getParameter("httpport");
 String domainmgr = httpReq.getParameter("dm");
 String clone = httpReq.getParameter("clone");
 String operation = httpReq.getParameter("operation");
@@ -268,7 +271,7 @@ public class UpdateDomainXML extends CMSServlet {
 ILdapConnFactory connFactory = null;
 LDAPConnection conn = null;
 String listName = type + "List";
- String cn = host + ":" + sport;
+ String cn = host + ":" + adminsport;
 String dn = "cn=" + cn + ",cn=" + listName + ",ou=Security Domain," + basedn;
 CMS.debug("UpdateDomainXML: updating LDAP entry: " + dn);
@@ -279,6 +282,9 @@ public class UpdateDomainXML extends CMSServlet {
 attrs.add(new LDAPAttribute("cn", cn));
 attrs.add(new LDAPAttribute("Host", host));
 attrs.add(new LDAPAttribute("SecurePort", sport));
+ attrs.add(new LDAPAttribute("SecureAgentPort", agentsport));
+ attrs.add(new LDAPAttribute("SecureAdminPort", adminsport));
+ attrs.add(new LDAPAttribute("UnSecurePort", httpport));
 attrs.add(new LDAPAttribute("DomainManager", domainmgr));
 attrs.add(new LDAPAttribute("clone", clone));
 attrs.add(new LDAPAttribute("SubsystemName", name));
@@ -286,7 +292,7 @@ public class UpdateDomainXML extends CMSServlet {
 if ((operation != null) && (operation.equals("remove"))) {
 status = remove_from_ldap(dn);
- String adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
+ String adminUserDN = "uid=" + type + "-" + host + "-" + adminsport + ",ou=People," + basedn;
 if (status.equals(SUCCESS)) {
 // remove the client cert for this subsystem's admin
 status = remove_from_ldap(adminUserDN);
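Review bot: `agentsport`, `adminsport` and `httpport` come straight from the request and are never checked for null before use: `String cn = host + ":" + adminsport;` yields an RDN of `host:null` for any caller that still omits the new parameter, and `new LDAPAttribute("SecureAgentPort", agentsport)` with a null value presumably fails as well. Reject the request when the new parameters are missing, e.g. `if (adminsport == null || agentsport == null || httpport == null) { ... return an error status ... }`, or fall back to `sport` for the cn if older registrants must keep working. Since `host` and `adminsport` are concatenated into `dn` and `adminUserDN`, escaping them as RFC 4514 DN components before building the strings would close a gap that existed for `host`/`sport` and that the commit extends. The servlet method starts and ends outside these hunks.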
@@ -327,9 +333,9 @@ public class UpdateDomainXML extends CMSServlet {
 Node nn = (Node) nodeList.item(i);
 Vector v_name = parser.getValuesFromContainer(nn, "SubsystemName");
 Vector v_host = parser.getValuesFromContainer(nn, "Host");
- Vector v_port = parser.getValuesFromContainer(nn, "SecurePort");
+ Vector v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort");
 if ((v_name.elementAt(0).equals(name)) && (v_host.elementAt(0).equals(host))
- && (v_port.elementAt(0).equals(sport))) {
+ && (v_adminport.elementAt(0).equals(adminsport))) {
 Node parent = nn.getParentNode();
 Node remNode = parent.removeChild(nn);
 count --;
@@ -342,6 +348,9 @@ public class UpdateDomainXML extends CMSServlet {
 parser.addItemToContainer(parent, "SubsystemName", name);
 parser.addItemToContainer(parent, "Host", host);
 parser.addItemToContainer(parent, "SecurePort", sport);
+ parser.addItemToContainer(parent, "SecureAgentPort", agentsport);
+ parser.addItemToContainer(parent, "SecureAdminPort", adminsport);
+ parser.addItemToContainer(parent, "UnSecurePort", httpport);
 parser.addItemToContainer(parent, "DomainManager", domainmgr);
 parser.addItemToContainer(parent, "Clone", clone);
 count ++;
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index cd0630491..6ebdc9df3 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
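Review bot: `v_adminport.elementAt(0)` throws ArrayIndexOutOfBoundsException for any existing domain.xml entry written before this commit, which has no `SecureAdminPort` element, and that aborts the whole update loop. Guard it, e.g. `String entryAdminPort = (v_adminport.size() > 0) ? (String) v_adminport.elementAt(0) : "";` and compare `entryAdminPort.equals(adminsport)` instead. The same pattern reappears with `v_port` in WizardPanelBase's @@ -905 hunk. The loop starts outside the hunk.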
@@ -284,11 +284,11 @@ public class WizardPanelBase implements IWizardPanel { } } - public int getSubsystemCount(String hostname, int port, boolean https, - String type) - throws IOException { + public int getSubsystemCount( String hostname, int https_admin_port, + boolean https, String type ) + throws IOException { CMS.debug("WizardPanelBase getSubsystemCount start"); - String c = getDomainXML(hostname, port, true); + String c = getDomainXML(hostname, https_admin_port, true); if (c != null) { try { ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); @@ -327,12 +327,12 @@ public class WizardPanelBase implements IWizardPanel { return -1; } - public String getDomainXML(String hostname, int port, boolean https) - throws IOException { + public String getDomainXML( String hostname, int https_admin_port, + boolean https ) + throws IOException { CMS.debug("WizardPanelBase getDomainXML start"); - String c = getHttpResponse(hostname, port, https, "/ca/ee/ca/getDomainXML", - null, null); - + String c = getHttpResponse( hostname, https_admin_port, https, + "/ca/admin/ca/getDomainXML", null, null ); if (c != null) { try { ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); 
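Review bot: getDomainXML now requests `/ca/admin/ca/getDomainXML`, but nothing documents that its port argument must be the SSL admin port, and the `https` parameter is still ignored because `true` is hard-coded in the `getHttpResponse` call; the same holds for getSubsystemCount. Add a Javadoc on getDomainXML along the lines of `Fetches domain.xml from the security domain CA over the SSL admin port; https_admin_port must be that CA's admin HTTPS port. The https flag is currently ignored and TLS is always used.` and a matching note on getSubsystemCount. Either honour `https` or drop the parameter so the signature does not promise a choice it does not offer. Both methods continue outside their hunks.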
@@ -440,12 +440,16 @@ public class WizardPanelBase implements IWizardPanel { } } - public String getCertChain(String hostname, int port, boolean https, - ConfigCertApprovalCallback certApprovalCallback) - throws IOException { - CMS.debug("WizardPanelBase getCertChain start"); - String c = getHttpResponse(hostname, port, https, - "/ca/ee/ca/getCertChain", null, null, certApprovalCallback); + public String getCertChainUsingSecureAdminPort( String hostname, + int https_admin_port, + boolean https, + ConfigCertApprovalCallback + certApprovalCallback ) + throws IOException { + CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort start"); + String c = getHttpResponse( hostname, https_admin_port, https, + "/ca/admin/ca/getCertChain", null, null, + certApprovalCallback ); if (c != null) { try { @@ -455,21 +459,21 @@ public class WizardPanelBase implements IWizardPanel { try { parser = new XMLObject(bis); } catch (Exception e) { - CMS.debug( "WizardPanelBase::getCertChain() - " + CMS.debug( "WizardPanelBase::getCertChainUsingSecureAdminPort() - " + "Exception="+e.toString() ); throw new IOException( e.toString() ); } String status = parser.getValue("Status"); - CMS.debug("WizardPanelBase getCertChain: status=" + status); + CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort: status=" + status); if (status.equals(SUCCESS)) { String certchain = parser.getValue("ChainBase64"); certchain = CryptoUtil.normalizeCertStr(certchain); CMS.debug( - "WizardPanelBase getCertChain: certchain=" + "WizardPanelBase getCertChainUsingSecureAdminPort: certchain=" + certchain); return certchain; } else { 
@@ -478,10 +482,63 @@ public class WizardPanelBase implements IWizardPanel { throw new IOException(error); } } catch (IOException e) { - CMS.debug("WizardPanelBase: getCertChain: " + e.toString()); + CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString()); throw e; } catch (Exception e) { - CMS.debug("WizardPanelBase: getCertChain: " + e.toString()); + CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString()); + throw new IOException(e.toString()); + } + } + + return null; + } + + public String getCertChainUsingSecureEEPort( String hostname, + int https_ee_port, + boolean https, + ConfigCertApprovalCallback + certApprovalCallback ) + throws IOException { + CMS.debug("WizardPanelBase getCertChainUsingSecureEEPort start"); + String c = getHttpResponse( hostname, https_ee_port, https, + "/ca/ee/ca/getCertChain", null, null, + certApprovalCallback ); + + if (c != null) { + try { + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + XMLObject parser = null; + + try { + parser = new XMLObject(bis); + } catch (Exception e) { + CMS.debug( "WizardPanelBase::getCertChainUsingSecureEEPort() - " + + "Exception="+e.toString() ); + throw new IOException( e.toString() ); + } + + String status = parser.getValue("Status"); + + CMS.debug("WizardPanelBase getCertChainUsingSecureEEPort: status=" + status); + + if (status.equals(SUCCESS)) { + String certchain = parser.getValue("ChainBase64"); + + certchain = CryptoUtil.normalizeCertStr(certchain); + CMS.debug( + "WizardPanelBase getCertChainUsingSecureEEPort: certchain=" + + certchain); + return certchain; + } else { + String error = parser.getValue("Error"); + + throw new IOException(error); + } + } catch (IOException e) { + CMS.debug("WizardPanelBase: getCertChainUsingSecureEEPort: " + e.toString()); + throw e; + } catch (Exception e) { + CMS.debug("WizardPanelBase: getCertChainUsingSecureEEPort: " + e.toString()); throw new IOException(e.toString()); } } 
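Review bot: The new getCertChainUsingSecureEEPort is a line-for-line copy of getCertChainUsingSecureAdminPort from the previous hunk, differing only in the request path and the method name in the debug strings; two copies of the XML parsing, status check and error mapping will drift the next time one is fixed. Fold the body into one private helper that takes the URI and a label for the debug messages, and make the two public methods thin wrappers, as sketched below. The existing behaviour (IOException on parse failure, on a non-SUCCESS status, and on any other exception) is unchanged by the refactor.
```java
    /* Shared body of the two public getCertChainUsing*Port methods: fetch
       <uri> from hostname:port and return the normalized ChainBase64 value,
       or throw IOException with the server's Error text. */
    private String getCertChainFrom( String hostname, int port, boolean https,
                                     String uri, String label,
                                     ConfigCertApprovalCallback certApprovalCallback )
            throws IOException {
        CMS.debug("WizardPanelBase " + label + " start");
        String c = getHttpResponse( hostname, port, https, uri, null, null,
                                    certApprovalCallback );
        // … unchanged: parse c into XMLObject, check Status, normalize ChainBase64,
        //   IOException/Exception handling (debug text uses label) …
    }

    public String getCertChainUsingSecureAdminPort( String hostname, int https_admin_port,
            boolean https, ConfigCertApprovalCallback certApprovalCallback )
            throws IOException {
        return getCertChainFrom( hostname, https_admin_port, https,
                                 "/ca/admin/ca/getCertChain",
                                 "getCertChainUsingSecureAdminPort", certApprovalCallback );
    }

    public String getCertChainUsingSecureEEPort( String hostname, int https_ee_port,
            boolean https, ConfigCertApprovalCallback certApprovalCallback )
            throws IOException {
        return getCertChainFrom( hostname, https_ee_port, https,
                                 "/ca/ee/ca/getCertChain",
                                 "getCertChainUsingSecureEEPort", certApprovalCallback );
    }
```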
@@ -860,15 +917,17 @@ public class WizardPanelBase implements IWizardPanel { return c; } - public Vector getMasterUrlListFromSecurityDomain(IConfigStore config, String type) { + public Vector getMasterUrlListFromSecurityDomain( IConfigStore config, + String type, + String portType ) { Vector v = new Vector(); try { - String hostname = config.getString("preop.securitydomain.host"); - int httpsport = config.getInteger("preop.securitydomain.httpsport"); + String hostname = config.getString("securitydomain.host"); + int httpsadminport = config.getInteger("securitydomain.httpsadminport"); CMS.debug("Getting domain.xml from CA..."); - String c = getDomainXML(hostname, httpsport, true); + String c = getDomainXML(hostname, httpsadminport, true); String list = ""; CMS.debug("Type " + type); @@ -882,13 +941,23 @@ public class WizardPanelBase implements IWizardPanel { list = "TKSList"; } + CMS.debug( "Getting " + portType + " from Security Domain ..." ); + if( !portType.equals( "UnSecurePort" ) && + !portType.equals( "SecureAgentPort" ) && + !portType.equals( "SecurePort" ) && + !portType.equals( "SecureAdminPort" ) ) { + CMS.debug( "getPortFromSecurityDomain: " + + "unknown port type " + portType ); + return v; + } + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); XMLObject parser = new XMLObject(bis); Document doc = parser.getDocument(); NodeList nodeList = doc.getElementsByTagName(type); // save domain name in cfg - config.putString("preop.securitydomain.name", + config.putString("securitydomain.name", parser.getValue("Name")); int len = nodeList.getLength(); 
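Review bot: The `portType` allow-list check in `getMasterUrlListFromSecurityDomain` runs only after `getDomainXML(hostname, httpsadminport, true)` has already made the TLS round trip to the domain CA, and its debug text names `getPortFromSecurityDomain`, which is not this method. Move the four-way `equals` test to the top of the `try`, before the network call, and label the message `getMasterUrlListFromSecurityDomain`. Keeping the check itself is right: `portType` is later handed to `getValuesFromContainer` as an element name, so only the four known names should reach it.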
@@ -905,11 +974,13 @@ public class WizardPanelBase implements IWizardPanel { Vector v_host = parser.getValuesFromContainer(nodeList.item(i), "Host"); Vector v_port = parser.getValuesFromContainer(nodeList.item(i), - "SecurePort"); + portType); - v.addElement( - v_name.elementAt(0) + " - https://" + v_host.elementAt(0) - + ":" + v_port.elementAt(0)); + v.addElement( v_name.elementAt(0) + + " - https://" + + v_host.elementAt(0) + + ":" + + v_port.elementAt(0) ); } } catch (Exception e) { CMS.debug(e.toString()); @@ -918,18 +989,20 @@ public class WizardPanelBase implements IWizardPanel { return v; } - public Vector getUrlListFromSecurityDomain(IConfigStore config, String type) { + public Vector getUrlListFromSecurityDomain( IConfigStore config, + String type, + String portType ) { Vector v = new Vector(); try { - String hostname = config.getString("preop.securitydomain.host"); - int httpsport = config.getInteger("preop.securitydomain.httpsport"); + String hostname = config.getString("securitydomain.host"); + int httpsadminport = config.getInteger("securitydomain.httpsadminport"); CMS.debug("Getting domain.xml from CA..."); - String c = getDomainXML(hostname, httpsport, true); + String c = getDomainXML(hostname, httpsadminport, true); String list = ""; - CMS.debug("Type " + type); + CMS.debug("Subsystem Type " + type); if (type.equals("CA")) { list = "CAList"; } else if (type.equals("KRA")) { 
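Review bot: `v_port.elementAt(0)` on the line that now uses `portType` throws `ArrayIndexOutOfBoundsException` for any subsystem entry that lacks that element, and the migration code in this same commit deliberately stores no `UnSecurePort` for pre-existing entries; the exception escapes the loop into `catch (Exception e)`, so the caller receives a silently truncated list with only a debug line as evidence. Guard each entry before indexing, e.g. `if (v_name.isEmpty() || v_host.isEmpty() || v_port.isEmpty()) { CMS.debug("getMasterUrlListFromSecurityDomain: entry " + i + " lacks " + portType); continue; }`. The method's closing lines run past this hunk.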
@@ -940,13 +1013,23 @@ public class WizardPanelBase implements IWizardPanel { list = "TKSList"; } + CMS.debug( "Getting " + portType + " from Security Domain ..." ); + if( !portType.equals( "UnSecurePort" ) && + !portType.equals( "SecureAgentPort" ) && + !portType.equals( "SecurePort" ) && + !portType.equals( "SecureAdminPort" ) ) { + CMS.debug( "getPortFromSecurityDomain: " + + "unknown port type " + portType ); + return v; + } + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); XMLObject parser = new XMLObject(bis); Document doc = parser.getDocument(); NodeList nodeList = doc.getElementsByTagName(type); // save domain name in cfg - config.putString("preop.securitydomain.name", + config.putString("securitydomain.name", parser.getValue("Name")); int len = nodeList.getLength(); @@ -958,11 +1041,13 @@ public class WizardPanelBase implements IWizardPanel { Vector v_host = parser.getValuesFromContainer(nodeList.item(i), "Host"); Vector v_port = parser.getValuesFromContainer(nodeList.item(i), - "SecurePort"); + portType); - v.addElement( - v_name.elementAt(0) + " - https://" + v_host.elementAt(0) - + ":" + v_port.elementAt(0)); + v.addElement( v_name.elementAt(0) + + " - https://" + + v_host.elementAt(0) + + ":" + + v_port.elementAt(0) ); } } catch (Exception e) { CMS.debug(e.toString()); 
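Review bot: As in the master-list variant, the `portType` allow-list in `getUrlListFromSecurityDomain` sits after the `getDomainXML` call, so an unknown port type still costs a full TLS fetch of domain.xml before it is rejected, and the debug message again names `getPortFromSecurityDomain`. Hoist the check above `getDomainXML(hostname, httpsadminport, true)` and name the right method in the message.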
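Review bot: `v_port.elementAt(0)` in `getUrlListFromSecurityDomain` has no emptiness check, so a domain entry without the requested `portType` element (the migration in this commit writes none for `UnSecurePort`) throws and drops every remaining entry into the catch block. Add `if (v_port.isEmpty()) { CMS.debug("getUrlListFromSecurityDomain: entry " + i + " lacks " + portType); continue; }` before the URL string is assembled. The tail of the method lies outside the hunk.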
@@ -971,37 +1056,105 @@ public class WizardPanelBase implements IWizardPanel { return v; } - public String pingCS(String hostname, int port, boolean https, - SSLCertificateApprovalCallback certApprovalCallback) + public String getSecurityDomainPort( IConfigStore config, + String portType ) { + String port = new String(); + + try { + String hostname = config.getString( "securitydomain.host" ); + int httpsadminport = + config.getInteger( "securitydomain.httpsadminport" ); + + CMS.debug( "Getting domain.xml from CA ..." ); + String c = getDomainXML( hostname, httpsadminport, true ); + + CMS.debug( "Getting " + portType + " from Security Domain ..." ); + if( !portType.equals( "UnSecurePort" ) && + !portType.equals( "SecureAgentPort" ) && + !portType.equals( "SecurePort" ) && + !portType.equals( "SecureAdminPort" ) ) { + CMS.debug( "getPortFromSecurityDomain: " + + "unknown port type " + portType ); + return ""; + } + + ByteArrayInputStream bis = new ByteArrayInputStream( c.getBytes() ); + XMLObject parser = new XMLObject( bis ); + Document doc = parser.getDocument(); + NodeList nodeList = doc.getElementsByTagName( "CA" ); + + int len = nodeList.getLength(); + for( int i = 0; i < len; i++ ) { + Vector v_admin_port = + parser.getValuesFromContainer( nodeList.item(i), + "SecureAdminPort" ); + + Vector v_port = null; + if( portType.equals( "UnSecurePort" ) ) { + v_port = parser.getValuesFromContainer( nodeList.item(i), + "UnSecurePort" ); + } else if( portType.equals( "SecureAgentPort" ) ) { + v_port = parser.getValuesFromContainer( nodeList.item(i), + "SecureAgentPort" ); + } else if( portType.equals( "SecurePort" ) ) { + v_port = parser.getValuesFromContainer( nodeList.item(i), + "SecurePort" ); + } else if( portType.equals( "SecureAdminPort" ) ) { + v_port = parser.getValuesFromContainer( nodeList.item(i), + "SecureAdminPort" ); + } + + if( ( v_port != null ) && + ( v_admin_port.elementAt( 0 ).equals( + Integer.toString( httpsadminport ) ) ) ) { + port = 
v_port.elementAt( 0 ).toString(); + break; + } + } + } catch (Exception e) { + CMS.debug( e.toString() ); + } + + return( port ); + } + + public String pingCS( String hostname, int port, boolean https, + SSLCertificateApprovalCallback certApprovalCallback ) throws IOException { - CMS.debug("WizardPanelBase pingCS start"); - String c = getHttpResponse(hostname, port, https, "/ca/ee/ca/getStatus", - null, null, certApprovalCallback); + CMS.debug( "WizardPanelBase pingCS: started" ); - if (c != null) { + String c = getHttpResponse( hostname, port, https, + "/ca/admin/ca/getStatus", + null, null, certApprovalCallback ); + + if( c != null ) { try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + ByteArrayInputStream bis = new + ByteArrayInputStream( c.getBytes() ); XMLObject parser = null; - String state = null; + String state = null; try { - parser = new XMLObject(bis); - CMS.debug("WizardPanelBase pingCS: got XML parsed"); - state = parser.getValue("State"); + parser = new XMLObject( bis ); + CMS.debug( "WizardPanelBase pingCS: got XML parsed" ); + state = parser.getValue( "State" ); - if (state != null) - CMS.debug("WizardPanelBase pingCS: state=" + state); + if( state != null ) { + CMS.debug( "WizardPanelBase pingCS: state=" + state ); + } } catch (Exception e) { - CMS.debug("WizardPanelBase: pingCS: parser failed" + e.toString()); - } + CMS.debug( "WizardPanelBase: pingCS: parser failed" + + e.toString() ); + } - return state; - } catch (Exception e) { - CMS.debug("WizardPanelBase: pingCS: " + e.toString()); - throw new IOException(e.toString()); + return state; + } catch( Exception e ) { + CMS.debug( "WizardPanelBase: pingCS: " + e.toString() ); + throw new IOException( e.toString() ); } } + CMS.debug( "WizardPanelBase pingCS: stopped" ); return null; } 
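Review bot: `getSecurityDomainPort` selects the CA entry whose `SecureAdminPort` equals the configured `securitydomain.httpsadminport` but never compares the entry's `Host` with `securitydomain.host`, so in a domain with several CAs on different hosts that share the default admin port (the templates in this commit use 9445) the first entry in domain.xml wins and the returned port may belong to another host. Compare `Host` as well — the list methods above already read that element — and guard `elementAt(0)`, since migrated entries may lack the new port attributes. The `if/else if` ladder over `portType` only re-derives the name that already passed the allow-list, so `getValuesFromContainer(nodeList.item(i), portType)` can replace it. The silent `return ""` from the catch hands callers an empty port with only a debug trace; at least log which lookup failed.
```java
// … unchanged: fetch domain.xml, allow-list check on portType, parse into nodeList …
int len = nodeList.getLength();
for( int i = 0; i < len; i++ ) {
    Vector v_host = parser.getValuesFromContainer( nodeList.item(i), "Host" );
    Vector v_admin_port = parser.getValuesFromContainer( nodeList.item(i), "SecureAdminPort" );
    // portType already passed the allow-list above, so it is safe to use as an element name.
    Vector v_port = parser.getValuesFromContainer( nodeList.item(i), portType );
    if( v_host.isEmpty() || v_admin_port.isEmpty() || v_port.isEmpty() ) {
        // Migrated entries carry no UnSecurePort; skip rather than throw out of the loop.
        CMS.debug( "getSecurityDomainPort: CA entry " + i + " lacks Host/SecureAdminPort/" + portType );
        continue;
    }
    // Match on host AND admin port: several CAs may share the default admin port number.
    if( hostname.equalsIgnoreCase( v_host.elementAt( 0 ).toString() ) &&
        Integer.toString( httpsadminport ).equals( v_admin_port.elementAt( 0 ).toString() ) ) {
        port = v_port.elementAt( 0 ).toString();
        break;
    }
}
// … unchanged: catch, return( port ) …
```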
@@ -1021,12 +1174,12 @@ public class WizardPanelBase implements IWizardPanel { } public void getTokenInfo(IConfigStore config, String type, String host, - int port, boolean https, Context context, + int https_ee_port, boolean https, Context context, ConfigCertApprovalCallback certApprovalCallback) throws IOException { CMS.debug("WizardPanelBase getTokenInfo start"); String uri = "/"+type+"/ee/"+type+"/getTokenInfo"; CMS.debug("WizardPanelBase getTokenInfo: uri="+uri); - String c = getHttpResponse(host, port, https, uri, null, null, + String c = getHttpResponse(host, https_ee_port, https, uri, null, null, certApprovalCallback); if (c != null) { try { 
@@ -1127,14 +1280,65 @@ public class WizardPanelBase implements IWizardPanel { } public void updateCertChain(IConfigStore config, String name, String host, - int port, boolean https, Context context) throws IOException { - updateCertChain(config, name, host, port, https, context, null); + int https_admin_port, boolean https, Context context) throws IOException { + updateCertChain( config, name, host, https_admin_port, + https, context, null ); } public void updateCertChain(IConfigStore config, String name, String host, - int port, boolean https, Context context, + int https_admin_port, boolean https, Context context, ConfigCertApprovalCallback certApprovalCallback) throws IOException { - String certchain = getCertChain(host, port, https, certApprovalCallback); + String certchain = getCertChainUsingSecureAdminPort( host, + https_admin_port, + https, + certApprovalCallback ); + config.putString("preop."+name+".pkcs7", certchain); + + byte[] decoded = CryptoUtil.base64Decode(certchain); + java.security.cert.X509Certificate[] b_certchain = null; + + try { + b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded); + } catch (Exception e) { + context.put("errorString", + "Failed to get the certificate chain."); + return; + } + + int size = 0; + if (b_certchain != null) { + size = b_certchain.length; + } + config.putInteger("preop."+name+".certchain.size", size); + for (int i = 0; i < size; i++) { + byte[] bb = null; + + try { + bb = b_certchain[i].getEncoded(); + } catch (Exception e) { + context.put("errorString", + "Failed to get the der-encoded certificate chain."); + return; + } + config.putString("preop."+name+".certchain." 
+ i, + CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb))); + } + + try { + config.commit(false); + } catch (EBaseException e) { + } + } + + public void updateCertChainUsingSecureEEPort( IConfigStore config, + String name, String host, + int https_ee_port, + boolean https, + Context context, + ConfigCertApprovalCallback certApprovalCallback ) throws IOException { + String certchain = getCertChainUsingSecureEEPort( host, https_ee_port, + https, + certApprovalCallback); config.putString("preop."+name+".pkcs7", certchain); byte[] decoded = CryptoUtil.base64Decode(certchain); @@ -1238,13 +1442,15 @@ public class WizardPanelBase implements IWizardPanel { public void reloginSecurityDomain(HttpServletResponse response) { IConfigStore cs = CMS.getConfigStore(); try { - String hostname = cs.getString("preop.securitydomain.host", ""); - int port = cs.getInteger("preop.securitydomain.httpsport", -1); + String hostname = cs.getString("securitydomain.host", ""); + int port = cs.getInteger("securitydomain.httpsadminport", -1); + String cs_hostname = cs.getString("machineName", ""); + int cs_port = cs.getInteger("pkicreate.admin_secure_port", -1); int panel = getPanelNo(); String subsystem = cs.getString("cs.type", ""); - String urlVal = "https://"+CMS.getEESSLHost()+":"+CMS.getEESSLPort()+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem; + String urlVal = "https://"+cs_hostname+":"+cs_port+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem; String encodedValue = URLEncoder.encode(urlVal, "UTF-8"); - String sdurl = "https://"+hostname+":"+port+"/ca/ee/ca/securityDomainLogin?url="+encodedValue; + String sdurl = "https://"+hostname+":"+port+"/ca/admin/ca/securityDomainLogin?url="+encodedValue; response.sendRedirect(sdurl); } catch (Exception e) { CMS.debug("WizardPanelBase reloginSecurityDomain: Exception="+e.toString()); 
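Review bot: In `updateCertChain`, `certchain` can be `null` — `getCertChainUsingSecureAdminPort` returns `null` when the HTTP response is empty — yet it is written to `preop.<name>.pkcs7` and passed to `CryptoUtil.base64Decode` without a check, so the likely outcome is a `NullPointerException` out of the panel rather than the `errorString` path the rest of the method uses (I cannot see `base64Decode` from here). Add `if (certchain == null) { context.put("errorString", "Failed to retrieve the certificate chain."); return; }` before the `putString`. The empty `catch (EBaseException e) {}` around `config.commit(false)` also discards a failed commit of the trust chain; at minimum log it with `CMS.debug`. `updateCertChainUsingSecureEEPort` repeats the same body and continues past the end of the hunk.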
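Review bot: `reloginSecurityDomain` interpolates `port` and `cs_port` into the two redirect URLs even when the config lookups fall back to `-1`, producing `https://host:-1/...` and a dead redirect whose only trace is the `CMS.debug` in the catch. Check `if (port < 0 || cs_port < 0 || hostname.length() == 0 || cs_hostname.length() == 0)` and report the misconfiguration instead of redirecting. The `url=` value is where the domain CA sends the browser back after login, so a one-line comment that `machineName` and `pkicreate.admin_secure_port` must describe the externally reachable admin endpoint would help the next maintainer.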
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg index e30a224b5..8d10595c4 100644 --- a/pki/base/kra/shared/conf/CS.cfg +++ b/pki/base/kra/shared/conf/CS.cfg @@ -1,13 +1,13 @@ -pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.arg07.secure_port=[PKI_SECURE_PORT] -pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.arg10.user=[PKI_USER] +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] pkicreate.arg11.group=[PKI_GROUP] installDate=[INSTALL_TIME] preop.wizard.name=DRM Setup Wizard 
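Review bot: `pkicreate.arg11.group=[PKI_GROUP]` keeps the `arg11.` prefix that every sibling key in this hunk just dropped, and the OCSP template in this same commit renames the same key to `pkicreate.group`; code that reads `pkicreate.group` will find nothing in a KRA instance. Change the line to `pkicreate.group=[PKI_GROUP]`.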
@@ -20,11 +20,16 @@ cs.type=KRA admin.interface.uri=kra/admin/console/config/wizard agent.interface.uri=kra/agent/kra authType=pwd -preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444 +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 instanceRoot=[PKI_INSTANCE_PATH] machineName=[PKI_MACHINE_NAME] instanceId=[PKI_INSTANCE_ID] -service.securePort=[PKI_SECURE_PORT] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] preop.admin.name=Data Recovery Manager Administrator preop.admin.group=Data Recovery Manager Agents preop.admincert.profile=caAdminCert diff --git a/pki/base/kra/shared/conf/schema.ldif b/pki/base/kra/shared/conf/schema.ldif index 823543dcf..269b3f576 100644 --- a/pki/base/kra/shared/conf/schema.ldif +++ b/pki/base/kra/shared/conf/schema.ldif @@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115. dn: cn=schema changetype: modify add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) dn: cn=schema 
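Review bot: `service.securePort` changes meaning in this hunk — it now expands to `[PKI_AGENT_SECURE_PORT]` where it previously held `[PKI_SECURE_PORT]` — while the EE-facing port moves to the new key `service.non_clientauth_securePort`. Any reader of `service.securePort` that still expects the single server port will now build URLs to the client-auth agent connector (the RA `renewal.cgi` change in this commit is exactly such a fix); the Java consumers of this key are not visible from here. A comment above the block, `# service.securePort = agent (client-auth) port; service.non_clientauth_securePort = EE port`, would make the split explicit for the next reader.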
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' ) +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) dn: cn=schema changetype: modify diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index 7dd9f6ccd..58cd61666 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" - clientAuth="true" sslProtocol="SSL" + clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml index 84dfcabb2..8af3e56e8 100644 
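Review bot: `clientAuth="[PKI_AGENT_CLIENTAUTH]"` turns the agent connector's mandatory client-certificate check into an installer-supplied value; if `pkicreate` can render anything other than `true` (Tomcat also accepts `want` and `false`), connections without a client certificate reach the agent webapp and authentication rests entirely on the servlets. A comment beside it, `<!-- PKI_AGENT_CLIENTAUTH must be "true": "want" or "false" lets certificate-less clients reach the agent servlets -->`, records the constraint where it is applied. Separately, the unchanged `sslOptions`/`ssl3Ciphers` lines still enable SSLv2 and single-DES suites, which deserves its own follow-up.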
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml +++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml @@ -782,8 +782,6 @@ <param-value> services </param-value> </init-param> <init-param><param-name> templatePath </param-name> <param-value> /services.template </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> </servlet> <servlet> @@ -851,6 +849,25 @@ [PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <filter-mapping> <filter-name> PassThroughRequestFilter </filter-name> + <url-pattern> /index </url-pattern> + + <url-pattern> /server </url-pattern> + <url-pattern> /kra </url-pattern> + <url-pattern> /log </url-pattern> + <url-pattern> /registry </url-pattern> + <url-pattern> /ug </url-pattern> + <url-pattern> /acl </url-pattern> + <url-pattern> /jobsScheduler </url-pattern> + <url-pattern> /krapolicy </url-pattern> + + <url-pattern> /services </url-pattern> + + <url-pattern> /start </url-pattern> + <url-pattern> /dynamicVars.js </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> <url-pattern> /agent/* </url-pattern> </filter-mapping> diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java index 5cfdf584a..33bbb72b1 100644 --- a/pki/base/migrate/80/MigrateSecurityDomain.java +++ b/pki/base/migrate/80/MigrateSecurityDomain.java 
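Review bot: The new `PassThroughRequestFilter` mapping covers `/server`, `/log`, `/ug`, `/acl`, `/registry`, `/jobsScheduler` and `/krapolicy`, which by name look like the admin-console servlets; the filter class is not visible here, but a filter called pass-through presumably skips the interface/port restriction that the `AgentRequestFilter` mapping below enforces, so these servlets would be reachable on every connector and depend solely on their own authentication. If that is intended (the commit message points at restoring admin access when an HSM is configured), a comment above the mapping stating why these paths bypass the port check, together with confirmation that each servlet authenticates administrators itself, belongs in this hunk.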
@@ -191,6 +191,13 @@ public class MigrateSecurityDomain { attrs.add(new LDAPAttribute("SubsystemName", (String)v_name.elementAt(0))); attrs.add(new LDAPAttribute("cn", cn)); attrs.add(new LDAPAttribute("DomainManager", "true")); + // Since the initial port separation feature didn't occur + // until an RHCS 7.3 errata, simply store the "SecurePort" + // value for BOTH the "SecureAgentPort" and the + // "SecureAdminPort", and DON'T store any values for the + // "UnSecurePort" + attrs.add(new LDAPAttribute("SecureAgentPort", (String)v_port.elementAt(0))); + attrs.add(new LDAPAttribute("SecureAdminPort", (String)v_port.elementAt(0))); entry = new LDAPEntry(dn, attrs); try { diff --git a/pki/base/migrate/80/schema-add.ldif b/pki/base/migrate/80/schema-add.ldif index 7d9cec640..fe6577e51 100644 --- a/pki/base/migrate/80/schema-add.ldif +++ b/pki/base/migrate/80/schema-add.ldif @@ -11,7 +11,22 @@ attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.146 dn: cn=schema changetype: modify add: attributeTypes -attributeTypes: ( securePort-oid NAME 'securePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) dn: cn=schema changetype: modify 
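Review bot: The migration stores the legacy `SecurePort` as both `SecureAgentPort` and `SecureAdminPort` and, as the comment says, writes no `UnSecurePort`; every consumer in this commit that does `v_port.elementAt(0)` on the requested port type must therefore tolerate an absent element for migrated entries, or `UnSecurePort` lookups on a migrated domain will throw. Extend the comment with `// consumers must treat a missing UnSecurePort as "not available", not as an error` so the two sides stay tied together. The `securePort` → `SecurePort` change in `schema-add.ldif` is case-only; LDAP attribute names are case-insensitive, so it is cosmetic and harmless.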
@@ -31,6 +46,5 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' ) - +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg index 59185dd8e..0544fc632 100644 --- a/pki/base/ocsp/shared/conf/CS.cfg +++ b/pki/base/ocsp/shared/conf/CS.cfg 
@@ -3,17 +3,17 @@ # All rights reserved. # --- END COPYRIGHT BLOCK --- # -pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.arg07.secure_port=[PKI_SECURE_PORT] -pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.arg10.user=[PKI_USER] -pkicreate.arg11.group=[PKI_GROUP] +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] installDate=[INSTALL_TIME] cs.type=OCSP admin.interface.uri=ocsp/admin/console/config/wizard @@ -21,7 +21,7 @@ agent.interface.uri=ocsp/agent/ocsp preop.admin.name=Online Certificate Status Manager Administrator preop.admin.group=Online Certificate Status Manager Agents preop.admincert.profile=caAdminCert -preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444 +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 preop.wizard.name=OCSP Setup Wizard preop.product.name=CS preop.product.version= 
@@ -88,7 +88,12 @@ authType=pwd instanceRoot=[PKI_INSTANCE_PATH] machineName=[PKI_MACHINE_NAME] instanceId=[PKI_INSTANCE_ID] -service.securePort=[PKI_SECURE_PORT] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] preop.pin=[PKI_RANDOM_NUMBER] passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf passwordClass=com.netscape.cmsutil.password.PlainPasswordFile diff --git a/pki/base/ocsp/shared/conf/schema.ldif b/pki/base/ocsp/shared/conf/schema.ldif index 823543dcf..d61f83dd6 100644 --- a/pki/base/ocsp/shared/conf/schema.ldif +++ b/pki/base/ocsp/shared/conf/schema.ldif @@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115. dn: cn=schema changetype: modify add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) dn: cn=schema 
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' ) +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) dn: cn=schema changetype: modify diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml index 7dd9f6ccd..58cd61666 100644 --- a/pki/base/ocsp/shared/conf/server.xml +++ b/pki/base/ocsp/shared/conf/server.xml @@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" - clientAuth="true" sslProtocol="SSL" + clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" diff --git a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml index a7768b889..37ac36cf6 100644 
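Review bot: `clientAuth="[PKI_AGENT_CLIENTAUTH]"` on the OCSP agent connector makes the client-certificate requirement an installer-supplied value, so any rendering other than `true` (Tomcat accepts `want` and `false`) lets certificate-less clients reach the agent servlets. Add `<!-- PKI_AGENT_CLIENTAUTH must be "true" for the agent port -->` next to it so the constraint is recorded where it applies.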
--- a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +++ b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml @@ -438,8 +438,6 @@ <param-value> services </param-value> </init-param> <init-param><param-name> templatePath </param-name> <param-value> /services.template </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> </servlet> <servlet> @@ -491,6 +489,21 @@ [PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <filter-mapping> + <filter-name> PassThroughRequestFilter </filter-name> + <url-pattern> /registry </url-pattern> + <url-pattern> /acl </url-pattern> + <url-pattern> /jobsScheduler </url-pattern> + <url-pattern> /ug </url-pattern> + <url-pattern> /server </url-pattern> + <url-pattern> /log </url-pattern> + <url-pattern> /ocsp </url-pattern> + + <url-pattern> /services </url-pattern> + + <url-pattern> /start </url-pattern> + </filter-mapping> + + <filter-mapping> <filter-name> AgentRequestFilter </filter-name> <url-pattern> /agent/* </url-pattern> </filter-mapping> diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg index 697853bd1..c580d2741 100644 --- a/pki/base/ra/doc/CS.cfg +++ b/pki/base/ra/doc/CS.cfg 
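Review bot: Mapping `PassThroughRequestFilter` to `/registry`, `/acl`, `/jobsScheduler`, `/ug`, `/server`, `/log` and `/ocsp` presumably exempts those admin-style servlets from the port/interface check that the `AgentRequestFilter` mapping below applies to `/agent/*`; the filter's implementation is not visible here. A comment above the mapping explaining why these paths are reachable on every connector, and noting that each servlet must authenticate administrators itself, would keep the next reader from treating this as an accidental widening.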
@@ -16,14 +16,14 @@ # All rights reserved. # --- END COPYRIGHT BLOCK --- # -pkicreate.arg01.pki_instance_root=[INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[INSTANCE_ID] -pkicreate.arg03.subsystem_type=[SUBSYSTEM_TYPE] -pkicreate.arg04.secure_port=[SECURE_PORT] -pkicreate.arg05.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] -pkicreate.arg06.unsecure_port=[PORT] -pkicreate.arg07.user=[USERID] -pkicreate.arg08.group=[GROUPID] +pkicreate.pki_instance_root=[INSTANCE_ROOT] +pkicreate.pki_instance_name=[INSTANCE_ID] +pkicreate.subsystem_type=[SUBSYSTEM_TYPE] +pkicreate.secure_port=[SECURE_PORT] +pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] +pkicreate.unsecure_port=[PORT] +pkicreate.user=[USERID] +pkicreate.group=[GROUPID] request._000=######################################### request._001=# Request Queue Parameters request._002=######################################### @@ -250,6 +250,6 @@ preop.keysize._000=######################################### preop.keysize._001=# Installation configuration "preop" keysize parameters preop.keysize._002=######################################### preop.keysize.customsize=2048 -preop.keysize.select=custom +preop.keysize.select=default preop.keysize.size=2048 preop.keysize.ecc.size=256 diff --git a/pki/base/ra/forms/ee/user/renewal.cgi b/pki/base/ra/forms/ee/user/renewal.cgi index 63a211eff..a4bbc458c 100755 --- a/pki/base/ra/forms/ee/user/renewal.cgi +++ b/pki/base/ra/forms/ee/user/renewal.cgi @@ -53,7 +53,7 @@ sub process() $self->debug_params($cfg, $q); my $host = $cfg->get("service.machineName"); - my $port = $cfg->get("service.securePort"); + my $port = $cfg->get("service.non_clientauth_securePort"); my %context; $context{url} = "https://$host:$port/ee/user/renew.cgi"; diff --git a/pki/base/ra/forms/index.cgi b/pki/base/ra/forms/index.cgi index e71e1ec67..0e643166b 100755 --- a/pki/base/ra/forms/index.cgi +++ b/pki/base/ra/forms/index.cgi 
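Review bot: `my $port = $cfg->get("service.non_clientauth_securePort");` in `renewal.cgi` has no fallback, so on an RA whose CS.cfg predates this key the renew URL becomes `https://$host:/ee/user/renew.cgi`; whether the RA template in this commit defines `service.non_clientauth_securePort` is not visible in the hunks shown. Fail explicitly, e.g. `die "service.non_clientauth_securePort is not configured" unless defined $port && $port =~ /\A\d+\z/;`, or fall back to `service.securePort` deliberately with a comment explaining why. The enclosing `process()` continues beyond the hunk.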
@@ -55,6 +55,7 @@ sub process() $self->debug_params($cfg, $q); $::symbol{machineName} = $cfg->get("service.machineName"); + $::symbol{non_clientauth_securePort} = $cfg->get("service.non_clientauth_securePort"); $::symbol{securePort} = $cfg->get("service.securePort"); $::symbol{unsecurePort} = $cfg->get("service.unsecurePort"); diff --git a/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm b/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm index d67a9b2e3..e08032913 100755 --- a/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm @@ -99,12 +99,12 @@ sub update my $cainfo = $::config->get("preop.ca.url"); &PKI::RA::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo"); if ($cainfo eq "" || $cainfo =~ /:$/) { - $cainfo = $::config->get("config.sdomainURL"); - &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainURL=$cainfo"); + $cainfo = $::config->get("config.sdomainEEURL"); + &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo"); } &PKI::RA::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo"); my $cainfo_url = new URI::URL($cainfo); - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainEEURL"); my $sdom_url = new URI::URL($sdom); my $machineName = $::config->get("service.machineName"); 
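Review bot: `my $cainfo_url = new URI::URL($cainfo);` and `my $sdom_url = new URI::URL($sdom);` in `AdminPanel::update` use indirect-object syntax, which Perl resolves at runtime and can misparse if a sub named `new` is in scope; write `URI::URL->new($cainfo)` and `URI::URL->new($sdom)`. `update` continues past the end of the hunk.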
@@ -132,15 +132,15 @@ sub update "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port; - my $host = $cainfo_url->host; - my $port = $cainfo_url->port; + my $ca_host = $cainfo_url->host; + my $https_ee_port = $cainfo_url->port; my $content = ""; my $tmpfile = "/tmp/admin-$$"; if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { - system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile"); + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile"); $content = `cat $tmpfile`; } else { - system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile"); + system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile"); $content = `cat $tmpfile`; } system("rm $tmpfile"); @@ -158,8 +158,8 @@ sub update my $admincert = $response->{Requests}->{Request}->{b64}; &PKI::RA::Wizard::debug_log("AdminPanel: admincert " . $admincert); - $host = $::config->get("preop.database.host"); - $port = $::config->get("preop.database.port"); + my $ldap_host = $::config->get("preop.database.host"); + my $ldap_port = $::config->get("preop.database.port"); my $basedn = $::config->get("preop.database.basedn"); my $binddn = $::config->get("preop.database.binddn"); # my $bindpwd = $::config->get("tokendb.bindPass"); 
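Review bot: The two `system("/usr/bin/sslget ... -p \"$db_password\" ... $ca_host:$https_ee_port > $tmpfile")` lines in `AdminPanel::update` hand the NSS/token password and the CA host and port to `/bin/sh` through string interpolation and stage the response in the predictable path `/tmp/admin-$$`, which is then read with backticks and deleted with `system("rm $tmpfile")`; this hunk rewrites exactly those lines, so it is the moment to fix them. A list-form pipe open removes the shell and the temp file entirely, and a host/port sanity check before the call keeps anything odd from `preop.ca.url` or the security domain off the command line (the values are config-sourced, so how far they can be attacker-influenced is not visible here). The `-p` password remains visible in `ps` for the lifetime of `sslget`; that is inherent to `sslget`'s interface and worth a comment. The error path below mirrors `CAInfoPanel`'s use of `$::symbol{errorString}`; `AdminPanel`'s own convention beyond this hunk is not visible.
```perl
my $ca_host       = $cainfo_url->host;
my $https_ee_port = $cainfo_url->port;
# Both values end up on a command line; accept only a plain host name and a numeric port.
if ( $ca_host !~ /\A[A-Za-z0-9.\-]+\z/ || $https_ee_port !~ /\A\d+\z/ ) {
    &PKI::RA::Wizard::debug_log("AdminPanel: refusing CA endpoint '$ca_host:$https_ee_port'");
    $::symbol{errorString} = "invalid CA host or port";
    return 0;
}
# Same password selection rule as before: internal token vs. HSM token.
my $pwd = ( ($tokenname eq "") || ($tokenname eq "NSS Certificate DB") ) ? $db_password : $token_pwd;
# List-form pipe open: no shell parses $params or the password, and no /tmp file is needed.
# NOTE: sslget only takes the password via -p, so it is still visible in the process list.
open( my $sslget, '-|', '/usr/bin/sslget',
      '-e', $params, '-d', "$instanceDir/alias", '-p', $pwd, '-v',
      '-n', $nickname, '-r', '/ca/ee/ca/profileSubmit', "$ca_host:$https_ee_port" )
    or do { $::symbol{errorString} = "unable to run sslget: $!"; return 0; };
my $content = do { local $/; <$sslget> };
close($sslget);
# … unchanged: parse $content into $response, extract the admin certificate …
```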
@@ -221,7 +221,7 @@ sub update # system("sed -e 's/\$TOKENDB_ROOT/$basedn/' " . # "-e 's/\$TOKENDB_AGENT_CERT/$admincert/' " . # "/usr/share/$flavor/ra/scripts/addAgents.ldif > $tmp"); -# system("$mozldap_path/ldapmodify -h '$host' -p '$port' -D '$binddn' " . +# system("$mozldap_path/ldapmodify -h '$ldap_host' -p '$ldap_port' -D '$binddn' " . # "-w '$bindpwd' -a " . # "-f '$tmp'"); system("rm $tmp"); diff --git a/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm index dbfc42eec..901be9a34 100755 --- a/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm 
@@ -84,29 +84,29 @@ sub update my $instanceID = $::config->get("service.instanceID"); my $host = ""; - my $port = ""; + my $https_ee_port = ""; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; + $https_ee_port = $info->port; } else { $host = $::config->get("preop.securitydomain.ca$count.host"); - $port = $::config->get("preop.securitydomain.ca$count.secureport"); + $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); } - if (($host eq "") || ($port eq "")) { + if (($host eq "") || ($https_ee_port eq "")) { $::symbol{errorString} = "no CA found. CA, TKS and optionally DRM must be installed prior to RA installation"; return 0; } - &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, port= $port"); + &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port"); - $::config->put("preop.cainfo.select", "https://$host:$port"); + $::config->put("preop.cainfo.select", "https://$host:$https_ee_port"); my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname"); my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); $::config->put("conn.ca1.clientNickname", $subsystemCertNickName); - $::config->put("conn.ca1.hostport", $host . ":" . $port); + $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port); $::config->commit(); @@ -116,7 +116,7 @@ sub update my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; $db_password =~ s/\n$//g; my $tmpfile = "/tmp/ca-$$"; - system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$port > $tmpfile"); + system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile"); my $cmd = `cat $tmpfile`; system("rm $tmpfile"); my $caCert; 
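Review bot: In the `@@ -84` hunk `$host` and `$https_ee_port` are taken straight from the `urls` request parameter when it matches `/http/`, and the `@@ -116` hunk then interpolates them into `system("/usr/bin/sslget ... $host:$https_ee_port > $tmpfile")`, so a crafted value reaches the shell; the `$count` value is also used unvalidated as part of the config key `preop.securitydomain.ca$count.secureport`. After the existing empty check, one anchored validation closes this: `return 0 unless ($host =~ /\A[A-Za-z0-9.-]+\z/) && ($https_ee_port =~ /\A[0-9]{1,5}\z/);` (setting `$::symbol{errorString}` first, as the empty case does). The same pattern is in DRMInfoPanel `@@ -81`, NamePanel `@@ -87` and TKSInfoPanel `@@ -79`, which store the values via `$::config->put` and later feed sslget. `sub update` continues past the hunk, so any check that happens further down is not visible here.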
@@ -165,10 +165,10 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.ca$count.secureport"); + my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); my $name = $::config->get("preop.securitydomain.ca$count.subsystemname"); - my $item = $name . " - https://" . $host . ":" . $port; -# my $item = "https://" . $host . ":" . $port; + my $item = $name . " - https://" . $host . ":" . $https_ee_port; +# my $item = "https://" . $host . ":" . $https_ee_port; # unshift(@{$::symbol{urls}}, $item); $::symbol{urls}[$count++] = $item; if ($first eq 1) { diff --git a/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm index 707a45dc1..924fe0cb9 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm 
@@ -81,24 +81,24 @@ sub update my $count = $q->param('urls'); my $instanceID = $::config->get("service.instanceID"); my $host = ""; - my $port = ""; + my $https_agent_port = ""; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; + $https_agent_port = $info->port; } else { $host = $::config->get("preop.securitydomain.kra$count.host"); - $port = $::config->get("preop.securitydomain.kra$count.secureport"); + $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport"); } - if (($host eq "") || ($port eq "")) { + if (($host eq "") || ($https_agent_port eq "")) { $::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to RA installation"; return 0; } - $::config->put("preop.krainfo.select", "https://$host:$port"); + $::config->put("preop.krainfo.select", "https://$host:$https_agent_port"); my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); $::config->put("conn.drm1.clientNickname", $subsystemCertNickName); - $::config->put("conn.drm1.hostport", $host . ":" . $port); + $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port); $::config->put("conn.tks1.serverKeygen", "true"); $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true"); $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true"); @@ -127,9 +127,9 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.kra$count.secureport"); + my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport"); my $name = $::config->get("preop.securitydomain.kra$count.subsystemname"); - $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port; + $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; } DONE: $::symbol{urls_size} = $count; 
diff --git a/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm b/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm index c0c897139..54e9b85cf 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm @@ -102,25 +102,25 @@ sub update $tmp = `rm $instanceDir/conf/caCert.der`; $tmp = `rm $instanceDir/conf/caCert_pp.txt`; - # complete the SeucrityDomain task - my $sdomainURL = $::config->get("config.sdomainURL"); - if ($sdomainURL eq "") { + # complete the SecurityDomain task + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + if ($sdomainAdminURL eq "") { return 2; } my $machineName = $::config->get("service.machineName"); - my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $unsecurePort = $::config->get("service.unsecurePort"); # check if url is accessible # redirect to the security domain authentication if ($ENV{'SERVER_PORT'} eq $unsecurePort) { - $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; + $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; } else { - $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $securePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; + $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA"; } - get_domain_xml($sdomainURL); + get_domain_xml($sdomainAdminURL); return 3; 
@@ -135,27 +135,27 @@ sub display &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain"); my $instanceID = $::config->get("service.instanceID"); my $instanceDir = $::config->get("service.instanceDir"); - my $sdomainURL = $::config->get("config.sdomainURL"); - if ($sdomainURL eq "") { + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + if ($sdomainAdminURL eq "") { return 2; } my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; $db_password =~ s/\n$//g; - my $url_info = new URI::URL($sdomainURL); - my $host = $url_info->host; - my $port = $url_info->port; + my $url_info = new URI::URL($sdomainAdminURL); + my $sd_host = $url_info->host; + my $sd_admin_port = $url_info->port; my $nickname = $::config->get("preop.cert.sslserver.nickname"); - my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getCertChain\" $host:$port`; + my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`; - my $caCert; + my $caCert = ""; if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) { $caCert = $1; &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert"); } - my $certpp; + my $certpp = ""; if ($caCert ne "") { open(F, ">$instanceDir/conf/caCert.txt"); print F $caCert; @@ -199,13 +199,14 @@ sub display return 1; } + sub get_domain_xml { - my ($sdomainURL) = @_; + my ($sdomainAdminURL) = @_; - my $sdom_info = new URI::URL($sdomainURL); + my $sdom_info = new URI::URL($sdomainAdminURL); # get the domain xml - # e. g. - https://water.sfbay.redhat.com:9444/ca/ee/ca/getDomainXML + # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML my $nickname = $::config->get("preop.cert.sslserver.nickname"); my $instanceID = $::config->get("service.instanceID"); 
@@ -213,9 +214,9 @@ sub get_domain_xml my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; $db_password =~ s/\n$//g; - my $host = $sdom_info->host; - my $port = $sdom_info->port; - my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getDomainXML\" $host:$port`; + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1; @@ -241,8 +242,40 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.ca" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.ca" . $count . ".host", $c->{'Host'}[0]); + + # The user previously specified the CA Security Domain's + # SSL Admin URL in the "Security Domain Panel"; + # now retrieve this specified CA Security Domain's + # non-SSL EE, SSL Agent, and SSL EE URLs: + if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) { + # Build the URLs + my $http_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'UnSecurePort'}[0]; + my $https_agent_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecureAgentPort'}[0]; + my $https_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecurePort'}[0]; + + # Store the URLs + $::config->put( "config.sdomainHttpURL", $http_ee_port ); + $::config->put( "config.sdomainAgentURL", $https_agent_port ); + $::config->put( "config.sdomainEEURL", $https_ee_port ); + } + $count++; } 
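Review bot: In the new block of the `@@ -241` hunk, `$http_ee_port` is assembled with the `"https://"` prefix but the `UnSecurePort` value, so `config.sdomainHttpURL` ends up pointing an HTTPS scheme at the plain-HTTP port, contradicting the comment "non-SSL EE" directly above it; it should be `my $http_ee_port = "http://"`. The match that selects which CA's URLs to store compares only the port, `if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] )`, so in a domain with several CAs the first CA whose admin port merely equals the one the user typed wins; `$sd_host` is already in scope from the earlier hunk, so `if( $sd_host eq $c->{'Host'}[0] && $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) {` pins it to the intended host (if the user may enter an IP where the XML carries a hostname, that assumption needs documenting). As a point of style, the three locals named `*_port` hold full URLs, not ports. The function body continues beyond the hunk.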
@@ -254,6 +287,12 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.tks" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.tks" . $count . ".host", $c->{'Host'}[0]); $count++; @@ -267,6 +306,12 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.kra" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.kra" . $count . ".host", $c->{'Host'}[0]); $count++; @@ -279,7 +324,11 @@ sub get_domain_xml $::config->put("preop.securitydomain.ra" . $count . ".subsystemname", $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.ra" . $count . ".secureport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".non_clientauth_secure_port", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.ra" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.ra" . $count . ".host", $c->{'Host'}[0]); $count++; diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm index 086d51e4a..87d8bd8c4 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm 
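Review bot: For the `ra` entries in the `@@ -279` hunk, `preop.securitydomain.ra$count.secureport` is now filled from `SecureAgentPort`, while the CA, TKS and KRA branches in the hunks above store `SecurePort` under `.secureport` and `SecureAgentPort` under `.secureagentport`, so the same key name means different things depending on the subsystem type. Using `.secureagentport` for the RA agent port too, and keeping `.secureport` for `SecurePort`, keeps the four branches parallel; the only visible consumer of the RA keys, SubsystemTypePanel `@@ -117`, reads `.non_clientauth_secure_port` and would be unaffected, but readers outside this view may exist. A comment on the RA branch stating why its agent port is the one callers want (`# RA: the agent port is the one other subsystems connect to`) would help if the mapping is intentional.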
@@ -91,13 +91,15 @@ sub register_ra &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain"); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); &PKI::RA::Wizard::debug_log("DonePanel: Security Domain Info " . $url); - # add service.securityDomainPort to the config file in case pkiremove needs to - # remove system reference from the security domain + # add service.securityDomainPort to the config file in case pkiremove + # needs to remove system reference from the security domain $::config->put("service.securityDomainPort", $securePort); $::config->commit(); @@ -183,7 +185,9 @@ sub get_kra_transport_cert my $krainfo_url = new URI::URL($krainfo); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); my $nickname = $::config->get("preop.cert.sslserver.nickname"); @@ -234,7 +238,9 @@ sub send_kra_transport_cert my $tksinfo_url = new URI::URL($tksinfo); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); my $nickname = $::config->get("preop.cert.sslserver.nickname"); 
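Review bot: The `my $unsecurePort` and `my $non_clientauth_securePort` lines added in `register_ra`, `get_kra_transport_cert` and `send_kra_transport_cert` are not referenced anywhere in the visible hunks, so unless the rest of each body (outside the hunk) uses them they are dead declarations that `use warnings` will not flag. Either drop them or, if they are placeholders for a follow-up, mark them with a `# TODO:` so the intent is visible. Note also that `service.securityDomainPort` is still recorded as `$securePort` although the domain is now reached via the admin URL elsewhere in this commit; pkiremove's expectations are not visible here, so please confirm which port it needs.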
@@ -296,7 +302,7 @@ sub display } # Add this RA's server certificate to the subsystems - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainEEURL"); my $cainfo = $::config->get("preop.cainfo.select"); $cainfo =~ s/.* - //g; ®ister_ra($sdom, $cainfo, $::config->get("conn.ca1.servlet.addagent"), "CA"); @@ -368,8 +374,9 @@ sub display &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain"); my $machineName = $::config->get("service.machineName"); - my $securePort = $::config->get("service.securePort"); my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $instanceID = $::config->get("service.instanceID"); my $initCommand = ""; @@ -381,8 +388,9 @@ sub display } $::symbol{host} = $machineName; - $::symbol{port} = $securePort; $::symbol{unsecurePort} = $unsecurePort; + $::symbol{port} = $securePort; + $::symbol{non_clientauth_port} = $non_clientauth_securePort; $::symbol{initCommand} = $initCommand; $::config->deleteSubstore("preop."); diff --git a/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm b/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm index 7ee15e596..54159a336 100755 --- a/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm @@ -75,7 +75,7 @@ sub update &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: update"); # register to Security Domain - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainAgentURL"); my $sdom_url = new URI::URL($sdom); # 
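Review bot: In ImportAdminCertPanel `@@ -75`, `config.sdomainAgentURL` is parsed with `new URI::URL($sdom)` without checking it is non-empty, yet that key is only written inside the port-match branch of `get_domain_xml`; when no CA entry matched, `$sdom` is `""`, `$sdom_url->host` and `->port` are undefined, and the sslget call further down in this `sub update` is built from an empty host:port. Add the same guard DisplayCertChainPanel uses: `if ($sdom eq "") { $::symbol{errorString} = "Security Domain agent URL not found"; return 0; }`. AdminPanel `@@ -99` (its `config.sdomainEEURL` fallback) and DonePanel `@@ -296` depend on the same conditionally-written keys.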
@@ -102,6 +102,18 @@ sub update my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`; + # Fetch the "updated" security domain and display it + &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . ."); + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + my $sdom_info = new URI::URL($sdomainAdminURL); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + &PKI::RA::Wizard::debug_log($content); + return 1; } diff --git a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm index 383654184..221f93263 100755 --- a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm 
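Review bot: In the newly added diagnostic block, `$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1;` does not test whether the match succeeded, so when sslget fails or returns no `XMLResponse` element, `$1` is undefined or still holds the capture of an earlier successful match in this scope, and the following `debug_log($content)` logs stale or undefined data. Guard it: `if ($content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/) { &PKI::RA::Wizard::debug_log($1); } else { &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: no XMLResponse from security domain"); }`; note also that without `/s` the `.*` cannot span a newline, so a multi-line response never matches. This block also performs an extra TLS round-trip on every update purely for logging and dumps the whole domain description into the debug log, so consider making it conditional on a debug setting.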
@@ -87,25 +87,25 @@ sub update &PKI::RA::Wizard::debug_log("NamePanel: update - selected ca= $count"); my $host = ""; - my $port = ""; + my $https_ee_port = ""; my $useExternalCA = "off"; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; + $https_ee_port = $info->port; } else { $host = $::config->get("preop.securitydomain.ca$count.host"); if ($host eq "") { $useExternalCA = "on"; } else { - $port = $::config->get("preop.securitydomain.ca$count.secureport"); - &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, port= $port"); + $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port"); } } $::config->put("preop.certenroll.useExternalCA", $useExternalCA); - $::config->put("preop.ca.url", "https://" . $host . ":" . $port); + $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port); my $tokenname = $::config->get("preop.module.token"); &PKI::RA::Wizard::debug_log("NamePanel: update got token name = $tokenname"); @@ -242,7 +242,7 @@ GEN_CERT: # see if there is an existing cert my $cert = $::config->get("preop.cert.$certtag.cert"); - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainEEURL"); my $sdom_url = new URI::URL($sdom); if (($useExternalCA eq "on") && ($certtag ne "subsystem")) { 
@@ -293,14 +293,14 @@ GEN_CERT: if ($certtag eq "subsystem") { $host = $sdom_url->host; - $port = $sdom_url->port; + $https_ee_port = $sdom_url->port; } if ($changed eq "true") { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; } else { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; } &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req); @@ -480,9 +480,9 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.ca$count.secureport"); + my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); my $name = $::config->get("preop.securitydomain.ca$count.subsystemname"); - my $item = $name . " - https://" . $host . ":" . $port; + my $item = $name . " - https://" . $host . ":" . $https_ee_port; $::symbol{urls}[$count++] = $item; } 
diff --git a/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm b/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm index 468a5b1c3..ce622f915 100755 --- a/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm @@ -26,6 +26,7 @@ use strict; use warnings; use PKI::RA::GlobalVar; use PKI::RA::Common; +use URI::URL; use XML::Simple; use Data::Dumper; @@ -78,7 +79,7 @@ sub display $::symbol{panelname} = "Security Domain"; $::symbol{sdomainName} = "Security Domain"; my $hostname = $::config->get("service.machineName"); - $::symbol{sdomainURL} = "https://" . $hostname . ":9444"; + $::symbol{sdomainAdminURL} = "https://" . $hostname . ":9445"; return 1; } @@ -90,15 +91,22 @@ sub update &PKI::RA::Wizard::debug_log("SecurityPanel: update"); my $sdomainURL = $q->param("sdomainURL"); + my $sdomainURL_info = new URI::URL($sdomainURL); + if ($sdomainURL eq "") { &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL not found"); - $::symbol{errorString} = "Security Domain URL not found"; + $::symbol{errorString} = "Security Domain HTTPS Admin URL not found"; return 0; } - # save url in CS.cfg + # save urls in CS.cfg &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL); - $::config->put("config.sdomainURL", $sdomainURL); + $::config->put("config.sdomainAdminURL", $sdomainURL); + + # Add values necessary for 'pkiremove' . . . + $::config->put("securitydomain.select", "existing"); + $::config->put("securitydomain.host", $sdomainURL_info->host); + $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port); $::config->commit(); return 1; diff --git a/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm b/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm index 763b184be..3a1ba77d6 100755 --- a/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm 
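Review bot: `my $sdomainURL_info = new URI::URL($sdomainURL);` is created before the `eq ""` check, and nothing verifies the scheme or that a host is present, although this value is the one user-supplied input that every later panel parses for host:port and hands to sslget. Move the construction below the empty check and add `return 0 unless defined $sdomainURL_info->scheme && $sdomainURL_info->scheme eq 'https' && defined $sdomainURL_info->host;` (with an `errorString`), so a non-HTTPS or malformed value is rejected at the single entry point. Be aware that `->port` returns the scheme default (443) when the URL has no explicit port, so `securitydomain.httpsadminport` may silently become 443 rather than the 9445 the panel suggests; if that is not intended, check `$sdomainURL_info->_port` being defined or require an explicit port in the regex above.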
@@ -211,11 +211,11 @@ sub display #for "common key settings" my $select = $::config->get("preop.keysize.select"); - if ($select ne "") { + if (($select eq "") || ($select eq "default")) { + $::symbol{select} = "default"; + } else { &PKI::RA::Wizard::debug_log("SizePanel: display keysize select= $select"); $::symbol{select} = $select; - } else { - $::symbol{select} = "default"; } my $default_size = $::config->get("preop.keysize.size"); if ($default_size eq "") { diff --git a/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm b/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm index 4f98bee61..4a0869420 100755 --- a/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm @@ -76,7 +76,9 @@ sub update $::symbol{subsystemName} = "Registration Authority"; $::symbol{fullsystemname} = "Registration Authority"; $::symbol{machineName} = "localhost"; - $::symbol{https_port} = "7889"; + $::symbol{http_port} = "12888"; + $::symbol{https_port} = "12889"; + $::symbol{non_clientauth_https_port} = "12890"; $::symbol{check_clonesubsystem} = " "; $::symbol{check_newsubsystem} = " "; $::symbol{disableClone} = 1; @@ -97,12 +99,15 @@ sub display $::symbol{fullsystemname} = "Registration Authority "; my $machineName = $::config->get("service.machineName"); - my $securePort = $::config->get("service.securePort"); my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); $::symbol{machineName} = $machineName; + $::symbol{http_port} = $unsecurePort; $::symbol{https_port} = $securePort; + $::symbol{non_clientauth_https_port} = $non_clientauth_securePort; $::symbol{check_clonesubsystem} = ""; $::symbol{check_newsubsystem} = "checked "; 
@@ -117,7 +122,7 @@ sub display
 if ($host eq "") {
 goto DONE;
 }
- my $port = $::config->get("preop.securitydomain.ra$count.secureport");
+ my $port = $::config->get("preop.securitydomain.ra$count.non_clientauth_secure_port");
 my $name = $::config->get("preop.securitydomain.ra$count.subsystemname");
 unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port);
 $count++;
diff --git a/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
index a219e74c3..6a4f6b16e 100755
--- a/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
@@ -79,28 +79,28 @@ sub update my $instanceID = $::config->get("service.instanceID"); my $host = ""; - my $port = ""; + my $https_agent_port = ""; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; - if (($host eq "") || ($port eq "")) { + $https_agent_port = $info->port; + if (($host eq "") || ($https_agent_port eq "")) { $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation"; return 0; } $::config->put("preop.tksinfo.select", $count); } else { $host = $::config->get("preop.securitydomain.tks$count.host"); - $port = $::config->get("preop.securitydomain.tks$count.secureport"); - if (($host eq "") || ($port eq "")) { + $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); + if (($host eq "") || ($https_agent_port eq "")) { $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation"; return 0; } - $::config->put("preop.tksinfo.select", "https://$host:$port"); + $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port"); } my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); $::config->put("conn.tks1.clientNickname", $subsystemCertNickName); - $::config->put("conn.tks1.hostport", $host . ":" . $port); + $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port); $::config->commit(); return 1; @@ -117,9 +117,9 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.tks$count.secureport"); + my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); my $name = $::config->get("preop.securitydomain.tks$count.subsystemname"); - $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port; + $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; } DONE: $::symbol{urls_size} = $count; 
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index fd960985d..8f327147b 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -337,6 +337,7 @@ my $FORTITUDE_REVOCATOR_MODULES = "FORTITUDE_REVOCATOR_MODULES"; # Template slot constants (CA, KRA, OCSP, TKS) my $INSTALL_TIME = "INSTALL_TIME"; +my $PKI_AGENT_CLIENTAUTH_SLOT = "PKI_AGENT_CLIENTAUTH"; my $PKI_CERT_DB_PASSWORD_SLOT = "PKI_CERT_DB_PASSWORD"; my $PKI_CFG_PATH_NAME_SLOT = "PKI_CFG_PATH_NAME"; my $PKI_GROUP_SLOT = "PKI_GROUP"; @@ -1036,6 +1037,7 @@ sub parse_arguments() # (always overwrite this file) $logfile = "/var/log/$pki_instance_name-install.log"; open_logfile( $logfile ); + chmod( $default_file_permissions, $logfile ); push( @installed_files, $logfile ); emit( "Capturing installation information in $logfile.\n" ); @@ -1174,7 +1176,7 @@ sub parse_arguments() emit( " ee_secure_port $ee_secure_port\n"); } else { - if(agent_secure_port >= 0) { + if($agent_secure_port >= 0) { emit( "Must include value for ee_secure_port if agent_secure_port is given!\n"); } } @@ -1187,7 +1189,7 @@ sub parse_arguments() emit( " admin_secure_port $admin_secure_port\n"); } else { - if(agent_secure_port >= 0) { + if($agent_secure_port >= 0) { emit( "Must include value for admin_secure_port if agent_secure_port is given!\n"); } } @@ -2312,7 +2314,6 @@ LoadModule nss_module /opt/fortitude/modules.local/mod_rev.so $slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_AGENT_SECURE_PORT_NAME; $slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_ADMIN_SECURE_PORT_NAME; $slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_EE_SECURE_PORT_NAME; -my $PKI_SECURE_PORT_NAME = "Secure"; # Establish "Port Separation" Connector Ports $slot_hash{$PKI_SECURE_PORT_SLOT} = $agent_secure_port; 
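Review bot: The new `chmod( $default_file_permissions, $logfile );` in `parse_arguments()` ignores its return value, and the comment further down in this commit states that the one-time configuration PIN is written into this same install log, so the log's mode matters; `$default_file_permissions` is defined outside the hunk, please confirm it is owner-only (not group/world-readable) or use a dedicated restrictive mode for the log. Checking the result, `chmod( $default_file_permissions, $logfile ) or emit( "Unable to set permissions on $logfile: $!\n" );`, keeps the existing emit style. The `if($agent_secure_port >= 0)` fixes in the two following hunks correct a bareword comparison that always evaluated the string "agent_secure_port" rather than the variable, which is worth a mention in the commit message.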
@@ -2326,6 +2327,9 @@ my $PKI_SECURE_PORT_NAME = "Secure"; $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT; $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT; + # Set appropriate "clientAuth" parameter for "Port Separation" + $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "true"; + # Do NOT comment out the "Admin/EE" Ports $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = ""; $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = ""; @@ -2353,6 +2357,9 @@ my $PKI_SECURE_PORT_NAME = "Secure"; $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; + # Set appropriate "clientAuth" parameter for "Shared Ports" + $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent"; + # Comment out the "Admin/EE" Ports $slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT; $slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_CLOSE_COMMENT;; 
@@ -3613,44 +3620,61 @@ ASK_AGAIN: system( "$command" ); + # Notify user to check firewall settings . . . print( STDOUT - "Server can be operated with " - . "$pki_start_stop_command " - . "start | stop | restart\n\n" ); - emit( "Server can be operated with " - . "$pki_start_stop_command " - . "start | stop | restart\n", - "log" ); + "Before proceeding with the configuration, make sure \n" + . "the firewall settings of this machine permit proper \n" + . "access to this subsystem. \n\n"); # EXCEPTION: To enable a user to easily configure their PKI subsystem, # this is the ONLY instance in which we print out the actual # value of the the one-time random PIN, as well as store this # message at the end of the initialization log. - if( $ee_secure_port > 0 ) { - print( STDOUT - "Please start the configuration by accessing:\n" - . "https://$host:$ee_secure_port/$subsystem_type/admin/" - . "console/config/login?pin=$random\n\n" ); - emit( "Configuration Wizard listening on\n" - . "https://$host:$ee_secure_port/$subsystem_type/admin/" - . "console/config/login?pin=$random\n", - "log" ); - } else { + if( $subsystem_type eq $CA || + $subsystem_type eq $KRA || + $subsystem_type eq $OCSP || + $subsystem_type eq $TKS ) { + if( $admin_secure_port > 0 ) { + # Port Separation: CA, KRA, OCSP, TKS + print( STDOUT + "Please start the configuration by accessing:\n\n" + . "https://$host:$admin_secure_port/$subsystem_type/admin/" + . "console/config/login?pin=$random\n\n" ); + emit( "Configuration Wizard listening on\n" + . "https://$host:$admin_secure_port/$subsystem_type/admin/" + . "console/config/login?pin=$random\n", + "log" ); + } else { + # Shared Ports: CA, KRA, OCSP, TKS + print( STDOUT + "Please start the configuration by accessing:\n\n" + . "https://$host:$secure_port/$subsystem_type/admin/" + . "console/config/login?pin=$random\n\n" ); + emit( "Configuration Wizard listening on\n" + . "https://$host:$secure_port/$subsystem_type/admin/" + . 
"console/config/login?pin=$random\n",
+ "log" );
+ }
+ } else {
+ # Port Separation: RA, TPS
 print( STDOUT
- "Please start the configuration by accessing:\n"
- . "http://$host:$unsecure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n\n" );
+ "Please start the configuration by accessing:\n\n"
+ . "https://$host:$non_clientauth_secure_port/$subsystem_type/"
+ . "admin/console/config/login?pin=$random\n\n" );
 emit( "Configuration Wizard listening on\n"
- . "http://$host:$unsecure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n",
+ . "https://$host:$non_clientauth_secure_port/$subsystem_type/"
+ . "admin/console/config/login?pin=$random\n",
 "log" );
 }
- # Notify user to check firewall settings . . .
 print( STDOUT
- "Before proceeding with the configuration, make sure \n"
- . "the firewall settings of this machine permit proper \n"
- . "access to this subsystem. \n");
+ "After configuration, the server can be operated by the command:\n\n"
+ . " $pki_start_stop_command "
+ . "start | stop | restart\n\n" );
+ emit( "After configuration, the server can be operated by the command:\n"
+ . "$pki_start_stop_command "
+ . "start | stop | restart\n",
+ "log" );
 # If it exists, close the log file
 close_logfile( $logfile );
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index e3a828a13..707ba2217 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -209,7 +209,10 @@ sub update_domain()
 my $conf_file = $pki_instance_path . "/conf/CS.cfg";
 my $sport;
 my $ncsport;
- my $secport;
+ my $httpport;
+ my $seceeport;
+ my $secagentport;
+ my $secadminport;
 my $secselect;
 my $typeval;
 my $machinename;
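Review bot: The RA/TPS branch of the -3613 hunk prints `https://$host:$non_clientauth_secure_port/...` without the `> 0` guard the CA/KRA/OCSP/TKS branch applies to `$admin_secure_port`, so an unset or zero `$non_clientauth_secure_port` produces a URL with port 0 both on the console and in the install log. Suggest mirroring the check: `if( $non_clientauth_secure_port > 0 ) { ... } else { emit( "No non-clientauth secure port configured for $subsystem_type\n", "log" ); }`. Because the same line carries the one-time PIN into `$logfile`, the log's permissions are what protect that PIN until configuration completes, which is why the chmod added in the -1036 hunk matters. The enclosing block starts before this hunk.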
@@ -220,18 +223,34 @@ sub update_domain()
 foreach my $line (@conf_data) {
 chomp($line);
 (my $varname, my $valname) = split(/=/, $line);
+
+ if ($varname eq "cs.type") { $typeval = $valname; }
+ if ($varname eq "service.machineName") { $machinename = $valname; }
 if ($varname eq "service.securityDomainPort") { $sport = $valname; }
 if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; }
 if ($varname eq "securitydomain.host") { $sechost = $valname; }
- if ($varname eq "securitydomain.httpsport") { $secport = $valname; }
+ if ($varname eq "securitydomain.httpport") { $httpport = $valname; }
+ if ($varname eq "securitydomain.httpseeport") { $seceeport = $valname; }
+ if ($varname eq "securitydomain.httpsagentport") { $secagentport = $valname; }
+ if ($varname eq "securitydomain.httpsadminport") { $secadminport = $valname; }
 if ($varname eq "securitydomain.select") { $secselect = $valname; }
- if ($varname eq "cs.type") { $typeval = $valname; }
- if ($varname eq "machineName") { $machinename = $valname; }
- if ($varname =~ /[a-z]*.subsystem.nickname/) { $subsystemnick = $valname; }
+ # CA, KRA, OCSP, TKS
+ if ($varname =~ /[a-z]*.subsystem.nickname/) {
+ $subsystemnick = $valname;
+ }
+ # RA, TPS
+ if ($varname =~ /conn.[a-z]*.clientNickname/) {
+ $subsystemnick = $valname;
+ }
 }
 close(DAT);
- if ((!defined($sechost)) || (!defined($secport))) {
+ # NOTE: Don't check for the existence of "$httpport", as this will
+ # be undefined for a Security Domain that has been migrated!
+ if ((!defined($sechost)) ||
+ (!defined($seceeport)) ||
+ (!defined($secagentport)) ||
+ (!defined($secadminport))) {
 print (STDOUT "No security domain defined.\nIf this is an unconfigured instance, then that is OK.\n" . "Otherwise, manually delete the entry from the security domain master.\n" );
 return;
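Review bot: `split(/=/, $line)` with no limit truncates any CS.cfg value that itself contains `=` (URLs with query strings, base64 blobs), and the new nickname patterns `/[a-z]*.subsystem.nickname/` and `/conn.[a-z]*.clientNickname/` are unanchored with unescaped dots, so any key containing those substrings matches and, for a TPS with several `conn.*` entries, whichever appears last in the file wins. Suggest `(my $varname, my $valname) = split(/=/, $line, 2);` and anchored patterns such as `/\A[a-z]+\.subsystem\.nickname\z/` and `/\Aconn\.[a-z0-9]+\.clientNickname\z/`. Whether every `conn.*.clientNickname` in a TPS holds the same subsystem nickname is not visible here; if they can differ, the connector whose nickname is meant should be selected explicitly rather than by file order. update_domain continues outside this hunk.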
@@ -241,10 +260,12 @@ sub update_domain()
 # This is not a domain master, so we need to update the master
 print (STDOUT "Contacting the security domain master to update the security domain\n");
 my $listval = $typeval . "List";
- my $urlheader = "https://" . $sechost . ":" . $secport;
+ my $urlheader = "https://" . $sechost . ":" . $seceeport;
+ my $urlagentheader = "https://" . $sechost . ":" . $secagentport;
+ my $urladminheader = "https://" . $sechost . ":" . $secadminport;
 my $updateURL = "/ca/agent/ca/updateDomainXML";
- my $loginURL = "/ca/ee/ca/securityDomainLogin";
- my $cookieURL = "/ca/ee/ca/getCookie";
+ my $loginURL = "/ca/admin/ca/securityDomainLogin";
+ my $cookieURL = "/ca/admin/ca/getCookie";
 # Login to security domain
 use LWP;
@@ -257,8 +278,16 @@ sub update_domain()
 my @pw_data=<DAT>;
 foreach my $line (@pw_data) {
 chomp($line);
- (my $varname, my $valname) = split(/=/, $line);
- if ($varname eq "internal") { $intpw = $valname; }
+ if (($typeval eq "CA") ||
+ ($typeval eq "KRA") ||
+ ($typeval eq "OCSP") ||
+ ($typeval eq "TKS")) {
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq "internal") { $intpw = $valname; }
+ } else { # TPS, RA
+ (my $varname, my $valname) = split(/:/, $line);
+ if ($varname eq "internal") { $intpw = $valname; }
+ }
 }
 close($pwfile);
@@ -277,7 +306,7 @@ sub update_domain()
 #update domainXML
- $url = $urlheader . $updateURL;
+ $url = $urlagentheader . $updateURL;
 #$ENV{HTTPS_DEBUG} = 1;
 $ENV{HTTPS_PKCS12_FILE} = $tempfile;
 $ENV{HTTPS_PKCS12_PASSWORD} = $p12pw;
diff --git a/pki/base/silent/src/ca/ConfigureCA.java b/pki/base/silent/src/ca/ConfigureCA.java
index a85768e99..1dacffefa 100644
--- a/pki/base/silent/src/ca/ConfigureCA.java
+++ b/pki/base/silent/src/ca/ConfigureCA.java
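Review bot: The new TPS/RA branch in the -257 hunk parses password.conf with `split(/:/, $line)` and no limit, so an internal token password that contains `:` is silently truncated before it is used to log in to the security domain (the `=` branch has the same weakness); use `split(/:/, $line, 2)` and `split(/=/, $line, 2)`. The subsystem-type comparison is also re-evaluated for every line of the file; choosing the separator once before the loop, `my $pw_sep = ($typeval eq "CA" || $typeval eq "KRA" || $typeval eq "OCSP" || $typeval eq "TKS") ? qr/=/ : qr/:/;`, leaves a single `split($pw_sep, $line, 2)` in the loop. update_domain continues outside this hunk.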
@@ -61,8 +61,8 @@ public class ConfigureCA {
 public static String domain_uri = "/ca/ee/ca/domain";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
 public static String pkcs12_uri = "/ca/admin/console/config/savepkcs12";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String cs_hostname = null;
 public static String cs_port = null;
diff --git a/pki/base/silent/src/drm/ConfigureDRM.java b/pki/base/silent/src/drm/ConfigureDRM.java
index 1050cb59e..ae0130a62 100644
--- a/pki/base/silent/src/drm/ConfigureDRM.java
+++ b/pki/base/silent/src/drm/ConfigureDRM.java
@@ -58,8 +58,8 @@ public class ConfigureDRM
 public static String domain_uri = "/kra/ee/ca/domain";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/kra/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/silent/src/ocsp/ConfigureOCSP.java b/pki/base/silent/src/ocsp/ConfigureOCSP.java
index 2103229c0..f0ab09abc 100644
--- a/pki/base/silent/src/ocsp/ConfigureOCSP.java
+++ b/pki/base/silent/src/ocsp/ConfigureOCSP.java
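Review bot: `sd_login_uri` and `sd_get_cookie_uri` are moved from the `/ca/ee/` to the `/ca/admin/` path here and identically in ConfigureDRM, ConfigureOCSP, ConfigureRA, ConfigureSubCA, ConfigureTKS and ConfigureTPS, and every copy is a public static mutable field holding the same string. A single shared constant, for example `public static final String SD_LOGIN_URI = "/ca/admin/ca/securityDomainLogin";` in one common holder class, would keep the seven copies from drifting the next time these endpoints move. The code that issues the request is outside this hunk, so whether it now targets the CA's admin port rather than the EE port (which the path change presumably requires) cannot be confirmed here.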
@@ -57,8 +57,8 @@ public class ConfigureOCSP
 public static String wizard_uri = "/ocsp/admin/console/config/wizard";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/ocsp/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/silent/src/ra/ConfigureRA.java b/pki/base/silent/src/ra/ConfigureRA.java
index 06e4f0883..a4a1ba803 100644
--- a/pki/base/silent/src/ra/ConfigureRA.java
+++ b/pki/base/silent/src/ra/ConfigureRA.java
@@ -58,8 +58,8 @@ public class ConfigureRA
 public static String domain_uri = "/ra/ee/ca/domain";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/ra/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/silent/src/subca/ConfigureSubCA.java b/pki/base/silent/src/subca/ConfigureSubCA.java
index 4dc56d693..fa7737a3e 100644
--- a/pki/base/silent/src/subca/ConfigureSubCA.java
+++ b/pki/base/silent/src/subca/ConfigureSubCA.java
@@ -57,8 +57,8 @@ public class ConfigureSubCA
 public static String wizard_uri = "/ca/admin/console/config/wizard";
 public static String domain_uri = "/ca/ee/ca/domain";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/ca/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/silent/src/tks/ConfigureTKS.java b/pki/base/silent/src/tks/ConfigureTKS.java
index 32df24817..0b6ae2ebe 100644
--- a/pki/base/silent/src/tks/ConfigureTKS.java
+++ b/pki/base/silent/src/tks/ConfigureTKS.java
@@ -57,8 +57,8 @@ public class ConfigureTKS
 public static String wizard_uri = "/tks/admin/console/config/wizard";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/tks/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/silent/src/tps/ConfigureTPS.java b/pki/base/silent/src/tps/ConfigureTPS.java
index abfb321de..753caa5f3 100644
--- a/pki/base/silent/src/tps/ConfigureTPS.java
+++ b/pki/base/silent/src/tps/ConfigureTPS.java
@@ -58,8 +58,8 @@ public class ConfigureTPS
 public static String domain_uri = "/tps/ee/ca/domain";
 public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
 public static String pkcs12_uri = "/tps/admin/console/config/savepkcs12";
 public static String cs_hostname = null;
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 6de39a15f..7c1dcec58 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -6,24 +6,24 @@ _000=## _001=## File Created On : Mon Oct 10 15:57:03 PDT 2005 _002=## -pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID] -pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE] -pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT] -pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT] -pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT] -pkicreate.arg07.secure_port=[PKI_SECURE_PORT] -pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT] -pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT] -pkicreate.arg10.user=[PKI_USER] -pkicreate.arg11.group=[PKI_GROUP] +pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT] +pkicreate.pki_instance_name=[PKI_INSTANCE_ID] +pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE] +pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT] +pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT] +pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT] +pkicreate.secure_port=[PKI_SECURE_PORT] +pkicreate.unsecure_port=[PKI_UNSECURE_PORT] +pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT] +pkicreate.user=[PKI_USER] +pkicreate.group=[PKI_GROUP] installDate=[INSTALL_TIME] cs.type=TKS admin.interface.uri=tks/admin/console/config/wizard preop.admin.name=Token Key Service Manager Administrator preop.admin.group=Token Key Service Manager Agents preop.admincert.profile=caAdminCert -preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444 +preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 preop.wizard.name=TKS Setup Wizard preop.system.name=TKS preop.product.name=CS 
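Review bot: `preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445` hard-codes the security domain's admin port while every other port in this template is a `[PKI_*]` slot substituted by pkicreate; if the domain's CA was installed with a different admin port, the wizard's prefilled default will be wrong. Because this is the CA's port rather than the TKS's own, a slot may not fit, but the value deserves a comment: `# default admin port of the security domain CA; the wizard lets the user override it`. The old `preop.securitydomain.url` key is dropped rather than kept alongside the new one, so any reader of the old key outside this diff, if one exists, would now see an empty value.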
@@ -86,7 +86,12 @@ instanceRoot=[PKI_INSTANCE_PATH] machineName=[PKI_MACHINE_NAME] instanceId=[PKI_INSTANCE_ID] preop.pin=[PKI_RANDOM_NUMBER] -service.securePort=[PKI_SECURE_PORT] +service.machineName=[PKI_MACHINE_NAME] +service.instanceDir=[PKI_INSTANCE_ROOT] +service.securePort=[PKI_AGENT_SECURE_PORT] +service.non_clientauth_securePort=[PKI_EE_SECURE_PORT] +service.unsecurePort=[PKI_UNSECURE_PORT] +service.instanceID=[PKI_INSTANCE_ID] passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf passwordClass=com.netscape.cmsutil.password.PlainPasswordFile multiroles=true diff --git a/pki/base/tks/shared/conf/schema.ldif b/pki/base/tks/shared/conf/schema.ldif index 823543dcf..d61f83dd6 100644 --- a/pki/base/tks/shared/conf/schema.ldif +++ b/pki/base/tks/shared/conf/schema.ldif @@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115. dn: cn=schema changetype: modify add: attributeTypes +attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) dn: cn=schema 
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined dn: cn=schema changetype: modify add: objectClasses -objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' ) +objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) dn: cn=schema changetype: modify diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml index 7dd9f6ccd..58cd61666 100644 --- a/pki/base/tks/shared/conf/server.xml +++ b/pki/base/tks/shared/conf/server.xml @@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" - clientAuth="true" sslProtocol="SSL" + clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" diff --git a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml index 8e7a99ee9..d0ad44899 100644 
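Review bot: The `clientAuth="[PKI_AGENT_CLIENTAUTH]"` slot in the server.xml hunk carries no comment saying which values pkicreate substitutes (`true` for port separation and `agent` for shared ports, per the pkicreate hunks at -2326 and -2353), and if the slot is ever left unsubstituted the literal bracketed text reaches the connector. Suggest an XML comment above the Connector element: `<!-- clientAuth is filled in by pkicreate: "true" (port separation: every connection on this port needs a client certificate) or "agent" (shared ports) -->`. The `sslOptions` and cipher attributes below the change are unchanged context and not part of this hunk's change.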
--- a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml +++ b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml @@ -295,8 +295,6 @@ <param-value> services </param-value> </init-param> <init-param><param-name> templatePath </param-name> <param-value> /services.template </param-value> </init-param> - <init-param><param-name> interface </param-name> - <param-value> ee </param-value> </init-param> </servlet> <servlet> @@ -350,16 +348,30 @@ [PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <filter-mapping> <filter-name> PassThroughRequestFilter </filter-name> + <url-pattern> /ug </url-pattern> + <url-pattern> /log </url-pattern> + <url-pattern> /registry </url-pattern> + <url-pattern> /jobsScheduler </url-pattern> + <url-pattern> /acl </url-pattern> + <url-pattern> /server </url-pattern> + + <url-pattern> /services </url-pattern> + + <url-pattern> /start </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> <url-pattern> /agent/* </url-pattern> </filter-mapping> <filter-mapping> + <filter-mapping> <filter-name> AdminRequestFilter </filter-name> <url-pattern> /admin/* </url-pattern> <url-pattern> /auths </url-pattern> </filter-mapping> - <filter-mapping> <filter-name> EERequestFilter </filter-name> <url-pattern> /ee/* </url-pattern> </filter-mapping> diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg index 2dd000a20..814913b5d 100644 --- a/pki/base/tps/doc/CS.cfg +++ b/pki/base/tps/doc/CS.cfg 
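Review bot: As printed, the -350 hunk adds a second `<filter-mapping>` opening tag immediately after the existing one that precedes `AdminRequestFilter` and removes the opening tag before `EERequestFilter`, which nests the AdminRequestFilter mapping inside the EERequestFilter mapping instead of leaving two sibling elements; a deployment-descriptor parser will either reject the file or drop the nested `/admin/*` and `/auths` mapping, leaving those paths without AdminRequestFilter. The added `<filter-mapping>` line belongs before `<filter-name> EERequestFilter </filter-name>`, i.e. the removed and added lines should swap places. The new PassThroughRequestFilter patterns for `/ug`, `/log`, `/registry`, `/jobsScheduler`, `/acl`, `/server`, `/services` and `/start` also widen what bypasses the port-specific filters; a comment stating why each console path must be reachable on every connector would let a reviewer confirm that is intended.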
@@ -18,14 +18,14 @@ # All rights reserved. # --- END COPYRIGHT BLOCK --- # -pkicreate.arg01.pki_instance_root=[INSTANCE_ROOT] -pkicreate.arg02.pki_instance_name=[INSTANCE_ID] -pkicreate.arg03.subsystem_type=[SUBSYSTEM_TYPE] -pkicreate.arg04.secure_port=[SECURE_PORT] -pkicreate.arg05.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] -pkicreate.arg06.unsecure_port=[PORT] -pkicreate.arg07.user=[USERID] -pkicreate.arg08.group=[GROUPID] +pkicreate.pki_instance_root=[INSTANCE_ROOT] +pkicreate.pki_instance_name=[INSTANCE_ID] +pkicreate.subsystem_type=[SUBSYSTEM_TYPE] +pkicreate.secure_port=[SECURE_PORT] +pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT] +pkicreate.unsecure_port=[PORT] +pkicreate.user=[USERID] +pkicreate.group=[GROUPID] cs.type=TPS service.machineName=[SERVER_NAME] service.instanceDir=[SERVER_ROOT] @@ -371,7 +371,7 @@ preop.keysize._000=######################################### preop.keysize._001=# Installation configuration "preop" keysize parameters preop.keysize._002=######################################### preop.keysize.customsize=2048 -preop.keysize.select=custom +preop.keysize.select=default preop.keysize.size=2048 preop.keysize.ecc.size=256 op.enroll._000=######################################### diff --git a/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm index 5c03ddac4..6607abd1b 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm 
@@ -97,12 +97,12 @@ sub update
 my $cainfo = $::config->get("preop.ca.url");
 &PKI::TPS::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo");
 if ($cainfo eq "" || $cainfo =~ /:$/) {
- $cainfo = $::config->get("config.sdomainURL");
- &PKI::TPS::Wizard::debug_log("AdminPanel: config.sdomainURL=$cainfo");
+ $cainfo = $::config->get("config.sdomainEEURL");
+ &PKI::TPS::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo");
 }
 &PKI::TPS::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo");
 my $cainfo_url = new URI::URL($cainfo);
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
 my $sdom_url = new URI::URL($sdom);
 my $machineName = $::config->get("service.machineName");
@@ -130,15 +130,15 @@ sub update
 "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port;
- my $host = $cainfo_url->host;
- my $port = $cainfo_url->port;
+ my $ca_host = $cainfo_url->host;
+ my $https_ee_port = $cainfo_url->port;
 my $content = "";
 my $tmpfile = "/tmp/admin-$$";
 if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
 $content = `cat $tmpfile`;
 } else {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
 $content = `cat $tmpfile`;
 }
 system("rm $tmpfile");
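Review bot: In the -130 hunk the renamed `$ca_host:$https_ee_port` pair is still interpolated, together with `$db_password` or `$token_pwd`, into a single shell string handed to `system`, and the response travels through the predictable path `/tmp/admin-$$` that is then read with `` `cat $tmpfile` `` and removed via `system("rm $tmpfile")`. A host or parameter value containing shell metacharacters would alter the command, and the password is visible in the process argument list while sslget runs. Prefer the list form, `system('/usr/bin/sslget', '-e', $params, '-d', "$instanceDir/alias", '-p', $db_password, '-v', '-n', $nickname, '-r', '/ca/ee/ca/profileSubmit', "$ca_host:$https_ee_port")`, with stdout redirected to a `File::Temp` handle and `unlink $tmpfile` instead of shelling out for `cat` and `rm`. The same pattern recurs in CAInfoPanel (-115), DisplayCertChainPanel (-134, -212) and the ldapmodify call in AdminPanel (-183). update starts before and ends after this hunk.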
@@ -156,8 +156,8 @@ sub update
 my $admincert = $response->{Requests}->{Request}->{b64};
 &PKI::TPS::Wizard::debug_log("AdminPanel: admincert " . $admincert);
- $host = $::config->get("preop.database.host");
- $port = $::config->get("preop.database.port");
+ my $ldap_host = $::config->get("preop.database.host");
+ my $ldap_port = $::config->get("preop.database.port");
 my $basedn = $::config->get("preop.database.basedn");
 my $binddn = $::config->get("preop.database.binddn");
 # my $bindpwd = $::config->get("tokendb.bindPass");
@@ -183,7 +183,7 @@ sub update
 "-e 's/\$TOKENDB_AGENT_PWD/$password/' " .
 "-e 's/\$TOKENDB_AGENT_CERT/$admincert/' " .
 "/usr/share/$flavor/tps/scripts/addAgents.ldif > $tmp");
- system("$mozldap_path/ldapmodify -h '$host' -p '$port' -D '$binddn' " .
+ system("$mozldap_path/ldapmodify -h '$ldap_host' -p '$ldap_port' -D '$binddn' " .
 "-w '$bindpwd' -a " .
 "-f '$tmp'");
 system("rm $tmp");
diff --git a/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
index 9056e2ef1..eb789dc6b 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
@@ -83,29 +83,29 @@ sub update
 my $instanceID = $::config->get("service.instanceID");
 my $host = "";
- my $port = "";
+ my $https_ee_port = "";
 if ($count =~ /http/) {
 my $info = new URI::URL($count);
 $host = $info->host;
- $port = $info->port;
+ $https_ee_port = $info->port;
 } else {
 $host = $::config->get("preop.securitydomain.ca$count.host");
- $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
 }
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_ee_port eq "")) {
 $::symbol{errorString} = "no CA found. CA, TKS and optionally DRM must be installed prior to TPS installation";
 return 0;
 }
- &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - host= $host, port= $port");
+ &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port");
- $::config->put("preop.cainfo.select", "https://$host:$port");
+ $::config->put("preop.cainfo.select", "https://$host:$https_ee_port");
 my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname");
 my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
 $::config->put("conn.ca1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.ca1.hostport", $host . ":" . $port);
+ $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port);
 $::config->commit();
@@ -115,7 +115,7 @@ sub update
 my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
 $db_password =~ s/\n$//g;
 my $tmpfile = "/tmp/ca-$$";
- system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile");
 my $cmd = `cat $tmpfile`;
 system("rm $tmpfile");
 my $caCert;
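Review bot: In the -83 hunk `$host` and `$https_ee_port` come straight from the request parameter `urls` (`$count`) via `URI::URL` whenever it contains `http`, are stored in the config, and in the -115 hunk are interpolated into the `sslget` shell command; the only check is that neither is empty. Validate both before use, e.g. `return 0 unless $https_ee_port =~ /\A\d{1,5}\z/ && $host =~ /\A[A-Za-z0-9.-]+\z/;` placed after the `eq ""` test, setting `$::symbol{errorString}` on failure. In the non-URL branch `$count` is spliced directly into config keys (`preop.securitydomain.ca$count.host`), so it should be checked as a plain integer (`$count =~ /\A\d+\z/`) there as well. update starts before and ends after this hunk.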
@@ -164,10 +164,10 @@ sub display
 if ($host eq "") {
 goto DONE;
 }
- my $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
 my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
- my $item = $name . " - https://" . $host . ":" . $port;
-# my $item = "https://" . $host . ":" . $port;
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+# my $item = "https://" . $host . ":" . $https_ee_port;
 # unshift(@{$::symbol{urls}}, $item);
 $::symbol{urls}[$count++] = $item;
 if ($first eq 1) {
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
index 2533a12db..61d3fb52e 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
@@ -80,24 +80,24 @@ sub update
 my $count = $q->param('urls');
 my $instanceID = $::config->get("service.instanceID");
 my $host = "";
- my $port = "";
+ my $https_agent_port = "";
 if ($count =~ /http/) {
 my $info = new URI::URL($count);
 $host = $info->host;
- $port = $info->port;
+ $https_agent_port = $info->port;
 } else {
 $host = $::config->get("preop.securitydomain.kra$count.host");
- $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
 }
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_agent_port eq "")) {
 $::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to TPS installation";
 return 0;
 }
- $::config->put("preop.krainfo.select", "https://$host:$port");
+ $::config->put("preop.krainfo.select", "https://$host:$https_agent_port");
 my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
 $::config->put("conn.drm1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.drm1.hostport", $host . ":" . $port);
+ $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port);
 $::config->put("conn.tks1.serverKeygen", "true");
 $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
 $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
@@ -134,9 +134,9 @@ sub display
 if ($host eq "") {
 goto DONE;
 }
- my $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
 my $name = $::config->get("preop.securitydomain.kra$count.subsystemname");
- $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port;
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
 }
 DONE:
 $::symbol{urls_size} = $count;
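Review bot: The KRA is now located through `preop.securitydomain.kra$count.secureagentport`, a key that get_domain_xml fills from the `SecureAgentPort` attribute, which the schema change in this commit declares as MAY (optional); a KRA registered before this change, or one whose domain entry carries no agent port, leaves `$https_agent_port` empty and the panel reports the misleading "no DRM found". Suggest a fallback with a log line naming the real cause, e.g. `$https_agent_port = $::config->get("preop.securitydomain.kra$count.secureport") if $https_agent_port eq "";` followed by a debug_log saying the shared secure port was used — assuming shared-port KRAs advertise their single port as `SecurePort`, which I cannot confirm from here. The display hunk at -134 has the same dependency when it builds the URL list. update starts before and ends after this hunk.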
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
index 4b374575f..841d9dcc8 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
@@ -101,25 +101,25 @@ sub update
 $tmp = `rm $instanceDir/conf/caCert.der`;
 $tmp = `rm $instanceDir/conf/caCert_pp.txt`;
- # complete the SeucrityDomain task
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ # complete the SecurityDomain task
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
 return 2;
 }
 my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
 my $unsecurePort = $::config->get("service.unsecurePort");
 # check if url is accessible
 # redirect to the security domain authentication
 if ($ENV{'SERVER_PORT'} eq $unsecurePort) {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
 } else {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $securePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
 }
- get_domain_xml($sdomainURL);
+ get_domain_xml($sdomainAdminURL);
 return 3;
@@ -134,27 +134,27 @@ sub display
 &PKI::TPS::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain");
 my $instanceID = $::config->get("service.instanceID");
 my $instanceDir = $::config->get("service.instanceDir");
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
 return 2;
 }
 my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
 $db_password =~ s/\n$//g;
- my $url_info = new URI::URL($sdomainURL);
- my $host = $url_info->host;
- my $port = $url_info->port;
+ my $url_info = new URI::URL($sdomainAdminURL);
+ my $sd_host = $url_info->host;
+ my $sd_admin_port = $url_info->port;
 my $nickname = $::config->get("preop.cert.sslserver.nickname");
- my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getCertChain\" $host:$port`;
+ my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`;
- my $caCert;
+ my $caCert = "";
 if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
 $caCert = $1;
 &PKI::TPS::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert");
 }
- my $certpp;
+ my $certpp = "";
 if ($caCert ne "") {
 open(F, ">$instanceDir/conf/caCert.txt");
 print F $caCert;
@@ -198,13 +198,14 @@ sub display
 return 1;
 }
+
 sub get_domain_xml {
- my ($sdomainURL) = @_;
+ my ($sdomainAdminURL) = @_;
- my $sdom_info = new URI::URL($sdomainURL);
+ my $sdom_info = new URI::URL($sdomainAdminURL);
 # get the domain xml
- # e. g. - https://water.sfbay.redhat.com:9444/ca/ee/ca/getDomainXML
+ # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
 my $nickname = $::config->get("preop.cert.sslserver.nickname");
 my $instanceID = $::config->get("service.instanceID");
@@ -212,9 +213,9 @@ sub get_domain_xml my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`; $db_password =~ s/\n$//g; - my $host = $sdom_info->host; - my $port = $sdom_info->port; - my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getDomainXML\" $host:$port`; + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1; @@ -240,8 +241,40 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.ca" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.ca" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.ca" . $count . ".host", $c->{'Host'}[0]); + + # The user previously specified the CA Security Domain's + # SSL Admin URL in the "Security Domain Panel"; + # now retrieve this specified CA Security Domain's + # non-SSL EE, SSL Agent, and SSL EE URLs: + if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) { + # Build the URLs + my $http_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'UnSecurePort'}[0]; + my $https_agent_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecureAgentPort'}[0]; + my $https_ee_port = "https://" + . $c->{'Host'}[0] + . ":" + . $c->{'SecurePort'}[0]; + + # Store the URLs + $::config->put( "config.sdomainHttpURL", $http_ee_port ); + $::config->put( "config.sdomainAgentURL", $https_agent_port ); + $::config->put( "config.sdomainEEURL", $https_ee_port ); + } + $count++; } 
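Review bot: The context line right after the new `sslget` call, `$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1;`, never tests whether the match succeeded, so an empty or error response from the CA leaves `$1` holding whatever the last successful match captured (or undef) and the XML parse below runs on that. A fail-closed form would be `if ($content !~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/s) { &PKI::TPS::Wizard::debug_log("DisplayCertChainPanel: getDomainXML returned no XMLResponse"); return 0; } $content = $1;` (`/s` so a multi-line body still matches). Note that `update` above calls `get_domain_xml($sdomainAdminURL);` and ignores its return value, so the caller would need to check it too. `get_domain_xml` starts before and ends after this hunk.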
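Review bot: The new `if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] )` picks the CA whose URLs become `config.sdomainAgentURL` and `config.sdomainEEURL` by admin port alone and never compares `$sd_host` (in scope from earlier in `get_domain_xml`) with `$c->{'Host'}[0]`, so in a domain with several CAs on the same admin port the last match wins and later panels submit certificate requests and `updateDomainXML` to a CA other than the one the admin named. The test should be `if (($sd_host eq $c->{'Host'}[0]) && ($sd_admin_port eq $c->{'SecureAdminPort'}[0])) {`, keeping in mind that a short-name versus FQDN mismatch would then match nothing, in which case these three keys are never written and NamePanel, DonePanel and ImportAdminCertPanel read them back empty, so a debug log when the loop ends without a match is worth adding. Also, `$http_ee_port` is built with an `https://` scheme on `UnSecurePort` although the comment calls it the non-SSL EE URL; either use `http://` or, preferably, do not persist a plaintext endpoint at all.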
@@ -253,6 +286,12 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.tks" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.tks" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.tks" . $count . ".host", $c->{'Host'}[0]); $count++; @@ -266,6 +305,12 @@ sub get_domain_xml $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.kra" . $count . ".secureport", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureagentport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".secureadminport", + $c->{'SecureAdminPort'}[0]); + $::config->put("preop.securitydomain.kra" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.kra" . $count . ".host", $c->{'Host'}[0]); $count++; @@ -278,7 +323,11 @@ sub get_domain_xml $::config->put("preop.securitydomain.tps" . $count . ".subsystemname", $c->{'SubsystemName'}[0]); $::config->put("preop.securitydomain.tps" . $count . ".secureport", + $c->{'SecureAgentPort'}[0]); + $::config->put("preop.securitydomain.tps" . $count . ".non_clientauth_secure_port", $c->{'SecurePort'}[0]); + $::config->put("preop.securitydomain.tps" . $count . ".unsecureport", + $c->{'UnSecurePort'}[0]); $::config->put("preop.securitydomain.tps" . $count . ".host", $c->{'Host'}[0]); $count++; diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm index 5315c40c0..641ecf210 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm 
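Review bot: For TPS entries `preop.securitydomain.tps$count.secureport` now receives `SecureAgentPort`, while the CA, TKS and KRA loops above store `SecurePort` under the same `.secureport` suffix and put the agent port under `.secureagentport`, so readers can no longer rely on one meaning per suffix. Storing the TPS agent port as `".secureagentport"` as well, and naming the new key `.nonclientauthsecureport` in the style of the other suffixes rather than `.non_clientauth_secure_port`, would keep the key family uniform; `SubsystemTypePanel` in this commit is the only visible reader of the underscored key, so both sides must change together. Whether anything reads the TPS `.secureport` key is not visible here.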
@@ -90,13 +90,15 @@ sub register_tps &PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain"); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); &PKI::TPS::Wizard::debug_log("DonePanel: Security Domain Info " . $url); - # add service.securityDomainPort to the config file in case pkiremove needs to - # remove system reference from the security domain + # add service.securityDomainPort to the config file in case pkiremove + # needs to remove system reference from the security domain $::config->put("service.securityDomainPort", $securePort); $::config->commit(); @@ -182,7 +184,9 @@ sub get_kra_transport_cert my $krainfo_url = new URI::URL($krainfo); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); my $nickname = $::config->get("preop.cert.sslserver.nickname"); @@ -233,7 +237,9 @@ sub send_kra_transport_cert my $tksinfo_url = new URI::URL($tksinfo); my $machineName = $::config->get("service.machineName"); + my $unsecurePort = $::config->get("service.unsecurePort"); my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $session_id = $::config->get("preop.sessionID"); my $nickname = $::config->get("preop.cert.sslserver.nickname"); 
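Review bot: `my $unsecurePort` and `my $non_clientauth_securePort` are declared in `register_tps` but used nowhere in the hunk, and the same unused pair is added to `get_kra_transport_cert` and `send_kra_transport_cert` below; they read as either dead code or a port substitution that was planned and not made. Either drop the two declarations or, if `service.securityDomainPort` was meant to carry a different port for `pkiremove`, change the `put` accordingly and say so in the comment above it. All three subs begin before their hunks and continue past them, so a use further down cannot be ruled out from here.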
@@ -295,7 +301,7 @@ sub display } # Add this TPS's server certificate to the subsystems - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainEEURL"); my $cainfo = $::config->get("preop.cainfo.select"); $cainfo =~ s/.* - //g; ®ister_tps($sdom, $cainfo, "/ca/admin/ca/registerUser", "CA"); @@ -381,8 +387,9 @@ sub display &PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain"); my $machineName = $::config->get("service.machineName"); - my $securePort = $::config->get("service.securePort"); my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); my $instanceID = $::config->get("service.instanceID"); my $initCommand = ""; @@ -394,8 +401,9 @@ sub display } $::symbol{host} = $machineName; - $::symbol{port} = $securePort; $::symbol{unsecurePort} = $unsecurePort; + $::symbol{port} = $securePort; + $::symbol{non_clientauth_port} = $non_clientauth_securePort; $::symbol{initCommand} = $initCommand; $::config->deleteSubstore("preop."); diff --git a/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm index e14020d60..1112319ca 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm @@ -74,7 +74,7 @@ sub update &PKI::TPS::Wizard::debug_log("ImportAdminCertPanel: update"); # register to Security Domain - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainAgentURL"); my $sdom_url = new URI::URL($sdom); # 
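Review bot: `$sdom` is switched to `config.sdomainEEURL`, yet the path handed to `register_tps` on the next line is `/ca/admin/ca/registerUser`; elsewhere in this commit `getCertChain`, `getDomainXML` and `securityDomainLogin` were moved to the admin URL, so sending another `/ca/admin/` servlet to the EE port looks inconsistent and should be confirmed against the CA's servlet-to-port mapping. If the EE port really is intended (for instance because `register_tps` reads `preop.sessionID` rather than relying on client-cert auth), a comment such as `# registerUser is reached on the EE port despite its /ca/admin/ path` would stop the next reader from "fixing" it. `sub display` starts before and continues after this hunk.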
@@ -101,6 +101,18 @@ sub update my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`; + # Fetch the "updated" security domain and display it + &PKI::TPS::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . ."); + my $sdomainAdminURL = $::config->get("config.sdomainAdminURL"); + my $sdom_info = new URI::URL($sdomainAdminURL); + my $nickname = $::config->get("preop.cert.sslserver.nickname"); + my $sd_host = $sdom_info->host; + my $sd_admin_port = $sdom_info->port; + my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`; + $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; + $content = $1; + &PKI::TPS::Wizard::debug_log($content); + return 1; } diff --git a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm index 8baaafad2..9d8335a2e 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm 
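Review bot: `$content = $1;` in the added block is assigned without checking that the `XMLResponse` match succeeded, so a failed fetch logs a stale capture or undef, and the `sslget` that produced it is a second TLS round-trip, with `-p \"$db_password\"` on the command line, made only to feed the debug log. If the dump is wanted, guard the capture with `&PKI::TPS::Wizard::debug_log(($content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/s) ? $1 : "ImportAdminCertPanel: getDomainXML returned no XMLResponse");` and consider making the whole fetch conditional on a debug setting. Incidentally, the preceding context line interpolates `$sdom_url->host:$sdom_url->port` inside backticks, where Perl interpolates the object and the literal text `->host`, not a method call; the new block's explicit `$sd_host`/`$sd_admin_port` locals are the right pattern and that older line deserves the same treatment. `sub update` starts before this hunk.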
@@ -86,25 +86,25 @@ sub update &PKI::TPS::Wizard::debug_log("NamePanel: update - selected ca= $count"); my $host = ""; - my $port = ""; + my $https_ee_port = ""; my $useExternalCA = "off"; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; + $https_ee_port = $info->port; } else { $host = $::config->get("preop.securitydomain.ca$count.host"); if ($host eq "") { $useExternalCA = "on"; } else { - $port = $::config->get("preop.securitydomain.ca$count.secureport"); - &PKI::TPS::Wizard::debug_log("NamePanel: update - host= $host, port= $port"); + $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); + &PKI::TPS::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port"); } } $::config->put("preop.certenroll.useExternalCA", $useExternalCA); - $::config->put("preop.ca.url", "https://" . $host . ":" . $port); + $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port); my $tokenname = $::config->get("preop.module.token"); &PKI::TPS::Wizard::debug_log("NamePanel: update got token name = $tokenname"); @@ -240,7 +240,7 @@ GEN_CERT: # see if there is an existing cert my $cert = $::config->get("preop.cert.$certtag.cert"); - my $sdom = $::config->get("config.sdomainURL"); + my $sdom = $::config->get("config.sdomainEEURL"); my $sdom_url = new URI::URL($sdom); if (($useExternalCA eq "on") && ($certtag ne "subsystem")) { 
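Review bot: When `preop.securitydomain.ca$count.host` is empty the hunk sets `$useExternalCA = "on"` but leaves `$https_ee_port` as `""`, and the unconditional `$::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port);` then persists the literal `https://:` to CS.cfg; whether a later panel overwrites it is not visible here. Writing the key only for a real selection, e.g. `$::config->put("preop.ca.url", ($useExternalCA eq "on") ? "" : "https://$host:$https_ee_port");`, avoids leaving a half-formed URL that a later `new URI::URL` would happily parse. The `if ($count =~ /http/)` branch also accepts any scheme the admin typed and silently rewrites it to `https://`, which is fine but merits a one-line comment. `sub update` starts before and continues past this hunk.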
@@ -291,14 +291,14 @@ GEN_CERT: if ($certtag eq "subsystem") { $host = $sdom_url->host; - $port = $sdom_url->port; + $https_ee_port = $sdom_url->port; } if ($changed eq "true") { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; } else { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; } &PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req); @@ -479,9 +479,9 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.ca$count.secureport"); + my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); my $name = $::config->get("preop.securitydomain.ca$count.subsystemname"); - my $item = $name . " - https://" . $host . ":" . $port; + my $item = $name . " - https://" . $host . ":" . $https_ee_port; $::symbol{urls}[$count++] = $item; } 
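Review bot: Both `$req` strings place a secret on the `sslget` command line (`-p \"$token_pwd\"` or `-p \"$db_password\"`) and embed `$params` inside shell double quotes, where `$`, backticks and `"` stay active; `$params` is assembled before this hunk, so if any part of it (subject DN, SAN) comes from the form it needs shell-safe quoting before it reaches whatever executes `$req`. Masking the password in `$debug_req` protects the log but not the process table. A minimal hardening is to single-quote the parameter, `(my $shell_params = $params) =~ s/'/'\\''/g;`, and use `-e '$shell_params'` in both command strings. The `GEN_CERT:` section starts before and continues after this hunk, and how `$req` is executed is not visible.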
diff --git a/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm index 1027a5c39..700fc487e 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm @@ -25,6 +25,7 @@ use strict; use warnings; use PKI::TPS::GlobalVar; use PKI::TPS::Common; +use URI::URL; use XML::Simple; use Data::Dumper; @@ -77,7 +78,7 @@ sub display $::symbol{panelname} = "Security Domain"; $::symbol{sdomainName} = "Security Domain"; my $hostname = $::config->get("service.machineName"); - $::symbol{sdomainURL} = "https://" . $hostname . ":9444"; + $::symbol{sdomainAdminURL} = "https://" . $hostname . ":9445"; return 1; } @@ -89,15 +90,22 @@ sub update &PKI::TPS::Wizard::debug_log("SecurityPanel: update"); my $sdomainURL = $q->param("sdomainURL"); + my $sdomainURL_info = new URI::URL($sdomainURL); + if ($sdomainURL eq "") { &PKI::TPS::Wizard::debug_log("SecurityPanel: sdomainURL not found"); - $::symbol{errorString} = "Security Domain URL not found"; + $::symbol{errorString} = "Security Domain HTTPS Admin URL not found"; return 0; } - # save url in CS.cfg + # save urls in CS.cfg &PKI::TPS::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL); - $::config->put("config.sdomainURL", $sdomainURL); + $::config->put("config.sdomainAdminURL", $sdomainURL); + + # Add values necessary for 'pkiremove' . . . + $::config->put("securitydomain.select", "existing"); + $::config->put("securitydomain.host", $sdomainURL_info->host); + $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port); $::config->commit(); return 1; diff --git a/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm index eb1fc6c30..3f8151fe2 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm 
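Review bot: The admin-supplied `sdomainURL` is persisted as `config.sdomainAdminURL`, and its host and port as `securitydomain.host`/`securitydomain.httpsadminport`, after only an emptiness check, yet every later panel interpolates those values into `sslget` shell commands and browser redirects, so this is the one place to validate them. Now that `URI::URL` is imported, add after the emptiness check `if (($sdomainURL_info->scheme ne "https") || ($sdomainURL_info->host eq "") || ($sdomainURL_info->port !~ /\A\d{1,5}\z/)) { $::symbol{errorString} = "Security Domain HTTPS Admin URL must be https://host:port"; return 0; }`, checking `scheme` first so `host` is only called on an https URL. Also move `my $sdomainURL_info = new URI::URL($sdomainURL);` below the emptiness check rather than constructing it from a possibly empty value. The display symbol was renamed to `sdomainAdminURL` while `update` still reads the `sdomainURL` parameter, so the template's form field must not have been renamed with it; that is not visible here.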
@@ -210,11 +210,11 @@ sub display #for "common key settings" my $select = $::config->get("preop.keysize.select"); - if ($select ne "") { + if (($select eq "") || ($select eq "default")) { + $::symbol{select} = "default"; + } else { &PKI::TPS::Wizard::debug_log("SizePanel: display keysize select= $select"); $::symbol{select} = $select; - } else { - $::symbol{select} = "default"; } my $default_size = $::config->get("preop.keysize.size"); if ($default_size eq "") { diff --git a/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm index dba4aa33a..d36ef8faf 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm @@ -75,7 +75,9 @@ sub update $::symbol{subsystemName} = "Token Processing System"; $::symbol{fullsystemname} = "Token Processing System "; $::symbol{machineName} = "localhost"; + $::symbol{http_port} = "7888"; $::symbol{https_port} = "7889"; + $::symbol{non_clientauth_https_port} = "7890"; $::symbol{check_clonesubsystem} = " "; $::symbol{check_newsubsystem} = " "; $::symbol{disableClone} = 1; @@ -96,12 +98,15 @@ sub display $::symbol{fullsystemname} = "Token Processing System "; my $machineName = $::config->get("service.machineName"); - my $securePort = $::config->get("service.securePort"); my $unsecurePort = $::config->get("service.unsecurePort"); + my $securePort = $::config->get("service.securePort"); + my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort"); $::symbol{machineName} = $machineName; + $::symbol{http_port} = $unsecurePort; $::symbol{https_port} = $securePort; + $::symbol{non_clientauth_https_port} = $non_clientauth_securePort; $::symbol{check_clonesubsystem} = ""; $::symbol{check_newsubsystem} = "checked "; 
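Review bot: `sub update` now hard-codes `$::symbol{http_port} = "7888"`, `"7889"` and `"7890"` while `sub display` in the next hunk reads the same three values from `service.unsecurePort`, `service.securePort` and `service.non_clientauth_securePort`, so an instance created with non-default ports (the situation Bug #492735 describes) shows correct ports on display and wrong ones after update. Read them from `$::config` in both places, e.g. `$::symbol{http_port} = $::config->get("service.unsecurePort");` and likewise for the two HTTPS ports, or add a comment explaining why `update` deliberately shows defaults. `sub update` starts before and continues past this hunk.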
@@ -116,7 +121,7 @@ sub display
         if ($host eq "") {
             goto DONE;
         }
-        my $port = $::config->get("preop.securitydomain.tps$count.secureport");
+        my $port = $::config->get("preop.securitydomain.tps$count.non_clientauth_secure_port");
         my $name = $::config->get("preop.securitydomain.tps$count.subsystemname");
         unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port);
         $count++;
diff --git a/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
index bfdaa0ed6..8a85b13c5 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
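Review bot: `preop.securitydomain.tps$count.non_clientauth_secure_port` is a key this same commit introduces (written by `DisplayCertChainPanel::get_domain_xml` from the domain XML's `SecurePort`), so a domain entry that lacks it yields a `$port` of `""` and the clone list then offers `https://host:` as a selectable source. Guard the push, `unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port) if ($port ne "");`, and log the skipped entry. The loop containing this hunk starts before it, so how `$count` is driven is not visible.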
@@ -78,28 +78,28 @@ sub update my $instanceID = $::config->get("service.instanceID"); my $host = ""; - my $port = ""; + my $https_agent_port = ""; if ($count =~ /http/) { my $info = new URI::URL($count); $host = $info->host; - $port = $info->port; - if (($host eq "") || ($port eq "")) { + $https_agent_port = $info->port; + if (($host eq "") || ($https_agent_port eq "")) { $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation"; return 0; } $::config->put("preop.tksinfo.select", $count); } else { $host = $::config->get("preop.securitydomain.tks$count.host"); - $port = $::config->get("preop.securitydomain.tks$count.secureport"); - if (($host eq "") || ($port eq "")) { + $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); + if (($host eq "") || ($https_agent_port eq "")) { $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation"; return 0; } - $::config->put("preop.tksinfo.select", "https://$host:$port"); + $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port"); } my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname"); $::config->put("conn.tks1.clientNickname", $subsystemCertNickName); - $::config->put("conn.tks1.hostport", $host . ":" . $port); + $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port); $::config->commit(); return 1; @@ -116,9 +116,9 @@ sub display if ($host eq "") { goto DONE; } - my $port = $::config->get("preop.securitydomain.tks$count.secureport"); + my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport"); my $name = $::config->get("preop.securitydomain.tks$count.subsystemname"); - $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port; + $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; } DONE: $::symbol{urls_size} = $count; |
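Review bot: In the `$count =~ /http/` branch the user-typed URL is stored verbatim as `preop.tksinfo.select` while the `else` branch stores the normalised `https://$host:$https_agent_port`, and neither branch checks `$info->scheme`, so an `http://` value is accepted and its host:port lands in `conn.tks1.hostport`, presumably the TKS endpoint the running TPS uses. Normalise both branches the same way, `$::config->put("preop.tksinfo.select", "https://$host:$https_agent_port");`, and reject non-https input in the URL branch through the existing error path, since the renamed `$https_agent_port` documents that only the TLS agent port is acceptable. Whether the consumer of `conn.tks1.hostport` always speaks TLS regardless of the typed scheme is not visible here. `sub update` starts before this hunk.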