-rw-r--r--base/ca/shared/conf/CS.cfg.in2
-rw-r--r--base/ca/shared/conf/tomcat.conf52
-rw-r--r--base/deploy/CMakeLists.txt27
-rw-r--r--base/deploy/config/pkideployment.cfg11
-rw-r--r--base/deploy/config/pkislots.cfg88
-rwxr-xr-xbase/deploy/src/pkidestroy25
-rwxr-xr-xbase/deploy/src/pkispawn32
-rw-r--r--base/deploy/src/scriptlets/finalization.py2
-rw-r--r--base/deploy/src/scriptlets/initialization.py9
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py72
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py10
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py711
-rw-r--r--base/deploy/src/scriptlets/pkimanifest.py6
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py47
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py777
-rw-r--r--base/deploy/src/scriptlets/security_databases.py89
-rw-r--r--base/deploy/src/scriptlets/slot_assignment.py52
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py120
-rw-r--r--base/deploy/src/scriptlets/subsystem_layout.py72
-rw-r--r--base/deploy/src/scriptlets/war_explosion.py22
-rw-r--r--base/deploy/src/scriptlets/webserver_layout.py169
-rw-r--r--base/kra/shared/conf/tomcat.conf52
-rw-r--r--base/ocsp/shared/conf/tomcat.conf52
-rw-r--r--base/ra/apache/conf/httpd.conf2
-rw-r--r--base/tks/shared/conf/tomcat.conf52
-rw-r--r--base/tps/apache/conf/httpd.conf2
26 files changed, 2159 insertions, 396 deletions
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 980ed5854..f62543963 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -741,7 +741,7 @@ cmsgateway._003=## re-enroll for a new Admin Certificate:
cmsgateway._004=##
cmsgateway._005=## (1) Become 'root'
cmsgateway._006=## (2) Type: 'service [PKI_INSTANCE_ID] stop'
-cmsgateway._007=## (3) Edit '[PKI_INSTANCE_ROOT]/[PKI_INSTANCE_ID]/conf/CS.cfg'
+cmsgateway._007=## (3) Edit '[PKI_CFG_PATH_NAME]'
cmsgateway._008=## and set the following name-value pairs (if necessary):
cmsgateway._009=##
cmsgateway._010=## ca.Policy.enable=true
diff --git a/base/ca/shared/conf/tomcat.conf b/base/ca/shared/conf/tomcat.conf
new file mode 100644
index 000000000..92af5f8b9
--- /dev/null
+++ b/base/ca/shared/conf/tomcat.conf
@@ -0,0 +1,52 @@
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
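Review bot: Every `[SLOT]` in this file ends up inside a double-quoted string in a file the header says is sourced by the tomcat init script, so a substituted value containing `$`, a backtick or `"` would be shell-expanded or would break the quoting rather than be used literally. Unless slot substitution escapes values (that code is not in this diff), the deployment config should reject such characters in pki_user, the instance path and the pid/log locations, or the file should say so: `# Values below are shell-expanded; slot values must not contain $, backticks or double quotes`. The comment above `#CONNECTOR_PORT` reads as if 8080 were in effect for this instance while the setting itself is commented out; either substitute a port slot there or reword it to say the setting is unused here.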
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 397c9a336..f1bdafec4 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -36,6 +36,7 @@ install(
install(
FILES
config/pkideployment.cfg
+ config/pkislots.cfg
DESTINATION
${DATA_INSTALL_DIR}/deployment/config
PERMISSIONS
@@ -67,7 +68,7 @@ install(
src/scriptlets/pkiparser.py
src/scriptlets/pkiscriptlet.py
src/scriptlets/security_databases.py
- src/scriptlets/slot_assignment.py
+ src/scriptlets/slot_substitution.py
src/scriptlets/subsystem_layout.py
src/scriptlets/war_explosion.py
src/scriptlets/webserver_layout.py
@@ -133,13 +134,13 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/050_security_databases\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/050_slot_substitution\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_assignment.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/060_slot_assignment\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/060_security_databases\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
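Review bot: The numeric prefixes are the only thing that fixes scriptlet order, and this hunk moves slot substitution ahead of the security-database step with no comment saying why, so the next person renumbering these symlinks has nothing telling them the two steps depend on each other. Add a line above the spawn symlink list such as `# prefix order matters: slots are substituted into templates before the NSS databases are created` (I am inferring the dependency from the new ordering, so confirm the wording). The `foreach` that encloses these `install(CODE ...)` calls starts before the hunk.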
@@ -171,23 +172,23 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
# install(CODE "execute_process(COMMAND
# ${CMAKE_COMMAND} -E create_symlink
-# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_assignment.py\"
-# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_slot_assignment\")"
+# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\"
+# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_slot_substitution\")"
# )
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_security_databases\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_war_explosion\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/960_war_explosion\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/960_subsystem_layout\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
- \"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\"
- \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/970_subsystem_layout\")"
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/970_security_databases\")"
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
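Review bot: The commented-out `940_slot_substitution` destroy symlink just above the first changed `install(CODE` here was renamed but left as dead code, so it will keep drifting with every future rename; either delete it or add a one-line comment saying why it is retained. Separately, each `execute_process` inside `install(CODE ...)` discards its exit status, so a failed `create_symlink` (for example a pre-existing regular file at the destination) still lets the install succeed and leaves a spawn or destroy step silently missing; capture `RESULT_VARIABLE` in the install script and raise `message(FATAL_ERROR ...)` when it is non-zero. The `foreach` loop containing these calls starts before the hunk.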
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 954fa935d..1122daa9f 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,9 +1,9 @@
[Common]
pki_source_root=/usr/share/pki
pki_instance_root=/var/lib/pki
-pki_instance_configuration_root=/etc/pki
pki_instance_log_root=/var/log/pki
-pki_instance_name=instance
+pki_instance_configuration_root=/etc/pki
+pki_instance_name=default
pki_user=pkiuser
pki_group=pkiuser
pki_audit_group=pkiaudit
@@ -14,23 +14,30 @@ pki_https_port=443
[Tomcat]
pki_web_server=Tomcat
pki_tomcat_root=/usr/share/tomcat
+pki_tomcat_systemd=/usr/sbin/tomcat-sysd
pki_http_port=8080
pki_https_port=8443
pki_ajp_port=8009
+pki_proxy_https_port=443
+pki_proxy_http_port=80
pki_security_manager=true
[CA]
pki_subsystem=CA
pki_war_name=ca.war
+tomcat_server_port=9701
[KRA]
pki_subsystem=KRA
pki_war_name=kra.war
+tomcat_server_port=10701
[OCSP]
pki_subsystem=OCSP
pki_war_name=ocsp.war
+tomcat_server_port=11701
[RA]
pki_subsystem=RA
[TKS]
pki_subsystem=TKS
pki_war_name=tks.war
+tomcat_server_port=13701
[TPS]
pki_subsystem=TPS
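Review bot: `tomcat_server_port` for each subsystem is the port Tomcat's shutdown listener binds, and nothing in this file or diff records where it binds or what shutdown command it accepts; the server.xml template that consumes `TOMCAT_SERVER_PORT` is not in this diff, so confirm it restricts the listener to 127.0.0.1 and does not keep the stock `SHUTDOWN` string. A one-line comment here would save the next reader that lookup: `# tomcat_server_port: Tomcat shutdown-listener port, unique per subsystem on this host`. `[RA]` and `[TPS]` get no port, which is consistent with their Apache-based layout elsewhere in the diffstat.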
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
new file mode 100644
index 000000000..b04b8efa0
--- /dev/null
+++ b/base/deploy/config/pkislots.cfg
@@ -0,0 +1,88 @@
+[Apache]
+FORTITUDE_APACHE_SLOT=[FORTITUDE_APACHE]
+FORTITUDE_AUTH_MODULES_SLOT=[FORTITUDE_AUTH_MODULES]
+FORTITUDE_DIR_SLOT=[FORTITUDE_DIR]
+FORTITUDE_LIB_DIR_SLOT=[FORTITUDE_LIB_DIR]
+FORTITUDE_MODULE_SLOT=[FORTITUDE_MODULE]
+FORTITUDE_NSS_MODULES_SLOT=[FORTITUDE_NSS_MODULES]
+HTTPD_CONF_SLOT=[HTTPD_CONF]
+LIB_PREFIX_SLOT=[LIB_PREFIX]
+NON_CLIENTAUTH_SECURE_PORT_SLOT=[NON_CLIENTAUTH_SECURE_PORT]
+NSS_CONF_SLOT=[NSS_CONF]
+OBJ_EXT_SLOT=[OBJ_EXT]
+PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
+PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
+PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
+PKI_PIDDIR_SLOT=[PKI_PIDDIR]
+PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PORT_SLOT=[PORT]
+PROCESS_ID_SLOT=[PROCESS_ID]
+REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
+SECURE_PORT_SLOT=[SECURE_PORT]
+SECURITY_LIBRARIES_SLOT=[SECURITY_LIBRARIES]
+SERVER_NAME_SLOT=[SERVER_NAME]
+SERVER_ROOT_SLOT=[SERVER_ROOT]
+SYSTEM_LIBRARIES_SLOT=[SYSTEM_LIBRARIES]
+SYSTEM_USER_LIBRARIES_SLOT=[SYSTEM_USER_LIBRARIES]
+TMP_DIR_SLOT=[TMP_DIR]
+TPS_DIR_SLOT=[TPS_DIR]
+[Tomcat]
+INSTALL_TIME_SLOT=[INSTALL_TIME]
+PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
+PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
+PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
+PKI_AGENT_CLIENTAUTH_SLOT=[PKI_AGENT_CLIENTAUTH]
+PKI_AGENT_SECURE_PORT_SLOT=[PKI_AGENT_SECURE_PORT]
+PKI_AJP_PORT_SLOT=[PKI_AJP_PORT]
+PKI_AJP_REDIRECT_PORT_SLOT=[PKI_AJP_REDIRECT_PORT]
+PKI_CERT_DB_PASSWORD_SLOT=[PKI_CERT_DB_PASSWORD]
+PKI_CFG_PATH_NAME_SLOT=[PKI_CFG_PATH_NAME]
+PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT]
+PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
+PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
+PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
+PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
+PKI_FLAVOR_SLOT=[PKI_FLAVOR]
+PKI_GROUP_SLOT=[PKI_GROUP]
+PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
+PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
+PKI_INSTANCE_PATH_SLOT=[PKI_INSTANCE_PATH]
+PKI_INSTANCE_ROOT_SLOT=[PKI_INSTANCE_ROOT]
+PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
+PKI_MACHINE_NAME_SLOT=[PKI_MACHINE_NAME]
+PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT]
+PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT]
+PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT]
+PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
+PKI_PIDDIR_SLOT=[PKI_PIDDIR]
+PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT]
+PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT]
+PKI_RANDOM_NUMBER_SLOT=[PKI_RANDOM_NUMBER]
+PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_SECURE_PORT_SLOT=[PKI_SECURE_PORT]
+PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
+PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
+PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
+PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
+PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
+PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
+PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
+PKI_USER_SLOT=[PKI_USER]
+PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
+TOMCAT_CFG_SLOT=[TOMCAT_CFG]
+TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
+TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR]
+TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE]
+TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT]
+TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
+TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
+TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
+TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
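Review bot: `PKI_CERT_DB_PASSWORD_SLOT` means any template containing `[PKI_CERT_DB_PASSWORD]` becomes a secret-bearing file once substituted, yet nothing in this file marks it as such; the substitution step (not in this diff) should write those outputs with the owner-only 00600 `PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS` this commit adds rather than the 00660 file default, and must not log the substituted value. The `TOMCAT_SSL2_CIPHERS`/`TOMCAT_SSL3_CIPHERS` slots likewise let a template enable SSLv2/SSLv3 depending on what is substituted, so the values fed into them deserve the same review. A header comment would make both points survive the next edit: `# Slot names replaced in templates; PKI_CERT_DB_PASSWORD expands to a secret - never log it or leave its output group/world-readable`.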
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 6d0afd2b0..c54ba9a78 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -30,6 +30,10 @@ try:
import logging
import os
import pprint
+ import random
+ import socket
+ import string
+ import time
from time import strftime as date
from pki.deployment import pkiconfig as config
from pki.deployment import pkiparser as parse
@@ -56,8 +60,27 @@ def main(argv):
# Set the umask
os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK)
+ # Set installation time
+ ticks = time.time()
+ config.pki_install_time = time.asctime(time.localtime(ticks))
+
# Generate a timestamp
- config.pki_timestamp = date('%Y%m%d%H%M%S')
+ config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks))
+ config.pki_certificate_timestamp =\
+ date('%Y-%m-%d %H:%M:%S', time.localtime(ticks))
+
+ # Retrieve hostname
+ config.pki_hostname = socket.gethostname()
+
+ # Generate a random 'pin' for use as the security database password
+ pin_low = 100000000000
+ pin_high = 999999999999
+ config.pki_pin = random.randint(pin_low, pin_high)
+
+ # Generate a one-time pin to be used prior to configuration
+ config.pki_one_time_pin =\
+ ''.join(random.choice(string.ascii_letters + string.digits)\
+ for x in range(20))
# Initialize 'pretty print' for objects
pp = pprint.PrettyPrinter(indent=4)
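Review bot: `random.randint` and `random.choice` draw from Python's default Mersenne Twister, which is not a cryptographic generator, yet the result is described as the security-database password; use the OS-backed generator instead: `rng = random.SystemRandom()`, then `config.pki_pin = rng.randint(pin_low, pin_high)` and `rng.choice(...)` in the one-time-pin expression. A 12-digit numeric pin is under 40 bits, so if this value guards the NSS key database it is also worth widening to the same alphanumeric form as the 20-character one-time pin. It is not obvious why a destroy run needs fresh pins at all; if they exist only to keep the master dictionary shaped like pkispawn's, a comment saying so would help. `main` starts before and continues after this hunk.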
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 2ac21a60a..c537b8e4d 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -30,6 +30,10 @@ try:
import logging
import os
import pprint
+ import random
+ import socket
+ import string
+ import time
from time import strftime as date
from pki.deployment import pkiconfig as config
from pki.deployment import pkiparser as parse
@@ -56,8 +60,27 @@ def main(argv):
# Set the umask
os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK)
+ # Set installation time
+ ticks = time.time()
+ config.pki_install_time = time.asctime(time.localtime(ticks))
+
# Generate a timestamp
- config.pki_timestamp = date('%Y%m%d%H%M%S')
+ config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks))
+ config.pki_certificate_timestamp =\
+ date('%Y-%m-%d %H:%M:%S', time.localtime(ticks))
+
+ # Retrieve hostname
+ config.pki_hostname = socket.gethostname()
+
+ # Generate a random 'pin' for use as the security database password
+ pin_low = 100000000000
+ pin_high = 999999999999
+ config.pki_pin = random.randint(pin_low, pin_high)
+
+ # Generate a one-time pin to be used prior to configuration
+ config.pki_one_time_pin =\
+ ''.join(random.choice(string.ascii_letters + string.digits)\
+ for x in range(20))
# Initialize 'pretty print' for objects
pp = pprint.PrettyPrinter(indent=4)
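Review bot: The NSS database password and the one-time pin are generated with `random.randint`/`random.choice`, i.e. the non-cryptographic default generator whose output is predictable from a few observed values; switch to `rng = random.SystemRandom()` and call `rng.randint(pin_low, pin_high)` and `rng.choice(string.ascii_letters + string.digits)` instead. The numeric pin also carries under 40 bits of entropy (12 decimal digits), far below the ~119 bits of the 20-character one-time pin, which is the wrong way round for the value that protects private keys. Both values are stored as module globals on `config` and should be treated as secrets from here on (no debug dumps, no world-readable outputs). `main` starts before and continues after this hunk.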
@@ -151,6 +174,13 @@ def main(argv):
config.pki_log.debug(pp.pformat(config.pki_subsystem_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
+ # Read in the PKI slots configuration file.
+ parse.compose_pki_slots_dictionary()
+ config.pki_log.debug(log.PKI_DICTIONARY_SLOTS,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_slots_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+
# Combine the various sectional dictionaries into a PKI master dictionary
parse.compose_pki_master_dictionary()
if not config.pki_update_flag:
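Review bot: The master dictionary composed at the end of this hunk will presumably carry `config.pki_pin` and `config.pki_one_time_pin` (the parser is not in this diff, so confirm), and if it is `pp.pformat`-ed at debug level the way the slots and subsystem dictionaries are here, the NSS database password lands in the deployment log. Dump a copy with those keys masked instead, e.g. `redacted = dict(config.pki_master_dict)` followed by `for k in ('pki_pin', 'pki_one_time_pin'): redacted[k] = '********'`, or skip them explicitly in the debug output. `main` continues past this hunk.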
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 60073262d..9a3c23cb5 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -44,6 +44,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
filename = master['pki_root_prefix'] +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
master['pki_instance_name'] + "/" +\
+ master['pki_web_server'].lower() + "/" +\
master['pki_subsystem'].lower() +"/" +\
"spawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
@@ -77,6 +78,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
filename = master['pki_root_prefix'] +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
master['pki_instance_name'] + "/" +\
+ master['pki_web_server'].lower() + "/" +\
master['pki_subsystem'].lower() +"/" +\
"respawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
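Review bot: The manifest path is assembled by string concatenation with hand-placed `"/"` separators, which is easy to get wrong precisely when a new component such as `pki_web_server` is spliced in, as here; `os.path.join(master['pki_root_prefix'] + config.PKI_DEPLOYMENT_REGISTRY_ROOT, master['pki_instance_name'], master['pki_web_server'].lower(), master['pki_subsystem'].lower(), 'respawn_manifest.' + master['pki_timestamp'] + '.csv')` says the same thing with no separators to maintain (the prefix and registry root must stay concatenated, since the root is absolute). The same applies to the spawn manifest in the preceding hunk. The enclosing method (respawn, judging by the manifest name) starts before and continues after this hunk.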
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 67c93254d..408ddfb59 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -38,6 +38,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # verify that this type of "subsystem" does NOT yet
+ # exist for this "instance"
+ util.instance.verify_subsystem_does_not_exist()
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
@@ -50,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # verify that this type of "subsystem" currently EXISTS
+ # for this "instance"
+ util.instance.verify_subsystem_exists()
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
@@ -62,6 +68,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # verify that this type of "subsystem" currently EXISTS
+ # for this "instance"
+ util.instance.verify_subsystem_exists()
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 38234f4cc..baa261cad 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,6 +48,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish instance registry
util.directory.create(master['pki_registry_path'])
util.directory.create(master['pki_instance_registry_path'])
+ # establish shared NSS security databases
+ util.directory.create(master['pki_database_path'])
+ # establish convenience symbolic links
+ util.symlink.create(master['pki_database_path'],
+ master['pki_instance_database_link'])
return self.rv
def respawn(self):
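Review bot: `pki_database_path` is the shared NSS key/certificate database directory, but it is created by the same `util.directory.create` call as the registry directories, i.e. presumably with `PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS` (00770, group-writable); the `directory.create` signature is outside this diff, so confirm whether it accepts a mode. This commit adds an owner-only 00600 constant for the database files, and the containing directory should be no more permissive than what it holds, so pass a tighter mode here if the helper allows it and record why: `# NSS databases hold private keys: owner-only directory`. The `spawn` method starts before this hunk.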
@@ -67,31 +72,56 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# update instance registry
util.directory.modify(master['pki_registry_path'])
util.directory.modify(master['pki_instance_registry_path'])
+ # update shared NSS security databases
+ util.directory.modify(master['pki_database_path'])
+ # update convenience symbolic links
+ util.symlink.modify(master['pki_instance_database_link'])
return self.rv
def destroy(self):
config.pki_log.info(log.INSTANCE_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# remove instance base
- if util.directory.is_empty(master['pki_instance_path']):
- util.directory.delete(master['pki_instance_path'])
- if util.directory.is_empty(master['pki_path']):
- util.directory.delete(master['pki_path'])
- # remove instance logs
- if util.directory.is_empty(master['pki_instance_log_path']):
- util.directory.delete(master['pki_instance_log_path'])
- if util.directory.is_empty(master['pki_log_path']):
- util.directory.delete(master['pki_log_path'])
- # remove instance configuration
- if util.directory.is_empty(master['pki_instance_configuration_path']):
- util.directory.delete(master['pki_instance_configuration_path'])
- if util.directory.is_empty(master['pki_configuration_path']) and\
- master['pki_configuration_path'] !=\
- config.PKI_SHARED_CONFIGURATION_ROOT:
- util.directory.delete(master['pki_configuration_path'])
- # remove instance registry
- if util.directory.is_empty(master['pki_instance_registry_path']):
- util.directory.delete(master['pki_instance_registry_path'])
- if util.directory.is_empty(master['pki_registry_path']):
- util.directory.delete(master['pki_registry_path'])
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 0:
+ # remove instance base
+ util.directory.delete(master['pki_instance_path'])
+ util.directory.delete(master['pki_path'])
+ # remove instance logs
+ util.directory.delete(master['pki_instance_log_path'])
+ util.directory.delete(master['pki_log_path'])
+ # remove shared NSS security database path
+ util.directory.delete(master['pki_database_path'])
+ # remove instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_SHARED_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ util.directory.delete(master['pki_registry_path'])
+ util.file.delete(master['pki_target_tomcat_conf'])
+
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 1:
+ # remove instance base
+ util.directory.delete(master['pki_instance_path'])
+ util.directory.delete(master['pki_path'])
+ # remove instance logs
+ util.directory.delete(master['pki_instance_log_path'])
+ util.directory.delete(master['pki_log_path'])
+ # remove shared NSS security database path
+ util.directory.delete(master['pki_database_path'])
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_SHARED_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ util.directory.delete(master['pki_registry_path'])
+ util.file.delete(master['pki_target_tomcat_conf'])
return self.rv
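Review bot: The dry-run branch omits `util.directory.delete(master['pki_instance_configuration_path'])`, which the real branch performs, so `pkidestroy` in dry-run mode under-reports what it will remove; the two branches are otherwise the same body differing only in the instance count they expect (0 once the earlier scriptlets have really removed the subsystem, 1 when nothing was touched), and keeping two copies is how the drift happened. Collapse them into one body gated by the expected count, as sketched below, so that the dry-run output is by construction the list of real deletions. This relies on the `util.directory.delete` helpers honouring `pki_dry_run_flag` themselves, as the copy helpers in pkihelper visibly do; confirm before depending on it.
```python
    def destroy(self):
        # … unchanged: INSTANCE_DESTROY_1 log line …
        # During a dry run the earlier scriptlets removed nothing, so the
        # subsystem being destroyed is still counted; otherwise it is gone.
        if config.pki_dry_run_flag:
            expected_remaining = 1
        else:
            expected_remaining = 0
        if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
           util.instance.pki_subsystem_instances() == expected_remaining:
            # … unchanged: remove instance base, instance logs, shared NSS database path …
            # remove instance configuration
            util.directory.delete(master['pki_instance_configuration_path'])
            # … unchanged: conditional removal of pki_configuration_path, registry dirs, tomcat conf …
        return self.rv
```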
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 505bfc039..31b05312c 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -27,6 +27,7 @@ import logging
PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770
PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770
PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660
+PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600
PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
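Review bot: The new 00600 constant carries no comment saying what sets it apart from the 00660 file default directly above it, and the difference (no group access) is deliberate for NSS key databases, so it should be recorded where the value lives: `# NSS key/cert databases hold private keys: owner read/write only, no group access`. Without it the next maintainer "harmonising" the permission constants is likely to widen it back.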
@@ -52,15 +53,21 @@ PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
# in the configuration file (the value in the default configuration file
# should always match the 'default' instance name specified below).
PKI_DEPLOYMENT_REGISTRY_ROOT = "/etc/sysconfig/pki"
-PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "instance"
+PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "default"
PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
+PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
+ "/usr/share/pki/deployment/config/pkislots.cfg"
# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package!
PKI_SHARED_CONFIGURATION_ROOT = "/etc/pki"
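Review bot: `PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE` hard-codes `/usr/share/pki/...` while the same root is already configurable as `pki_source_root` in pkideployment.cfg and as `DATA_INSTALL_DIR` in the CMake install rules, so a non-default install prefix will find the deployment file but not the slots file. Either generate this constant at build time the way the symlink paths are, or build it from the configured source root at parse time, and note the coupling either way: `# installed by base/deploy/CMakeLists.txt under ${DATA_INSTALL_DIR}/deployment/config`.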
# PKI Deployment Global Variables
+pki_install_time = None
pki_timestamp = None
+pki_hostname = None
+pki_pin = None
+pki_one_time_pin = None
# PKI Deployment "Mandatory" Command-Line Variables
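Review bot: `pki_pin` and `pki_one_time_pin` are module-level globals holding the NSS database password and the pre-configuration pin, but nothing here says they are secrets, and the globals on this module are exactly what someone will `pprint` while debugging a deployment. Put the warning where a maintainer will see it: `# pki_pin / pki_one_time_pin are secrets: never log them or write them into group- or world-readable files`. `pki_hostname` and `pki_install_time` are plain metadata and need no such note.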
@@ -92,3 +99,4 @@ pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
pki_master_dict = None
+pki_slots_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 95b5bf0a7..b04af2db0 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -1,4 +1,5 @@
#!/usr/bin/python -t
+
# Authors:
# Matthew Harmsen <mharmsen@redhat.com>
#
@@ -23,7 +24,11 @@
import errno
import sys
import os
+import fileinput
+import random
import shutil
+import string
+import subprocess
from grp import getgrnam
from pwd import getpwnam
import zipfile
@@ -32,11 +37,12 @@ import zipfile
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_slots_dict as slots
import pkimanifest as manifest
import pkimessages as log
-# PKI Deployment Functions
+# PKI Deployment Helper Functions
def pki_copytree(src, dst, symlinks=False, ignore=None):
"""Recursively copy a directory tree using copy2().
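Review bot: `from pkiconfig import pki_slots_dict as slots` copies whatever the attribute holds when pkihelper is first imported, so `slots` stays `None` for the life of the process if `compose_pki_slots_dictionary()` has not run yet; this is the same latent ordering dependency the existing `master` alias has, and pkispawn presumably satisfies it only because it composes the dictionaries before the scriptlets (and hence this module) are loaded. Either state the constraint here, `# bound at import time: scriptlets must be loaded only after parse.compose_pki_*_dictionary()`, or read `config.pki_slots_dict` at call time instead of aliasing it.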
@@ -165,27 +171,30 @@ class identity:
# PKI Deployment Instance Class
class instance:
- def apache_instances(self, name):
+ def apache_instances(self):
rv = 0
try:
- if not os.path.exists(name) or not os.path.isdir(name):
+ if not os.path.exists(master['pki_webserver_path']) or\
+ not os.path.isdir(master['pki_webserver_path']):
config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name,
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ master['pki_webserver_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# count number of PKI subsystems present
# within the specfied Apache instance
for subsystem in config.PKI_APACHE_SUBSYSTEMS:
- path = name + "/" + subsystem.lower()
+ path = master['pki_webserver_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- name, rv - 1,
+ master['pki_webserver_path'], rv - 1,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, name,
+ config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
+ master['pki_webserver_path'],
rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -193,28 +202,38 @@ class instance:
sys.exit(1)
return rv
- def pki_subsystem_instances(self, name):
+ def pki_subsystem_instances(self):
rv = 0
try:
- if not os.path.exists(name) or not os.path.isdir(name):
+ if not os.path.exists(master['pki_instance_path']) or\
+ not os.path.isdir(master['pki_instance_path']):
config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name,
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ master['pki_instance_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- # count total number of PKI subsystems present
+ # count total number of Apache PKI subsystems present
# within the specfied PKI instance
- for subsystem in config.PKI_SUBSYSTEMS:
- path = name + "/" + subsystem.lower()
- if os.path.exists(path) and os.path.isdir(path):
+ for apache_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ apache_path = master['pki_instance_path'] + "/" + "apache" +\
+ "/" + apache_subsystem.lower()
+ if os.path.exists(apache_path) and os.path.isdir(apache_path):
+ rv = rv + 1
+ # count total number of Tomcat PKI subsystems present
+ # within the specfied PKI instance
+ for tomcat_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ tomcat_path = master['pki_instance_path'] + "/" + "tomcat" +\
+ "/" + tomcat_subsystem.lower()
+ if os.path.exists(tomcat_path) and os.path.isdir(tomcat_path):
rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2,
- name, rv - 1,
+ master['pki_instance_path'], rv - 1,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2,
- name, rv,
+ master['pki_instance_path'], rv,
extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -222,27 +241,30 @@ class instance:
sys.exit(1)
return rv
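Review bot: `pki_subsystem_instances` subtracts one from the count in the dry-run log line but still returns the unadjusted count, so callers have to know that the value they get back means something different in a dry run; `instance_layout.destroy` in this same commit compares against 0 or 1 depending on `pki_dry_run_flag`, which is exactly that hidden coupling. Either return the adjusted count in dry-run mode (and say so in a docstring) or document the contract on the method: `# Returns the raw count; only the log line is adjusted for dry_run, callers must compensate`. The `os.path.exists(...) and os.path.isdir(...)` pairs can be just `os.path.isdir(...)`, which already implies existence.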
- def tomcat_instances(self, name):
+ def tomcat_instances(self):
rv = 0
try:
- if not os.path.exists(name) or not os.path.isdir(name):
+ if not os.path.exists(master['pki_webserver_path']) or\
+ not os.path.isdir(master['pki_webserver_path']):
config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name,
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ master['pki_webserver_path'],
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# count number of PKI subsystems present
# within the specfied Tomcat instance
for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- path = name + "/" + subsystem.lower()
+ path = master['pki_webserver_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
# always display correct information (even during dry_run)
if config.pki_dry_run_flag and rv > 0:
config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
- name, rv - 1,
+ master['pki_webserver_path'], rv - 1,
extra=config.PKI_INDENTATION_LEVEL_2)
else:
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, name,
+ config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
+ master['pki_webserver_path'],
rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
@@ -250,6 +272,32 @@ class instance:
sys.exit(1)
return rv
+ def verify_subsystem_exists(self):
+ try:
+ if not os.path.exists(master['pki_subsystem_path']):
+ config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ def verify_subsystem_does_not_exist(self):
+ try:
+ if os.path.exists(master['pki_subsystem_path']):
+ config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
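Review bot: Both checks use `os.path.exists`, which returns False for a dangling symlink, so `verify_subsystem_does_not_exist` lets a spawn proceed onto a stale symlink left at `pki_subsystem_path` while `verify_subsystem_exists` rejects a subsystem reached through one; `os.path.lexists` answers the intended question of whether anything occupies the path, `if os.path.lexists(master['pki_subsystem_path']):`. The `except OSError` clauses are unreachable as written because `os.path.exists` swallows OSError internally and returns False, so either drop them or switch to `os.lstat`, which does raise. Neither check confirms the path is a directory owned by `pki_user`; a stray file of the same name passes `verify_subsystem_exists`.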
# PKI Deployment Directory Class
class directory:
@@ -295,11 +343,6 @@ class directory:
extra=config.PKI_INDENTATION_LEVEL_2)
if critical_failure == True:
sys.exit(1)
- else:
- config.pki_log.error(log.PKI_DIRECTORY_ALREADY_EXISTS_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
except OSError as exc:
if exc.errno == errno.EEXIST:
pass
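Review bot: With the `else` branch removed, `directory.create` now silently succeeds when the path already exists, including when it is a directory with a different owner or a looser mode than the one requested, or a symlink pointing elsewhere; for `pki_database_path` and the other shared instance directories this commit creates, that means a pre-planted directory is adopted as-is. When the path exists, at least `os.lstat` it and refuse (or log) if it is a symlink, if its uid/gid differ from the requested ones, or if its mode is wider than `perms`; a comment should also record that silent reuse is intentional for respawn. The `create` method starts before this hunk.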
@@ -397,13 +440,13 @@ class directory:
def is_empty(self, name):
try:
if not os.listdir(name):
- config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1,
- name, extra=config.PKI_INDENTATION_LEVEL_2)
- return False
- else:
config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1,
name, extra=config.PKI_INDENTATION_LEVEL_2)
return True
+ else:
+ config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1,
+ name, extra=config.PKI_INDENTATION_LEVEL_2)
+ return False
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -561,12 +604,7 @@ class directory:
dir_acls=None, file_acls=None, symlink_acls=None,
recursive_flag=True, overwrite_flag=False, critical_failure=True):
try:
- if not os.path.exists(old_name) or not os.path.isdir(old_name):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif config.pki_dry_run_flag:
+ if config.pki_dry_run_flag:
if recursive_flag == True:
# cp -rp <old_name> <new_name>
config.pki_log.info(log.PKIHELPER_CP_RP_2,
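Review bot: With `config.pki_dry_run_flag` tested first, the missing-source check (now the `elif not os.path.exists(old_name) ...` in the next hunk) no longer runs during a dry run, so a dry run logs `cp -rp` for a source that does not exist and the operator only finds out during the real run. The same reordering is introduced for `file.copy` at `@@ -769` and `file.copy_with_slot_substitution` at `@@ -787`. This may be deliberate, since a dry run creates nothing earlier in the pipeline (the note in `apply_slot_substitution` says as much), but then a `config.pki_log.warning(...)` in the dry-run branch when `old_name` is missing would keep the dry run useful as a validation step. `directory.copy` continues past the end of this hunk.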
@@ -580,6 +618,11 @@ class directory:
config.pki_log.info(
log.PKIHELPER_SET_MODE_1, new_name,
extra=config.PKI_INDENTATION_LEVEL_2)
+ elif not os.path.exists(old_name) or not os.path.isdir(old_name):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
else:
if os.path.exists(new_name):
if not overwrite_flag:
@@ -673,11 +716,6 @@ class file:
extra=config.PKI_INDENTATION_LEVEL_2)
if critical_failure == True:
sys.exit(1)
- else:
- config.pki_log.error(log.PKI_FILE_ALREADY_EXISTS_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
except OSError as exc:
if exc.errno == errno.EEXIST:
pass
@@ -769,16 +807,174 @@ class file:
perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None,
overwrite_flag=False, critical_failure=True):
try:
- if not os.path.exists(old_name) or not os.path.isfile(old_name):
+ if config.pki_dry_run_flag:
+ # cp -p <old_name> <new_name>
+ config.pki_log.info(log.PKIHELPER_CP_P_2,
+ old_name, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # chmod <perms> <new_name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2,
+ perms, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ # chown <uid>:<gid> <new_name>
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ elif not os.path.exists(old_name) or not os.path.isfile(old_name):
config.pki_log.error(
log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- elif config.pki_dry_run_flag:
+ else:
+ if os.path.exists(new_name):
+ if not overwrite_flag:
+ config.pki_log.error(
+ log.PKI_FILE_ALREADY_EXISTS_1, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
# cp -p <old_name> <new_name>
config.pki_log.info(log.PKIHELPER_CP_P_2,
old_name, new_name,
extra=config.PKI_INDENTATION_LEVEL_2)
+ shutil.copy2(old_name, new_name)
+ if uid == None:
+ uid = identity.get_uid()
+ if gid == None:
+ gid = identity.get_gid()
+ # chmod <perms> <new_name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2,
+ perms, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chmod(new_name, perms)
+ # chown <uid>:<gid> <new_name>
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chown(new_name, uid, gid)
+ # Store record in installation manifest
+ record = manifest.record()
+ record.name = new_name
+ record.type = manifest.RECORD_TYPE_FILE
+ record.user = master['pki_user']
+ record.group = master['pki_group']
+ record.uid = uid
+ record.gid = gid
+ record.permissions = perms
+ record.acls = acls
+ manifest.database.append(record)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except shutil.Error as exc:
+ config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def apply_slot_substitution(
+ self, name, uid=None, gid=None,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
+ acls=None, critical_failure=True):
+ try:
+ if config.pki_dry_run_flag:
+ # applying in-place slot substitutions on <name>
+ config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1,
+ name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # NOTE: During dry_run, this file may not exist!
+ if os.path.exists(name) and os.path.isfile(name):
+ for line in fileinput.FileInput(name, inplace=1):
+ for slot in slots:
+ if slot != '__name__' and slots[slot] in line:
+ config.pki_log.debug(
+ log.PKIHELPER_SLOT_SUBSTITUTION_2,
+ slots[slot], master[slot],
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ # chmod <perms> <name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2,
+ perms, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ # chown <uid>:<gid> <name>
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ else:
+ if not os.path.exists(name) or not os.path.isfile(name):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # applying in-place slot substitutions on <name>
+ config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1,
+ name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ for line in fileinput.FileInput(name, inplace=1):
+ for slot in slots:
+ if slot != '__name__' and slots[slot] in line:
+ config.pki_log.debug(
+ log.PKIHELPER_SLOT_SUBSTITUTION_2,
+ slots[slot], master[slot],
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ line=line.replace(slots[slot],master[slot])
+ sys.stdout.write(line)
+ if uid == None:
+ uid = identity.get_uid()
+ if gid == None:
+ gid = identity.get_gid()
+ # chmod <perms> <name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2,
+ perms, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chmod(name, perms)
+ # chown <uid>:<gid> <name>
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chown(name, uid, gid)
+ # Store record in installation manifest
+ record = manifest.record()
+ record.name = name
+ record.type = manifest.RECORD_TYPE_FILE
+ record.user = master['pki_user']
+ record.group = master['pki_group']
+ record.uid = uid
+ record.gid = gid
+ record.permissions = perms
+ record.acls = acls
+ manifest.database.append(record)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except shutil.Error as exc:
+ config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def copy_with_slot_substitution(
+ self, old_name, new_name, uid=None, gid=None,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
+ acls=None, overwrite_flag=False,
+ critical_failure=True):
+ try:
+ if config.pki_dry_run_flag:
+ # copy <old_name> to <new_name> with slot substitutions
+ config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2,
+ old_name, new_name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ for line in fileinput.FileInput(old_name):
+ for slot in slots:
+ if slot != '__name__' and slots[slot] in line:
+ config.pki_log.debug(
+ log.PKIHELPER_SLOT_SUBSTITUTION_2,
+ slots[slot], master[slot],
+ extra=config.PKI_INDENTATION_LEVEL_3)
# chmod <perms> <new_name>
config.pki_log.debug(log.PKIHELPER_CHMOD_2,
perms, new_name,
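Review bot: The dry-run branch of `apply_slot_substitution` still rewrites the file: `fileinput.FileInput(name, inplace=1)` redirects stdout to a replacement file, and since that loop never writes a line, an existing `name` is truncated to zero bytes by a dry run. Drop the flag there, `for line in fileinput.FileInput(name):`, so the dry run only reads. In the real branch nothing can raise `shutil.Error`, so the second `except` of that method is dead code; the same holds for the new `except shutil.Error` in `file.copy` only as far as `shutil.copy2` is concerned. `copy_with_slot_substitution` begins at the end of this hunk and continues past it.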
@@ -787,6 +983,11 @@ class file:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, new_name,
extra=config.PKI_INDENTATION_LEVEL_3)
+ elif not os.path.exists(old_name) or not os.path.isfile(old_name):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
else:
if os.path.exists(new_name):
if not overwrite_flag:
@@ -794,11 +995,21 @@ class file:
log.PKI_FILE_ALREADY_EXISTS_1, new_name,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- # cp -p <old_name> <new_name>
- config.pki_log.info(log.PKIHELPER_CP_P_2,
+ # copy <old_name> to <new_name> with slot substitutions
+ config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2,
old_name, new_name,
extra=config.PKI_INDENTATION_LEVEL_2)
- shutil.copy2(old_name, new_name)
+ FILE = open(new_name, "w")
+ for line in fileinput.FileInput(old_name):
+ for slot in slots:
+ if slot != '__name__' and slots[slot] in line:
+ config.pki_log.debug(
+ log.PKIHELPER_SLOT_SUBSTITUTION_2,
+ slots[slot], master[slot],
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ line=line.replace(slots[slot],master[slot])
+ FILE.write(line)
+ FILE.close()
if uid == None:
uid = identity.get_uid()
if gid == None:
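Review bot: `FILE = open(new_name, "w")` is never closed if the substitution loop raises, and the destination is created with the process umask before the `os.chmod` that presumably follows outside the hunk; replace the open/close pair with `with open(new_name, "w") as FILE:` so the handle is released on every path. Since the substituted lines carry values from `master`, which may include configuration secrets (not visible here), consider creating the file via `os.open(new_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, perms)` so it never exists with wider permissions than `perms`. The enclosing method continues outside the hunk.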
@@ -836,6 +1047,64 @@ class file:
sys.exit(1)
return
+ def generate_noise_file(self, name, bytes, uid=None, gid=None,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
+ acls=None, critical_failure=True):
+ try:
+ if not os.path.exists(name):
+ # generating noise file called <name> and
+ # filling it with <bytes> random bytes
+ config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ open(name, "w").close()
+ FILE = open(name, "w")
+ noise = ''.join(random.choice(string.ascii_letters +\
+ string.digits) for x in range(bytes))
+ FILE.write(noise)
+ FILE.close()
+ # chmod <perms> <name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ if not config.pki_dry_run_flag:
+ os.chmod(name, perms)
+ # chown <uid>:<gid> <name>
+ if uid == None:
+ uid = identity.get_uid()
+ if gid == None:
+ gid = identity.get_gid()
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ if not config.pki_dry_run_flag:
+ os.chown(name, uid, gid)
+ # Store record in installation manifest
+ record = manifest.record()
+ record.name = name
+ record.type = manifest.RECORD_TYPE_FILE
+ record.user = master['pki_user']
+ record.group = master['pki_group']
+ record.uid = uid
+ record.gid = gid
+ record.permissions = perms
+ record.acls = acls
+ manifest.database.append(record)
+ elif not os.path.isfile(name):
+ config.pki_log.error(
+ log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ if exc.errno == errno.EEXIST:
+ pass
+ else:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
# PKI Deployment Symbolic Link Class
class symlink:
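Review bot: `generate_noise_file` fills the noise file with `random.choice(...)`, i.e. Python's non-cryptographic Mersenne Twister, and that file is later handed to `certutil -S -z` as key-generation noise (see `generate_self_signed_certificate` in the `class war:` hunk); a deterministic PRNG is the wrong source for that input even though certutil mixes it with its own entropy. Write operating-system randomness instead, `FILE = open(name, "wb")` and `FILE.write(os.urandom(bytes))`, which also drops the `random`/`string` dependency. The preceding `open(name, "w").close()` is redundant with the following `open`, the parameter named `bytes` shadows the builtin, and the `errno.EEXIST` special case in the `except OSError` clause looks copied from `create` — nothing in this method creates a directory, so it silently hides a real error. As with `copy_with_slot_substitution`, the file exists with umask permissions until the later `os.chmod`; an `os.open(..., perms)` avoids the window.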
@@ -886,11 +1155,6 @@ class symlink:
extra=config.PKI_INDENTATION_LEVEL_2)
if critical_failure == True:
sys.exit(1)
- else:
- config.pki_log.error(log.PKI_SYMLINK_ALREADY_EXISTS_1, link,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
except OSError as exc:
if exc.errno == errno.EEXIST:
pass
@@ -1026,6 +1290,347 @@ class war:
return
+# PKI Deployment Password Class
+class password:
+ def create_password_conf(self, path, overwrite_flag=False):
+ try:
+ if not config.pki_dry_run_flag:
+ if os.path.exists(path):
+ if overwrite_flag:
+ config.pki_log.info(
+ log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # overwrite the existing 'password.conf' file
+ with open(path, "wt") as fd:
+ if master['pki_subsystem'] in\
+ config.PKI_APACHE_SUBSYSTEMS:
+ fd.write("internal" + ":" +\
+ str(master['pki_pin']))
+ else:
+ fd.write("internal" + "=" +\
+ str(master['pki_pin']))
+ fd.closed
+ else:
+ config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # create a new 'password.conf' file
+ with open(path, "wt") as fd:
+ if master['pki_subsystem'] in\
+ config.PKI_APACHE_SUBSYSTEMS:
+ fd.write("internal" + ":" +\
+ str(master['pki_pin']))
+ else:
+ fd.write("internal" + "=" +\
+ str(master['pki_pin']))
+ fd.closed
+ else:
+ if not os.path.exists(path) or overwrite_flag:
+ config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
+# PKI Deployment NSS 'certutil' Class
+class certutil:
+ def create_security_databases(self, path, password_file=None, prefix=None,
+ critical_failure=True):
+ try:
+ # Compose this "certutil" command
+ command = "certutil" + " " + "-N"
+ # Provide a path to the NSS security databases
+ if path:
+ command = command + " " + "-d" + " " + path
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PATH,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if password_file != None:
+ command = command + " " + "-f" + " " + password_file
+ if prefix != None:
+ command = command + " " + "-P" + " " + prefix
+ if not config.pki_dry_run_flag:
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_cert_database']) or\
+ os.path.exists(master['pki_key_database']) or\
+ os.path.exists(master['pki_secmod_database']):
+ # Simply notify user that the security databases exist
+ config.pki_log.info(
+ log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ else:
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
+ command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Execute this "certutil" command
+ subprocess.call(command, shell=True)
+ else:
+ if os.path.exists(master['pki_cert_database']) or\
+ os.path.exists(master['pki_key_database']) or\
+ os.path.exists(master['pki_secmod_database']):
+ # Simply notify user that the security databases exist
+ config.pki_log.info(
+ log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ else:
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
+ command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def verify_certificate_exists(self, path, token, nickname,
+ password_file=None):
+ rv = 0
+ try:
+ # Compose this "certutil" command
+ command = "certutil" + " " + "-L"
+ # Provide a path to the NSS security databases
+ if path:
+ command = command + " " + "-d" + " " + path
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PATH,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the 'token'
+ if token:
+ command = command + " " + "-h" + " " + "'" + token + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_TOKEN,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the nickname of this self-signed certificate
+ if nickname:
+ command = command + " " + "-n" + " " + "'" + nickname + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # OPTIONALLY specify a password file
+ if password_file != None:
+ command = command + " " + "-f" + " " + password_file
+ # Always execute this command silently
+ command = command + " > /dev/null 2>&1"
+ if not config.pki_dry_run_flag:
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(master['pki_cert_database']) or\
+ not os.path.exists(master['pki_key_database']) or\
+ not os.path.exists(master['pki_secmod_database']):
+ # NSS security databases MUST exist!
+ config.pki_log.error(
+ log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ else:
+ # Check for first time through as dry_run
+ if not os.path.exists(master['pki_cert_database']) or\
+ not os.path.exists(master['pki_key_database']) or\
+ not os.path.exists(master['pki_secmod_database']):
+ return False
+ # Execute this "certutil" command
+ subprocess.check_call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ return False
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return True
+
+ def generate_self_signed_certificate(self, path, token, nickname,
+ subject, serial_number,
+ validity_period, issuer_name,
+ trustargs, noise_file,
+ password_file=None,
+ critical_failure=True):
+ try:
+ # Compose this "certutil" command
+ command = "certutil" + " " + "-S"
+ # Provide a path to the NSS security databases
+ if path:
+ command = command + " " + "-d" + " " + path
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PATH,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the 'token'
+ if token:
+ command = command + " " + "-h" + " " + "'" + token + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_TOKEN,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the nickname of this self-signed certificate
+ if nickname:
+ command = command + " " + "-n" + " " + "'" + nickname + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the subject name (RFC1485)
+ if subject:
+ command = command + " " + "-s" + " " + "'" + subject + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_SUBJECT,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the serial number
+ if serial_number != None:
+ command = command + " " + "-m" + " " + str(serial_number)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the months valid
+ if validity_period != None:
+ command = command + " " + "-v" + " " + str(validity_period)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the nickname of the issuer certificate
+ if issuer_name:
+ command = command + " " + "-c" + " " +\
+ "'" + issuer_name + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify the certificate trust attributes
+ if trustargs:
+ command = command + " " + "-t" + " " + "'" + trustargs + "'"
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Specify a noise file to be used for key generation
+ if noise_file:
+ command = command + " " + "-z" + " " + noise_file
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # OPTIONALLY specify a password file
+ if password_file != None:
+ command = command + " " + "-f" + " " + password_file
+ # ALWAYS self-sign this certificate
+ command = command + " " + "-x"
+ # ALWAYS mask the command-line output of this command
+ command = command + " " + "> /dev/null 2>&1"
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(master['pki_cert_database']) or\
+ not os.path.exists(master['pki_key_database']) or\
+ not os.path.exists(master['pki_secmod_database']):
+ # NSS security databases MUST exist!
+ config.pki_log.error(
+ log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(noise_file):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ noise_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Execute this "certutil" command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
# PKI Deployment Helper Class Instances
identity = identity()
instance = instance()
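Review bot: `critical_failure` is read in the `except OSError` branches of `password.create_password_conf` and `certutil.verify_certificate_exists` but is not a parameter of either method, so the error path itself raises `NameError`; add `critical_failure=True` to both signatures as the other helpers do. `create_password_conf` writes `master['pki_pin']` through a plain `open(path, "wt")`, so the file is created with the process umask and nothing in this hunk tightens it afterwards — create it with an explicit mode, e.g. `with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fd:`, and drop the two `fd.closed` lines, which are no-op expressions. The `certutil` commands are assembled by string concatenation and executed with `shell=True`, so a token, nickname, subject or path containing a quote or shell metacharacter is misparsed by the shell; pass an argument list to `subprocess` and use `stdout=`/`stderr=` for the `> /dev/null 2>&1` redirection instead. `subprocess.call` never raises `CalledProcessError`, so a failing `certutil -N` or `certutil -S` goes unnoticed and the corresponding `except` clauses are dead; `create_security_databases` and `generate_self_signed_certificate` should use `subprocess.check_call` as `verify_certificate_exists` already does.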
@@ -1033,3 +1638,5 @@ directory = directory()
file = file()
symlink = symlink()
war = war()
+password = password()
+certutil = certutil()
diff --git a/base/deploy/src/scriptlets/pkimanifest.py b/base/deploy/src/scriptlets/pkimanifest.py
index dfd18fbaf..4f45e4b61 100644
--- a/base/deploy/src/scriptlets/pkimanifest.py
+++ b/base/deploy/src/scriptlets/pkimanifest.py
@@ -22,6 +22,12 @@
# System Imports
from collections import namedtuple
import csv
+import sys
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+import pkimessages as log
# PKI Deployment Manifest Constants
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 81f0eadfe..774b1f169 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -28,6 +28,10 @@ PKI_DICTIONARY_MASTER="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\
"====================================================="
+PKI_DICTIONARY_SLOTS="\n"\
+"=====================================================\n"\
+" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\
+"====================================================="
PKI_DICTIONARY_SUBSYSTEM="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\
@@ -74,6 +78,14 @@ PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\
PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\
"or is NOT a regular file!"
PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!"
+PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\
+ "and/or '%s' already exist!"
+PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\
+ "and/or '%s' do NOT exist!"
+PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\
+ "already exists!"
+PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\
+ "does NOT exist!"
PKI_IOERROR_1 = "IOError: %s!"
PKI_KEYERROR_1 = "KeyError: %s!"
@@ -81,6 +93,7 @@ PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!"
PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'"
PKI_OSERROR_1 = "OSError: %s!"
PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!"
+PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!"
PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!"
PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\
"exists BUT it is NOT a "\
@@ -108,12 +121,32 @@ PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\
# PKI Deployment "Helper" Messages
-PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' Apache PKI subsystems"
+PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' "\
+ "Apache PKI subsystems"
+PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\
+ "'-c issuer-name' option!"
+PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\
+ "'-n nickname' option!"
+PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\
+ "'-z noise-file' option!"
+PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!"
+PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\
+ "'-m serial-number' option!"
+PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!"
+PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!"
+PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\
+ "'-t trustargs' option!"
+PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\
+ "'-v months-valid' option!"
+PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'"
PKIHELPER_CHMOD_2 = "chmod %o %s"
PKIHELPER_CHOWN_3 = "chown %s:%s %s"
PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s"
+PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\
+ "with slot substitution"
PKIHELPER_CP_P_2 = "cp -p %s %s"
PKIHELPER_CP_RP_2 = "cp -rp %s %s"
+PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
@@ -124,16 +157,24 @@ PKIHELPER_IS_A_FILE_1 = "'%s' is a file"
PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink"
PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s"
PKIHELPER_LINK_S_2 = "ln -s %s %s"
+PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\
+ "slot substitutions on '%s'"
PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
-PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' PKI subsystems"
+PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
+ "filling it with '%d' random bytes"
+PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
+PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\
+ "PKI subsystems"
PKIHELPER_RM_F_1 = "rm -f %s"
PKIHELPER_RM_RF_1 = "rm -rf %s"
PKIHELPER_RMDIR_1 = "rmdir %s"
PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'"
-PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' Tomcat PKI subsystems"
+PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'"
+PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\
+ "Tomcat PKI subsystems"
PKIHELPER_TOUCH_1 = "touch %s"
PKIHELPER_UID_2 = "UID of '%s' is %s"
PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index bff405955..19c9119a6 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -24,6 +24,7 @@ import ConfigParser
import argparse
import logging
import os
+import time
# PKI Deployment Imports
@@ -171,9 +172,14 @@ def process_command_line_arguments(argv):
# NOTE: When performing 'pkidestroy', a configuration file must be
# explicitly specified if it does not use the default location
# and/or default configuration file name.
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ pki_web_server = "Apache"
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ pki_web_server = "Tomcat"
config.pkideployment_cfg = config.pki_root_prefix +\
config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
config.PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME + "/" +\
+ pki_web_server.lower() +"/" +\
config.pki_subsystem.lower() +"/" +\
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
if not os.path.exists(config.pkideployment_cfg) or\
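Review bot: `pki_web_server` is bound only inside the two `if`/`elif` branches, so when `config.pki_subsystem` is in neither `PKI_APACHE_SUBSYSTEMS` nor `PKI_TOMCAT_SUBSYSTEMS` the later `pki_web_server.lower()` raises `UnboundLocalError` instead of reporting an unknown subsystem. Add an `else:` that logs the bad value and exits, consistent with the module's other input checks, e.g. `else: config.pki_log.error(<unknown-subsystem message>, config.pki_subsystem); sys.exit(1)` with a message constant added to pkimessages. `process_command_line_arguments` starts outside the hunk.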
@@ -192,6 +198,8 @@ def read_pki_configuration_file():
rv = 0
try:
parser = ConfigParser.ConfigParser()
+ # Make keys case-sensitive!
+ parser.optionxform = str
parser.read(config.pkideployment_cfg)
config.pki_common_dict = dict(parser._sections['Common'])
if config.pki_subsystem == "CA":
@@ -223,140 +231,637 @@ def read_pki_configuration_file():
def compose_pki_master_dictionary():
"Create a single master PKI dictionary from the sectional dictionaries"
- config.pki_master_dict = dict()
- # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs
- config.pki_master_dict['pki_timestamp'] = config.pki_timestamp
- # Configuration file name/value pairs
- config.pki_master_dict.update(config.pki_common_dict)
- config.pki_master_dict.update(config.pki_web_server_dict)
- config.pki_master_dict.update(config.pki_subsystem_dict)
- config.pki_master_dict.update(__name__="PKI Master Dictionary")
- config.pki_master_dict['pki_source_conf'] =\
- config.pki_master_dict['pki_source_root'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower() + "/" + "conf"
- if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_master_dict['pki_war'] =\
- config.pki_master_dict['pki_source_root'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower() + "/" +\
- "war" + "/" + config.pki_master_dict['pki_war_name']
- config.pki_master_dict['pki_tomcat_bin_path'] =\
- config.pki_master_dict['pki_tomcat_root'] + "/" + "bin"
- config.pki_master_dict['pki_tomcat_lib_path'] =\
- config.pki_master_dict['pki_tomcat_root'] + "/" + "lib"
- if config.pki_master_dict['pki_subsystem'] == "CA":
- config.pki_master_dict['pki_source_emails'] =\
- config.pki_master_dict['pki_source_root'] + "/" +\
- "ca" + "/" + "emails"
- config.pki_master_dict['pki_source_profiles'] =\
- config.pki_master_dict['pki_source_root'] + "/" +\
- "ca" + "/" + "profiles"
- # Instance layout base name/value pairs
- config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix
- config.pki_master_dict['pki_path'] =\
- config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_root']
- config.pki_master_dict['pki_instance_path'] =\
- config.pki_master_dict['pki_path'] + "/" +\
- config.pki_master_dict['pki_instance_name']
- config.pki_master_dict['pki_instance_database_link'] =\
- config.pki_master_dict['pki_instance_path'] + "/" + "alias"
- # Instance layout log name/value pairs
- config.pki_master_dict['pki_log_path'] =\
- config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_log_root']
- config.pki_master_dict['pki_instance_log_path'] =\
- config.pki_master_dict['pki_log_path'] + "/" +\
- config.pki_master_dict['pki_instance_name']
- # Instance layout configuration name/value pairs
- config.pki_master_dict['pki_configuration_path'] =\
- config.pki_master_dict['pki_root_prefix'] +\
- config.pki_master_dict['pki_instance_configuration_root']
- config.pki_master_dict['pki_instance_configuration_path'] =\
- config.pki_master_dict['pki_configuration_path'] + "/" +\
- config.pki_master_dict['pki_instance_name']
- # Instance layout registry name/value pairs
- config.pki_master_dict['pki_registry_path'] =\
- config.pki_master_dict['pki_root_prefix'] +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT
- config.pki_master_dict['pki_instance_registry_path'] =\
- config.pki_master_dict['pki_registry_path'] + "/" +\
- config.pki_master_dict['pki_instance_name']
- # Instance-based webserver Apache base name/value pairs
- if config.pki_master_dict['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- config.pki_master_dict['pki_apache_path'] =\
- config.pki_master_dict['pki_instance_path'] + "/apache"
- # Instance-based webserver Tomcat base name/value pairs
- if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_master_dict['pki_tomcat_path'] =\
- config.pki_master_dict['pki_instance_path'] + "/" + "tomcat"
- config.pki_master_dict['pki_tomcat_bin_link'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "bin"
- config.pki_master_dict['pki_common_path'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "common"
- config.pki_master_dict['pki_common_lib_path'] =\
- config.pki_master_dict['pki_common_path'] + "/" + "lib"
- config.pki_master_dict['pki_conf_path'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "conf"
- config.pki_master_dict['pki_tomcat_lib_link'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "lib"
- config.pki_master_dict['pki_tomcat_logs_link'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "logs"
- config.pki_master_dict['pki_webapps_path'] =\
- config.pki_master_dict['pki_tomcat_path'] + "/" + "webapps"
- config.pki_master_dict['pki_webapps_root_path'] =\
- config.pki_master_dict['pki_webapps_path'] + "/" + "ROOT"
- config.pki_master_dict['pki_webapps_root_webinf_path'] =\
- config.pki_master_dict['pki_webapps_root_path'] + "/" + "WEB-INF"
- config.pki_master_dict['pki_webapps_webinf_path'] =\
- config.pki_master_dict['pki_webapps_path'] + "/" + "WEB-INF"
- config.pki_master_dict['pki_webapps_webinf_classes_path'] =\
- config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "classes"
- config.pki_master_dict['pki_webapps_webinf_lib_path'] =\
- config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "lib"
- config.pki_master_dict['pki_webapps_subsystem_path'] =\
- config.pki_master_dict['pki_webapps_path'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
- config.pki_master_dict['pki_webapps_subsystem_webinf_classes_link'] =\
- config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\
- "WEB-INF" + "/" + "classes"
- config.pki_master_dict['pki_webapps_subsystem_webinf_lib_link'] =\
- config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\
- "WEB-INF" + "/" + "lib"
- # Instance-based webserver Apache/Tomcat configuration name/value pairs
- config.pki_master_dict['pki_database_path'] =\
- config.pki_master_dict['pki_instance_configuration_path'] + "/" +\
- "alias"
- # Instance-based subsystem base name/value pairs
- config.pki_master_dict['pki_subsystem_path'] =\
- config.pki_master_dict['pki_instance_path'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
- config.pki_master_dict['pki_subsystem_database_link'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "alias"
- config.pki_master_dict['pki_subsystem_configuration_link'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "conf"
- config.pki_master_dict['pki_subsystem_logs_link'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "logs"
- if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "CA":
- config.pki_master_dict['pki_subsystem_emails_path'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "emails"
- config.pki_master_dict['pki_subsystem_profiles_path'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "profiles"
- config.pki_master_dict['pki_subsystem_webapps_link'] =\
- config.pki_master_dict['pki_subsystem_path'] + "/" + "webapps"
- # Instance-based subsystem log name/value pairs
- config.pki_master_dict['pki_subsystem_log_path'] =\
- config.pki_master_dict['pki_instance_log_path'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
- config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\
- config.pki_master_dict['pki_subsystem_log_path'] + "/" +\
- "signedAudit"
- # Instance-based subsystem configuration name/value pairs
- config.pki_master_dict['pki_subsystem_configuration_path'] =\
- config.pki_master_dict['pki_instance_configuration_path'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
- # Instance-based subsystem registry name/value pairs
- config.pki_master_dict['pki_subsystem_registry_path'] =\
- config.pki_master_dict['pki_instance_registry_path'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower()
+ try:
+ config.pki_master_dict = dict()
+ # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs
+ config.pki_master_dict['pki_install_time'] = config.pki_install_time
+ config.pki_master_dict['pki_timestamp'] = config.pki_timestamp
+ config.pki_master_dict['pki_certificate_timestamp'] =\
+ config.pki_certificate_timestamp
+ config.pki_master_dict['pki_hostname'] = config.pki_hostname
+ config.pki_master_dict['pki_pin'] = config.pki_pin
+ config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
+ # Configuration file name/value pairs
+ config.pki_master_dict.update(config.pki_common_dict)
+ config.pki_master_dict.update(config.pki_web_server_dict)
+ config.pki_master_dict.update(config.pki_subsystem_dict)
+ config.pki_master_dict.update(__name__="PKI Master Dictionary")
+ # IMPORTANT: A "PKI instance" no longer corresponds to a single
+ # pki subystem, but rather to zero or one unique
+ # "Tomcat web instance" AND/OR zero or one unique
+ # "Apache web instance". Obviously, each
+ # "PKI instance" must contain at least one of these
+ # two web instances. The name of the default
+ # "PKI instance" is called "default" and may be
+ # changed in the PKI deployment configuration file,
+ # and/or overridden via the command-line interface.
+ #
+ # A "Tomcat instance" consists of a single process
+ # which may itself contain zero or one unique
+ # "CA" and/or "KRA" and/or "OCSP" and/or "TKS"
+ # pki subystems. Obviously, the "Tomcat instance" must
+ # contain at least one of these four pki subystems.
+ #
+ # Similarly, an "Apache instance" consists of a single
+ # process which may itself contain zero or one unique
+ # "RA" and/or "TPS" pki subsystems. Obviously, the
+ # "Apache instance" must contain at least one of these
+ # two pki subystems.
+ #
+ # To emulate the original behavior of having a CA and
+ # KRA be unique PKI instances, each must be located
+ # within a separately named "PKI instance" if residing
+ # on the same host machine, or may be located within
+ # an identically named "PKI instance" when residing on
+ # two separate host machines.
+ #
+ # PKI INSTANCE NAMING CONVENTION:
+ #
+ # OLD: "pki-${pki_subsystem}"
+ # (e. g. Tomcat - "pki-ca", "pki-kra", "pki-ocsp", "pki-tks")
+ # (e. g. Apache - "pki-ra", "pki-tps")
+ # NEW: "pki-${pki_instance_name}-${pki_web_server}"
+ # (e. g. Tomcat: "pki-default-tomcat")
+ # (e. g. Apache: "pki-default-apache")
+ #
+ config.pki_master_dict['pki_instance_id'] =\
+ "pki" + "-" + config.pki_master_dict['pki_instance_name'] + "-" +\
+ config.pki_master_dict['pki_web_server'].lower()
+ # PKI Source name/value pairs
+ config.pki_master_dict['pki_source_conf_path'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ config.pki_master_dict['pki_subsystem'].lower(),
+ "conf")
+ config.pki_master_dict['pki_source_setup_path'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ config.pki_master_dict['pki_subsystem'].lower(),
+ "setup")
+ config.pki_master_dict['pki_source_cs_cfg'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "CS.cfg")
+ config.pki_master_dict['pki_source_registry'] =\
+ os.path.join(config.pki_master_dict['pki_source_setup_path'],
+ "registry_instance")
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_tomcat_bin_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_root'],
+ "bin")
+ config.pki_master_dict['pki_tomcat_lib_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_root'],
+ "lib")
+ config.pki_master_dict['pki_war_path'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ config.pki_master_dict['pki_subsystem'].lower(),
+ "war")
+ config.pki_master_dict['pki_source_webapps_path'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ config.pki_master_dict['pki_subsystem'].lower(),
+ "webapps")
+ config.pki_master_dict['pki_war'] =\
+ os.path.join(config.pki_master_dict['pki_war_path'],
+ config.pki_master_dict['pki_war_name'])
+ config.pki_master_dict['pki_source_catalina_properties'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "catalina.properties")
+ config.pki_master_dict['pki_source_servercertnick_conf'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "serverCertNick.conf")
+ config.pki_master_dict['pki_source_server_xml'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "server.xml")
+ config.pki_master_dict['pki_source_tomcat_conf'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "tomcat.conf")
+ config.pki_master_dict['pki_source_index_jsp'] =\
+ os.path.join(config.pki_master_dict['pki_source_webapps_path'],
+ "ROOT",
+ "index.jsp")
+ config.pki_master_dict['pki_source_webapps_root_web_xml'] =\
+ os.path.join(config.pki_master_dict['pki_source_webapps_path'],
+ "ROOT",
+ "WEB-INF",
+ "web.xml")
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_source_emails'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ "ca",
+ "emails")
+ config.pki_master_dict['pki_source_profiles'] =\
+ os.path.join(config.pki_master_dict['pki_source_root'],
+ "ca",
+ "profiles")
+ config.pki_master_dict['pki_source_proxy_conf'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "proxy.conf")
+ # Instance layout base name/value pairs
+ # NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix'
+ # is being prepended!!!
+ config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix
+ config.pki_master_dict['pki_path'] =\
+ config.pki_master_dict['pki_root_prefix'] +\
+ config.pki_master_dict['pki_instance_root']
+ config.pki_master_dict['pki_instance_path'] =\
+ os.path.join(config.pki_master_dict['pki_path'],
+ config.pki_master_dict['pki_instance_name'])
+ # Instance layout log name/value pairs
+ config.pki_master_dict['pki_log_path'] =\
+ config.pki_master_dict['pki_root_prefix'] +\
+ config.pki_master_dict['pki_instance_log_root']
+ config.pki_master_dict['pki_instance_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_log_path'],
+ config.pki_master_dict['pki_instance_name'])
+ # Instance layout configuration name/value pairs
+ config.pki_master_dict['pki_configuration_path'] =\
+ config.pki_master_dict['pki_root_prefix'] +\
+ config.pki_master_dict['pki_instance_configuration_root']
+ config.pki_master_dict['pki_instance_configuration_path'] =\
+ os.path.join(config.pki_master_dict['pki_configuration_path'],
+ config.pki_master_dict['pki_instance_name'])
+ # Instance layout registry name/value pairs
+ config.pki_master_dict['pki_registry_path'] =\
+ config.pki_master_dict['pki_root_prefix'] +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ config.pki_master_dict['pki_instance_name'])
+ # Instance layout NSS security database name/value pairs
+ config.pki_master_dict['pki_database_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "alias")
+ # Instance layout convenience symbolic links
+ config.pki_master_dict['pki_instance_database_link'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ "alias")
+ # Instance-based Apache/Tomcat webserver base name/value pairs
+ config.pki_master_dict['pki_webserver_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ config.pki_master_dict['pki_web_server'].lower())
+ # Instance-based Apache/Tomcat webserver log name/value pairs
+ config.pki_master_dict['pki_webserver_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_log_path'],
+ config.pki_master_dict['pki_web_server'].lower())
+ # Instance-based Apache/Tomcat webserver configuration name/value pairs
+ config.pki_master_dict['pki_webserver_configuration_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ config.pki_master_dict['pki_web_server'].lower())
+ # Instance-based Apache/Tomcat webserver registry name/value pairs
+ config.pki_master_dict['pki_webserver_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_registry_path'],
+ config.pki_master_dict['pki_web_server'].lower())
+ # Instance-based Tomcat-specific webserver name/value pairs
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ # Instance-based Tomcat webserver base name/value pairs
+ config.pki_master_dict['pki_tomcat_common_path'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "common")
+ config.pki_master_dict['pki_tomcat_common_lib_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
+ "lib")
+ config.pki_master_dict['pki_tomcat_webapps_path'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "webapps")
+ config.pki_master_dict['pki_tomcat_webapps_root_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+ "ROOT")
+ config.pki_master_dict['pki_tomcat_webapps_root_webinf_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_root_path'],
+ "WEB-INF")
+ config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+ "WEB-INF")
+ config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
+ "classes")
+ config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
+ "lib")
+ config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_root_webinf_path'],
+ "web.xml")
+ # Instance-based Tomcat webserver log name/value pairs
+ # Instance-based Tomcat webserver configuration name/value pairs
+ # Instance-based Tomcat webserver registry name/value pairs
+ # Instance-based Tomcat webserver convenience symbolic links
+ config.pki_master_dict['pki_tomcat_bin_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "bin")
+ config.pki_master_dict['pki_tomcat_lib_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "lib")
+ config.pki_master_dict['pki_webserver_systemd_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Instance-based Apache/Tomcat webserver convenience symbolic links
+ config.pki_master_dict['pki_webserver_database_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "alias")
+ config.pki_master_dict['pki_webserver_conf_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "conf")
+ config.pki_master_dict['pki_webserver_logs_link'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ "logs")
+ # Instance-based PKI subsystem base name/value pairs
+ config.pki_master_dict['pki_subsystem_path'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ # Instance-based PKI subsystem log name/value pairs
+ config.pki_master_dict['pki_subsystem_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_log_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ # Instance-based PKI subsystem configuration name/value pairs
+ config.pki_master_dict['pki_subsystem_configuration_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_webserver_configuration_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ # Instance-based PKI subsystem registry name/value pairs
+ config.pki_master_dict['pki_subsystem_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_webserver_registry_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ # Instance-based Apache/Tomcat PKI subsystem name/value pairs
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_APACHE_SUBSYSTEMS:
+ # Instance-based Apache PKI subsystem base name/value pairs
+ # Instance-based Apache PKI subsystem log name/value pairs
+ if config.pki_master_dict['pki_subsystem'] == "TPS":
+ config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_log_path'],
+ "signedAudit")
+ # Instance-based Apache PKI subsystem configuration name/value pairs
+ # Instance-based Apache PKI subsystem registry name/value pairs
+ # Instance-based Apache PKI subsystem convenience symbolic links
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ # Instance-based Tomcat PKI subsystem base name/value pairs
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_subsystem_emails_path'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "emails")
+ config.pki_master_dict['pki_subsystem_profiles_path'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "profiles")
+ # Instance-based Tomcat PKI subsystem log name/value pairs
+ config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_log_path'],
+ "signedAudit")
+ # Instance-based Tomcat PKI subsystem configuration name/value pairs
+ # Instance-based Tomcat PKI subsystem registry name/value pairs
+ # Instance-based Tomcat PKI subsystem convenience symbolic links
+ config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "webapps")
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "classes")
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "lib")
+ # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links
+ config.pki_master_dict['pki_subsystem_database_link'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "alias")
+ config.pki_master_dict['pki_subsystem_conf_link'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "conf")
+ config.pki_master_dict['pki_subsystem_logs_link'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ "logs")
+ # PKI Target (slot substitution) name/value pairs
+ config.pki_master_dict['pki_target_cs_cfg'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "CS.cfg")
+ config.pki_master_dict['pki_target_registry'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_target_catalina_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "catalina.properties")
+ config.pki_master_dict['pki_target_servercertnick_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "serverCertNick.conf")
+ config.pki_master_dict['pki_target_server_xml'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "server.xml")
+ config.pki_master_dict['pki_target_tomcat_conf'] =\
+ config.pki_master_dict['pki_root_prefix'] +\
+ "/etc/sysconfig/" +\
+ config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_target_index_jsp'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_root_path'],
+ "index.jsp")
+ # in-place slot substitution name/value pairs
+ config.pki_master_dict['pki_target_velocity_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "velocity.properties")
+ config.pki_master_dict['pki_target_subsystem_web_xml'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "web.xml")
+ # subystem-specific slot substitution name/value pairs
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_target_proxy_conf'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "proxy.conf")
+ # in-place slot substitution name/value pairs
+ config.pki_master_dict['pki_target_profileselect_template'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_path'],
+ "ee",
+ config.pki_master_dict['pki_subsystem'].lower(),
+ "ProfileSelect.template")
+ # Slot assignment name/value pairs
+ # NOTE: Master key == Slots key; Master value ==> Slots value
+ config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
+ config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ config.pki_master_dict['pki_instance_id'])
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ config.pki_master_dict['pki_subsystem'].lower())
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ config.pki_master_dict['pki_subsystem'].lower())
+ config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\
+ os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None
+ config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None
+ config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None
+ config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None
+ config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None
+ config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None
+ config.pki_master_dict['HTTPD_CONF_SLOT'] = None
+ config.pki_master_dict['LIB_PREFIX_SLOT'] = None
+ config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None
+ config.pki_master_dict['NSS_CONF_SLOT'] = None
+ config.pki_master_dict['OBJ_EXT_SLOT'] = None
+ config.pki_master_dict['PORT_SLOT'] = None
+ config.pki_master_dict['PROCESS_ID_SLOT'] = None
+ config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None
+ config.pki_master_dict['SECURE_PORT_SLOT'] = None
+ config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None
+ config.pki_master_dict['SERVER_NAME_SLOT'] = None
+ config.pki_master_dict['SERVER_ROOT_SLOT'] = None
+ config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None
+ config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None
+ config.pki_master_dict['TMP_DIR_SLOT'] = None
+ config.pki_master_dict['TPS_DIR_SLOT'] = None
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['INSTALL_TIME_SLOT'] =\
+ config.pki_master_dict['pki_install_time']
+ config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict\
+ ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unused"
+ config.pki_master_dict\
+ ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\
+ "agent"
+ config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\
+ config.pki_master_dict['pki_ajp_port']
+ config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\
+ config.pki_master_dict['pki_pin']
+ config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\
+ config.pki_master_dict['pki_target_cs_cfg']
+ config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict\
+ ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict\
+ ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict\
+ ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unused"
+ config.pki_master_dict\
+ ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unused"
+ config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_FLAVOR_SLOT'] =\
+ "pki"
+ config.pki_master_dict['PKI_GROUP_SLOT'] =\
+ config.pki_master_dict['pki_group']
+ config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
+ config.pki_master_dict['pki_subsystem_path']
+ config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
+ config.pki_master_dict['pki_webserver_path']
+ config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
+ config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
+ "<!--"
+ config.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] =\
+ "<!--"
+ config.pki_master_dict\
+ ['PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\
+ "<!--"
+ config.pki_master_dict\
+ ['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
+ "<!--"
+ config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_proxy_https_port']
+ config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_proxy_http_port']
+ config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
+ config.pki_master_dict['pki_one_time_pin']
+ config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Secure"
+ config.pki_master_dict['PKI_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ "<!-- " +\
+ "Shared Ports: Agent, EE, and Admin Secure Port Connector " +\
+ "-->"
+ config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\
+ config.pki_master_dict['pki_security_manager']
+ config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
+ config.pki_master_dict['pki_target_server_xml']
+ config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
+ config.pki_master_dict['pki_subsystem'].lower()
+ config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
+ "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\
+ "d" + "@" + "pki-" +\
+ config.pki_master_dict['pki_subsystem'].lower() + ".service"
+ config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_http_port']
+ config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unsecure"
+ config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ "<!-- Shared Ports: Unsecure Port Connector -->"
+ config.pki_master_dict['PKI_USER_SLOT'] =\
+ config.pki_master_dict['pki_user']
+ config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\
+ "webapps"
+ config.pki_master_dict['TOMCAT_CFG_SLOT'] =\
+ config.pki_master_dict['pki_target_tomcat_conf']
+ config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "*.jar")
+ config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
+ config.pki_master_dict['pki_subsystem_log_path']
+ config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
+ "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
+ config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
+ config.pki_master_dict['tomcat_server_port']
+ config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\
+ "-SSL2_RC4_128_WITH_MD5," +\
+ "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\
+ "-SSL2_RC2_128_CBC_WITH_MD5," +\
+ "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\
+ "-SSL2_DES_64_CBC_WITH_MD5," +\
+ "-SSL2_DES_192_EDE3_CBC_WITH_MD5"
+ config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\
+ "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\
+ "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\
+ "+SSL3_RSA_WITH_RC4_128_SHA," +\
+ "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\
+ "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+SSL3_RSA_WITH_DES_CBC_SHA," +\
+ "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\
+ "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\
+ "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\
+ "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\
+ "-SSL3_RSA_WITH_NULL_MD5," +\
+ "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\
+ "ssl2=true," +\
+ "ssl3=true," +\
+ "tls=true"
+ config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_RSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+ # Shared Apache/Tomcat NSS security database name/value pairs
+ config.pki_master_dict['pki_shared_password_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "password.conf")
+ config.pki_master_dict['pki_cert_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "cert8.db")
+ config.pki_master_dict['pki_key_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "key3.db")
+ config.pki_master_dict['pki_secmod_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "secmod.db")
+ config.pki_master_dict['pki_self_signed_token'] = "internal"
+ config.pki_master_dict['pki_self_signed_nickname'] =\
+ "Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_self_signed_subject'] =\
+ "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ config.pki_master_dict['pki_self_signed_serial_number'] = 0
+ config.pki_master_dict['pki_self_signed_validity_period'] = 12
+ config.pki_master_dict['pki_self_signed_issuer_name'] =\
+ "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
+ config.pki_master_dict['pki_self_signed_noise_file'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "noise")
+ config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024
+ # Shared Apache/Tomcat NSS security database convenience symbolic links
+ config.pki_master_dict\
+ ['pki_subsystem_configuration_password_conf_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "password.conf")
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
return
+
+
+def compose_pki_slots_dictionary():
+ """Read the slots configuration file to create
+ the appropriate PKI slots dictionary"""
+ rv = 0
+ try:
+ config.pki_slots_dict = dict()
+ parser = ConfigParser.ConfigParser()
+ # Make keys case-sensitive!
+ parser.optionxform = str
+ parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE)
+ # Slots configuration file name/value pairs
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_slots_dict = dict(parser._sections['Apache'])
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_slots_dict = dict(parser._sections['Tomcat'])
+ except ConfigParser.ParsingError, err:
+ rv = err
+ return rv
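Review bot: The `try` around the body of compose_pki_master_dictionary catches only `OSError`, yet nothing in it touches the filesystem — every statement is a dictionary lookup or an `os.path.join` — so the realistic failure is a `KeyError` when a key such as `pki_web_server`, `pki_https_port` or `tomcat_server_port` is absent from the deployment configuration, and that currently escapes as a bare traceback; `except (OSError, KeyError) as exc:` with the missing key named in the log message would turn it into a clear configuration error. The `sys.exit(1)` in that handler needs `import sys`, which the import hunk earlier in this file does not add — confirm it is already imported above line 24. The master dictionary now carries secrets (`pki_pin` and `pki_one_time_pin` feed `PKI_CERT_DB_PASSWORD_SLOT` and `PKI_RANDOM_NUMBER_SLOT`), so if the substitution logger behind the new `PKIHELPER_SLOT_SUBSTITUTION_2` message prints both key and value, those two slots would be written to the deployment log; they should be redacted there. `TOMCAT_SSL_OPTIONS_SLOT = "ssl2=true,ssl3=true,tls=true"` together with the `+SSL3_RSA_WITH_DES_CBC_SHA` entry hard-codes a permissive protocol and cipher policy into every generated server.xml; a conservative default in the deployment configuration file, overridable per instance, would be safer than a literal in code. In compose_pki_slots_dictionary a subsystem in neither list silently leaves `pki_slots_dict` empty and returns 0, which the same unsupported-subsystem check used elsewhere in this commit should reject.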
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 093e5ec36..f32b7e497 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,6 +22,7 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
+import pkihelper as util
import pkimessages as log
import pkiscriptlet
@@ -33,20 +34,96 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def spawn(self):
config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ util.password.create_password_conf(
+ master['pki_shared_password_conf'])
+ util.file.modify(master['pki_shared_password_conf'])
+ util.certutil.create_security_databases(
+ master['pki_database_path'],
+ master['pki_shared_password_conf'])
+ util.file.modify(master['pki_cert_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_key_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_secmod_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ rv = util.certutil.verify_certificate_exists(
+ master['pki_database_path'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ password_file=master['pki_shared_password_conf'])
+ if not rv:
+ util.file.generate_noise_file(
+ master['pki_self_signed_noise_file'],
+ master['pki_self_signed_noise_bytes'])
+ util.certutil.generate_self_signed_certificate(
+ master['pki_database_path'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ master['pki_self_signed_subject'],
+ master['pki_self_signed_serial_number'],
+ master['pki_self_signed_validity_period'],
+ master['pki_self_signed_issuer_name'],
+ master['pki_self_signed_trustargs'],
+ master['pki_self_signed_noise_file'],
+ password_file=master['pki_shared_password_conf'])
+ util.file.delete(master['pki_self_signed_noise_file'])
+ else:
+ util.password.create_password_conf(
+ master['pki_shared_password_conf'])
+ util.certutil.create_security_databases(
+ master['pki_database_path'],
+ master['pki_shared_password_conf'])
+ rv = util.certutil.verify_certificate_exists(
+ master['pki_database_path'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ password_file=master['pki_shared_password_conf'])
+ if not rv:
+ util.file.generate_noise_file(
+ master['pki_self_signed_noise_file'],
+ master['pki_self_signed_noise_bytes'])
+ util.certutil.generate_self_signed_certificate(
+ master['pki_database_path'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ master['pki_self_signed_subject'],
+ master['pki_self_signed_serial_number'],
+ master['pki_self_signed_validity_period'],
+ master['pki_self_signed_issuer_name'],
+ master['pki_self_signed_trustargs'],
+ master['pki_self_signed_noise_file'],
+ password_file=master['pki_shared_password_conf'])
return self.rv
def respawn(self):
config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
+ util.file.modify(master['pki_shared_password_conf'])
+ util.file.modify(master['pki_cert_database'],
+ perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_key_database'],
+ perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_secmod_database'],
+ perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
return self.rv
def destroy(self):
config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_subsystem_instances() == 1:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
return self.rv
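Review bot: `util.file.modify(master['pki_shared_password_conf'])` at the top of `spawn` (and again in `respawn`) is called without `perms=`, while the three NSS database files right below it get `PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS`; the password.conf file presumably holds the cleartext token password that unlocks those databases, so it should be at least as restricted, e.g. `util.file.modify(master['pki_shared_password_conf'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)`. The dry-run branch of `spawn` repeats the whole non-dry-run sequence but drops the `util.file.modify` calls and the `util.file.delete` of the noise file, so the dry-run output will not show those steps; a comment stating why, or a single code path that leaves the dry-run decision to the `util` helpers (as `respawn` already does), would keep the two copies from drifting. The local `rv` from `verify_certificate_exists` only drives the branch and never reaches `self.rv`, which is fine but deserves a comment such as `# rv: whether the self-signed server cert already exists`.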
diff --git a/base/deploy/src/scriptlets/slot_assignment.py b/base/deploy/src/scriptlets/slot_assignment.py
deleted file mode 100644
index 6b23ea621..000000000
--- a/base/deploy/src/scriptlets/slot_assignment.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/python -t
-# Authors:
-# Matthew Harmsen <mharmsen@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-import pkimessages as log
-import pkiscriptlet
-
-
-# PKI Deployment Instance Population Classes
-class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- rv = 0
-
- def spawn(self):
- config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
- return self.rv
-
- def respawn(self):
- config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
- return self.rv
-
- def destroy(self):
- config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOT YET IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
- return self.rv
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
new file mode 100644
index 000000000..0a52af9f0
--- /dev/null
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -0,0 +1,120 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_slots_dict as slots
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Instance Population Classes
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
+ master['pki_target_cs_cfg'])
+ util.file.copy_with_slot_substitution(master['pki_source_registry'],
+ master['pki_target_registry'])
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ util.file.copy_with_slot_substitution(
+ master['pki_source_catalina_properties'],
+ master['pki_target_catalina_properties'])
+ util.file.copy_with_slot_substitution(
+ master['pki_source_servercertnick_conf'],
+ master['pki_target_servercertnick_conf'])
+ util.file.copy_with_slot_substitution(
+ master['pki_source_server_xml'],
+ master['pki_target_server_xml'])
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_index_jsp'],
+ master['pki_target_index_jsp'],
+ overwrite_flag=True)
+ util.file.apply_slot_substitution(
+ master['pki_target_velocity_properties'])
+ util.file.apply_slot_substitution(
+ master['pki_target_subsystem_web_xml'])
+ if master['pki_subsystem'] == "CA":
+ util.file.copy_with_slot_substitution(
+ master['pki_source_proxy_conf'],
+ master['pki_target_proxy_conf'])
+ util.file.apply_slot_substitution(
+ master['pki_target_profileselect_template'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
+ master['pki_target_cs_cfg'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(master['pki_source_registry'],
+ master['pki_target_registry'],
+ overwrite_flag=True)
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ util.file.copy_with_slot_substitution(
+ master['pki_source_catalina_properties'],
+ master['pki_target_catalina_properties'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_servercertnick_conf'],
+ master['pki_target_servercertnick_conf'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_server_xml'],
+ master['pki_target_server_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_index_jsp'],
+ master['pki_target_index_jsp'],
+ overwrite_flag=True)
+ util.file.apply_slot_substitution(
+ master['pki_target_velocity_properties'])
+ util.file.apply_slot_substitution(
+ master['pki_target_subsystem_web_xml'])
+ if master['pki_subsystem'] == "CA":
+ util.file.copy_with_slot_substitution(
+ master['pki_source_proxy_conf'],
+ master['pki_target_proxy_conf'],
+ overwrite_flag=True)
+ util.file.apply_slot_substitution(
+ master['pki_target_profileselect_template'])
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return self.rv
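Review bot: `from pkiconfig import pki_slots_dict as slots` in the import block is never referenced in this file; the slot lookups presumably happen inside `util.file.copy_with_slot_substitution` / `apply_slot_substitution`, so the import should be dropped or actually used. `spawn` and `respawn` are the same sequence of calls differing only in `overwrite_flag=True`, so a private helper such as `_substitute_slots(self, overwrite_flag=False)` called from both would remove roughly fifty duplicated lines and stop the two paths diverging. The log constants still carry the old `SLOT_ASSIGNMENT_*` names although the scriptlet is now `slot_substitution`; renaming them in `pkimessages` (outside this hunk) or adding a comment explaining the reuse would help readers.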
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index b71fe39f0..7dc347167 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -36,29 +36,38 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
# establish instance-based subsystem base
util.directory.create(master['pki_subsystem_path'])
- if master['pki_subsystem'] == "CA":
- util.directory.copy(master['pki_source_emails'],
- master['pki_subsystem_emails_path'])
- util.directory.copy(master['pki_source_profiles'],
- master['pki_subsystem_profiles_path'])
# establish instance-based subsystem logs
util.directory.create(master['pki_subsystem_log_path'])
if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
util.directory.create(master['pki_subsystem_signed_audit_log_path'])
# establish instance-based subsystem configuration
- util.directory.copy(master['pki_source_conf'],
- master['pki_subsystem_configuration_path'])
+ util.directory.create(master['pki_subsystem_configuration_path'])
+ # util.directory.copy(master['pki_source_conf_path'],
+ # master['pki_subsystem_configuration_path'])
# establish instance-based subsystem registry
util.directory.create(master['pki_subsystem_registry_path'])
- # establish convenience symbolic links
- util.symlink.create(master['pki_database_path'],
+ # establish instance-based Apache/Tomcat specific subsystems
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # establish instance-based Tomcat PKI subsystem base
+ if master['pki_subsystem'] == "CA":
+ util.directory.copy(master['pki_source_emails'],
+ master['pki_subsystem_emails_path'])
+ util.directory.copy(master['pki_source_profiles'],
+ master['pki_subsystem_profiles_path'])
+ # establish instance-based Tomcat PKI subsystem logs
+ # establish instance-based Tomcat PKI subsystem configuration
+ # establish instance-based Tomcat PKI subsystem registry
+ # establish instance-based Tomcat PKI subsystem convenience
+ # symbolic links
+ util.symlink.create(master['pki_tomcat_webapps_path'],
+ master['pki_subsystem_tomcat_webapps_link'])
+ # establish instance-based subsystem convenience symbolic links
+ util.symlink.create(master['pki_webserver_database_link'],
master['pki_subsystem_database_link'])
util.symlink.create(master['pki_subsystem_configuration_path'],
- master['pki_subsystem_configuration_link'])
+ master['pki_subsystem_conf_link'])
util.symlink.create(master['pki_subsystem_log_path'],
master['pki_subsystem_logs_link'])
- util.symlink.create(master['pki_webapps_path'],
- master['pki_subsystem_webapps_link'])
return self.rv
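Review bot: The commented-out `# util.directory.copy(master['pki_source_conf_path'], ...)` under `# establish instance-based subsystem configuration` is dead code on the new side; either delete it or replace it with a one-line note on why the configuration directory is now only created (the files presumably arrive via the slot substitution scriptlet). The three headings `# establish instance-based Tomcat PKI subsystem logs/configuration/registry` have no statements beneath them and read as unfinished work; drop them or mark them `# (nothing Tomcat-specific yet)`. The second hunk (`respawn`) carries the same commented-out copy and the same empty headings. `spawn`'s body begins before this hunk.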
def respawn(self):
@@ -66,28 +75,37 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
# update instance-based subsystem base
util.directory.modify(master['pki_subsystem_path'])
- if master['pki_subsystem'] == "CA":
- util.directory.copy(master['pki_source_emails'],
- master['pki_subsystem_emails_path'],
- overwrite_flag=True)
- util.directory.copy(master['pki_source_profiles'],
- master['pki_subsystem_profiles_path'],
- overwrite_flag=True)
# update instance-based subsystem logs
util.directory.modify(master['pki_subsystem_log_path'])
if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
util.directory.modify(master['pki_subsystem_signed_audit_log_path'])
# update instance-based subsystem configuration
- util.directory.copy(master['pki_source_conf'],
- master['pki_subsystem_configuration_path'],
- overwrite_flag=True)
+ util.directory.modify(master['pki_subsystem_configuration_path'])
+ # util.directory.copy(master['pki_source_conf_path'],
+ # master['pki_subsystem_configuration_path'])
+ # overwrite_flag=True)
# update instance-based subsystem registry
util.directory.modify(master['pki_subsystem_registry_path'])
- # update convenience symbolic links
+ # establish instance-based Apache/Tomcat specific subsystems
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # update instance-based Tomcat PKI subsystem base
+ if master['pki_subsystem'] == "CA":
+ util.directory.copy(master['pki_source_emails'],
+ master['pki_subsystem_emails_path'],
+ overwrite_flag=True)
+ util.directory.copy(master['pki_source_profiles'],
+ master['pki_subsystem_profiles_path'],
+ overwrite_flag=True)
+ # update instance-based Tomcat PKI subsystem logs
+ # update instance-based Tomcat PKI subsystem configuration
+ # update instance-based Tomcat PKI subsystem registry
+ # update instance-based Tomcat PKI subsystem convenience
+ # symbolic links
+ util.symlink.modify(master['pki_subsystem_tomcat_webapps_link'])
+ # update instance-based subsystem convenience symbolic links
util.symlink.modify(master['pki_subsystem_database_link'])
- util.symlink.modify(master['pki_subsystem_configuration_link'])
+ util.symlink.modify(master['pki_subsystem_conf_link'])
util.symlink.modify(master['pki_subsystem_logs_link'])
- util.symlink.modify(master['pki_subsystem_webapps_link'])
return self.rv
def destroy(self):
@@ -95,10 +113,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
# remove instance-based subsystem base
if master['pki_subsystem'] == "CA":
- util.directory.delete(master['pki_subsystem_profiles_path'])
util.directory.delete(master['pki_subsystem_emails_path'])
+ util.directory.delete(master['pki_subsystem_profiles_path'])
util.directory.delete(master['pki_subsystem_path'])
# remove instance-based subsystem logs
+ if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+ util.directory.delete(master['pki_subsystem_signed_audit_log_path'])
util.directory.delete(master['pki_subsystem_log_path'])
# remove instance-based subsystem configuration
util.directory.delete(master['pki_subsystem_configuration_path'])
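Review bot: The added `util.directory.delete(master['pki_subsystem_signed_audit_log_path'])` removes the signed audit log directory unconditionally as part of destroy; signed audit records are normally the evidence an operator keeps after an instance is gone, so the intent should at least be documented, e.g. `# NOTE: signed audit logs are destroyed with the instance; archive them first if retention is required`. Whether `util.directory.delete` honours `pki_dry_run_flag` is not visible here, so this path should be checked against the explicit dry-run handling used in `security_databases.destroy`. `destroy`'s body starts before and continues after this hunk.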
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index 4f235d8d7..1a89c9f7c 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -36,16 +36,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.WAR_EXPLOSION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# deploy war file
- util.directory.create(master['pki_webapps_subsystem_path'])
+ util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
- master['pki_webapps_subsystem_path'])
+ master['pki_tomcat_webapps_subsystem_path'])
# establish convenience symbolic links
- util.symlink.create(master['pki_webapps_webinf_classes_path'],
- master['pki_webapps_subsystem_webinf_classes_link'])
- util.symlink.create(master['pki_webapps_webinf_lib_path'],
- master['pki_webapps_subsystem_webinf_lib_link'])
+ util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
+ master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
+ util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
+ master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
# set ownerships, permissions, and acls
- util.directory.set_mode(master['pki_webapps_subsystem_path'])
+ util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
def respawn(self):
@@ -53,17 +53,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.WAR_EXPLOSION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# redeploy war file
- util.directory.modify(master['pki_webapps_subsystem_path'])
+ util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
- master['pki_webapps_subsystem_path'])
+ master['pki_tomcat_webapps_subsystem_path'])
# update ownerships, permissions, and acls
# NOTE: This includes existing convenience symbolic links
- util.directory.set_mode(master['pki_webapps_subsystem_path'])
+ util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
def destroy(self):
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
config.pki_log.info(log.WAR_EXPLOSION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- util.directory.delete(master['pki_webapps_subsystem_path'])
+ util.directory.delete(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
diff --git a/base/deploy/src/scriptlets/webserver_layout.py b/base/deploy/src/scriptlets/webserver_layout.py
index 9b3deb7b4..ca24b7000 100644
--- a/base/deploy/src/scriptlets/webserver_layout.py
+++ b/base/deploy/src/scriptlets/webserver_layout.py
@@ -35,85 +35,118 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.WEBSERVER_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# establish instance-based webserver base
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- util.directory.create(master['pki_apache_path'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.directory.create(master['pki_tomcat_path'])
- util.directory.create(master['pki_common_path'])
- util.directory.create(master['pki_common_lib_path'])
- util.directory.create(master['pki_conf_path'])
- util.directory.create(master['pki_webapps_path'])
- util.directory.create(master['pki_webapps_root_path'])
- util.directory.create(master['pki_webapps_root_webinf_path'])
- util.directory.create(master['pki_webapps_webinf_path'])
- util.directory.create(master['pki_webapps_webinf_classes_path'])
- util.directory.create(master['pki_webapps_webinf_lib_path'])
+ util.directory.create(master['pki_webserver_path'])
+ # establish instance-based webserver logs
+ util.directory.create(master['pki_webserver_log_path'])
# establish instance-based webserver configuration
- util.directory.create(master['pki_database_path'])
- # establish convenience symbolic links
- util.symlink.create(master['pki_database_path'],
- master['pki_instance_database_link'])
- util.symlink.create(master['pki_tomcat_bin_path'],
- master['pki_tomcat_bin_link'])
- util.symlink.create(master['pki_tomcat_lib_path'],
- master['pki_tomcat_lib_link'])
- util.symlink.create(master['pki_instance_log_path'],
- master['pki_tomcat_logs_link'])
+ util.directory.create(master['pki_webserver_configuration_path'])
+ # establish instance-based webserver registry
+ util.directory.create(master['pki_webserver_registry_path'])
+ # establish instance-based Apache/Tomcat specific webserver
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # establish instance-based Tomcat webserver base
+ util.directory.create(master['pki_tomcat_common_path'])
+ util.directory.create(master['pki_tomcat_common_lib_path'])
+ util.directory.create(master['pki_tomcat_webapps_path'])
+ util.directory.create(master['pki_tomcat_webapps_root_path'])
+ util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
+ util.file.copy(master['pki_source_webapps_root_web_xml'],
+ master['pki_tomcat_webapps_root_webinf_web_xml'],
+ overwrite_flag=True)
+ util.directory.create(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.create(\
+ master['pki_tomcat_webapps_webinf_classes_path'])
+ util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
+ # establish instance-based Tomcat webserver logs
+ # establish instance-based Tomcat webserver configuration
+ # establish instance-based Tomcat webserver registry
+ # establish instance-based Tomcat webserver convenience
+ # symbolic links
+ util.symlink.create(master['pki_tomcat_bin_path'],
+ master['pki_tomcat_bin_link'])
+ util.symlink.create(master['pki_tomcat_lib_path'],
+ master['pki_tomcat_lib_link'])
+ util.symlink.create(master['pki_tomcat_systemd'],
+ master['pki_webserver_systemd_link'])
+ # establish instance-based webserver convenience symbolic links
+ util.symlink.create(master['pki_instance_database_link'],
+ master['pki_webserver_database_link'])
+ util.symlink.create(master['pki_webserver_configuration_path'],
+ master['pki_webserver_conf_link'])
+ util.symlink.create(master['pki_webserver_log_path'],
+ master['pki_webserver_logs_link'])
return self.rv
def respawn(self):
config.pki_log.info(log.WEBSERVER_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# update instance-based webserver base
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- util.directory.modify(master['pki_apache_path'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.directory.modify(master['pki_tomcat_path'])
- util.directory.modify(master['pki_common_path'])
- util.directory.modify(master['pki_common_lib_path'])
- util.directory.modify(master['pki_conf_path'])
- util.directory.modify(master['pki_webapps_path'])
- util.directory.modify(master['pki_webapps_root_path'])
- util.directory.modify(master['pki_webapps_root_webinf_path'])
- util.directory.modify(master['pki_webapps_webinf_path'])
- util.directory.modify(master['pki_webapps_webinf_classes_path'])
- util.directory.modify(master['pki_webapps_webinf_lib_path'])
+ util.directory.modify(master['pki_webserver_path'])
+ # update instance-based webserver logs
+ util.directory.modify(master['pki_webserver_log_path'])
# update instance-based webserver configuration
- util.directory.modify(master['pki_database_path'])
- # update convenience symbolic links
- util.symlink.modify(master['pki_instance_database_link'])
- util.symlink.modify(master['pki_tomcat_bin_link'])
- util.symlink.modify(master['pki_tomcat_lib_link'])
- util.symlink.modify(master['pki_tomcat_logs_link'])
+ util.directory.modify(master['pki_webserver_configuration_path'])
+ # update instance-based webserver registry
+ util.directory.modify(master['pki_webserver_registry_path'])
+ # update instance-based Apache/Tomcat specific webserver
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # update instance-based Tomcat webserver base
+ util.directory.modify(master['pki_tomcat_common_path'])
+ util.directory.modify(master['pki_tomcat_common_lib_path'])
+ util.directory.modify(master['pki_tomcat_webapps_path'])
+ util.directory.modify(master['pki_tomcat_webapps_root_path'])
+ util.directory.modify(master['pki_tomcat_webapps_root_webinf_path'])
+ util.file.copy(master['pki_source_webapps_root_web_xml'],
+ master['pki_tomcat_webapps_root_webinf_web_xml'],
+ overwrite_flag=True)
+ util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.modify(\
+ master['pki_tomcat_webapps_webinf_classes_path'])
+ util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
+ # update instance-based Tomcat webserver logs
+ # update instance-based Tomcat webserver configuration
+ # update instance-based Tomcat webserver registry
+ # update instance-based Tomcat webserver convenience symbolic links
+ util.symlink.modify(master['pki_tomcat_bin_link'])
+ util.symlink.modify(master['pki_tomcat_lib_link'])
+ # update instance-based webserver convenience symbolic links
+ util.symlink.modify(master['pki_webserver_database_link'])
+ util.symlink.modify(master['pki_webserver_conf_link'])
+ util.symlink.modify(master['pki_webserver_logs_link'])
return self.rv
def destroy(self):
config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- # remove instance-based webserver base
- if not config.pki_dry_run_flag and\
- master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances(master['pki_instance_path']) == 0:
- util.directory.delete(master['pki_apache_path'])
- elif master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances(master['pki_instance_path']) == 1:
- # always display correct information (even during dry_run)
- util.directory.delete(master['pki_apache_path'])
- if not config.pki_dry_run_flag and\
- master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances(master['pki_instance_path']) == 0:
- util.directory.delete(master['pki_tomcat_path'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances(master['pki_instance_path']) == 1:
- # always display correct information (even during dry_run)
- util.directory.delete(master['pki_tomcat_path'])
- # remove instance-based webserver configuration
- if not config.pki_dry_run_flag and\
- util.instance.pki_subsystem_instances(\
- master['pki_instance_path']) == 0:
- util.directory.delete(master['pki_database_path'])
- elif util.instance.pki_subsystem_instances(\
- master['pki_instance_path']) == 1:
- # always display correct information (even during dry_run)
- util.directory.delete(master['pki_database_path'])
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ # remove instance-based webserver base
+ util.directory.delete(master['pki_webserver_path'])
+ # remove instance-based webserver logs
+ # remove instance-based webserver configuration
+ # remove instance-based webserver registry
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
+ # remove instance-based webserver base
+ util.directory.delete(master['pki_webserver_path'])
+ # remove instance-based webserver logs
+ # remove instance-based webserver configuration
+ # remove instance-based webserver registry
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ # remove instance-based webserver base
+ util.directory.delete(master['pki_webserver_path'])
+ # remove instance-based webserver logs
+ # remove instance-based webserver configuration
+ # remove instance-based webserver registry
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
+ # remove instance-based webserver base
+ util.directory.delete(master['pki_webserver_path'])
+ # remove instance-based webserver logs
+ # remove instance-based webserver configuration
+ # remove instance-based webserver registry
return self.rv
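Review bot: `respawn` updates `pki_tomcat_bin_link` and `pki_tomcat_lib_link` but not `pki_webserver_systemd_link`, which `spawn` creates right after them; either add `util.symlink.modify(master['pki_webserver_systemd_link'])` or comment why the systemd link is deliberately skipped. In `destroy`, the four branches all perform the single `util.directory.delete(master['pki_webserver_path'])` and differ only in the instance-count function and the expected count (0 live, 1 during dry run), so the method collapses to one delete as below. The empty `# remove instance-based webserver logs/configuration/registry` headings after each delete appear to mean those directories live under `pki_webserver_path`; saying that once is clearer than repeating three no-op comments four times.

```python
    def destroy(self):
        config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        # Nothing is removed during a dry run, so the instance being
        # destroyed is still counted; expect 1 instead of 0 in that case
        # so the displayed information stays correct (as the original did).
        expected_remaining = 1 if config.pki_dry_run_flag else 0
        if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
            remaining = util.instance.apache_instances()
        elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            remaining = util.instance.tomcat_instances()
        else:
            remaining = None
        if remaining == expected_remaining:
            # remove instance-based webserver base; the original had no
            # separate deletes for logs, configuration and registry, so
            # they are assumed to live beneath it -- confirm
            util.directory.delete(master['pki_webserver_path'])
        return self.rv
```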
diff --git a/base/kra/shared/conf/tomcat.conf b/base/kra/shared/conf/tomcat.conf
new file mode 100644
index 000000000..92af5f8b9
--- /dev/null
+++ b/base/kra/shared/conf/tomcat.conf
@@ -0,0 +1,52 @@
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
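Review bot: The header says this file is sourced by the shell, and `[PKI_INSTANCE_PATH]`, `[PKI_USER]`, `[PKI_SECURITY_MANAGER]`, `[TOMCAT_PIDFILE]` and `[TOMCAT_LOG_DIR]` are dropped straight into double-quoted assignments, so the substitution step (not visible in this hunk) needs to reject or escape `"`, `$` and backtick characters in those values; otherwise an unusual instance path or user name changes the environment Tomcat is started with rather than just a string. The comment `# Connector port is 8080 for this tomcat instance` documents a fixed port while `CONNECTOR_PORT` itself is commented out and the instance port is configured elsewhere; reword it to `# Connector port (configured elsewhere for this instance)` or drop it. The same file appears verbatim for ocsp below (and, per the diffstat, for ca and tks), so a single shared template would avoid four copies drifting.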
diff --git a/base/ocsp/shared/conf/tomcat.conf b/base/ocsp/shared/conf/tomcat.conf
new file mode 100644
index 000000000..92af5f8b9
--- /dev/null
+++ b/base/ocsp/shared/conf/tomcat.conf
@@ -0,0 +1,52 @@
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ra/apache/conf/httpd.conf b/base/ra/apache/conf/httpd.conf
index 9f81b646d..f89e43b33 100644
--- a/base/ra/apache/conf/httpd.conf
+++ b/base/ra/apache/conf/httpd.conf
@@ -264,7 +264,7 @@ LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so
</Location>
#
-# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
+# Load config files from the config directory "[SERVER_ROOT]/conf".
#
#Include conf.d/*.conf
Include [SERVER_ROOT]/conf/perl.conf
diff --git a/base/tks/shared/conf/tomcat.conf b/base/tks/shared/conf/tomcat.conf
new file mode 100644
index 000000000..92af5f8b9
--- /dev/null
+++ b/base/tks/shared/conf/tomcat.conf
@@ -0,0 +1,52 @@
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/tps/apache/conf/httpd.conf b/base/tps/apache/conf/httpd.conf
index 878a4e655..372066afc 100644
--- a/base/tps/apache/conf/httpd.conf
+++ b/base/tps/apache/conf/httpd.conf
@@ -268,7 +268,7 @@ LoadModule tokendb_module [FORTITUDE_MODULE]/mod_tokendb.so
</Location>
#
-# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
+# Load config files from the config directory "[SERVER_ROOT]/conf".
#
#Include conf.d/*.conf
Include [SERVER_ROOT]/conf/perl.conf