-rw-r--r--base/deploy/config/deployment.cfg154
-rwxr-xr-xbase/deploy/src/pkidestroy4
-rwxr-xr-xbase/deploy/src/pkispawn4
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py1
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py730
5 files changed, 139 insertions, 754 deletions
diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
index 6ff7a35bb..9eb930414 100644
--- a/base/deploy/config/deployment.cfg
+++ b/base/deploy/config/deployment.cfg
@@ -1,8 +1,13 @@
###############################################################################
-## Default Configuration: ##
+## Common Configuration: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## There are also some meta-parameters that determine how the PKI ##
+## configuratiion should work. ##
## ##
-## This section contains meta-parameters that determine how the PKI ##
-## configuration should work. ##
###############################################################################
[DEFAULT]
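Review bot: The new banner text has a typo in `## configuratiion should work. ##`; it should read `configuration`. The removed banner also carried the note that defaults were generated for undefined common values, and the replacement says nothing about the property that now matters most for this section: every value under `[DEFAULT]` is inherited by every section below it, so a password set here applies to all subsystems. A line such as `## Every value in [DEFAULT] is inherited by every section below. ##` would make that explicit for operators editing the file.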
@@ -47,35 +52,17 @@ destroy_scriplets=
infrastructure_layout
finalization
-###############################################################################
-## Common Configuration: ##
-## ##
-## Values in this section are common to more than one PKI subsystem, and ##
-## contain required information which MAY be overridden by users as ##
-## necessary. ##
-## ##
-## NOTE: Default values will be generated for any and all required ##
-## 'common' data values which are left undefined. ##
-###############################################################################
-[Common]
pki_admin_cert_request_type=crmf
pki_admin_domain_name=
pki_admin_dualkey=False
-pki_admin_email=
pki_admin_keysize=2048
-pki_admin_name=
-pki_admin_nickname=
pki_admin_password=
-pki_admin_subject_dn=
-pki_admin_uid=
pki_audit_group=pkiaudit
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
-pki_audit_signing_nickname=
pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_subject_dn=
-pki_audit_signing_token=
+pki_audit_signing_token=Internal Key Storage Token
pki_backup_keys=False
pki_backup_password=
pki_client_database_dir=
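Review bot: The password options that this hunk leaves in `[DEFAULT]` (`pki_admin_password` and `pki_backup_password` here; `pki_client_pkcs12_password`, `pki_ds_password` and `pki_security_domain_password` in the next hunk) are now inherited by every section, so once pkiparser.py reads the sections with `items()`, `pki_web_server_dict` and `pki_subsystem_dict` each carry a copy of the secrets in addition to `pki_default_dict`. pkispawn and pkidestroy pass both of those dicts to `pkilogging.format` at debug level, so the only thing keeping the secrets out of the log is the `sensitive_parameters` filter, whose implementation is not visible in this diff; confirm that `pkilogging.format` redacts by key name for every dict it is given, not just the default dict. Since values are now `%`-interpolated, a comment near the top of the section such as `## NOTE: values are %-interpolated; write a literal % as %%. ##` would also save an operator whose password contains `%` from a surprising parse failure.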
@@ -83,21 +70,22 @@ pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=
pki_client_pkcs12_password=
-pki_ds_base_dn=
pki_ds_bind_dn=cn=Directory Manager
-pki_ds_database=
-pki_ds_hostname=
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
pki_ds_password=
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
+pki_http_port=%(default_http_port)s
+pki_https_port=%(default_https_port)s
+pki_instance_id=%(pki_instance_name)s
+pki_instance_name=%(default_instance_name)s
pki_issuing_ca=
pki_restart_configured_instance=True
-pki_security_domain_hostname=
+pki_security_domain_hostname=%(hostname)s
pki_security_domain_https_port=8443
-pki_security_domain_name=
+pki_security_domain_name=%(dns_domainname)s Security Domain
pki_security_domain_password=
pki_security_domain_user=
pki_skip_configuration=False
@@ -105,15 +93,14 @@ pki_skip_installation=False
pki_ssl_server_key_algorithm=SHA256withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
-pki_ssl_server_nickname=
-pki_ssl_server_subject_dn=
-pki_ssl_server_token=
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
+pki_ssl_server_subject_dn=cn=%(hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem=%(subsystem_type)s
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
-pki_subsystem_nickname=
-pki_subsystem_subject_dn=
-pki_subsystem_token=
+pki_subsystem_token=Internal Key Storage Token
pki_token_name=internal
pki_token_password=
pki_user=pkiuser
@@ -126,9 +113,6 @@ pki_user=pkiuser
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[Apache]
-pki_instance_name=pki-apache
-pki_http_port=80
-pki_https_port=443
###############################################################################
## Tomcat Configuration: ##
@@ -157,9 +141,6 @@ pki_clone_replication_security=None
pki_clone_uri=
pki_enable_java_debugger=False
pki_enable_proxy=False
-pki_http_port=8080
-pki_https_port=8443
-pki_instance_name=pki-tomcat
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=true
@@ -185,10 +166,10 @@ pki_tomcat_server_port=8005
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
-pki_ca_signing_nickname=
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=
-pki_ca_signing_token=
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
pki_external=False
pki_external_ca_cert_chain_path=
pki_external_ca_cert_path=
@@ -198,13 +179,25 @@ pki_import_admin_cert=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
pki_subordinate=False
-pki_subsystem=CA
-pki_subsystem_name=
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=CA %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
###############################################################################
## KRA Configuration: ##
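Review bot: `pki_ca_signing_subject_dn` and `pki_ocsp_signing_subject_dn` are now fixed to the `CA Signing Certificate` / `CA OCSP Signing Certificate` form for every CA deployment, while the parser code being deleted near the end of this diff used distinct subjects for an external CA (`cn=External CA Signing Certificate`) and a subordinate CA (`cn=SubCA Signing Certificate,o=...`); unless that distinction is reinstated somewhere not shown here, `pki_external=True` and `pki_subordinate=True` deployments will silently receive the root-CA subject names. The same deleted code set `pki_ca_signing_tag` and `pki_ocsp_signing_tag`, which this section does not define, so confirm they are still populated on the Python side. Minor inconsistency: `pki_ca_signing_nickname` and `pki_ocsp_signing_nickname` end in `%(pki_subsystem)s` while `pki_audit_signing_nickname` and `pki_subsystem_nickname` hard-code `CA`; pick one form.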
@@ -218,19 +211,30 @@ pki_import_admin_cert=True
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
-pki_storage_nickname=
+pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=
-pki_storage_token=
-pki_subsystem=KRA
-pki_subsystem_name=
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
pki_transport_key_algorithm=SHA256withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
-pki_transport_nickname=
+pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=
-pki_transport_token=
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=KRA %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## OCSP Configuration: ##
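Review bot: `pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s` contains a doubled comma, which is not a well-formed DN string and will presumably either be rejected or produce an empty RDN when the admin certificate request is built; the CA section spells the same value correctly as `cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s`, and the OCSP and TKS sections in the following hunks repeat the doubled-comma form. Separately, `pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA` has a space after `=`; ConfigParser strips it, but every other value in the file starts directly after `=`, and the same stray space appears in the CA, OCSP and TKS sections.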
@@ -244,12 +248,23 @@ pki_import_admin_cert=True
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_subsystem=OCSP
-pki_subsystem_name=
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=OCSP %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## RA Configuration: ##
@@ -258,8 +273,6 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[RA]
-pki_subsystem=RA
-pki_subsystem_name=
###############################################################################
## TKS Configuration: ##
@@ -270,8 +283,19 @@ pki_subsystem_name=
###############################################################################
[TKS]
pki_import_admin_cert=True
-pki_subsystem=TKS
-pki_subsystem_name=
+pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(hostname)s
+pki_subsystem_name=TKS %(hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
###############################################################################
## TPS Configuration: ##
@@ -280,5 +304,3 @@ pki_subsystem_name=
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[TPS]
-pki_subsystem=TPS
-pki_subsystem_name=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 4e8bca9d1..69daa13ad 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -119,8 +119,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
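Review bot: The `config.pki_log.debug(log.PKI_DICTIONARY_COMMON, ...)` header line is kept while the line that printed the common dictionary beneath it is removed, so the debug log will now show the Common-dictionary heading immediately followed by the web-server heading with nothing in between. Either remove the two `log.PKI_DICTIONARY_COMMON` lines as well (and the constant, if nothing else uses it), or add a comment explaining why the heading is meant to stay. The same leftover appears in the second hunk of this file and in both hunks of pkispawn. `main` starts before this hunk.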
@@ -133,8 +131,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 73d236247..79ab1b230 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -139,8 +139,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
@@ -153,8 +151,6 @@ def main(argv):
# NEVER print out 'sensitive' name/value pairs!!!
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_common_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 35c80a5f7..ec6c5ea38 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -205,7 +205,6 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
pki_default_dict = None
-pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
pki_master_dict = None
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a99425960..05536f424 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -79,8 +79,7 @@ class PKIConfigParser:
dest='pki_deployed_instance_name',
action='store',
nargs=1, required=True, metavar='<instance>',
- help='FORMAT: ${pki_instance_name}'
- '[.${pki_admin_domain_name}]')
+ help='FORMAT: ${pki_instance_name}')
# Establish 'Optional' command-line options
optional = parser.add_argument_group('optional arguments')
optional.add_argument('-h', '--help',
@@ -219,37 +218,51 @@ class PKIConfigParser:
"Read configuration file sections into dictionaries"
rv = 0
try:
- self.pki_config = ConfigParser.ConfigParser()
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ default_instance_name = 'pki-tomcat'
+ default_http_port = '8080'
+ default_https_port = '8443'
+ else:
+ default_instance_name = 'pki-apache'
+ default_http_port = '80'
+ default_https_port = '443'
+
+ predefined_dict = {'default_instance_name': default_instance_name,
+ 'default_http_port': default_http_port,
+ 'default_https_port': default_https_port,
+ 'dns_domainname': config.pki_dns_domainname,
+ 'subsystem_type' : config.pki_subsystem,
+ 'hostname': config.pki_hostname}
+
+ self.pki_config = ConfigParser.SafeConfigParser(predefined_dict)
# Make keys case-sensitive!
self.pki_config.optionxform = str
self.pki_config.read([
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE,
config.pkideployment_cfg])
- config.pki_default_dict = self.pki_config.defaults()
+ config.pki_default_dict = dict(self.pki_config.items('DEFAULT'))
pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split()
- config.pki_common_dict = dict(self.pki_config._sections['Common'])
if config.pki_subsystem == "CA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['CA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('CA'))
elif config.pki_subsystem == "KRA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['KRA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('KRA'))
elif config.pki_subsystem == "OCSP":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['OCSP'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('OCSP'))
elif config.pki_subsystem == "RA":
- config.pki_web_server_dict = dict(self.pki_config._sections['Apache'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['RA'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('RA'))
elif config.pki_subsystem == "TKS":
- config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['TKS'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('TKS'))
elif config.pki_subsystem == "TPS":
- config.pki_web_server_dict = dict(self.pki_config._sections['Apache'])
- config.pki_subsystem_dict = dict(self.pki_config._sections['TPS'])
+ config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
+ config.pki_subsystem_dict = dict(self.pki_config.items('TPS'))
# Insert empty record into dictionaries for "pretty print" statements
# NEVER print "sensitive" key value pairs!!!
config.pki_default_dict[0] = None
- config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
except ConfigParser.ParsingError, err:
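Review bot: Switching to `SafeConfigParser` and `items()` means every value is now `%`-interpolated, including the password options that live in `[DEFAULT]` and are therefore pulled into each `items(...)` call here; a value containing a literal `%` raises `InterpolationSyntaxError`, and a mistyped `%(name)s` reference raises `InterpolationMissingOptionError`, neither of which is a `ConfigParser.ParsingError`, so the `except ConfigParser.ParsingError, err:` at the end of this hunk will not catch them and, absent an outer handler, the traceback escapes. Catching the common base, `except ConfigParser.Error, err:`, keeps the existing handler on that path, assuming its body does not rely on ParsingError-specific attributes; alternatively fetch the options listed in `sensitive_parameters` with `raw=True` so secrets are never interpolated at all. The six `if/elif` branches now differ only in the two section names and could be a lookup table, but that shape predates this change. The enclosing method starts before this hunk.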
@@ -296,10 +309,10 @@ class PKIConfigParser:
# Configuration file name/value pairs
# NEVER add "sensitive" key value pairs to the master dictionary!!!
config.pki_master_dict.update(config.pki_default_dict)
- config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
config.pki_master_dict.update(__name__="PKI Master Dictionary")
+
# IMPORTANT: A "PKI instance" no longer corresponds to a single
# pki subystem, but rather to a unique
# "Tomcat web instance" or a unique "Apache web instance".
@@ -345,17 +358,12 @@ class PKIConfigParser:
# OLD: "pki-${pki_subsystem}"
# (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks")
# (e. g. Apache: "pki-ra", "pki-tps")
- # NEW: "${pki_instance_name}[.${pki_admin_domain_name}]"
+ # NEW: "${pki_instance_name}"
# (e. g. Tomcat: "pki-tomcat", "pki-tomcat.example.com")
# (e. g. Apache: "pki-apache", "pki-apache.example.com")
#
- if len(config.pki_master_dict['pki_admin_domain_name']):
- config.pki_master_dict['pki_instance_id'] =\
- config.pki_master_dict['pki_instance_name'] + "." +\
- config.pki_master_dict['pki_admin_domain_name']
- else:
- config.pki_master_dict['pki_instance_id'] =\
- config.pki_master_dict['pki_instance_name']
+ config.pki_master_dict['pki_instance_id'] = config.pki_master_dict['pki_instance_name']
+
# PKI Source name/value pairs
config.pki_master_dict['pki_source_conf_path'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
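Review bot: The comment block above the new assignment is now stale: the NEW-format line was changed to `"${pki_instance_name}"`, but the two example lines beneath it still list `"pki-tomcat.example.com"` and `"pki-apache.example.com"`, which were only possible with the removed `[.${pki_admin_domain_name}]` suffix; trim them to `# (e. g. Tomcat: "pki-tomcat")` and `# (e. g. Apache: "pki-apache")`. The assignment itself now duplicates `pki_instance_id=%(pki_instance_name)s` in deployment.cfg, so a one-line comment stating which of the two is authoritative (or dropping one of them) would stop them drifting apart. The replacement line also exceeds the width the rest of the file keeps with `\` continuations.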
@@ -1364,7 +1372,6 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and potentially overridden below:
#
- # config.pki_master_dict['pki_client_database_password']
# config.pki_master_dict['pki_client_dir']
# config.pki_master_dict['pki_client_subsystem_dir']
#
@@ -1464,9 +1471,6 @@ class PKIConfigParser:
#
# config.pki_master_dict['pki_security_domain_user']
# config.pki_master_dict['pki_issuing_ca']
- # config.pki_master_dict['pki_security_domain_hostname']
- # config.pki_master_dict['pki_security_domain_name']
- # config.pki_master_dict['pki_subsystem_name']
#
# if security domain user is not defined
@@ -1478,44 +1482,16 @@ class PKIConfigParser:
config.pki_master_dict['pki_security_domain_user'] =\
self.pki_config.get('CA', 'pki_admin_uid')
- # or use the Common admin uid if it's defined
- elif self.pki_config.has_option('Common', 'pki_admin_uid') and\
- len(self.pki_config.get('Common', 'pki_admin_uid')) > 0:
+ # or use the Default admin uid if it's defined
+ elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\
+ len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0:
config.pki_master_dict['pki_security_domain_user'] =\
- self.pki_config.get('Common', 'pki_admin_uid')
+ self.pki_config.get('DEFAULT', 'pki_admin_uid')
# otherwise use the default CA admin uid
else:
config.pki_master_dict['pki_security_domain_user'] = "caadmin"
- if not len(config.pki_master_dict['pki_subsystem_name']):
- if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS and \
- config.str2bool(config.pki_master_dict['pki_clone']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "CA" and \
- config.str2bool(config.pki_master_dict['pki_external']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_EXTERNAL_CA + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "CA" and \
- config.str2bool(config.pki_master_dict['pki_subordinate']):
- config.pki_master_dict['pki_subsystem_name'] =\
- config.PKI_DEPLOYMENT_SUBORDINATE_CA + " " +\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- config.pki_master_dict['pki_subsystem_name'] =\
- config.pki_subsystem + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
if config.pki_subsystem != "CA" or\
config.str2bool(config.pki_master_dict['pki_clone']) or\
config.str2bool(config.pki_master_dict['pki_subordinate']):
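Review bot: Deleting the `pki_subsystem_name` derivation drops the `PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM`, `PKI_DEPLOYMENT_EXTERNAL_CA` and `PKI_DEPLOYMENT_SUBORDINATE_CA` prefixes, so a clone, an external CA and a subordinate CA all receive the plain `CA <hostname> <port>` name that deployment.cfg now supplies, and those three constants appear to have no remaining user in this file. If the prefixes are meant to survive they must be applied after the dictionaries are merged, since a config default cannot depend on `pki_clone`/`pki_external`/`pki_subordinate`; if not, the constants and their documentation should be removed as well. The new `elif` on `DEFAULT`/`pki_admin_uid` also looks unreachable in practice now that the shipped `[CA]` section always defines `pki_admin_uid=caadmin`, which the first branch (whose condition sits above this hunk) presumably reads; a comment such as `# only reached when a user-supplied cfg leaves [CA] pki_admin_uid empty` would say why it is kept. The enclosing method starts and ends outside this hunk.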
@@ -1523,16 +1499,6 @@ class PKIConfigParser:
# CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
# Subordinate CA
config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] + " " +\
- "Security Domain"
- if not\
- len(config.pki_master_dict['pki_security_domain_hostname']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_hostname'] =\
- config.pki_master_dict['pki_hostname']
config.pki_master_dict['pki_security_domain_uri'] =\
"https" + "://" +\
config.pki_master_dict['pki_security_domain_hostname'] + ":" +\
@@ -1552,58 +1518,7 @@ class PKIConfigParser:
else:
# PKI CA
config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that the security domain resides on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] + " " +\
- "Security Domain"
- # Jython scriptlet
- # 'Directory Server' Configuration name/value pairs
- #
- # Apache - [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ds_password']
- # config.pki_master_dict['pki_clone_replication_security']
- # config.pki_master_dict['pki_ds_bind_dn']
- # config.pki_master_dict['pki_ds_ldap_port']
- # config.pki_master_dict['pki_ds_ldaps_port']
- # config.pki_master_dict['pki_ds_remove_data']
- # config.pki_master_dict['pki_ds_secure_connection']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ds_base_dn']
- # config.pki_master_dict['pki_ds_database']
- # config.pki_master_dict['pki_ds_hostname']
- #
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict['pki_ds_base_dn']):
- # if the instance is NOT a clone, create a default BASE DN
- # of "o=${pki_instance_id}"; the reason that this default
- # CANNOT be created if the instance is a clone is due to the
- # fact that a master and clone MUST share the same BASE DN,
- # and creating this default would prevent the ability to
- # place a master and clone on the same machine (the method
- # most often used for testing purposes)
- config.pki_master_dict['pki_ds_base_dn'] =\
- "o=" + config.pki_master_dict['pki_instance_id'] +\
- "-" + config.pki_subsystem
- if not len(config.pki_master_dict['pki_ds_database']):
- config.pki_master_dict['pki_ds_database'] =\
- config.pki_master_dict['pki_instance_id'] +\
- "-" + config.pki_subsystem
- if not len(config.pki_master_dict['pki_ds_hostname']):
- # Guess that the Directory Server resides on the local host
- config.pki_master_dict['pki_ds_hostname'] =\
- config.pki_master_dict['pki_hostname']
+
# Jython scriptlet
# 'External CA' Configuration name/value pairs
#
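Review bot: The removed block carried the only statement of why a clone must not receive a generated `pki_ds_base_dn` (a master and its clone must share the same BASE DN), and deployment.cfg now sets `pki_ds_base_dn=o=%(pki_instance_id)s-CA` (and the KRA/OCSP/TKS equivalents) unconditionally, so a clone whose operator does not override the value will be deployed against `o=<clone instance id>-<subsystem>` instead of the master's base DN, with no warning. Either keep a post-merge check such as `if config.str2bool(config.pki_master_dict['pki_clone']): # a clone must use the master's base DN -- warn if pki_ds_base_dn is the generated default`, or carry the caveat into deployment.cfg as a comment directly above `pki_ds_base_dn`. The `pki_security_domain_name` guess removed at the top of this hunk is covered by the new `[DEFAULT]` value, so that part is fine. The enclosing method continues past this hunk.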
@@ -1639,566 +1554,23 @@ class PKIConfigParser:
config.pki_master_dict['pki_database_path'] + "/" +\
config.pki_master_dict['pki_subsystem'].lower() + "_" +\
"backup" + "_" + "keys" + "." + "p12"
- # Jython scriptlet
- # 'Admin Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_admin_password']
- # config.pki_master_dict['pki_admin_cert_request_type']
- # config.pki_master_dict['pki_admin_dualkey']
- # config.pki_master_dict['pki_admin_keysize']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_admin_name']
- # config.pki_master_dict['pki_admin_uid']
- # config.pki_master_dict['pki_admin_email']
- # config.pki_master_dict['pki_admin_nickname']
- # config.pki_master_dict['pki_admin_subject_dn']
- #
+
config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
- if not len(config.pki_master_dict['pki_admin_uid']):
- config.pki_master_dict['pki_admin_uid'] =\
- config.pki_subsystem.lower() + "admin"
- if not len (config.pki_master_dict['pki_admin_name']):
- config.pki_master_dict['pki_admin_name'] =\
- config.pki_master_dict['pki_admin_uid']
- if not len(config.pki_master_dict['pki_admin_email']):
- config.pki_master_dict['pki_admin_email'] =\
- config.pki_master_dict['pki_admin_name'] + "@" +\
- config.pki_master_dict['pki_dns_domainname']
- if not len(config.pki_master_dict['pki_admin_nickname']):
- config.pki_master_dict['pki_admin_nickname'] =\
- "PKI Administrator for " +\
- config.pki_master_dict['pki_dns_domainname']
if not 'pki_import_admin_cert' in config.pki_master_dict:
config.pki_master_dict['pki_import_admin_cert'] = 'false'
- if not len(config.pki_master_dict['pki_admin_subject_dn']):
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=PKI Administrator" +\
- ",e=" + config.pki_master_dict['pki_admin_email'] +\
- ",o=" + config.pki_master_dict['pki_security_domain_name']
-
- # Jython scriptlet
- # 'CA Signing Certificate' Configuration name/value pairs
- #
- # Tomcat - [CA]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ca_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ca_signing_key_algorithm']
- # config.pki_master_dict['pki_ca_signing_key_size']
- # config.pki_master_dict['pki_ca_signing_key_type']
- # config.pki_master_dict['pki_ca_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ca_signing_nickname']
- # config.pki_master_dict['pki_ca_signing_subject_dn']
- # config.pki_master_dict['pki_ca_signing_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- # config.pki_master_dict['pki_ca_signing_nickname']
- if not len(config.pki_master_dict\
- ['pki_ca_signing_nickname']):
- config.pki_master_dict['pki_ca_signing_nickname'] =\
- "caSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- # config.pki_master_dict['pki_ca_signing_subject_dn']
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "External CA Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "SubCA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "CA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- # config.pki_master_dict['pki_ca_signing_tag']
- config.pki_master_dict['pki_ca_signing_tag'] =\
- "signing"
- # config.pki_master_dict['pki_ca_signing_token']
- if not len(config.pki_master_dict['pki_ca_signing_token']):
- config.pki_master_dict['pki_ca_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'OCSP Signing Certificate' Configuration name/value pairs
- #
- # Tomcat - [CA], [OCSP]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_key_algorithm']
- # config.pki_master_dict['pki_ocsp_signing_key_size']
- # config.pki_master_dict['pki_ocsp_signing_key_type']
- # config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ocsp_signing_nickname']
- # config.pki_master_dict['pki_ocsp_signing_subject_dn']
- # config.pki_master_dict['pki_ocsp_signing_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "External CA OCSP Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "SubCA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "CA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "ocsp_signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'SSL Server Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ssl_server_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ssl_server_key_algorithm']
- # config.pki_master_dict['pki_ssl_server_key_size']
- # config.pki_master_dict['pki_ssl_server_key_type']
- # config.pki_master_dict['pki_ssl_server_nickname']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ssl_server_subject_dn']
- # config.pki_master_dict['pki_ssl_server_token']
- #
- if not len(config.pki_master_dict['pki_ssl_server_nickname']):
- config.pki_master_dict['pki_ssl_server_nickname'] =\
- "Server-Cert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id']
- if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" + "External CA"
- else:
- # PKI or Cloned CA, KRA, OCSP, TKS, or Subordinate CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ca_signing_tag'] = "signing"
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing"
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "signing"
config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
- if not len(config.pki_master_dict['pki_ssl_server_token']):
- config.pki_master_dict['pki_ssl_server_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Subsystem Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_subsystem_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_subsystem_key_algorithm']
- # config.pki_master_dict['pki_subsystem_key_size']
- # config.pki_master_dict['pki_subsystem_key_type']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_subsystem_nickname']
- # config.pki_master_dict['pki_subsystem_subject_dn']
- # config.pki_master_dict['pki_subsystem_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "RA Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TPS Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "External CA Subsystem Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "SubCA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "CA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "DRM Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "OCSP Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TKS Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Audit Signing Certificate' Configuration name/value pairs
- #
- # Apache - [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_audit_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_audit_signing_key_algorithm']
- # config.pki_master_dict['pki_audit_signing_key_size']
- # config.pki_master_dict['pki_audit_signing_key_type']
- # config.pki_master_dict['pki_audit_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_audit_signing_nickname']
- # config.pki_master_dict['pki_audit_signing_subject_dn']
- # config.pki_master_dict['pki_audit_signing_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] != "RA":
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] +" " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- config.pki_master_dict['pki_audit_signing_subject_dn'] =\
- "cn=" + "TPS Audit Signing Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "External CA Audit Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "SubCA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "CA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "DRM Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "OCSP Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "TKS Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Transport Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_transport_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_transport_key_algorithm']
- # config.pki_master_dict['pki_transport_key_size']
- # config.pki_master_dict['pki_transport_key_type']
- # config.pki_master_dict['pki_transport_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_transport_nickname']
- # config.pki_master_dict['pki_transport_subject_dn']
- # config.pki_master_dict['pki_transport_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict\
- ['pki_transport_nickname']):
- config.pki_master_dict['pki_transport_nickname'] =\
- "transportCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_transport_subject_dn']):
- config.pki_master_dict['pki_transport_subject_dn']\
- = "cn=" + "DRM Transport Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_transport_tag'] =\
- "transport"
- if not len(config.pki_master_dict['pki_transport_token']):
- config.pki_master_dict['pki_transport_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Storage Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_storage_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_storage_key_algorithm']
- # config.pki_master_dict['pki_storage_key_size']
- # config.pki_master_dict['pki_storage_key_type']
- # config.pki_master_dict['pki_storage_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_storage_nickname']
- # config.pki_master_dict['pki_storage_subject_dn']
- # config.pki_master_dict['pki_storage_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict['pki_storage_nickname']):
- config.pki_master_dict['pki_storage_nickname'] =\
- "storageCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_storage_subject_dn']):
- config.pki_master_dict['pki_storage_subject_dn']\
- = "cn=" + "DRM Storage Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_storage_tag'] =\
- "storage"
- if not len(config.pki_master_dict['pki_storage_token']):
- config.pki_master_dict['pki_storage_token'] =\
- "Internal Key Storage Token"
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing"
+ config.pki_master_dict['pki_transport_tag'] = "transport"
+ config.pki_master_dict['pki_storage_tag'] = "storage"
+
# Finalization name/value pairs
config.pki_master_dict['pki_deployment_cfg_replica'] =\
os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],