6 files changed, 171 insertions, 16 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
index 81253ff58..e5f8726f7 100644
--- a/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
+++ b/pki/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
@@ -104,8 +104,11 @@ public class AuditFormat {
             "Admin UID: {0} added User UID: {1} to group: {2}";
     public static final String REMOVEUSERGROUPFORMAT =
             "Admin UID: {0} removed User UID: {1} from group: {2}";
+    public static final String ADDCERTSUBJECTDNFORMAT =
+            "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
     // LDAP publishing
     public static final String LDAP_PUBLISHED_FORMAT =
             "{0} successfully published serial number: 0x{1} with DN: {2}";
+
 }
diff --git a/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index fee5627ae..282d672f1 100644
--- a/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/pki/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -80,6 +80,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
             LDAPException;
     /**
+     * Add a certSubjectDN field to the user
+     * @param identity
+     * @throws EUsrGrpException
+     * @throws LDAPException
+     */
+    public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+
+    /**
      * Removes a user certificate for a user entry
      * given a user certificate DN (actually, a combination of version,
      * serialNumber, issuerDN, and SubjectDN), and it gets removed
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
index ec3c8657d..5615c6dfb 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
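Review bot: The Javadoc on the new `addCertSubjectDN` declaration in IUGSubsystem leaves `@param identity` empty and does not say what the method writes, so a caller cannot tell that it only does something when the user already carries a certificate. Based on the implementation this commit adds in UGSubsystem, I would expand the summary to `Stores the subject DN of the first certificate in the user's X.509 certificate list in the user's LDAP entry (the seeAlso attribute); does nothing when the user has no certificates.` and describe the parameter as `@param identity the user whose first certificate's subject DN is recorded`. Since the implementation uses `LDAPModification.ADD`, the Javadoc should also say whether calling it twice for the same user is expected to fail with an `LDAPException`.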
@@ -518,10 +518,13 @@ public class DatabasePanel extends WizardPanelBase {
         String baseDN = "";
         String database = "";
         String dn = "";
+        String dbuser = "";
         try {
             baseDN = cs.getString("internaldb.basedn");
             database = cs.getString("internaldb.database", "");
+            dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" +
+                    cs.getString("service.securePort") + ",ou=people," + baseDN;
         } catch (Exception e) {
             CMS.debug("DatabasePanel populateDB: " + e.toString());
             throw new IOException(
@@ -652,6 +655,11 @@ public class DatabasePanel extends WizardPanelBase {
             }
             attrs.add(new LDAPAttribute("objectClass", oc3));
             attrs.add(new LDAPAttribute(n, v));
+
+            String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (all) userdn=\"ldap:///" +
+                    dbuser + "\";)";
+            CMS.debug("ACI string is ["+ dbuserACI + "]");
+            attrs.add(new LDAPAttribute("aci", dbuserACI));
             LDAPEntry entry = new LDAPEntry(baseDN, attrs);
             conn.add(entry);
         } catch (Exception e) {
@@ -719,6 +727,23 @@ public class DatabasePanel extends WizardPanelBase {
             throw new IOException("Failed to find base DN");
         }
+        // add dbuser aci to cn=config
+        String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (read) userdn=\"ldap:///" +
+                dbuser + "\";)";
+        CMS.debug("ACI string is [" + dbuserACI + "]");
+        String configDN = "cn=ldbm database,cn=plugins,cn=config";
+        try {
+
+            LDAPAttribute attr = new LDAPAttribute("aci", dbuserACI);
+            LDAPModification mod = new LDAPModification(LDAPModification.ADD, attr);
+            conn.modify(configDN, mod);
+        } catch (LDAPException e) {
+            if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
+                e.printStackTrace();
+                throw new IOException("Failed to add aci to " + configDN);
+            }
+        }
+
         String select = "";
         try {
             select = cs.getString("preop.subsystem.select", "");
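Review bot: In all three hunks `dbuser` and the two `dbuserACI` strings are built by plain concatenation of the `cs.type`, `machineName` and `service.securePort` config values, and that DN is then embedded inside an ACI, where a `,`, `+` or `"` in a value would yield a malformed entry DN or break the quoted `userdn` clause. These values come from the installer's own configuration, so this is a robustness rather than an injection concern, but the RDN value should still be escaped (the LDAP SDK's `LDAPDN.escapeRDN` or an equivalent) before it is used in the `uid=` RDN and inside `userdn=`. The base-entry ACI in the second hunk grants `allow (all)` on `targetattr="*"`; a one-line comment saying why the subsystem's DB user needs every right on the whole subtree rather than a narrower set would help the next reader audit it. In the third hunk the catch mixes `e.printStackTrace()` with the `CMS.debug` style of the first hunk and the rethrown `IOException` drops its cause; `CMS.debug("DatabasePanel: failed to add aci to " + configDN + ": " + e.toString());` followed by `throw new IOException("Failed to add aci to " + configDN, e);` (if the project's Java level has the cause constructor) keeps the handling consistent and diagnosable.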
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 174af72c9..48875c4cc 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -20,6 +20,7 @@ package com.netscape.cms.servlet.csadmin;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.net.URLEncoder;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.StringTokenizer;
@@ -37,6 +38,7 @@ import netscape.ldap.LDAPModification;
 import netscape.security.x509.X509CertImpl;
 import org.apache.velocity.context.Context;
+import org.mozilla.jss.CryptoManager;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
@@ -44,10 +46,12 @@ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
 import com.netscape.certsrv.ocsp.IDefStore;
 import com.netscape.certsrv.ocsp.IOCSPAuthority;
 import com.netscape.certsrv.property.PropertySet;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
 import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cms.servlet.wizard.WizardServlet;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.password.IPasswordStore;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
@@ -525,6 +529,20 @@ public class DonePanel extends WizardPanelBase {
             }
         }
+        String dbuser = null;
+        try {
+            dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + cs.getString("service.securePort");
+            if (! sdtype.equals("new")) {
+                setupDBUser(dbuser);
+            }
+            IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+            IUser user = system.getUser(dbuser);
+            system.addCertSubjectDN(user);
+        } catch (Exception e) {
+            e.printStackTrace();
+            CMS.debug("Unable to create or update dbuser" + e);
+        }
+
         cs.putInteger("cs.state", 1);
         try {
             // save variables needed for cloning and remove preop
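Review bot: The `catch (Exception e)` closing the new block swallows every failure of the dbuser setup, and the panel then sets `cs.state` to 1 as if installation had completed; this includes the case where `setupDBUser` returns silently because `getSubsystemCert()` yielded null, after which `getUser(dbuser)` presumably returns null and `addCertSubjectDN` becomes a no-op. Since the client-certificate bind added to LDAPSecurityDomainSessionTable in this commit appears to depend on this user existing with its certificate and subject DN, a silent failure here would likely only show up later as an LDAP bind failure; consider narrowing the catch and either propagating the error or recording it so the panel can report it. The debug message `"Unable to create or update dbuser" + e` also lacks a separator before the exception, `CMS.debug("Unable to create or update dbuser: " + e);`, and `e.printStackTrace()` writes to stderr rather than the CMS debug log used by the rest of this hunk. The enclosing method starts before this hunk.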
@@ -647,6 +665,63 @@ public class DonePanel extends WizardPanelBase {
             }
         }
+    private void setupDBUser(String dbuser) throws CertificateException, EUsrGrpException, LDAPException {
+        IUGSubsystem system =
+                (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+
+        String b64 = getSubsystemCert();
+        if (b64 == null) {
+            CMS.debug("DonePanel setupDBUser: failed to fetch subsystem cert");
+            return;
+        }
+
+        IUser user = system.createUser(dbuser);
+        user.setFullName(dbuser);
+        user.setEmail("");
+        user.setPassword("");
+        user.setUserType("agentType");
+        user.setState("1");
+        user.setPhone("");
+        X509CertImpl[] certs = new X509CertImpl[1];
+        certs[0] = new X509CertImpl(CMS.AtoB(b64));
+        user.setX509Certificates(certs);
+        system.addUser(user);
+        CMS.debug("DonePanel setupDBUser: successfully add the user");
+        system.addUserCert(user);
+        CMS.debug("DonePanel setupDBUser: successfully add the user certificate");
+    }
+
+    private String getSubsystemCert() {
+        IConfigStore cs = CMS.getConfigStore();
+        String nickname = "";
+        try {
+            nickname = cs.getString("preop.cert.subsystem.nickname", "");
+            String tokenname = cs.getString("preop.module.token", "");
+            if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
+                    && !tokenname.equals(""))
+                nickname = tokenname + ":" + nickname;
+        } catch (Exception e) {
+        }
+
+        CMS.debug("DonePanel getSubsystemCert: nickname=" + nickname);
+        String s = null;
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname);
+
+            if (cert == null) {
+                CMS.debug("DonePanel getSubsystemCert: subsystem cert is null");
+                return null;
+            }
+
+            byte[] bytes = cert.getEncoded();
+            s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
+        } catch (Exception e) {
+            CMS.debug("DonePanel getSubsystemCert: exception: " + e.toString());
+        }
+        return s;
+    }
+
     private void updateOCSPConfig(HttpServletResponse response) throws IOException {
         IConfigStore config = CMS.getConfigStore();
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
index b8e1816f1..244b7df4c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
@@ -296,6 +296,7 @@ public class LDAPSecurityDomainSessionTable
         String pwd = null;
         String binddn = "";
         String security = "";
+        String clientNick = "";
         IPasswordStore pwdStore = CMS.getPasswordStore();
@@ -313,6 +314,7 @@ public class LDAPSecurityDomainSessionTable
             port = cs.getString("internaldb.ldapconn.port");
             binddn = cs.getString("internaldb.ldapauth.bindDN");
             security = cs.getString("internaldb.ldapconn.secureConn");
+            clientNick = cs.getString("internaldb.ldapauth.clientCertNickname");
         } catch (Exception e) {
             CMS.debug("SecurityDomainSessionTable: getLDAPConn" + e.toString());
             throw new IOException(
@@ -329,7 +331,10 @@ public class LDAPSecurityDomainSessionTable
         }
         LDAPConnection conn = null;
-        if (security.equals("true")) {
+        if (!clientNick.equals("")) {
+            CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) client auth connection for internal ldap");
+            conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory(clientNick));
+        } else if (security.equals("true")) {
             //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap");
             conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
         } else {
diff --git a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 1bf251865..6796a3322 100644
--- a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
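Review bot: `getSubsystemCert` wraps its config reads in an empty `catch (Exception e) { }`, so a missing or unreadable `preop.cert.subsystem.nickname` leaves `nickname` as `""` and the failure only surfaces later as a generic `findCertByNickname` exception with no hint of the cause; at least `CMS.debug("DonePanel getSubsystemCert: " + e.toString());` belongs there, matching the second catch in the same method. In `setupDBUser` the new account is created with `user.setPassword("")`; whether the UG subsystem stores an empty password value or skips it is not visible here, so a comment such as `// dbuser authenticates with its subsystem certificate only; no password is set` would document the intent, and it is worth confirming that `addUser` does not write an empty userPassword attribute for this entry. `setupDBUser` also calls `addUser` and `addUserCert` as two separate operations, so a failure in the second leaves a user entry without a certificate; if that is acceptable for a re-run, a comment saying the setup is expected to be retried would help.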
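Review bot: In the second LDAPSecurityDomainSessionTable hunk `clientNick = cs.getString("internaldb.ldapauth.clientCertNickname")` reads the new key with the no-default form inside the try that turns any exception into an `IOException`, so an existing configuration that does not yet carry this key would fail the whole connection attempt instead of falling back to the password bind — assuming, as the surrounding handling suggests, that the one-argument `getString` throws when a key is absent. Reading it as `clientNick = cs.getString("internaldb.ldapauth.clientCertNickname", "");` keeps the previous behaviour as the default, which the third hunk's empty-string check already anticipates. In the third hunk the client-auth branch takes precedence over `security`, so a configured nickname forces a TLS connection even when `internaldb.ldapconn.secureConn` is `false`; that is presumably intended, since certificate authentication needs TLS, and a one-line comment saying so would stop it being read as an oversight. The enclosing method (getLDAPConn, judging by its debug messages) starts and ends outside these hunks.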
@@ -72,7 +72,7 @@ public final class UGSubsystem implements IUGSubsystem {
     protected static final String GROUP_ATTR_VALUE = "groupofuniquenames";
     protected static final String LDAP_ATTR_USER_CERT_STRING = "description";
-    // protected static final String LDAP_ATTR_CERTDN = "seeAlso";
+    protected static final String LDAP_ATTR_CERTDN = "seeAlso";
     protected static final String LDAP_ATTR_USER_CERT = "userCertificate";
     protected static final String PROP_BASEDN = "basedn";
@@ -726,27 +726,18 @@ public final class UGSubsystem implements IUGSubsystem {
         LDAPModificationSet addCert = new LDAPModificationSet();
         if ((cert = user.getX509Certificates()) != null) {
-            LDAPAttribute attrCertStr = new
-                    LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
-
-            /*
-             LDAPAttribute attrCertDNStr = new
-             LDAPAttribute(LDAP_ATTR_CERTDN);
-             */
-            LDAPAttribute attrCertBin = new
-                    LDAPAttribute(LDAP_ATTR_USER_CERT);
+            LDAPAttribute attrCertStr = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
+            LDAPAttribute attrCertBin = new LDAPAttribute(LDAP_ATTR_USER_CERT);
             try {
                 attrCertBin.addValue(cert[0].getEncoded());
                 attrCertStr.addValue(getCertificateString(cert[0]));
-                // attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
             } catch (CertificateEncodingException e) {
                 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER_CERT", e.toString()));
                 throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
             }
             addCert.add(LDAPModification.ADD, attrCertStr);
-            //addCert.add(LDAPModification.ADD, attrCertDNStr);
             addCert.add(LDAPModification.ADD, attrCertBin);
             LDAPConnection ldapconn = null;
@@ -783,6 +774,54 @@ public final class UGSubsystem implements IUGSubsystem {
         return;
     }
+    public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+        User user = (User) identity;
+
+        if (user == null) {
+            return;
+        }
+
+        X509Certificate cert[] = null;
+        LDAPModificationSet addCert = new LDAPModificationSet();
+
+        if ((cert = user.getX509Certificates()) != null) {
+            LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
+            attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
+            addCert.add(LDAPModification.ADD, attrCertDNStr);
+
+            LDAPConnection ldapconn = null;
+
+            try {
+                ldapconn = getConn();
+                ldapconn.modify("uid=" + user.getUserID() +
+                        "," + getUserBaseDN(), addCert);
+                // for audit log
+                SessionContext sessionContext = SessionContext.getContext();
+                String adminId = (String) sessionContext.get(SessionContext.USER_ID);
+
+                mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+                        AuditFormat.LEVEL, AuditFormat.ADDCERTSUBJECTDNFORMAT,
+                        new Object[] { adminId, user.getUserID(),
+                                cert[0].getSubjectDN().toString()}
+                        );
+
+            } catch (LDAPException e) {
+                if (Debug.ON) {
+                    e.printStackTrace();
+                }
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+                throw e;
+            } catch (ELdapException e) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+            } finally {
+                if (ldapconn != null)
+                    returnConn(ldapconn);
+            }
+        }
+
+        return;
+    }
+
     /**
      * Removes a user certificate for a user entry
      * given a user certificate DN (actually, a combination of version,
@@ -821,7 +860,7 @@ public final class UGSubsystem implements IUGSubsystem {
         LDAPAttribute certAttrS = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
-        //LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN);
+        LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN);
         int certCount = 0;
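Review bot: `addCertSubjectDN` catches `ELdapException` from `getConn()`, logs it and returns normally, so the caller gets no signal that the seeAlso value was never written, while the `LDAPException` branch beside it rethrows; the declared `throws EUsrGrpException` already offers a way to surface it, e.g. `throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));` or whichever message key `addUserCert` uses in its own `ELdapException` branch (outside the hunk). Both log calls in this method use `CMSCORE_USRGRP_ADD_USER`, whose name suggests it is meant for adding a user; `CMSCORE_USRGRP_ADD_USER_CERT`, already used in addUserCert above, fits this operation better. `cert[0]` is read without a length check, as in addUserCert; if `getX509Certificates()` can return an empty array, the condition should be `cert != null && cert.length > 0`. A short Javadoc (the interface's says only `Add a certSubjectDN field to the user`) should state that only the first certificate's subject DN is stored and that, because this is an `LDAPModification.ADD`, an already-present identical value may be rejected by the directory.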
@@ -839,14 +878,14 @@ public final class UGSubsystem implements IUGSubsystem {
             try {
                 certAttr.addValue(certs[i].getEncoded());
                 certAttrS.addValue(getCertificateString(certs[i]));
-                // certDNAttrS.addValue(certs[i].getSubjectDN().toString());
+                certDNAttrS.addValue(certs[i].getSubjectDN().toString());
             } catch (CertificateEncodingException e) {
                 throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
             }
             attrs.add(LDAPModification.DELETE, certAttr);
             attrs.add(LDAPModification.DELETE, certAttrS);
-            //attrs.add(LDAPModification.DELETE, certDNAttrS);
+            attrs.add(LDAPModification.DELETE, certDNAttrS);
             LDAPConnection ldapconn = null;
|