-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java71
-rw-r--r--base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java29
2 files changed, 80 insertions, 20 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
index 883ab3779..355e744a3 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
@@ -20,6 +20,8 @@ package org.dogtagpki.server.ca.rest;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.util.StringTokenizer;
import netscape.ldap.LDAPAttribute;
@@ -39,7 +41,6 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
import com.netscape.cmscore.base.LDAPConfigStore;
import com.netscape.cmscore.profile.LDAPProfileSubsystem;
-
/**
* @author alee
*
@@ -55,9 +56,9 @@ public class CAInstallerService extends SystemConfigService {
super.finalizeConfiguration(request);
try {
- if (!request.isClone()) {
- ConfigurationUtils.updateNextRanges();
- }
+ if (!request.isClone()) {
+ ConfigurationUtils.updateNextRanges();
+ }
} catch (Exception e) {
CMS.debug(e);
@@ -75,6 +76,10 @@ public class CAInstallerService extends SystemConfigService {
cs.putString("securitydomain.select", "new");
}
+ if (request.isClone()) {
+ disableCRLCachingAndGenerationForClone(request);
+ }
+
} catch (Exception e) {
CMS.debug(e);
throw new PKIException("Errors in determining if security domain host is a master CA");
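Review bot: The added `disableCRLCachingAndGenerationForClone(request)` call declares `MalformedURLException`, but it lands in this `catch (Exception e)` whose rethrown message is "Errors in determining if security domain host is a master CA", so a bad clone URI would be reported as a security-domain problem. Either move the call out of this try block or catch `MalformedURLException` separately before the generic handler, e.g. `} catch (MalformedURLException e) { CMS.debug(e); throw new PKIException("Invalid clone URI in configuration request"); }`. The try block this catch belongs to starts outside the hunk, so the exact placement needs checking against the full method.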
@@ -105,16 +110,16 @@ public class CAInstallerService extends SystemConfigService {
/**
* Import profiles from the filesystem into the database.
*
- * @param configRoot Where to look for the profile files. For a
- * fresh installation this should be
- * "/usr/share/pki". For existing installations it
- * should be CMS.getConfigStore().getString("instanceRoot").
+ * @param configRoot Where to look for the profile files. For a
+ * fresh installation this should be
+ * "/usr/share/pki". For existing installations it
+ * should be CMS.getConfigStore().getString("instanceRoot").
*
*/
public void importProfiles(String configRoot)
throws EBaseException, ELdapException {
IPluginRegistry registry = (IPluginRegistry)
- CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+ CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
IConfigStore profileCfg = cs.getSubStore("profile");
String profileIds = profileCfg.getString("list", "");
StringTokenizer st = new StringTokenizer(profileIds, ",");
@@ -146,10 +151,10 @@ public class CAInstallerService extends SystemConfigService {
/**
* Import one profile from the filesystem into the database.
*
- * @param dbFactory LDAP connection factory.
- * @param classId The profile class of the profile to import.
- * @param profileId The ID of the profile to import.
- * @param profilePath Path to the on-disk profile configuration.
+ * @param dbFactory LDAP connection factory.
+ * @param classId The profile class of the profile to import.
+ * @param profileId The ID of the profile to import.
+ * @param profilePath Path to the on-disk profile configuration.
*/
public void importProfile(
ILdapConnFactory dbFactory, String classId,
@@ -160,15 +165,15 @@ public class CAInstallerService extends SystemConfigService {
String dn = "cn=" + profileId + ",ou=certificateProfiles,ou=ca," + basedn;
- String[] objectClasses = {"top", "certProfile"};
+ String[] objectClasses = { "top", "certProfile" };
LDAPAttribute[] createAttrs = {
- new LDAPAttribute("objectclass", objectClasses),
- new LDAPAttribute("cn", profileId),
- new LDAPAttribute("classId", classId)
+ new LDAPAttribute("objectclass", objectClasses),
+ new LDAPAttribute("cn", profileId),
+ new LDAPAttribute("classId", classId)
};
IConfigStore configStore = new LDAPConfigStore(
- dbFactory, dn, createAttrs, "certProfileConfig");
+ dbFactory, dn, createAttrs, "certProfileConfig");
try {
FileInputStream input = new FileInputStream(profilePath);
@@ -181,4 +186,34 @@ public class CAInstallerService extends SystemConfigService {
configStore.commit(false /* no backup */);
}
+
+ private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
+
+ CMS.debug("CAInstallerService:disableCRLCachingAndGenerationForClone entering.");
+ if (!data.isClone())
+ return;
+
+ //Now add some well know entries that we need to disable CRL functionality.
+ //With well known values to disable and well known master CRL ID.
+
+ cs.putInteger("ca.certStatusUpdateInterval", 0);
+ cs.putBoolean("ca.listenToCloneModifications", false);
+ cs.putBoolean("ca.crl.MasterCRL.enableCRLCache", false);
+ cs.putBoolean("ca.crl.MasterCRL.enableCRLUpdates", false);
+
+ String cloneUri = data.getCloneUri();
+ URL url = null;
+
+ url = new URL(cloneUri);
+
+ String masterHost = url.getHost();
+ int masterPort = url.getPort();
+
+ CMS.debug("CAInstallerService:disableCRLCachingAndGenerationForClone: masterHost: " + masterHost
+ + " masterPort: " + masterPort);
+
+ cs.putString("master.ca.agent.host", masterHost);
+ cs.putInteger("master.ca.agent.port", masterPort);
+
+ }
}
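Review bot: `url.getPort()` returns -1 when the clone URI carries no explicit port, so `master.ca.agent.port` would be stored as -1 in the config store; use `int masterPort = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();` or reject a URI without a port. The `URL url = null;` followed by a separate assignment can be collapsed to `URL url = new URL(cloneUri);`, and the `isClone()` guard at the top duplicates the check the caller already makes (harmless, but worth a comment if intentional). The method also lacks Javadoc; a header such as `/** Disables CRL cache/update generation on a clone and records the master CA agent host/port parsed from the clone URI. */` with an `@throws MalformedURLException if the clone URI cannot be parsed` line would document the contract. Whether these `cs.put*` writes are committed is not visible in this hunk — presumably the caller commits later.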
diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
index aaeeb346b..4b0fe0d2a 100644
--- a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
+++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPInstallerService.java
@@ -32,6 +32,8 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
*/
public class OCSPInstallerService extends SystemConfigService {
+ private static final int DEF_REFRESH_IN_SECS_FOR_CLONE = 14400; // CRL Publishing schedule
+
public OCSPInstallerService() throws EBaseException {
}
@@ -47,17 +49,40 @@ public class OCSPInstallerService extends SystemConfigService {
// configure the CRL Publishing to OCSP in CA
if (!ca_host.equals("")) {
CMS.reinit(IOCSPAuthority.ID);
- ConfigurationUtils.importCACertToOCSP();
+ if (!request.isClone())
+ ConfigurationUtils.importCACertToOCSP();
+ else
+ CMS.debug("OCSPInstallerService: Skipping importCACertToOCSP for clone.");
if (!request.getStandAlone()) {
- ConfigurationUtils.updateOCSPConfig();
+
+ // For now don't register publishing with the CA for a clone.
+ // Preserves existing functionality
+ // Next we need to treat the publishing of clones as a group ,
+ // and fail over amongst them.
+ if (!request.isClone())
+ ConfigurationUtils.updateOCSPConfig();
+
ConfigurationUtils.setupClientAuthUser();
}
}
+ if (request.isClone()) {
+ configureCloneRefresh(request);
+ }
+
} catch (Exception e) {
CMS.debug(e);
throw new PKIException("Errors in configuring CA publishing to OCSP: " + e);
}
}
+
+ private void configureCloneRefresh(ConfigurationRequest request) {
+ if (request == null || !request.isClone())
+ return;
+
+ //Set well know default value for OCSP clone
+ cs.putInteger("ocsp.store.defStore.refreshInSec", DEF_REFRESH_IN_SECS_FOR_CLONE);
+
+ }
}
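Review bot: `configureCloneRefresh` has no Javadoc and the new single-statement `if`/`else` branches around `importCACertToOCSP()` and `updateOCSPConfig()` are unbraced, unlike the braced `if` blocks elsewhere in this method; a header like `/** Sets the default OCSP store refresh interval for a clone; no-op for a non-clone or null request. */` and braces on both branches would match the surrounding style. The `request == null` guard here also differs from the CA-side clone helper in this commit, which does not null-check — pick one convention for both. The enclosing try block starts outside the hunk, and whether `cs.putInteger` is committed afterwards is not visible here.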