-rw-r--r--base/deploy/config/pkideployment.cfg3
-rw-r--r--base/deploy/src/scriptlets/pkijython.py50
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py152
3 files changed, 54 insertions, 151 deletions
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 6630907a7..13f6f2f31 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -27,6 +27,7 @@ pki_token_password=
## 'common' data values which are left undefined. ##
###############################################################################
[Common]
+pki_admin_cert_file=
pki_admin_cert_request_type=crmf
pki_admin_domain_name=
pki_admin_dualkey=False
@@ -78,6 +79,7 @@ pki_subsystem_nickname=
pki_subsystem_subject_dn=
pki_subsystem_token=
pki_token_name=internal
+pki_use_common_admin_user=true
pki_user=pkiuser
###############################################################################
## 'Apache' Data: ##
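Review bot: `pki_use_common_admin_user=true` in [Common] switches every subsystem except the CA (which overrides it to `false` in the next hunk) to reading its administrator certificate from `pki_admin_cert_file` instead of requesting a new one, yet nothing in the file says what that file must contain or where it comes from. A comment above the key in the style of this file would carry that, e.g. `## Reuse an existing (CA) admin certificate from pki_admin_cert_file ##`. `pki_admin_cert_file=` is left empty here and, judging by the pkiparser hunk, falls back to a path under pki_database_path, which presumably only holds the CA's certificate when the CA instance was deployed on the same host; stating that assumption next to the key would save a failed deployment later.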
@@ -162,6 +164,7 @@ pki_ocsp_signing_token=
pki_subordinate=False
pki_subsystem=CA
pki_subsystem_name=
+pki_use_common_admin_user=false
###############################################################################
## 'KRA' Data: ##
## ##
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e6098b01a..595dde2fc 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -350,25 +350,34 @@ class rest_client:
data.setAdminPassword(self.sensitive['pki_admin_password'])
data.setAdminProfileID(self.master['pki_admin_profile_id'])
data.setAdminUID(self.master['pki_admin_uid'])
- data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
- if self.master['pki_admin_cert_request_type'] == "crmf":
- data.setAdminCertRequestType("crmf")
- if config.str2bool(self.master['pki_admin_dualkey']):
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "true")
- else:
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "false")
- data.setAdminCertRequest(crmf_request)
+ if config.str2bool(self.master['pki_use_common_admin_user']):
+ data.setUseCommonAdmin("true")
+ # read config from file
+ f = open(self.master['pki_admin_cert_file'])
+ b64 = f.read().replace('\n','')
+ f.close()
+ data.setAdminCert(b64)
else:
- javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
- javasystem.exit(1)
+ data.setUseCommonAdmin("false")
+ data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
+ if self.master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(self.master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
def create_system_cert(self, tag):
cert = SystemCertData()
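Review bot: The common-admin branch reads the certificate with `f = open(self.master['pki_admin_cert_file'])` and no protection around it: an exception from `read()` leaves the handle open, and an empty or missing-content file silently sends `setAdminCert("")` to the server instead of failing here, where the cause is visible. Wrapping the read in try/finally and rejecting empty content keeps the failure local; `.replace('\n','')` alone also leaves `\r` in place for a CRLF file, so dropping both is safer. Whether `setAdminCert` expects bare base64 or a PEM block with BEGIN/END lines is not visible in this hunk — if bare base64, those header lines would need stripping too. The enclosing method starts before this hunk.
```python
        if config.str2bool(self.master['pki_use_common_admin_user']):
            data.setUseCommonAdmin("true")
            # read the shared admin certificate from file; fail here,
            # not on the server, if it is unreadable or empty
            f = open(self.master['pki_admin_cert_file'])
            try:
                b64 = f.read().replace('\r', '').replace('\n', '')
            finally:
                f.close()
            if not b64:
                raise IOError("empty admin certificate file: " +
                              self.master['pki_admin_cert_file'])
            data.setAdminCert(b64)
        # … unchanged: per-instance admin branch (CRMF request) …
```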
@@ -569,13 +578,14 @@ class rest_client:
javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
cdata.getRequest())
# Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(master['pki_clone']):
+ if not config.str2bool(master['pki_clone']) and \
+ not config.str2bool(master['pki_use_common_admin_user']):
admin_cert = response.getAdminCert().getCert()
javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
" " + admin_cert)
# Store the Administration Certificate in a file
admin_cert_file = os.path.join(
- master['pki_client_dir'],
+ master['pki_database_path'],
master['pki_client_admin_cert'])
admin_cert_bin_file = admin_cert_file + ".der"
javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
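Review bot: The admin certificate is now written to `master['pki_database_path']` under the name `master['pki_client_admin_cert']`, while the reader side in compose_pki_master_dictionary defaults `pki_admin_cert_file` to `pki_database_path + "/ca_admin.cert"`; whether those two names agree is not visible on this page, and if they differ a non-CA subsystem deployed with the common-admin option will not find the file the CA wrote. Having the parser derive `pki_admin_cert_file` from `pki_client_admin_cert` (or both from one key) would remove the hidden coupling. A comment above the `os.path.join` such as `# saved beside the NSS server databases so a later subsystem can reuse it as its common admin cert` would document why the location changed from pki_client_dir. The enclosing method starts and ends outside this hunk.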
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 4f2757359..e5be21670 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -1395,6 +1395,15 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_database_path'] + "/" +\
config.pki_master_dict['pki_subsystem'].lower() + "_" +\
"admin" + "_" + "cert" + "." + "p12"
+
+ # the admin cert is stored with the NSS server databases
+ # in case we want to use a common admin user cert
+ if not 'pki_admin_cert_file' in config.pki_master_dict or\
+ not len(config.pki_master_dict['pki_admin_cert_file']):
+ config.pki_master_dict['pki_admin_cert_file'] =\
+ config.pki_master_dict['pki_database_path'] +\
+ "/ca_admin.cert"
+
# Jython scriptlet name/value pairs
config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
os.path.join(sys.prefix,
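Review bot: The new default is gated by `if not 'pki_admin_cert_file' in config.pki_master_dict or not len(config.pki_master_dict['pki_admin_cert_file'])`, which reads as two negated tests where one `get` does the job, and the path is built with string concatenation while the surrounding code uses `os.path.join`. The equivalent `if not config.pki_master_dict.get('pki_admin_cert_file'):` followed by `config.pki_master_dict['pki_admin_cert_file'] = os.path.join(config.pki_master_dict['pki_database_path'], "ca_admin.cert")` is shorter and consistent with its neighbours. The comment above it might also say that the `ca_` prefix is fixed on purpose because the common admin certificate is always the CA's, if that is the intent — it is not stated anywhere in this change. compose_pki_master_dictionary continues outside this hunk.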
@@ -1635,138 +1644,19 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_admin_name'] + "@" +\
config.pki_master_dict['pki_dns_domainname']
if not len(config.pki_master_dict['pki_admin_nickname']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_nickname'] =\
- "RA Administrator's" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TPS Administrator's" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- "External CA ID"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict\
- ['pki_security_domain_name'] + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_nickname'] =\
- "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_nickname'] =\
- "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
+ config.pki_master_dict['pki_admin_nickname'] =\
+ "PKI Administrator's " +\
+ config.pki_master_dict['pki_security_domain_name'] +\
+ " ID"
+ if not 'pki_use_common_admin_user' in config.pki_master_dict:
+ config.pki_master_dict['pki_use_common_admin_user'] = 'false'
+
if not len(config.pki_master_dict['pki_admin_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "RA Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TPS Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" + "External CA"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=PKI Administrator" +\
+ ",e=" + config.pki_master_dict['pki_admin_email'] +\
+ ",o=" + config.pki_master_dict['pki_security_domain_name']
+
# Jython scriptlet
# 'CA Signing Certificate' Configuration name/value pairs
#
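Review bot: The new default `config.pki_master_dict['pki_use_common_admin_user'] = 'false'` appears, as laid out here, to sit inside the `if not len(config.pki_master_dict['pki_admin_nickname'])` branch (indentation is not preserved on this page); if so, a deployment that supplies its own nickname but omits the new key never receives the default, and the `self.master['pki_use_common_admin_user']` lookup in pkijython.py raises KeyError. It belongs at the function's own indentation with the other defaults, written `if 'pki_use_common_admin_user' not in config.pki_master_dict:`. Separately, the replacement subject DN `cn=PKI Administrator,e=...,o=...` drops the `uid=` RDN that every removed branch carried, and the new nickname no longer includes the instance id — whether the server maps the admin user by uid, or the NSS database relies on the instance id to keep nicknames distinct, is not visible here, so both are worth confirming against the consumers before this goes in. compose_pki_master_dictionary continues past this hunk.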