-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 98 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 105 |
2 files changed, 107 insertions, 96 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index cf2a7486c..d7de53fb1 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -3835,6 +3835,7 @@ class ConfigClient: self.san_inject = config.str2bool(self.mdict['pki_san_inject']) def configure_pki_data(self, data): + config.pki_log.info( log.PKI_CONFIG_CONFIGURING_PKI_DATA, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -3846,101 +3847,8 @@ class ConfigClient: subsystem=self.mdict['pki_subsystem_type'], trust_env=False) - try: - client = pki.system.SystemConfigClient(connection) - response = client.configure(data) - - config.pki_log.debug( - log.PKI_CONFIG_RESPONSE_STATUS + " " + str(response['status']), - extra=config.PKI_INDENTATION_LEVEL_2) - try: - certs = response['systemCerts'] - except KeyError: - # no system certs created - config.pki_log.debug( - "No new system certificates generated.", - extra=config.PKI_INDENTATION_LEVEL_2) - certs = [] - - if not isinstance(certs, list): - certs = [certs] - for cdata in certs: - if self.standalone and not self.external_step_two: - # Stand-alone PKI (Step 1) - if cdata['tag'].lower() == "audit_signing": - # Save Stand-alone PKI 'Audit Signing Certificate' CSR - # (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1, - self.mdict['pki_external_audit_signing_csr_path'], - self.subsystem) - elif cdata['tag'].lower() == "signing": - # Save Stand-alone PKI OCSP 'OCSP Signing Certificate' - # CSR (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING, - self.mdict['pki_external_signing_csr_path']) - elif cdata['tag'].lower() == "sslserver": - # Save Stand-alone PKI 'SSL Server Certificate' CSR - # (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1, - self.mdict['pki_external_sslserver_csr_path'], - self.subsystem) - elif cdata['tag'].lower() == "storage": - # Save Stand-alone PKI KRA 'Storage Certificate' CSR - # (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE, - self.mdict['pki_external_storage_csr_path']) - elif cdata['tag'].lower() == "subsystem": - # Save Stand-alone PKI 'Subsystem Certificate' CSR - # (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1, - 
self.mdict['pki_external_subsystem_csr_path'], - self.subsystem) - elif cdata['tag'].lower() == "transport": - # Save Stand-alone PKI KRA 'Transport Certificate' CSR - # (Step 1) - self.save_system_csr( - cdata['request'], - log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT, - self.mdict['pki_external_transport_csr_path']) - else: - config.pki_log.debug( - log.PKI_CONFIG_CDATA_TAG + " " + cdata['tag'], - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug( - log.PKI_CONFIG_CDATA_CERT + "\n" + cdata['cert'], - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug( - log.PKI_CONFIG_CDATA_REQUEST + "\n" + cdata['request'], - extra=config.PKI_INDENTATION_LEVEL_2) - - # Cloned PKI subsystems do not return an Admin Certificate - if not self.clone: - if self.standalone: - if not self.external_step_two: - # NOTE: Do nothing for Stand-alone PKI (Step 1) - # as this has already been addressed - # in 'set_admin_parameters()' - pass - else: - admin_cert = response['adminCert']['cert'] - self.process_admin_cert(admin_cert) - elif not config.str2bool(self.mdict['pki_import_admin_cert']): - admin_cert = response['adminCert']['cert'] - self.process_admin_cert(admin_cert) - - except: - - raise + client = pki.system.SystemConfigClient(connection) + return client.configure(data) def process_admin_cert(self, admin_cert): config.pki_log.debug( diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index c9166f1ee..8c6b52368 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py 
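Review bot: configure_pki_data now returns whatever `client.configure(data)` hands back, but the method has no docstring stating that contract, and after this hunk nothing in the method shows what the response holds or who consumes it. A one-line docstring under the `def` (the def line sits in the previous hunk) would pin it: `"""Send the configuration request and return the server's response dict; the caller reads 'status', 'systemCerts' and 'adminCert' from it."""`. Those key names are taken from the consumer added to configuration.py in this same commit, so they should be kept in sync if that code changes. The method's signature and the connection setup precede this hunk.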
@@ -96,8 +96,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): existing = deployer.configuration_file.existing external = deployer.configuration_file.external + standalone = deployer.configuration_file.standalone step_one = deployer.configuration_file.external_step_one step_two = deployer.configuration_file.external_step_two + clone = deployer.configuration_file.clone try: if external and step_one: # external CA step 1 only 
@@ -384,9 +386,110 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): data = deployer.config_client.construct_pki_configuration_data() # Configure the subsystem - deployer.config_client.configure_pki_data( + response = deployer.config_client.configure_pki_data( json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) + config.pki_log.debug( + log.PKI_CONFIG_RESPONSE_STATUS + " " + str(response['status']), + extra=config.PKI_INDENTATION_LEVEL_2) + + try: + certs = response['systemCerts'] + except KeyError: + # no system certs created + config.pki_log.debug( + "No new system certificates generated.", + extra=config.PKI_INDENTATION_LEVEL_2) + certs = [] + + if not isinstance(certs, list): + certs = [certs] + + for cdata in certs: + + if standalone and not step_two: + + # Stand-alone PKI (Step 1) + + if cdata['tag'].lower() == "audit_signing": + # Save Stand-alone PKI 'Audit Signing Certificate' CSR + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1, + deployer.mdict['pki_external_audit_signing_csr_path'], + subsystem.name) + + elif cdata['tag'].lower() == "signing": + # Save Stand-alone PKI OCSP 'OCSP Signing Certificate' + # CSR (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING, + deployer.mdict['pki_external_signing_csr_path']) + + elif cdata['tag'].lower() == "sslserver": + # Save Stand-alone PKI 'SSL Server Certificate' CSR + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1, + deployer.mdict['pki_external_sslserver_csr_path'], + subsystem.name) + + elif cdata['tag'].lower() == "storage": + # Save Stand-alone PKI KRA 'Storage Certificate' CSR + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE, + deployer.mdict['pki_external_storage_csr_path']) + + elif 
cdata['tag'].lower() == "subsystem": + # Save Stand-alone PKI 'Subsystem Certificate' CSR + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1, + deployer.mdict['pki_external_subsystem_csr_path'], + subsystem.name) + + elif cdata['tag'].lower() == "transport": + # Save Stand-alone PKI KRA 'Transport Certificate' CSR + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], + log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT, + deployer.mdict['pki_external_transport_csr_path']) + + else: + config.pki_log.debug( + log.PKI_CONFIG_CDATA_TAG + " " + cdata['tag'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug( + log.PKI_CONFIG_CDATA_CERT + "\n" + cdata['cert'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug( + log.PKI_CONFIG_CDATA_REQUEST + "\n" + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Cloned PKI subsystems do not return an Admin Certificate + if not clone: + + if standalone: + if not step_two: + # NOTE: Do nothing for Stand-alone PKI (Step 1) + # as this has already been addressed + # in 'set_admin_parameters()' + pass + else: + admin_cert = response['adminCert']['cert'] + deployer.config_client.process_admin_cert(admin_cert) + + elif not config.str2bool(deployer.mdict['pki_import_admin_cert']): + admin_cert = response['adminCert']['cert'] + deployer.config_client.process_admin_cert(admin_cert) + def destroy(self, deployer): config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, |
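Review bot: Both `admin_cert = response['adminCert']['cert']` lines dereference the server response unguarded, so a response without an admin certificate surfaces as a bare KeyError with no hint of which deployment step failed, while `systemCerts` earlier in the same hunk is read under a try/except. Since the two branches that need the certificate differ only in their condition, collapse them into one flag and read the key once with a descriptive error, as sketched below. The repeated `cdata['tag'].lower()` in the CSR loop could likewise be hoisted into a local `tag` at the top of the loop body. `subsystem` and the project's preferred exception class are assumed from code earlier in this method, which begins before the hunk; confirm both before adopting the sketch.
```python
# … unchanged: systemCerts / CSR handling …

# Cloned PKI subsystems do not return an Admin Certificate
if not clone:
    if standalone:
        # Stand-alone PKI (Step 1) is handled in 'set_admin_parameters()'
        need_admin_cert = step_two
    else:
        need_admin_cert = not config.str2bool(
            deployer.mdict['pki_import_admin_cert'])

    if need_admin_cert:
        try:
            admin_cert = response['adminCert']['cert']
        except KeyError:
            raise Exception(
                'Configuration response contains no admin certificate')
        deployer.config_client.process_admin_cert(admin_cert)
```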