diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java')
| -rw-r--r-- | base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java | 768 |
1 files changed, 78 insertions, 690 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index 7729ea40e..f514a59f0 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -19,41 +19,21 @@ package com.netscape.cms.servlet.csadmin; import java.io.IOException; import java.math.BigInteger; -import java.net.URLEncoder; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.StringTokenizer; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.security.x509.X509CertImpl; - import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; -import com.netscape.certsrv.ocsp.IDefStore; import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.property.PropertySet; -import com.netscape.certsrv.usrgrp.EUsrGrpException; -import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.cmsutil.password.IPasswordStore; -import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; public class DonePanel extends WizardPanelBase { @@ -98,73 +78,10 @@ public class DonePanel extends WizardPanelBase { return set; } - private LDAPConnection getLDAPConn(Context context) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String host = ""; - String port = ""; - String pwd = null; - String binddn = ""; - String security = ""; - - IPasswordStore pwdStore = CMS.getPasswordStore(); - - if (pwdStore != null) { - CMS.debug("DonePanel: getLDAPConn: password store available"); - pwd = pwdStore.getPassword("internaldb"); - } - - if (pwd == null) { - throw new IOException("DonePanel: Failed to obtain password from password store"); - } - - try { - host = cs.getString("internaldb.ldapconn.host"); - port = cs.getString("internaldb.ldapconn.port"); - binddn = cs.getString("internaldb.ldapauth.bindDN"); - security = cs.getString("internaldb.ldapconn.secureConn"); - } catch (Exception e) { - CMS.debug("DonePanel: getLDAPConn" + e.toString()); - throw new IOException( - "Failed to retrieve LDAP information from CS.cfg."); - } - - int p = -1; - - try { - p = Integer.parseInt(port); - } catch (Exception e) { - CMS.debug("DonePanel getLDAPConn: " + e.toString()); - throw new IOException("Port is not valid"); - } - - LDAPConnection conn = null; - if (security.equals("true")) { - CMS.debug("DonePanel getLDAPConn: creating secure (SSL) connection for internal ldap"); - conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - } else { - CMS.debug("DonePanel getLDAPConn: creating non-secure (non-SSL) connection for internal ldap"); - conn = new LDAPConnection(); - } - - CMS.debug("DonePanel connecting to " + host + ":" + p); - try { - conn.connect(host, p, binddn, pwd); - } catch (LDAPException e) { - CMS.debug("DonePanel getLDAPConn: " + e.toString()); - throw new IOException("Failed to connect to the internal database."); - } - - return conn; - } - /** * Display the panel. */ - public void display(HttpServletRequest request, - HttpServletResponse response, - Context context) { + public void display(HttpServletRequest request, HttpServletResponse response, Context context) { CMS.debug("DonePanel: display()"); // update session id @@ -175,26 +92,24 @@ public class DonePanel extends WizardPanelBase { } IConfigStore cs = CMS.getConfigStore(); - String ownport = CMS.getEENonSSLPort(); - String ownsport = CMS.getEESSLPort(); - String owneeclientauthsport = CMS.getEEClientAuthSSLPort(); - String ownhost = CMS.getEESSLHost(); - String ownagentsport = CMS.getAgentPort(); - String ownagenthost = CMS.getAgentHost(); - String ownadminsport = CMS.getAdminPort(); - String ownadminhost = CMS.getAdminHost(); - String select = ""; + String select = ""; String type = ""; String instanceId = ""; String instanceRoot = ""; String systemdService = ""; + String ca_host = ""; + String sdtype = ""; + int state = 0; try { type = cs.getString("cs.type", ""); instanceId = cs.getString("instanceId"); instanceRoot = cs.getString("instanceRoot"); select = cs.getString("preop.subsystem.select", ""); systemdService = cs.getString("pkicreate.systemd.servicename", ""); + ca_host = cs.getString("preop.ca.hostname", ""); + sdtype = cs.getString("securitydomain.select", ""); + state = cs.getInteger("cs.state"); } catch (Exception e) { } @@ -224,651 +139,124 @@ public class DonePanel extends WizardPanelBase { } context.put("title", "Done"); context.put("panel", "admin/console/config/donepanel.vm"); - context.put("host", ownadminhost); - context.put("port", ownadminsport); - String subsystemType = toLowerCaseSubsystemType(type); - context.put("systemType", subsystemType); - - try { - int state = cs.getInteger("cs.state"); - if (state == 1) { - context.put("csstate", "1"); - return; - } else - context.put("csstate", "0"); + context.put("host", CMS.getAdminHost()); + context.put("port", CMS.getAdminPort()); + context.put("systemType", type.toLowerCase()); - } catch (Exception e) { - } - - String sd_agent_port = ""; - String sd_admin_port = ""; - String sd_host = ""; - String ca_host = ""; - try { - sd_host = cs.getString("securitydomain.host", ""); - sd_agent_port = cs.getString("securitydomain.httpsagentport", ""); - sd_admin_port = cs.getString("securitydomain.httpsadminport", ""); - ca_host = cs.getString("preop.ca.hostname", ""); - } catch (Exception e) { - } + if (state == 1) { + context.put("csstate", "1"); + return; + } else + context.put("csstate", "0"); if (ca_host.equals("")) context.put("externalCA", "true"); else context.put("externalCA", "false"); - // update security domain - String sdtype = ""; - String subsystemName = ""; - try { - sdtype = cs.getString("securitydomain.select", ""); - subsystemName = cs.getString("preop.subsystem.name", ""); - } catch (Exception e) { - } - - boolean cloneMaster = false; - - if (select.equals("clone") && type.equalsIgnoreCase("CA") && isSDHostDomainMaster(cs)) { - cloneMaster = true; - CMS.debug("Cloning a domain master"); - } - - String s = getSubsystemNodeName(type); - if (sdtype.equals("new")) { - try { - LDAPConnection conn = getLDAPConn(context); - - String basedn = cs.getString("internaldb.basedn"); - String secdomain = cs.getString("securitydomain.name"); - - try { - // Create security domain ldap entry - String dn = "ou=Security Domain," + basedn; - CMS.debug("DonePanel: creating ldap entry : " + dn); - - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSecurityDomain")); - if (secdomain.equals("")) { - // this should not happen - just in case - CMS.debug("DonePanel display(): Security domain is an empty string!"); - throw new IOException("Security domain is an empty string!"); - } else { - attrs.add(new LDAPAttribute("name", secdomain)); - } - attrs.add(new LDAPAttribute("ou", "Security Domain")); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Unable to create security domain"); - throw e; - } - - try { - // create list containers - String clist[] = { "CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList" }; - for (int i = 0; i < clist.length; i++) { - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - String dn = "cn=" + clist[i] + ",ou=Security Domain," + basedn; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSecurityGroup")); - attrs.add(new LDAPAttribute("cn", clist[i])); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } - } catch (Exception e) { - CMS.debug("Unable to create security domain list groups"); - throw e; - } + // Create or update security domain - try { - // Add this host (only CA can create new domain) - String cn = ownhost + ":" + ownadminsport; - String dn = "cn=" + cn + ",cn=CAList,ou=Security Domain," + basedn; - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem")); - attrs.add(new LDAPAttribute("Host", ownhost)); - attrs.add(new LDAPAttribute("SecurePort", ownsport)); - attrs.add(new LDAPAttribute("SecureAgentPort", - ownagentsport)); - attrs.add(new LDAPAttribute("SecureAdminPort", - ownadminsport)); - if (owneeclientauthsport != null) { - attrs.add(new LDAPAttribute("SecureEEClientAuthPort", - owneeclientauthsport)); - } - attrs.add(new LDAPAttribute("UnSecurePort", ownport)); - attrs.add(new LDAPAttribute("Clone", "FALSE")); - attrs.add(new LDAPAttribute("SubsystemName", subsystemName)); - attrs.add(new LDAPAttribute("cn", cn)); - attrs.add(new LDAPAttribute("DomainManager", "TRUE")); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Unable to create host entry in security domain"); - throw e; - } - CMS.debug("DonePanel display: finish updating domain info"); - conn.disconnect(); - } catch (Exception e) { - CMS.debug("DonePanel display: " + e.toString()); - } - - int sd_admin_port_int = -1; - try { - sd_admin_port_int = Integer.parseInt(sd_admin_port); - } catch (Exception e) { - } - - try { - // Fetch the "new" security domain and display it - CMS.debug("Dump contents of new Security Domain . . ."); - @SuppressWarnings("unused") - String c = getDomainXML(sd_host, sd_admin_port_int, true); - } catch (Exception e) { - } - - // Since this instance is a new Security Domain, - // create an empty file to designate this fact. - String security_domain = instanceRoot + "/conf/" - + PKI_SECURITY_DOMAIN; - if (!Utils.isNT()) { - Utils.exec("touch " + security_domain); - Utils.exec("chmod 00660 " + security_domain); - } - - } else { //existing domain - int sd_agent_port_int = -1; - int sd_admin_port_int = -1; - try { - sd_agent_port_int = Integer.parseInt(sd_agent_port); - sd_admin_port_int = Integer.parseInt(sd_admin_port); - } catch (Exception e) { - } - - try { - String cloneStr = ""; - if (select.equals("clone")) - cloneStr = "&clone=true"; - else - cloneStr = "&clone=false"; - - String domainMasterStr = ""; - if (cloneMaster) - domainMasterStr = "&dm=true"; - else - domainMasterStr = "&dm=false"; - String eecaStr = ""; - if (owneeclientauthsport != null) - eecaStr = "&eeclientauthsport=" + owneeclientauthsport; - - updateDomainXML(sd_host, sd_agent_port_int, true, - "/ca/agent/ca/updateDomainXML", - "list=" + s - + "&type=" + type - + "&host=" + ownhost - + "&name=" + subsystemName - + "&sport=" + ownsport - + domainMasterStr - + cloneStr - + "&agentsport=" + ownagentsport - + "&adminsport=" + ownadminsport - + eecaStr - + "&httpport=" + ownport); - - // Fetch the "updated" security domain and display it - CMS.debug("Dump contents of updated Security Domain . . ."); - @SuppressWarnings("unused") - String c = getDomainXML(sd_host, sd_admin_port_int, true); - } catch (Exception e) { - context.put("errorString", "Failed to update the security domain on the domain master."); - //return; + try { + if (sdtype.equals("new")) { + ConfigurationUtils.createSecurityDomain(); + } else { //existing domain + ConfigurationUtils.updateSecurityDomain(); } - } - // add service.securityDomainPort to CS.cfg in case pkiremove - // needs to remove system reference from the security domain - try { - cs.putString("service.securityDomainPort", ownagentsport); + cs.putString("service.securityDomainPort", CMS.getAgentPort()); cs.putString("securitydomain.store", "ldap"); cs.commit(false); } catch (Exception e) { - CMS.debug("DonePanel: exception in adding service.securityDomainPort to CS.cfg" + e); - } - - // need to push connector information to the CA - if (type.equals("KRA") && !ca_host.equals("")) { - try { - updateConnectorInfo(ownagenthost, ownagentsport); - } catch (IOException e) { - context.put("errorString", "Failed to update connector information."); - return; - } - setupClientAuthUser(); - } // if KRA - - // import the CA certificate into the OCSP - // configure the CRL Publishing to OCSP in CA - if (type.equals("OCSP") && !ca_host.equals("")) { - try { - CMS.reinit(IOCSPAuthority.ID); - importCACertToOCSP(); - } catch (Exception e) { - CMS.debug("DonePanel display: Failed to import the CA certificate into OCSP."); - } - - try { - updateOCSPConfig(response); - } catch (Exception e) { - CMS.debug("DonePanel display: Failed to update OCSP information in CA."); - } - - setupClientAuthUser(); - } - - if (!select.equals("clone")) { - if (type.equals("CA") || type.equals("KRA")) { - String endRequestNumStr = ""; - String endSerialNumStr = ""; - - try { - endRequestNumStr = cs.getString("dbs.endRequestNumber", ""); - endSerialNumStr = cs.getString("dbs.endSerialNumber", ""); - BigInteger endRequestNum = new BigInteger(endRequestNumStr); - BigInteger endSerialNum = new BigInteger(endSerialNumStr); - BigInteger oneNum = new BigInteger("1"); - - // update global next range entries - LDAPConnection conn = getLDAPConn(context); - String basedn = cs.getString("internaldb.basedn"); - - String serialdn = ""; - if (type.equals("CA")) { - serialdn = "ou=certificateRepository,ou=" + type.toLowerCase() + "," + basedn; - } else { - serialdn = "ou=keyRepository,ou=" + type.toLowerCase() + "," + basedn; - } - LDAPAttribute attrSerialNextRange = - new LDAPAttribute("nextRange", endSerialNum.add(oneNum).toString()); - LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange); - conn.modify(serialdn, serialmod); - - String requestdn = "ou=" + type.toLowerCase() + ",ou=requests," + basedn; - LDAPAttribute attrRequestNextRange = - new LDAPAttribute("nextRange", endRequestNum.add(oneNum).toString()); - LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange); - conn.modify(requestdn, requestmod); - - conn.disconnect(); - } catch (Exception e) { - CMS.debug("Unable to update global next range numbers: " + e); - } - } - } - - if (cloneMaster) { - // cloning a domain master CA, the clone is also master of its domain - try { - cs.putString("securitydomain.host", ownhost); - cs.putString("securitydomain.httpport", ownport); - cs.putString("securitydomain.httpsadminport", ownadminsport); - cs.putString("securitydomain.httpsagentport", ownagentsport); - cs.putString("securitydomain.httpseeport", ownsport); - cs.putString("securitydomain.select", "new"); - } catch (Exception e) { - CMS.debug("Caught exception trying to save security domain parameters for clone of a domain master"); - } + CMS.debug("DonePanel - update(): Error while updating security domain: " + e); + e.printStackTrace(); } - String dbuser = null; + // push connector information to the CA try { - dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + cs.getString("service.securePort"); - if (! sdtype.equals("new")) { - setupDBUser(dbuser); + if (type.equals("KRA") && !ca_host.equals("")) { + ConfigurationUtils.updateConnectorInfo(CMS.getAgentHost(), CMS.getAgentPort()); + ConfigurationUtils.setupClientAuthUser(); } - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - IUser user = system.getUser(dbuser); - system.addCertSubjectDN(user); } catch (Exception e) { + CMS.debug("DonePanel - update(): Error while pushing KRA connectot information to the CA: " + e); e.printStackTrace(); - CMS.debug("Unable to create or update dbuser" + e); } - cs.putInteger("cs.state", 1); + // import the CA certificate into the OCSP + // configure the CRL Publishing to OCSP in CA try { - // save variables needed for cloning and remove preop - String list = cs.getString("preop.cert.list", ""); - StringTokenizer st = new StringTokenizer(list, ","); - - while (st.hasMoreTokens()) { - String ss = st.nextToken(); - if (ss.equals("sslserver")) - continue; - cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", "")); - cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", "")); - cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", "")); - cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", "")); - cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", "")); - cs.putString("cloning." + ss + ".pubkey.exponent", - cs.getString("preop.cert." + ss + ".pubkey.exponent", "")); - cs.putString("cloning." + ss + ".pubkey.modulus", - cs.getString("preop.cert." + ss + ".pubkey.modulus", "")); - cs.putString("cloning." + ss + ".pubkey.encoded", - cs.getString("preop.cert." + ss + ".pubkey.encoded", "")); - } - cs.putString("cloning.module.token", cs.getString("preop.module.token", "")); - cs.putString("cloning.list", list); - - // more cloning variables needed for non-ca clones - - if (!type.equals("CA")) { - String val = cs.getString("preop.ca.hostname", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.hostname", val); - - val = cs.getString("preop.ca.httpport", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.httpport", val); - - val = cs.getString("preop.ca.httpsport", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.httpsport", val); - - val = cs.getString("preop.ca.list", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.list", val); - - val = cs.getString("preop.ca.pkcs7", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.pkcs7", val); - - val = cs.getString("preop.ca.type", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.type", val); - } - - // save EC type for sslserver cert (if present) - cs.putString("jss.ssl.sslserver.ectype", cs.getString("preop.cert.sslserver.ec.type", "ECDHE")); - - cs.removeSubStore("preop"); - cs.commit(false); - - // Create an empty file that designates the fact that although - // this server instance has been configured, it has NOT yet - // been restarted! - String restart_server = instanceRoot + "/conf/" - + RESTART_SERVER_AFTER_CONFIGURATION; - if (!Utils.isNT()) { - Utils.exec("touch " + restart_server); - Utils.exec("chmod 00660 " + restart_server); + if (type.equals("OCSP") && !ca_host.equals("")) { + CMS.reinit(IOCSPAuthority.ID); + ConfigurationUtils.importCACertToOCSP(); + ConfigurationUtils.updateOCSPConfig(); + ConfigurationUtils.setupClientAuthUser(); } - } catch (Exception e) { - CMS.debug("Caught exception saving preop variables: " + e); + CMS.debug("DonePanel - update(): Error while configuring OCSP publishing on the CA: " + e); + e.printStackTrace(); } - context.put("csstate", "1"); - } - - private void setupClientAuthUser() { - IConfigStore cs = CMS.getConfigStore(); - - // retrieve CA subsystem certificate from the CA - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - String id = ""; try { - String b64 = getCASubsystemCert(); - if (b64 != null) { - int num = cs.getInteger("preop.subsystem.count", 0); - id = getCAUserId(); - num++; - cs.putInteger("preop.subsystem.count", num); - cs.putInteger("subsystem.count", num); - IUser user = system.createUser(id); - user.setFullName(id); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel display: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel display: successfully add the user certificate"); - cs.commit(false); - } - } catch (Exception e) { - } + if (!select.equals("clone")) { + if (type.equals("CA") || type.equals("KRA")) { + ConfigurationUtils.updateNextRanges(); - try { - String groupName = "Trusted Managers"; - IGroup group = system.getGroupFromName(groupName); - if (!group.isMember(id)) { - group.addMemberName(id); - system.modifyGroup(group); - CMS.debug("DonePanel display: successfully added the user to the group."); + } } } catch (Exception e) { - } - } - - private void setupDBUser(String dbuser) throws CertificateException, EUsrGrpException, LDAPException { - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - - String b64 = getSubsystemCert(); - if (b64 == null) { - CMS.debug("DonePanel setupDBUser: failed to fetch subsystem cert"); - return; - } - - IUser user = system.createUser(dbuser); - user.setFullName(dbuser); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel setupDBUser: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel setupDBUser: successfully add the user certificate"); - } - - private String getSubsystemCert() { - IConfigStore cs = CMS.getConfigStore(); - String nickname = ""; - try { - nickname = cs.getString("preop.cert.subsystem.nickname", ""); - String tokenname = cs.getString("preop.module.token", ""); - if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") - && !tokenname.equals("")) - nickname = tokenname + ":" + nickname; - } catch (Exception e) { + CMS.debug("DonePanel - update(): Error while updating serial number next ranges: " + e); + e.printStackTrace(); } - CMS.debug("DonePanel getSubsystemCert: nickname=" + nickname); - String s = null; try { - CryptoManager cm = CryptoManager.getInstance(); - org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname); - - if (cert == null) { - CMS.debug("DonePanel getSubsystemCert: subsystem cert is null"); - return null; + if (select.equals("clone") && type.equalsIgnoreCase("CA") && ConfigurationUtils.isSDHostDomainMaster(cs)) { + // cloning a domain master CA, the clone is also master of its domain + CMS.debug("Cloning a domain master"); + cs.putString("securitydomain.host", CMS.getEESSLHost()); + cs.putString("securitydomain.httpport", CMS.getEENonSSLPort()); + cs.putString("securitydomain.httpsadminport", CMS.getAdminPort()); + cs.putString("securitydomain.httpsagentport", CMS.getAgentPort()); + cs.putString("securitydomain.httpseeport", CMS.getEESSLPort()); + cs.putString("securitydomain.select", "new"); } - - byte[] bytes = cert.getEncoded(); - s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes)); - } catch (Exception e) { - CMS.debug("DonePanel getSubsystemCert: exception: " + e.toString()); - } - return s; - } - - private void updateOCSPConfig(HttpServletResponse response) - throws IOException { - IConfigStore config = CMS.getConfigStore(); - String cahost = ""; - int caport = -1; - - try { - cahost = config.getString("preop.ca.hostname", ""); - caport = config.getInteger("preop.ca.httpsport", -1); } catch (Exception e) { + CMS.debug("DonePanel - update(): Error in determining if security domain host is a master CA: " + e); + e.printStackTrace(); } - String ocsphost = CMS.getAgentHost(); - int ocspport = Integer.parseInt(CMS.getAgentPort()); - String session_id = CMS.getConfigSDSessionId(); - String content = "xmlOutput=true&sessionID=" + session_id + "&ocsp_host=" + ocsphost + "&ocsp_port=" + ocspport; - - updateOCSPConfig(cahost, caport, true, content, response); - } - - private void importCACertToOCSP() throws IOException { - IConfigStore config = CMS.getConfigStore(); - - // get certificate chain from CA + String dbuser = null; try { - String b64 = config.getString("preop.ca.pkcs7", ""); - - if (b64.equals("")) - throw new IOException("Failed to get certificate chain."); - - try { - // this could be a chain - X509Certificate[] certs = Cert.mapCertFromPKCS7(b64); - X509Certificate leafCert = null; - if (certs != null && certs.length > 0) { - if (certs[0].getSubjectDN().getName().equals(certs[0].getIssuerDN().getName())) { - leafCert = certs[certs.length - 1]; - } else { - leafCert = certs[0]; - } - - IOCSPAuthority ocsp = - (IOCSPAuthority) CMS.getSubsystem(IOCSPAuthority.ID); - IDefStore defStore = ocsp.getDefaultStore(); - - // (1) need to normalize (sort) the chain - - // (2) store certificate (and certificate chain) into - // database - ICRLIssuingPointRecord rec = defStore.createCRLIssuingPointRecord( - leafCert.getSubjectDN().getName(), - BIG_ZERO, - MINUS_ONE, null, null); - - try { - rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded()); - } catch (Exception e) { - // error - } - defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec); - //log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName()); - - CMS.debug("DonePanel importCACertToOCSP: Added CA certificate."); - } - } catch (Exception e) { - throw new IOException("Failed to encode the certificate chain"); + dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + + cs.getString("service.securePort"); + if (!sdtype.equals("new")) { + ConfigurationUtils.setupDBUser(dbuser); } - } catch (IOException e) { - throw e; - } catch (Exception e) { - CMS.debug("DonePanel importCACertToOCSP: Failed to import the certificate chain into the OCSP"); - throw new IOException("Failed to import the certificate chain into the OCSP"); - } - } - - private String getCASubsystemCert() throws IOException { - IConfigStore cs = CMS.getConfigStore(); - String host = ""; - int port = -1; - try { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsadminport", -1); - } catch (Exception e) { - } - - return getSubsystemCert(host, port, true); - } - - private String getCAUserId() throws IOException { - IConfigStore cs = CMS.getConfigStore(); - String host = ""; - int port = -1; - try { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsport", -1); + IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + IUser user = system.getUser(dbuser); + system.addCertSubjectDN(user); } catch (Exception e) { + e.printStackTrace(); + CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e); } - return "CA-" + host + "-" + port; - } - - private void updateConnectorInfo(String ownagenthost, String ownagentsport) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - int port = -1; - String url = ""; - String host = null; - String transportCert = ""; + cs.putInteger("cs.state", 1); try { - url = cs.getString("preop.ca.url", ""); - if (!url.equals("")) { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsadminport", -1); - transportCert = cs.getString("kra.transport.cert", ""); - } + ConfigurationUtils.removePreopConfigEntries(); } catch (Exception e) { + CMS.debug("DonePanel - update(): Caught exception saving preop variables: " + e); } - if (host == null) { - CMS.debug("DonePanel: preop.ca.url is not defined. External CA selected. No transport certificate setup is required"); - } else { - CMS.debug("DonePanel: Transport certificate is being setup in " + url); - String session_id = CMS.getConfigSDSessionId(); - String content = - "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host=" - + ownagenthost - + "&ca.connector.KRA.port=" - + ownagentsport - + "&ca.connector.KRA.transportCert=" - + URLEncoder.encode(transportCert, "UTF-8") - + "&sessionID=" - + session_id; - - updateConnectorInfo(host, port, true, content); + // Create an empty file that designates the fact that although + // this server instance has been configured, it has NOT yet + // been restarted! + String restart_server = instanceRoot + "/conf/" + + RESTART_SERVER_AFTER_CONFIGURATION; + if (!Utils.isNT()) { + Utils.exec("touch " + restart_server); + Utils.exec("chmod 00660 " + restart_server); } - } - private String getSubsystemNodeName(String type) { - if (type.equals("CA")) { - return "CAList"; - } else if (type.equals("KRA")) { - return "KRAList"; - } else if (type.equals("TKS")) { - return "TKSList"; - } else if (type.equals("OCSP")) { - return "OCSPList"; - } - - return ""; + context.put("csstate", "1"); } /** |