-rw-r--r-- | pki/base/silent/src/drm/ConfigureDRM.java | 212 | ||||
-rwxr-xr-x | pki/base/silent/templates/pki_silent.template | 105 |
2 files changed, 268 insertions, 49 deletions
diff --git a/pki/base/silent/src/drm/ConfigureDRM.java b/pki/base/silent/src/drm/ConfigureDRM.java
index 7247bb7e1..112d0c7a0 100644
--- a/pki/base/silent/src/drm/ConfigureDRM.java
+++ b/pki/base/silent/src/drm/ConfigureDRM.java
@@ -143,7 +143,15 @@ public class ConfigureDRM
     public static String subsystem_name = null;
-
+    // cloning
+    public static boolean clone = false;
+    public static String clone_uri = null;
+    public static String clone_p12_passwd = null;
+    public static String clone_p12_file = null;
+
+    //for correct selection of CA to be cloned
+    public static String urls;
+
     public ConfigureDRM () {
         // do nothing :)
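Review bot: The comment on the new `urls` field says "CA to be cloned", but ConfigureDRM clones a KRA, and unlike its neighbours the field has no explicit initialiser; suggest `// URL of the master KRA, taken from the security domain's option list in SecurityDomainLoginPanel()` and `public static String urls = null;`. Like the rest of the class these are public static mutable fields, so `clone_p12_passwd` keeps the PKCS#12 password readable process-wide for the whole run; that matches how `sd_admin_password` is already held here, so it is worth a one-line comment rather than a change in this commit.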
@@ -291,47 +299,62 @@ public class ConfigureDRM public boolean SecurityDomainLoginPanel() { - boolean st = false; - HTTPResponse hr = null; - ByteArrayInputStream bais = null; - ParseXML px = new ParseXML(); - + try { + boolean st = false; + HTTPResponse hr = null; + ByteArrayInputStream bais = null; + ParseXML px = new ParseXML(); - String kra_url = "https://" + cs_hostname + ":" + cs_port + + String kra_url = "https://" + cs_hostname + ":" + cs_port + "/kra/admin/console/config/wizard" + "?p=5&subsystem=KRA" ; - String query_string = "url=" + URLEncoder.encode(kra_url); + String query_string = "url=" + URLEncoder.encode(kra_url); - hr = hc.sslConnect(sd_hostname,sd_admin_port,sd_login_uri,query_string); + hr = hc.sslConnect(sd_hostname,sd_admin_port,sd_login_uri,query_string); - String query_string_1 = "uid=" + sd_admin_name + + String query_string_1 = "uid=" + sd_admin_name + "&pwd=" + sd_admin_password + "&url=" + URLEncoder.encode(kra_url) ; - hr = hc.sslConnect(sd_hostname,sd_admin_port,sd_get_cookie_uri, + hr = hc.sslConnect(sd_hostname,sd_admin_port,sd_get_cookie_uri, query_string_1); - // get session id from security domain + // get session id from security domain - String kra_session_id = hr.getContentValue("header.session_id"); - String kra_url_1 = hr.getContentValue("header.url"); + String kra_session_id = hr.getContentValue("header.session_id"); + String kra_url_1 = hr.getContentValue("header.url"); - System.out.println("KRA_SESSION_ID=" + kra_session_id); - System.out.println("KRA_URL=" + kra_url_1); + System.out.println("KRA_SESSION_ID=" + kra_session_id); + System.out.println("KRA_URL=" + kra_url_1); - // use session id to connect back to KRA + // use session id to connect back to KRA - String query_string_2 = "p=5" + + String query_string_2 = "p=5" + "&subsystem=KRA" + "&session_id=" + kra_session_id + "&xml=true" ; - hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri, + hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri, query_string_2); - return 
true; + // parse urls + urls = hr.getHTML(); + int indx = urls.indexOf(clone_uri); + if (indx < 0) { + throw new Exception("Invalid clone_uri"); + } + urls = urls.substring(urls.lastIndexOf("<option" , indx), indx); + urls = urls.split("\"")[1]; + System.out.println("urls =" + urls); + + return true; + } catch (Exception e) { + System.out.println("Exception in SecurityDomainLoginPanel(): " + e.toString()); + e.printStackTrace(); + return false; + } } public boolean SubsystemPanel() @@ -340,11 +363,17 @@ public class ConfigureDRM HTTPResponse hr = null; ByteArrayInputStream bais = null; ParseXML px = new ParseXML(); - - String query_string = "p=5" + "&op=next" + "&xml=true" + - "&subsystemName=" + - URLEncoder.encode(subsystem_name) + - "&choice=newsubsystem" ; + String query_string = null; + if (!clone) { + query_string = "p=5" + "&op=next" + "&xml=true" + + "&choice=newsubsystem" + "&subsystemName=" + + URLEncoder.encode(subsystem_name); + } else { + query_string = "p=5" + "&op=next" + "&xml=true" + + "&choice=clonesubsystem" + "&subsystemName=" + + URLEncoder.encode(subsystem_name) + + "&urls=" + urls; + } hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); // parse xml @@ -355,6 +384,30 @@ public class ConfigureDRM return true; } + public boolean RestoreKeyCertPanel() { + try { + ByteArrayInputStream bais = null; + HTTPResponse hr = null; + ParseXML px = new ParseXML(); + + String query_string = "p=6" + "&op=next" + "&xml=true" + + "&__password=" + URLEncoder.encode(clone_p12_passwd) + + "&path=" + URLEncoder.encode(clone_p12_file) + ""; + + hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string); + + // parse xml + bais = new ByteArrayInputStream(hr.getHTML().getBytes()); + px.parse(bais); + px.prettyprintxml(); + return true; + } catch (Exception e) { + System.out.println("Exception in RestoreKeyCertPanel(): " + e.toString()); + e.printStackTrace(); + return false; + } + } + public boolean LdapConnectionPanel() { boolean st = false; 
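Review bot: The new option parsing after the third `sslConnect` in SecurityDomainLoginPanel runs for every configuration, but `clone_uri` is only assigned from the `-clone_uri` option, so on a non-clone run `urls.indexOf(clone_uri)` is presumably called with null (assuming StringHolder leaves an unset value null), the NullPointerException is swallowed by the new catch block, and the panel returns false — the ordinary, non-clone configuration then fails at this step. Wrap the block from `urls = hr.getHTML();` through `System.out.println("urls =" + urls);` in `if (clone) { … }`. Inside that block `urls.split("\"")[1]` also deserves a length check so a malformed `<option` element reports "Invalid clone_uri" instead of an ArrayIndexOutOfBoundsException. Note that the surrounding try/catch also changes the method's failure mode from propagating exceptions to printing them and returning false, which callers of this panel may not expect.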
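Review bot: In SubsystemPanel's clone branch `"&urls=" + urls` appends the master URL raw, while `subsystem_name` on the same query string and `domain_url` in the existing CertSubjectPanel go through `URLEncoder.encode`; the value is a URL with `:` and `/` and is lifted out of an HTML attribute, so encode it the same way: `"&urls=" + URLEncoder.encode(urls);`. As a point of style, the two branches repeat everything except `choice` and the trailing `urls` parameter; building the common prefix once and appending the clone-specific suffix would make the difference between the paths visible at a glance.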
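Review bot: The new public method RestoreKeyCertPanel has no comment explaining when it runs or what it sends; suggest `/** Panel 6 (clone only): asks the KRA to restore its keys and certificates from the master's PKCS#12 file in the alias directory. */`. It sends the PKCS#12 password as the `__password` query parameter, the same pattern this file already uses for `sd_admin_password`, so the value will appear wherever request URLs are logged — worth stating in that comment. `hr.getHTML().getBytes()` uses the platform default charset, as the existing panels do; a `StandardCharsets.UTF_8` argument would make the XML parse independent of the environment.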
@@ -390,26 +443,37 @@ public class ConfigureDRM ParseXML px = new ParseXML(); ArrayList al = null; + String query_string = null; - String query_string = "p=8" + "&op=next" + "&xml=true" + - "&transport_custom_size=" + key_size + - "&storage_custom_size=" + key_size + - "&subsystem_custom_size=" + key_size + - "&sslserver_custom_size=" + key_size + - "&custom_size=" + key_size + - "&audit_signing_custom_size=" + key_size + - "&transport_keytype=" + key_type + - "&storage_keytype=" + key_type + - "&subsystem_keytype=" + key_type + - "&sslserver_keytype=" + key_type + - "&audit_signing_keytype=" + key_type + - "&keytype=" + key_type + - "&transport_choice=default"+ - "&storage_choice=default"+ - "&subsystem_choice=default"+ - "&sslserver_choice=default"+ - "&choice=default"+ - "&audit_signing_choice=default"; + if (!clone) { + query_string = "p=8" + "&op=next" + "&xml=true" + + "&transport_custom_size=" + key_size + + "&storage_custom_size=" + key_size + + "&subsystem_custom_size=" + key_size + + "&sslserver_custom_size=" + key_size + + "&custom_size=" + key_size + + "&audit_signing_custom_size=" + key_size + + "&transport_keytype=" + key_type + + "&storage_keytype=" + key_type + + "&subsystem_keytype=" + key_type + + "&sslserver_keytype=" + key_type + + "&audit_signing_keytype=" + key_type + + "&keytype=" + key_type + + "&transport_choice=default"+ + "&storage_choice=default"+ + "&subsystem_choice=default"+ + "&sslserver_choice=default"+ + "&choice=default"+ + "&audit_signing_choice=default"; + } else { + query_string = "p=8" + "&op=next" + "&xml=true" + + "&sslserver_custom_size=" + key_size + + "&sslserver_keytype=" + key_type + + "&sslserver_choice=default" + + "&custom_size=" + key_size + + "&keytype=" + key_type + + "&choice=default"; + } hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); 
@@ -460,11 +524,12 @@ public class ConfigureDRM ArrayList req_list = null; ArrayList cert_list = null; ArrayList dn_list = null; - + String query_string = null; String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; - String query_string = "p=9" + "&op=next" + "&xml=true" + + if (!clone) { + query_string = "p=9" + "&op=next" + "&xml=true" + "&subsystem=" + URLEncoder.encode(drm_subsystem_cert_subject_name) + "&transport=" + @@ -476,8 +541,15 @@ public class ConfigureDRM "&audit_signing=" + URLEncoder.encode(drm_audit_signing_cert_subject_name) + "&urls=" + - URLEncoder.encode(domain_url); - + URLEncoder.encode(domain_url); + } else { + query_string = "p=9" + "&op=next" + "&xml=true" + + "&sslserver=" + + URLEncoder.encode(drm_server_cert_subject_name) + + "&urls=" + + URLEncoder.encode(domain_url); + } + hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); // parse xml @@ -621,6 +693,16 @@ public class ConfigureDRM asSeq.size()+" SafeContents"); fis.close(); + + if (clone) { + query_string = "p=12" + "&op=next" + "&xml=true"; + hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); + + // parse xml + bais = new ByteArrayInputStream(hr.getHTML().getBytes()); + px.parse(bais); + px.prettyprintxml(); + } } catch (Exception e) { System.out.println("ERROR: Exception=" + e.getMessage()); return false; @@ -810,6 +892,16 @@ public class ConfigureDRM } sleep_time(); + // 6. display restore key cert panel + if (clone) { + boolean restore_st = RestoreKeyCertPanel(); + if (!restore_st) { + System.out.println("ERROR: ConfigureCA: RestoreKeyCertPanel() failure"); + return false; + } + } + + sleep_time(); // 7. ldap connection panel boolean disp_ldap = LdapConnectionPanel(); if (!disp_ldap) { @@ -858,6 +950,10 @@ public class ConfigureDRM return false; } + if (clone) { + // no other panels required for clone + return true; + } sleep_time(); // 13. Admin Cert Req Panel 
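Review bot: The failure message in the new clone step of the configure sequence (hunk `@@ -810,6 +892,16 @@`; the enclosing method starts and ends outside the hunk) reads `ERROR: ConfigureCA: RestoreKeyCertPanel() failure`, evidently copied from ConfigureCA, and will mislead anyone grepping the logs; change it to `System.out.println("ERROR: ConfigureDRM: RestoreKeyCertPanel() failure");`. The same hunk adds an unconditional `sleep_time()` after the `if (clone)` block in addition to the one before it, so a non-clone run now pauses twice between steps 5 and 7; moving the added call inside the `if (clone)` block keeps the old timing.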
@@ -948,6 +1044,12 @@ public class ConfigureDRM // subsystemName StringHolder x_subsystem_name = new StringHolder(); + //clone parameters + StringHolder x_clone = new StringHolder(); + StringHolder x_clone_uri = new StringHolder(); + StringHolder x_clone_p12_file = new StringHolder(); + StringHolder x_clone_p12_passwd = new StringHolder(); + // parse the args ArgParser parser = new ArgParser("ConfigureDRM"); @@ -1049,6 +1151,11 @@ public class ConfigureDRM "-drm_audit_signing_cert_subject_name %s #DRM audit signing cert subject name", x_drm_audit_signing_cert_subject_name); + parser.addOption("-clone %s #Clone of another KRA [true, false] (optional, default false)", x_clone); + parser.addOption("-clone_uri %s #URL of Master KRA to clone. It must have the form https://<hostname>:<EE port> (optional, required if -clone=true)", x_clone_uri); + parser.addOption("-clone_p12_file %s #File containing pk12 keys of Master KRA (optional, required if -clone=true)", x_clone_p12_file); + parser.addOption("-clone_p12_password %s #Password for pk12 file (optional, required if -clone=true)", x_clone_p12_passwd); + // and then match the arguments String [] unmatched = null; unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED); @@ -1118,6 +1225,15 @@ public class ConfigureDRM subsystem_name = x_subsystem_name.value; + if ((x_clone.value != null) && (x_clone.value.equalsIgnoreCase("true"))) { + clone = true; + } else { + clone = false; + } + clone_uri = x_clone_uri.value; + clone_p12_file = x_clone_p12_file.value; + clone_p12_passwd = x_clone_p12_passwd.value; + boolean st = ca.ConfigureDRMInstance(); if (!st) { diff --git a/pki/base/silent/templates/pki_silent.template b/pki/base/silent/templates/pki_silent.template index dfce4c612..64d56823a 100755 --- a/pki/base/silent/templates/pki_silent.template +++ b/pki/base/silent/templates/pki_silent.template 
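Review bot: The option help text in hunk `@@ -1049,6 +1151,11 @@` states that `-clone_uri`, `-clone_p12_file` and `-clone_p12_password` are required when `-clone=true`, but the assignment block in hunk `@@ -1118,6 +1225,15 @@` does not enforce it; a missing value only surfaces later as a NullPointerException inside SecurityDomainLoginPanel or RestoreKeyCertPanel, printed as a generic exception. Before `ca.ConfigureDRMInstance()` is called, check `if (clone && (clone_uri == null || clone_p12_file == null || clone_p12_passwd == null))` and report `ERROR: -clone_uri, -clone_p12_file and -clone_p12_password are required when -clone=true`, failing the same way the existing argument checks in this method do. The enclosing main method starts and ends outside these hunks.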
@@ -497,6 +497,38 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s ## + "o=${pki_security_domain_name}" ## +## Optional CA Variables for creating a clone DRM +## +## It is possible for pkisilent to create a DRM that is a clone of a previously +## installed DRM (the master DRM). To do so, the keys of the master DRM must +## first be backed up in a pk12 file, and this file should be copied to the +## alias directory of the clone DRM. This file should have read permission for +## the PKI user (pkiuser). +## +## An example file would be /var/lib/drm-clone/alias/drm-master.p12. +## +## The following variables should then be uncommented and defined for the clone CA. +## kra_clone=true +## kra_clone_p12_file= +## kra_clone_p12_password= +## kra_clone_uri= +## +## NOTES: +## 1. drm_clone_p12_file must be just the filename relative to the alias directory. +## So in the example above, drm_clone_p12_file="drm-master.p12" +## 2. drm_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned +## +## ADDITIONAL NOTES: +## 1. The clone DRM and master DRM cannot share the same database instance. A new +## instance should be created for the clone DRM. +## 2. The variables kra_base_dn and kra_db_name defined above MUST be identical to the +## kra_base_dn and kra_name of the master CA. The following assignments attempt +## to ensure this is correct. +## +## kra_master_instance_name= +## kra_base_dn="dc=${pki_host}-${kra_master_instance_name}" +## kra_db_name="${pki_host}-${kra_master_instance_name}" + kra_agent_name="KRA\ Administrator\ of\ Instance\ ${kra_instance_name}\'s\ ${pki_security_domain_name}\ ID" kra_agent_key_size=2048 kra_agent_key_type=rsa 
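Review bot: The notes in the new comment block refer to `drm_clone_p12_file` and `drm_clone_uri`, but the variables the block asks the user to define just above are `kra_clone_p12_file` and `kra_clone_uri`, and the text says "clone CA" and "master CA" where the DRM is meant; rename them to match, e.g. `## So in the example above, kra_clone_p12_file="drm-master.p12"` and `## 2. kra_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned`. The sentence "identical to the kra_base_dn and kra_name of the master CA" probably means `kra_db_name` of the master DRM, since that is the variable assigned below it.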
@@ -1324,10 +1356,81 @@ pkisilent ConfigureDRM \ /sbin/service ${kra_init_script} restart ${kra_instance_name} +############################################################################## +## D A T A R E C O V E R Y M A N A G E R (clone) ## +############################################################################## +## +## Use this to configure a DRM clone. +## +## For example, upon completion, +## execute '/sbin/service ${kra_init_script} status ${kra_instance_name}': +## +## ${kra_instance_name} (pid 11723) is running ... +## +## Unsecure Port = http://${pki_host}:10180/kra/ee/kra +## Secure Agent Port = https://${pki_host}:10443/kra/agent/kra +## Secure EE Port = https://${pki_host}:10444/kra/ee/kra +## Secure Admin Port = https://${pki_host}:10445/kra/services +## PKI Console Port = pkiconsole https://${pki_host}:10445/kra +## Tomcat Port = 10701 (for shutdown) +## + +## Configure DRM +# printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n" +# pkisilent ConfigureDRM \ +# -cs_hostname "${pki_host}" \ +# -cs_port ${kra_admin_port} \ +# -sd_hostname "${pki_security_domain_host}" \ +# -sd_ssl_port ${ca_ee_port} \ +# -sd_agent_port ${ca_agent_port} \ +# -sd_admin_port ${ca_admin_port} \ +# -sd_admin_name "${pki_security_domain_admin_name}" \ +# -sd_admin_password ${pki_security_domain_admin_password} \ +# -ca_hostname ${pki_security_domain_host} \ +# -ca_port ${ca_nonssl_port} \ +# -ca_ssl_port ${ca_ee_port} \ +# -client_certdb_dir ${pki_silent_security_database_repository} \ +# -client_certdb_pwd ${pki_silent_security_database_password} \ +# -preop_pin ${kra_preop_pin} \ +# -domain_name "${pki_security_domain_name}" \ +# -admin_user ${pki_silent_admin_user} \ +# -admin_password ${pki_silent_admin_password} \ +# -admin_email "${pki_silent_admin_email}" \ +# -agent_name ${kra_agent_name} \ +# -ldap_host ${pki_ldap_host} \ +# -ldap_port ${pki_ldap_port} \ +# -bind_dn "${pki_bind_dn}" \ +# -bind_password ${pki_bind_password} \ +# -base_dn 
"${kra_base_dn}" \ +# -db_name "${kra_db_name}" \ +# -key_size ${kra_key_size} \ +# -key_type ${kra_key_type} \ +# -token_name ${kra_token_name} \ +# -token_pwd ${kra_token_password} \ +# -agent_key_size ${kra_agent_key_size} \ +# -agent_key_type ${kra_agent_key_type} \ +# -agent_cert_subject "${kra_agent_cert_subject}" \ +# -subsystem_name ${kra_subsystem_name} \ +# -backup_pwd ${kra_backup_password} \ +# -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ +# -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ +# -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ +# -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \ +# -drm_audit_signing_cert_subject_name \ +# "${kra_audit_signing_cert_subject_name}" \ +# -clone ${kra_clone} \ +# -clone_p12_file ${kra_clone_p12_file} \ +# -clone_p12_password ${kra_clone_p12_password} \ +# -clone_uri ${kra_uri} \ +# | tee ${pki_silent_kra_log} + +## Restart drm +#/sbin/service ${kra_init_script} restart ${kra_instance_name} + ############################################################################## ## O N L I N E S T A T U S C E R T I F I C A T E P R O T O C O L ## -############################################################################## +############################################################################### ## ## For example, upon completion, ## execute '/sbin/service ${ocsp_init_script} status ${ocsp_instance_name}': |
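Review bot: The commented-out clone invocation passes `-clone_uri ${kra_uri}`, but the variable the template asks the user to define is `kra_clone_uri`; anyone uncommenting the block as written sends an empty `-clone_uri`. Change the line to `# -clone_uri ${kra_clone_uri} \`. Separately, the closing line of the OCSP banner gained one extra `#` and is now one character longer than the opening line of the same box; reverting that character keeps the banners aligned.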