summaryrefslogtreecommitdiffstats
path: root/base/deploy/src/scriptlets
diff options
context:
space:
mode:
Diffstat (limited to 'base/deploy/src/scriptlets')
-rw-r--r--base/deploy/src/scriptlets/configuration.jy116
-rw-r--r--base/deploy/src/scriptlets/configuration.py69
-rw-r--r--base/deploy/src/scriptlets/finalization.py16
-rw-r--r--base/deploy/src/scriptlets/initialization.py7
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py119
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py58
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py382
-rw-r--r--base/deploy/src/scriptlets/pkijython.py429
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py65
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py1251
-rw-r--r--base/deploy/src/scriptlets/security_databases.py33
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py26
-rw-r--r--base/deploy/src/scriptlets/subsystem_layout.py68
-rw-r--r--base/deploy/src/scriptlets/war_explosion.py32
14 files changed, 2549 insertions, 122 deletions
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index f7366c723..a40e7c645 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -9,7 +9,6 @@ import sys
# PKI Python Imports
import pkijython as jyutil
import pkiconfig as config
-from pkiconfig import pki_master_jython_dict as master
import pkimessages as log
@@ -18,12 +17,19 @@ from java.lang import System as javasystem
def main(argv):
+ rv = 0
+
# Establish 'master' as the PKI jython dictionary
master = dict()
- # import the master dictionary from 'pkispawn'
+ # Import the master dictionary from 'pkispawn'
master = pickle.loads(argv[1])
+ # Optionally enable a java debugger (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+
# IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging!
#
# Until, and unless, 'jython 2.5' or later is used,
@@ -59,11 +65,107 @@ def main(argv):
master['pki_jython_log_level'])
# Log into token
- jyutil.security_databases.log_into_token(
- master['pki_client_database_path'],
- master['pki_client_password_conf'],
- master['pki_dry_run_flag'],
- master['pki_jython_log_level'])
+ token = jyutil.security_databases.log_into_token(
+ master['pki_client_database_path'],
+ master['pki_client_password_conf'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+ # Establish REST Client
+ client = jyutil.rest_client.initialize(
+ master['pki_jython_base_uri'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+ # Construct PKI Subsystem Configuration Data
+ data = None
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] == "RA":
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "TPS":
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif config.str2bool(master['pki_external']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_EXTERNAL_CA,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif config.str2bool(master['pki_subordinate']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_SUBORDINATE_CA,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ data = jyutil.rest_client.construct_pki_configuration_data(
+ master, token)
+ elif master['pki_subsystem'] == "KRA":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "OCSP":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "TKS":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+
+ # Formulate PKI Subsystem Configuration Data Response
+ jyutil.rest_client.configure_pki_data(data,
+ master['pki_subsystem'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
if __name__ == "__main__":
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index f40573940..421e08dc0 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
util.directory.create(master['pki_client_path'], uid=0, gid=0)
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- master['pki_client_pin'])
+ master['pki_client_pin'], pin_sans_token=True)
util.directory.create(master['pki_client_database_path'],
uid=0, gid=0)
util.certutil.create_security_databases(
@@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
- util.symlink.create(
- config.pki_master_dict['pki_systemd_service'],
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.create(master['pki_systemd_service'],
+ master['pki_systemd_service_link'])
else:
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- master['pki_client_pin'])
+ master['pki_client_pin'], pin_sans_token=True)
util.certutil.create_security_databases(
master['pki_client_database_path'],
master['pki_client_cert_database'],
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
+ # Start/Restart this Apache/Tomcat PKI Process
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instances = util.instance.apache_instances()
+ if apache_instances == 1:
+ util.systemd.start()
+ elif apache_instances > 1:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instances = util.instance.tomcat_instances()
+ if tomcat_instances == 1:
+ util.systemd.start()
+ elif tomcat_instances > 1:
+ util.systemd.restart()
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instances = util.instance.apache_instances()
+ if apache_instances == 0:
+ util.systemd.start()
+ elif apache_instances > 0:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instances = util.instance.tomcat_instances()
+ if tomcat_instances == 0:
+ util.systemd.start()
+ elif tomcat_instances > 0:
+ util.systemd.restart()
# Pass control to the Java servlet via Jython 2.2 'configuration.jy'
util.jython.invoke(master['pki_jython_configuration_scriptlet'])
return self.rv
@@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def respawn(self):
config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # ALWAYS Restart this Apache/Tomcat PKI Process
+ util.systemd.restart()
return self.rv
def destroy(self):
@@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instances() == 1:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 1:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instances() == 0:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 0:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
return self.rv
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 02c5065cb..bceec67e0 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_0)
if not config.pki_dry_run_flag:
util.file.modify(master['pki_destroy_log'], silent=True)
+ # Start this Apache/Tomcat PKI Process
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 1:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 1:
+ util.systemd.start()
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 0:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 0:
+ util.systemd.start()
return self.rv
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 3077737c8..1ff8522ed 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# verify that this type of "subsystem" does NOT yet
# exist for this "instance"
util.instance.verify_subsystem_does_not_exist()
+ # initialize 'uid' and 'gid'
+ util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # verify existence of MANDATORY configuration file data
+ util.configuration_file.verify_sensitive_data()
+ util.configuration_file.verify_mutually_exclusive_data()
return self.rv
def respawn(self):
@@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # ALWAYS Stop this Apache/Tomcat PKI Process
+ util.systemd.stop()
return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 8a645f029..2fd7165d1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish Tomcat instance base
util.directory.create(master['pki_tomcat_common_path'])
util.directory.create(master['pki_tomcat_common_lib_path'])
+ util.directory.create(master['pki_tomcat_tmpdir_path'])
util.directory.create(master['pki_tomcat_webapps_path'])
util.directory.create(master['pki_tomcat_webapps_root_path'])
util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
util.file.copy(master['pki_source_webapps_root_web_xml'],
master['pki_tomcat_webapps_root_webinf_web_xml'],
overwrite_flag=True)
- util.directory.create(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.create(master['pki_tomcat_work_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_host_path'])
util.directory.create(
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
+ master['pki_tomcat_work_catalina_host_run_path'])
+ util.directory.create(
+ master['pki_tomcat_work_catalina_host_subsystem_path'])
# establish Tomcat instance logs
# establish Tomcat instance configuration
util.directory.copy(master['pki_source_shared_path'],
master['pki_instance_configuration_path'],
overwrite_flag=True)
# establish Tomcat instance registry
- # establish Tomcat instance convenience
- # symbolic links
+ # establish Tomcat instance convenience symbolic links
util.symlink.create(master['pki_tomcat_bin_path'],
master['pki_tomcat_bin_link'])
util.symlink.create(master['pki_tomcat_lib_path'],
master['pki_tomcat_lib_link'])
+ util.symlink.create(master['pki_instance_log4j_properties'],
+ master['pki_tomcat_lib_log4j_properties_link'],
+ uid=0, gid=0)
util.symlink.create(master['pki_tomcat_systemd'],
- master['pki_instance_systemd_link'])
+ master['pki_instance_systemd_link'],
+ uid=0, gid=0)
+ # establish Tomcat instance common lib jar symbolic links
+ util.symlink.create(master['pki_apache_commons_collections_jar'],
+ master['pki_apache_commons_collections_jar_link'])
+ util.symlink.create(master['pki_apache_commons_lang_jar'],
+ master['pki_apache_commons_lang_jar_link'])
+ util.symlink.create(master['pki_apache_commons_logging_jar'],
+ master['pki_apache_commons_logging_jar_link'])
+ util.symlink.create(master['pki_commons_codec_jar'],
+ master['pki_commons_codec_jar_link'])
+ util.symlink.create(master['pki_httpclient_jar'],
+ master['pki_httpclient_jar_link'])
+ util.symlink.create(master['pki_javassist_jar'],
+ master['pki_javassist_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_api_jar'],
+ master['pki_resteasy_jaxrs_api_jar_link'])
+ util.symlink.create(master['pki_jettison_jar'],
+ master['pki_jettison_jar_link'])
+ util.symlink.create(master['pki_jss_jar'],
+ master['pki_jss_jar_link'])
+ util.symlink.create(master['pki_ldapjdk_jar'],
+ master['pki_ldapjdk_jar_link'])
+ util.symlink.create(master['pki_certsrv_jar'],
+ master['pki_certsrv_jar_link'])
+ util.symlink.create(master['pki_cmsbundle'],
+ master['pki_cmsbundle_jar_link'])
+ util.symlink.create(master['pki_cmscore'],
+ master['pki_cmscore_jar_link'])
+ util.symlink.create(master['pki_cms'],
+ master['pki_cms_jar_link'])
+ util.symlink.create(master['pki_cmsutil'],
+ master['pki_cmsutil_jar_link'])
+ util.symlink.create(master['pki_nsutil'],
+ master['pki_nsutil_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxb_provider_jar'],
+ master['pki_resteasy_jaxb_provider_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_jar'],
+ master['pki_resteasy_jaxrs_jar_link'])
+ util.symlink.create(master['pki_resteasy_jettison_provider_jar'],
+ master['pki_resteasy_jettison_provider_jar_link'])
+ util.symlink.create(master['pki_scannotation_jar'],
+ master['pki_scannotation_jar_link'])
+ util.symlink.create(master['pki_symkey_jar'],
+ master['pki_symkey_jar_link'])
+ util.symlink.create(master['pki_tomcatjss_jar'],
+ master['pki_tomcatjss_jar_link'])
+ util.symlink.create(master['pki_velocity_jar'],
+ master['pki_velocity_jar_link'])
+ util.symlink.create(master['pki_xerces_j2_jar'],
+ master['pki_xerces_j2_jar_link'])
+ util.symlink.create(master['pki_xml_commons_apis_jar'],
+ master['pki_xml_commons_apis_jar_link'])
+ util.symlink.create(master['pki_xml_commons_resolver_jar'],
+ master['pki_xml_commons_resolver_jar_link'])
# establish shared NSS security databases for this instance
util.directory.create(master['pki_database_path'])
# establish instance convenience symbolic links
@@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy(master['pki_source_webapps_root_web_xml'],
master['pki_tomcat_webapps_root_webinf_web_xml'],
overwrite_flag=True)
- util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.modify(master['pki_tomcat_work_path'])
+ util.directory.modify(master['pki_tomcat_work_catalina_path'])
+ util.directory.modify(master['pki_tomcat_work_catalina_host_path'])
+ util.directory.modify(
+ master['pki_tomcat_work_catalina_host_run_path'])
util.directory.modify(
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
+ master['pki_tomcat_work_catalina_host_subsystem_path'])
# update Tomcat instance logs
# update Tomcat instance configuration
# update Tomcat instance registry
# update Tomcat instance convenience symbolic links
util.symlink.modify(master['pki_tomcat_bin_link'])
util.symlink.modify(master['pki_tomcat_lib_link'])
+ util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'],
+ uid=0, gid=0)
+ util.symlink.modify(master['pki_instance_systemd_link'],
+ uid=0, gid=0)
+ # update Tomcat instance common lib jar symbolic links
+
+ util.symlink.modify(
+ master['pki_apache_commons_collections_jar_link'])
+ util.symlink.modify(master['pki_apache_commons_lang_jar_link'])
+ util.symlink.modify(master['pki_apache_commons_logging_jar_link'])
+ util.symlink.modify(master['pki_commons_codec_jar_link'])
+ util.symlink.modify(master['pki_httpclient_jar_link'])
+ util.symlink.modify(master['pki_javassist_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link'])
+ util.symlink.modify(master['pki_jettison_jar_link'])
+ util.symlink.modify(master['pki_jss_jar_link'])
+ util.symlink.modify(master['pki_ldapjdk_jar_link'])
+ util.symlink.modify(master['pki_certsrv_jar_link'])
+ util.symlink.modify(master['pki_cmsbundle_jar_link'])
+ util.symlink.modify(master['pki_cmscore_jar_link'])
+ util.symlink.modify(master['pki_cms_jar_link'])
+ util.symlink.modify(master['pki_cmsutil_jar_link'])
+ util.symlink.modify(master['pki_nsutil_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxrs_jar_link'])
+ util.symlink.modify(
+ master['pki_resteasy_jettison_provider_jar_link'])
+ util.symlink.modify(master['pki_scannotation_jar_link'])
+ util.symlink.modify(master['pki_symkey_jar_link'])
+ util.symlink.modify(master['pki_tomcatjss_jar_link'])
+ util.symlink.modify(master['pki_velocity_jar_link'])
+ util.symlink.modify(master['pki_xerces_j2_jar_link'])
+ util.symlink.modify(master['pki_xml_commons_apis_jar_link'])
+ util.symlink.modify(master['pki_xml_commons_resolver_jar_link'])
# update shared NSS security databases for this instance
util.directory.modify(master['pki_database_path'])
# update instance convenience symbolic links
@@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
# remove Tomcat instance configuration
+ util.symlink.delete(
+ master['pki_tomcat_lib_log4j_properties_link'])
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
util.directory.delete(master['pki_instance_type_registry_path'])
@@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
# remove Tomcat instance configuration
+ util.symlink.delete(
+ master['pki_tomcat_lib_log4j_properties_link'])
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
util.directory.delete(master['pki_instance_type_registry_path'])
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 2acd37d36..07537d7aa 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
@@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
+PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
+ "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
+PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
+PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
+PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
@@ -101,6 +114,48 @@ custom_pki_https_port = None
custom_pki_ajp_port = None
+# PKI Deployment Helper Functions
+def str2bool(string):
+ return string.lower() in ("yes", "true", "t", "1")
+
+# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)'
+# and 'wait_to_attach_an_external_java_debugger(master)' functions,
+# change 'pki_enable_java_debugger=False' to
+# 'pki_enable_java_debugger=True' in the appropriate
+# 'pkideployment.cfg' configuration file.
+def prepare_for_an_external_java_debugger(instance):
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in"
+ print "'%s':" % instance
+ print
+ print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""
+ print " \"address=8000,server=y,suspend\""
+ print
+ raw_input("Enable external java debugger 'JAVA_OPTS' "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+def wait_to_attach_an_external_java_debugger():
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "Attach the java debugger to this process on the port specified by"
+ print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and"
+ print "set any desired breakpoints"
+ print
+ raw_input("Please attach an external java debugger "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+
# PKI Deployment Logger Variables
pki_jython_log_level = None
pki_log = None
@@ -111,6 +166,9 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
+pki_sensitive_dict = None
+pki_mandatory_dict = None
+pki_optional_dict = None
pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index b88eafe72..7b77bcee5 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -30,14 +30,17 @@ import random
import shutil
import string
import subprocess
+from grp import getgrgid
from grp import getgrnam
from pwd import getpwnam
+from pwd import getpwuid
import zipfile
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
import pkimanifest as manifest
import pkimessages as log
@@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None):
# PKI Deployment Identity Class
class identity:
+ def __add_gid(self, pki_group):
+ pki_gid = None
+ try:
+ # Does the specified 'pki_group' exist?
+ pki_gid = getgrnam(pki_group)[2]
+ # Yes, group 'pki_group' exists!
+ config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ except KeyError as exc:
+ # No, group 'pki_group' does not exist!
+ config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ try:
+ # Is the default well-known GID already defined?
+ group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0]
+ # Yes, the default well-known GID exists!
+ config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2,
+ group, config.PKI_DEPLOYMENT_DEFAULT_GID,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Attempt to create 'pki_group' using a random GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ except KeyError as exc:
+ # No, the default well-known GID does not exist!
+ config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1,
+ exc, extra=config.PKI_INDENTATION_LEVEL_2)
+ # Is the specified 'pki_group' the default well-known group?
+ if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
+ # Yes, attempt to create the default well-known group
+ # using the default well-known GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ "-g" + " " +\
+ str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\
+ "-r" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ else:
+ # No, attempt to create 'pki_group' using a random GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ # Execute this "groupadd" command.
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def __add_uid(self, pki_user, pki_group):
+ pki_uid = None
+ try:
+ # Does the specified 'pki_user' exist?
+ pki_uid = getpwnam(pki_user)[2]
+ # Yes, user 'pki_user' exists!
+ config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # NOTE: For now, never check validity of specified 'pki_group'!
+ except KeyError as exc:
+ # No, user 'pki_user' does not exist!
+ config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ try:
+ # Is the default well-known UID already defined?
+ user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0]
+ # Yes, the default well-known UID exists!
+ config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2,
+ user, config.PKI_DEPLOYMENT_DEFAULT_UID,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Attempt to create 'pki_user' using a random UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ except KeyError as exc:
+ # No, the default well-known UID does not exist!
+ config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1,
+ exc, extra=config.PKI_INDENTATION_LEVEL_2)
+ # Is the specified 'pki_user' the default well-known user?
+ if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER:
+ # Yes, attempt to create the default well-known user
+ # using the default well-known UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ "-u" + " " +\
+ str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\
+ "-r" + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ else:
+ # No, attempt to create 'pki_user' using a random UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ # Execute this "useradd" command.
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def add_uid_and_gid(self, pki_user, pki_group):
+ self.__add_gid(pki_group)
+ self.__add_uid(pki_user, pki_group)
+ return
+
def get_uid(self, critical_failure=True):
try:
pki_uid = master['pki_uid']
@@ -170,18 +303,140 @@ class identity:
return pki_gid
+# PKI Deployment Configuration File Class
+class configuration_file:
+ def verify_sensitive_data(self):
+ # Silently verify the existence of 'sensitive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Verify existence of Directory Server Password (ALWAYS)
+ if not sensitive.has_key('pki_ds_password') or\
+ not len(sensitive['pki_ds_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_DS_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Admin Password (except for Clones)
+ if not config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_admin_password') or\
+ not len(sensitive['pki_admin_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # If required, verify existence of Backup Password
+ # (except for Clones)
+ if config.str2bool(master['pki_backup_keys']):
+ if not config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_backup_password') or\
+ not len(sensitive['pki_backup_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of PKCS #12 Password (ONLY for Clones)
+ if config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_pkcs12_password') or\
+ not len(sensitive['pki_pkcs12_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Security Domain Password File
+ # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS)
+ if config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ master['pki_subsystem'] == "KRA" or\
+ master['pki_subsystem'] == "OCSP" or\
+ master['pki_subsystem'] == "RA" or\
+ master['pki_subsystem'] == "TKS" or\
+ master['pki_subsystem'] == "TPS":
+ if not sensitive.has_key('pki_security_domain_password') or\
+ not len(sensitive['pki_security_domain_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def verify_mutually_exclusive_data(self):
+ # Silently verify the existence of 'mutually exclusive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+
+# PKI Deployment XML File Class
+#class xml_file:
+# def remove_filter_section_from_web_xml(self,
+# web_xml_source,
+# web_xml_target):
+# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
+# master['pki_target_subsystem_web_xml'],
+# extra=config.PKI_INDENTATION_LEVEL_2)
+# if not config.pki_dry_run_flag:
+# begin_filters_section = False
+# begin_servlet_section = False
+# FILE = open(web_xml_target, "w")
+# for line in fileinput.FileInput(web_xml_source):
+# if not begin_filters_section:
+# # Read and write lines until first "<filter>" tag
+# if line.count("<filter>") >= 1:
+# # Mark filters section
+# begin_filters_section = True
+# else:
+# FILE.write(line)
+# elif not begin_servlet_section:
+# # Skip lines until first "<servlet>" tag
+# if line.count("<servlet>") >= 1:
+# # Mark servlets section and write out the opening tag
+# begin_servlet_section = True
+# FILE.write(line)
+# else:
+# continue
+# else:
+# # Read and write lines all lines after "<servlet>" tag
+# FILE.write(line)
+# FILE.close()
+
+
# PKI Deployment Instance Class
class instance:
def apache_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_instance_path']) or\
- not os.path.isdir(master['pki_instance_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# count number of PKI subsystems present
# within the specified Apache instance
for subsystem in config.PKI_APACHE_SUBSYSTEMS:
@@ -206,13 +461,6 @@ class instance:
def pki_subsystem_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_path']) or\
- not os.path.isdir(master['pki_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# Since ALL directories within the top-level PKI infrastructure
# SHOULD represent PKI instances, look for all possible
# PKI instances within the top-level PKI infrastructure
@@ -247,13 +495,6 @@ class instance:
def tomcat_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_instance_path']) or\
- not os.path.isdir(master['pki_instance_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# count number of PKI subsystems present
# within the specified Tomcat instance
for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -1295,8 +1536,8 @@ class war:
# PKI Deployment Password Class
class password:
- def create_password_conf(self, path, pin, overwrite_flag=False,
- critical_failure=True):
+ def create_password_conf(self, path, pin, pin_sans_token=False,
+ overwrite_flag=False, critical_failure=True):
try:
if not config.pki_dry_run_flag:
if os.path.exists(path):
@@ -1306,7 +1547,9 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# overwrite the existing 'password.conf' file
with open(path, "wt") as fd:
- if master['pki_subsystem'] in\
+ if pin_sans_token == True:
+ fd.write(str(pin))
+ elif master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
fd.write(master['pki_self_signed_token'] +\
":" + str(pin))
@@ -1319,7 +1562,9 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# create a new 'password.conf' file
with open(path, "wt") as fd:
- if master['pki_subsystem'] in\
+ if pin_sans_token == True:
+ fd.write(str(pin))
+ elif master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
fd.write(master['pki_self_signed_token'] +\
":" + str(pin))
@@ -1642,6 +1887,90 @@ class certutil:
return
+# PKI Deployment 'systemd' Execution Management Class
+class systemd:
+ def start(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "start" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "start" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def stop(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "stop" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "stop" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def restart(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "restart" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "restart" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
# PKI Deployment 'jython' Class
class jython:
def invoke(self, scriptlet, critical_failure=True):
@@ -1681,6 +2010,8 @@ class jython:
# PKI Deployment Helper Class Instances
identity = identity()
+configuration_file = configuration_file()
+#xml_file = xml_file()
instance = instance()
directory = directory()
file = file()
@@ -1688,4 +2019,5 @@ symlink = symlink()
war = war()
password = password()
certutil = certutil()
+systemd = systemd()
jython = jython()
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 9c8765a80..800826635 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -5,6 +5,7 @@ from java.io import BufferedReader
from java.io import ByteArrayInputStream
from java.io import FileReader
from java.io import IOException
+from java.lang import Integer
from java.lang import String as javastring
from java.lang import System as javasystem
from java.net import URISyntaxException
@@ -18,6 +19,7 @@ import jarray
# System Python Imports
+import ConfigParser
import os
import sys
pki_python_module_path = os.path.join(sys.prefix,
@@ -79,10 +81,15 @@ class classPathHacker:
jarLoad = classPathHacker()
# Webserver Jars
jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar")
+jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar")
jarLoad.addFile("/usr/share/java/apache-commons-cli.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-codec.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-logging.jar")
+jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar")
# Resteasy Jars
jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar")
jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar")
@@ -145,6 +152,63 @@ import pkiconfig as config
import pkimessages as log
+# PKI Deployment Jython Helper Functions
+def extract_sensitive_data(configuration_file):
+ "Read 'sensitive' configuration file section into a dictionary"
+ try:
+ parser = ConfigParser.ConfigParser()
+ # Make keys case-sensitive!
+ parser.optionxform = str
+ parser.read(configuration_file)
+ # return dict(parser._sections['Sensitive'])
+ dictionary = {}
+ for option in parser.options('Sensitive'):
+ dictionary[option] = parser.get('Sensitive', option)
+ return dictionary
+ except ConfigParser.ParsingError, err:
+ javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\
+ configuration_file + "': " + str(err))
+ javasystem.exit(1)
+
+def generateCRMFRequest(token, keysize, subjectdn, dualkey):
+ kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA)
+ x = Integer(keysize)
+ key_len = x.intValue()
+ kg.initialize(key_len)
+ # 1st key pair
+ pair = kg.genKeyPair()
+ # create CRMF
+ certTemplate = CertTemplate()
+ certTemplate.setVersion(INTEGER(2))
+ if not subjectdn is None:
+ name = X500Name(subjectdn)
+ cs = ByteArrayInputStream(name.getEncoded())
+ n = Name.getTemplate().decode(cs)
+ certTemplate.setSubject(n)
+ certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic()))
+ seq = SEQUENCE()
+ certReq = CertRequest(INTEGER(1), certTemplate, seq)
+ popdata = jarray.array([0x0,0x3,0x0], 'b')
+ pop = ProofOfPossession.createKeyEncipherment(
+ POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3)))
+ crmfMsg = CertReqMsg(certReq, pop, None)
+ s1 = SEQUENCE()
+ # 1st : Encryption key
+ s1.addElement(crmfMsg)
+ # 2nd : Signing Key
+ if dualkey:
+ javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
+ seq1 = SEQUENCE()
+ certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
+ signingMsg = CertReqMsg(certReqSigning, pop, None)
+ s1.addElement(signingMsg)
+ encoded = jarray.array(ASN1Util.encode(s1), 'b')
+ # encoder = BASE64Encoder()
+ # Req1 = encoder.encodeBuffer(encoded)
+ Req1 = Utils.base64encode(encoded)
+ return Req1
+
+
# PKI Deployment 'security databases' Class
class security_databases:
def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
@@ -160,11 +224,13 @@ class security_databases:
# it is ok if it is already initialized
pass
except Exception, e:
- javasystem.out.println("INITIALIZATION ERROR: " + str(e))
+ javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\
+ " " + str(e))
javasystem.exit(1)
def log_into_token(self, pki_database_path, password_conf,
pki_dry_run_flag, log_level):
+ token = None
try:
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
@@ -174,10 +240,10 @@ class security_databases:
if not pki_dry_run_flag:
manager = CryptoManager.getInstance()
token = manager.getInternalKeyStorageToken()
- # Retrieve 'token_pwd' from 'password_conf'
+ # Retrieve 'password' from client-side 'password_conf'
#
# NOTE: For now, ONLY read the first line
- # (which contains the password)
+ # (which contains "password")
#
fd = open(password_conf, "r")
token_pwd = fd.readline()
@@ -188,13 +254,364 @@ class security_databases:
try:
token.login(password)
except Exception, e:
- javasystem.out.println("login Exception: " + str(e))
+ javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
+ " " + str(e))
if not token.isLoggedIn():
token.initPassword(password, password)
+ javasystem.exit(1)
except Exception, e:
- javasystem.out.println("Exception in logging into token: " +\
- str(e))
+ javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
+ " " + str(e))
javasystem.exit(1)
+ return token
+
+
+# PKI Deployment 'REST Client' Class
+class rest_client:
+ client = None
+
+ def initialize(self, base_uri, pki_dry_run_flag, log_level):
+ try:
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
+ base_uri)
+ if not pki_dry_run_flag:
+ self.client = ConfigurationRESTClient(base_uri, None)
+ return self.client
+ except URISyntaxException, e:
+ e.printStackTrace()
+ javasystem.exit(1)
+
+ def construct_pki_configuration_data(self, master, token):
+ data = None
+ if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
+ master['pki_subsystem'])
+ if not master['pki_dry_run_flag']:
+ sensitive = extract_sensitive_data(master['pki_deployment_cfg'])
+ data = ConfigurationData()
+ # Miscellaneous Configuration Information
+ data.setPin(master['pki_one_time_pin'])
+ data.setToken(ConfigurationData.TOKEN_DEFAULT)
+ if master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']):
+ # Cloned CA
+ data.setHierarchy("root")
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned CA Subsystem")
+ elif config.str2bool(master['pki_external']):
+ # External CA
+ data.setHierarchy("join")
+ data.setIsClone("false")
+ data.setSubsystemName("External CA Subsystem")
+ elif config.str2bool(master['pki_subordinate']):
+ # Subordinate CA
+ data.setHierarchy("join")
+ data.setIsClone("false")
+ data.setSubsystemName("Subordinate CA Subsystem")
+ else:
+ # PKI CA
+ data.setHierarchy("root")
+ data.setIsClone("false")
+ data.setSubsystemName("PKI CA Subsystem")
+ elif master['pki_subsystem'] == "KRA":
+ if config.str2bool(master['pki_clone']):
+ # Cloned KRA
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned KRA Subsystem")
+ else:
+ # PKI KRA
+ data.setIsClone("false")
+ data.setSubsystemName("PKI KRA Subsystem")
+ elif master['pki_subsystem'] == "OCSP":
+ if config.str2bool(master['pki_clone']):
+ # Cloned OCSP
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned OCSP Subsystem")
+ else:
+ # PKI OCSP
+ data.setIsClone("false")
+ data.setSubsystemName("PKI OCSP Subsystem")
+ elif master['pki_subsystem'] == "TKS":
+ if config.str2bool(master['pki_clone']):
+ # Cloned TKS
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned TKS Subsystem")
+ else:
+ # PKI TKS
+ data.setIsClone("false")
+ data.setSubsystemName("PKI TKS Subsystem")
+ # Security Domain Information
+ if master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_external']):
+ # External CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
+ elif not config.str2bool(master['pki_clone']) and\
+ not config.str2bool(master['pki_subordinate']):
+ # PKI CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
+ else:
+ # PKI Cloned or Subordinate CA
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ else:
+ # PKI KRA, OCSP, or TKS
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ # Directory Server Information
+ if master['pki_subsystem'] != "RA":
+ data.setDsHost(master['pki_ds_hostname'])
+ data.setDsPort(master['pki_ds_http_port'])
+ data.setBaseDN(master['pki_ds_base_dn'])
+ data.setBindDN(master['pki_ds_bind_dn'])
+ data.setDatabase(master['pki_ds_database'])
+ data.setBindpwd(sensitive['pki_ds_password'])
+ if config.str2bool(master['pki_ds_remove_data']):
+ data.setRemoveData("true")
+ else:
+ data.setRemoveData("false")
+ if config.str2bool(master['pki_ds_secure_connection']):
+ data.setSecureConn("true")
+ else:
+ data.setSecureConn("false")
+ # Backup Information
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_backup_keys']):
+ data.setBackupKeys("true")
+ data.setBackupFile(master['pki_backup_file'])
+ data.setBackupPassword(
+ sensitive['pki_backup_password'])
+ else:
+ data.setBackupKeys("false")
+ # Admin Information
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ data.setAdminEmail(master['pki_admin_email'])
+ data.setAdminName(master['pki_admin_name'])
+ data.setAdminPassword(sensitive['pki_admin_password'])
+ data.setAdminProfileID(master['pki_admin_profile_id'])
+ data.setAdminUID(master['pki_admin_uid'])
+ data.setAdminSubjectDN(master['pki_admin_subject_dn'])
+ if master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ master['pki_admin_keysize'],
+ master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ master['pki_admin_keysize'],
+ master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
+ # Create system certs
+ systemCerts = ArrayList()
+ # Create 'CA Signing Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA":
+ # External CA, Subordinate CA, or PKI CA
+ cert1 = CertData()
+ cert1.setTag(master['pki_ca_signing_tag'])
+ cert1.setKeyAlgorithm(
+ master['pki_ca_signing_key_algorithm'])
+ cert1.setKeySize(master['pki_ca_signing_key_size'])
+ cert1.setKeyType(master['pki_ca_signing_key_type'])
+ cert1.setNickname(master['pki_ca_signing_nickname'])
+ cert1.setSigningAlgorithm(
+ master['pki_ca_signing_signing_algorithm'])
+ cert1.setSubjectDN(master['pki_ca_signing_subject_dn'])
+ cert1.setToken(master['pki_ca_signing_token'])
+ systemCerts.add(cert1)
+ # Create 'OCSP Signing Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA" or\
+ master['pki_subsystem'] == "OCSP":
+ # External CA, Subordinate CA, PKI CA, or PKI OCSP
+ cert2 = CertData()
+ cert2.setTag(master['pki_ocsp_signing_tag'])
+ cert2.setKeyAlgorithm(
+ master['pki_ocsp_signing_key_algorithm'])
+ cert2.setKeySize(master['pki_ocsp_signing_key_size'])
+ cert2.setKeyType(master['pki_ocsp_signing_key_type'])
+ cert2.setNickname(master['pki_ocsp_signing_nickname'])
+ cert2.setSigningAlgorithm(
+ master['pki_ocsp_signing_signing_algorithm'])
+ cert2.setSubjectDN(
+ master['pki_ocsp_signing_subject_dn'])
+ cert2.setToken(master['pki_ocsp_signing_token'])
+ systemCerts.add(cert2)
+ # Create 'SSL Server Certificate'
+ # PKI RA, PKI TPS,
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE,
+ # External CA, or Subordinate CA
+ cert3 = CertData()
+ cert3.setTag(master['pki_ssl_server_tag'])
+ cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm'])
+ cert3.setKeySize(master['pki_ssl_server_key_size'])
+ cert3.setKeyType(master['pki_ssl_server_key_type'])
+ cert3.setNickname(master['pki_ssl_server_nickname'])
+ cert3.setSubjectDN(master['pki_ssl_server_subject_dn'])
+ cert3.setToken(master['pki_ssl_server_token'])
+ systemCerts.add(cert3)
+ # Create 'Subsystem Certificate'
+ if master['pki_instance_type'] == "Apache":
+ # PKI RA or PKI TPS
+ cert4 = CertData()
+ cert4.setTag(master['pki_subsystem_tag'])
+ cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+ cert4.setKeySize(master['pki_subsystem_key_size'])
+ cert4.setKeyType(master['pki_subsystem_key_type'])
+ cert4.setNickname(master['pki_subsystem_nickname'])
+ cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+ cert4.setToken(master['pki_subsystem_token'])
+ systemCerts.add(cert4)
+ elif master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # External CA, or Subordinate CA
+ cert4 = CertData()
+ cert4.setTag(master['pki_subsystem_tag'])
+ cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+ cert4.setKeySize(master['pki_subsystem_key_size'])
+ cert4.setKeyType(master['pki_subsystem_key_type'])
+ cert4.setNickname(master['pki_subsystem_nickname'])
+ cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+ cert4.setToken(master['pki_subsystem_token'])
+ systemCerts.add(cert4)
+ # Create 'Audit Signing Certificate'
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] != "RA":
+ # PKI TPS
+ cert5 = CertData()
+ cert5.setTag(master['pki_audit_signing_tag'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_key_algorithm'])
+ cert5.setKeySize(master['pki_audit_signing_key_size'])
+ cert5.setKeyType(master['pki_audit_signing_key_type'])
+ cert5.setNickname(master['pki_audit_signing_nickname'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_signing_algorithm'])
+ cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+ cert5.setToken(master['pki_audit_signing_token'])
+ systemCerts.add(cert5)
+ elif master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # External CA, or Subordinate CA
+ cert5 = CertData()
+ cert5.setTag(master['pki_audit_signing_tag'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_key_algorithm'])
+ cert5.setKeySize(master['pki_audit_signing_key_size'])
+ cert5.setKeyType(master['pki_audit_signing_key_type'])
+ cert5.setNickname(master['pki_audit_signing_nickname'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_signing_algorithm'])
+ cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+ cert5.setToken(master['pki_audit_signing_token'])
+ systemCerts.add(cert5)
+ # Create 'DRM Transport Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ # PKI KRA
+ cert6 = CertData()
+ cert6.setTag(master['pki_transport_tag'])
+ cert6.setKeyAlgorithm(
+ master['pki_transport_key_algorithm'])
+ cert6.setKeySize(master['pki_transport_key_size'])
+ cert6.setKeyType(master['pki_transport_key_type'])
+ cert6.setNickname(master['pki_transport_nickname'])
+ cert6.setKeyAlgorithm(
+ master['pki_transport_signing_algorithm'])
+ cert6.setSubjectDN(master['pki_transport_subject_dn'])
+ cert6.setToken(master['pki_transport_token'])
+ systemCerts.add(cert6)
+ # Create 'DRM Storage Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ # PKI KRA
+ cert7 = CertData()
+ cert7.setTag(master['pki_storage_tag'])
+ cert7.setKeyAlgorithm(
+ master['pki_storage_key_algorithm'])
+ cert7.setKeySize(master['pki_storage_key_size'])
+ cert7.setKeyType(master['pki_storage_key_type'])
+ cert7.setNickname(master['pki_storage_nickname'])
+ cert7.setKeyAlgorithm(
+ master['pki_storage_signing_algorithm'])
+ cert7.setSubjectDN(master['pki_storage_subject_dn'])
+ cert7.setToken(master['pki_storage_token'])
+ systemCerts.add(cert7)
+ # Create system certs
+ data.setSystemCerts(systemCerts)
+ return data
+
+ def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag,
+ log_level):
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CONFIGURING_PKI_DATA,
+ pki_subsystem)
+ if not pki_dry_run_flag:
+ try:
+ response = self.client.configure(data)
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
+ " " + response.getStatus())
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
+ " " + response.getAdminCert().getCert())
+ certs = response.getSystemCerts()
+ iterator = certs.iterator()
+ while iterator.hasNext():
+ cdata = iterator.next()
+ javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
+ cdata.getTag())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
+ cdata.getCert())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
+ cdata.getRequest())
+ except Exception, e:
+ javasystem.out.println(
+ log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
+ javasystem.exit(1)
+ return
+
# PKI Deployment Jython Class Instances
security_databases = security_databases()
+rest_client = rest_client()
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 806a64e4d..d7d50a63e 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -20,6 +20,14 @@
#
# PKI Deployment Engine Messages
+PKI_DICTIONARY_MANDATORY ="\n"\
+"=====================================================\n"\
+" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
+"====================================================="
+PKI_DICTIONARY_OPTIONAL ="\n"\
+"=====================================================\n"\
+" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
+"====================================================="
PKI_DICTIONARY_COMMON ="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
@@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\
"====================================================="
+# NEVER print out 'sensitive' data dictionary!!!
# PKI Deployment Log Messages
@@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s"
PKIHELPER_CP_RP_2 = "cp -rp %s %s"
PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
+PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\
+ "is missing the key called '%s'!"
PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
PKIHELPER_GID_2 = "GID of '%s' is %s"
PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ."
+PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
+PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
"jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
@@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\
+ "CAs, and subordinate CAs"\
+ "MUST ALL be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
"filling it with '%d' random bytes"
PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\
"PKI subsystems"
+PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'"
PKIHELPER_RM_F_1 = "rm -f %s"
PKIHELPER_RM_RF_1 = "rm -rf %s"
PKIHELPER_RMDIR_1 = "rmdir %s"
PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'"
PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'"
+PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'"
PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\
"Tomcat PKI subsystems"
PKIHELPER_TOUCH_1 = "touch %s"
PKIHELPER_UID_2 = "UID of '%s' is %s"
+PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\
+ "A value for 'pki_admin_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\
+ "A value for 'pki_backup_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\
+ "A value for 'pki_ds_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\
+ "A value for 'pki_pkcs12_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\
+ "A value for 'pki_security_domain_password' MUST be defined in '%s'"
PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
+PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s"
+PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s"
# PKI Deployment Jython "Scriptlet" Messages
# (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
+PKI_JYTHON_CDATA_TAG = "tag:"
+PKI_JYTHON_CDATA_CERT = "cert:"
+PKI_JYTHON_CDATA_REQUEST = "request:"
+PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned"
+PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
+PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
+PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\
+ "is currently supported"
+PKI_JYTHON_IS_DUALKEY = "dualkey = true"
+PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing"
+PKI_JYTHON_EXTERNAL_CA = "External"
PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON "
PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..."
PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......."
PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........."
PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............."
+PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:"
+PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via"
PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
+PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\
+ "Exception from Java Configuration Servlet:"
PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
+PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:"
+PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:"
+PKI_JYTHON_RESPONSE_STATUS = "status:"
+PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:"
+PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
+PKI_JYTHON_SUBORDINATE_CA = "Subordinate"
# PKI Deployment "Scriptlet" Messages
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 0add192f7..5abfdc064 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -53,22 +53,18 @@ def process_command_line_arguments(argv):
required=True, metavar='<subsystem>',
help='where <subsystem> is '
'CA, KRA, OCSP, RA, TKS, or TPS')
+ if os.path.basename(argv[0]) == 'pkispawn':
+ mandatory.add_argument('-f',
+ dest='pkideployment_cfg', action='store',
+ nargs=1, required=True, metavar='<file>',
+ help='specifies configuration filename')
optional = parser.add_argument_group('optional arguments')
optional.add_argument('--dry_run',
dest='pki_dry_run_flag', action='store_true',
help='do not actually perform any actions')
- optional.add_argument('-f',
- dest='pkideployment_cfg', action='store',
- nargs=1, metavar='<file>',
- help='overrides default configuration filename')
optional.add_argument('-h', '--help',
dest='help', action='help',
help='show this help message and exit')
- optional.add_argument('-p',
- dest='pki_root_prefix', action='store',
- nargs=1, metavar='<prefix>',
- help='directory prefix to specify local directory '
- '[TEST ONLY]')
if os.path.basename(argv[0]) == 'pkispawn':
optional.add_argument('-u',
dest='pki_update_flag', action='store_true',
@@ -98,6 +94,12 @@ def process_command_line_arguments(argv):
dest='custom_pki_ajp_port', action='store',
nargs=1, metavar='<port>',
help='AJP port (CA, KRA, OCSP, TKS)')
+ test = parser.add_argument_group('test arguments')
+ test.add_argument('-p',
+ dest='pki_root_prefix', action='store',
+ nargs=1, metavar='<prefix>',
+ help='directory prefix to specify local directory '
+ '[TEST ONLY]')
args = parser.parse_args()
config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
@@ -187,7 +189,7 @@ def process_command_line_arguments(argv):
print
parser.print_help()
parser.exit(-1);
- if not args.pkideployment_cfg is None:
+ if os.path.basename(argv[0]) == 'pkispawn':
config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
elif os.path.basename(argv[0]) == 'pkidestroy':
# NOTE: When performing 'pkidestroy', a configuration file must be
@@ -258,6 +260,9 @@ def read_pki_configuration_file():
# Make keys case-sensitive!
parser.optionxform = str
parser.read(config.pkideployment_cfg)
+ config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
+ config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
+ config.pki_optional_dict = dict(parser._sections['Optional'])
config.pki_common_dict = dict(parser._sections['Common'])
if config.pki_subsystem == "CA":
config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -278,6 +283,9 @@ def read_pki_configuration_file():
config.pki_web_server_dict = dict(parser._sections['Apache'])
config.pki_subsystem_dict = dict(parser._sections['TPS'])
# Insert empty record into dictionaries for "pretty print" statements
+ # NEVER print "sensitive" key value pairs!!!
+ config.pki_mandatory_dict[0] = None
+ config.pki_optional_dict[0] = None
config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
@@ -297,13 +305,19 @@ def compose_pki_master_dictionary():
config.pki_certificate_timestamp
config.pki_master_dict['pki_architecture'] = config.pki_architecture
config.pki_master_dict['pki_hostname'] = config.pki_hostname
+ config.pki_master_dict['pki_dns_domainname'] =\
+ config.pki_dns_domainname
config.pki_master_dict['pki_pin'] = config.pki_pin
config.pki_master_dict['pki_client_pin'] = config.pki_client_pin
config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
config.pki_master_dict['pki_jython_log_level'] =\
config.pki_jython_log_level
+ config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
# Configuration file name/value pairs
+ # NEVER add "sensitive" key value pairs to the master dictionary!!!
+ config.pki_master_dict.update(config.pki_mandatory_dict)
+ config.pki_master_dict.update(config.pki_optional_dict)
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
@@ -357,8 +371,7 @@ def compose_pki_master_dictionary():
# (e. g. Tomcat: "tomcat", "example.com-tomcat")
# (e. g. Apache: "apache", "example.com-apache")
#
- if not config.pki_master_dict['pki_admin_domain_name'] is None and\
- not config.pki_master_dict['pki_admin_domain_name'] is '':
+ if len(config.pki_master_dict['pki_admin_domain_name']):
config.pki_master_dict['pki_instance_id'] =\
config.pki_master_dict['pki_admin_domain_name'] +\
"-" + config.pki_master_dict['pki_instance_name']
@@ -458,6 +471,9 @@ def compose_pki_master_dictionary():
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
"emails")
+ config.pki_master_dict['pki_source_flatfile_txt'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "flatfile.txt")
config.pki_master_dict['pki_source_profiles'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
@@ -465,6 +481,43 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_source_proxy_conf'] =\
os.path.join(config.pki_master_dict['pki_source_conf_path'],
"proxy.conf")
+ config.pki_master_dict['pki_source_registry_cfg'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "registry.cfg")
+ # '*.profile'
+ config.pki_master_dict['pki_source_admincert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "adminCert.profile")
+ config.pki_master_dict['pki_source_caauditsigningcert_profile']\
+ = os.path.join(
+ config.pki_master_dict['pki_source_conf_path'],
+ "caAuditSigningCert.profile")
+ config.pki_master_dict['pki_source_cacert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "caCert.profile")
+ config.pki_master_dict['pki_source_caocspcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "caOCSPCert.profile")
+ config.pki_master_dict['pki_source_servercert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "subsystemCert.profile")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # '*.profile'
+ config.pki_master_dict['pki_source_servercert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_source_storagecert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "storageCert.profile")
+ config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "subsystemCert.profile")
+ config.pki_master_dict['pki_source_transportcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "transportCert.profile")
# PKI top-level file system layout name/value pairs
# NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix'
# is being prepended!!!
@@ -498,12 +551,14 @@ def compose_pki_master_dictionary():
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
# Apache instance base name/value pairs
+ config.pki_master_dict['pki_instance_type'] = "Apache"
# Apache instance log name/value pairs
# Apache instance configuration name/value pairs
# Apache instance registry name/value pairs
config.pki_master_dict['pki_instance_type_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- "apache")
+ os.path.join(
+ config.pki_master_dict['pki_registry_path'],
+ config.pki_master_dict['pki_instance_type'].lower())
config.pki_master_dict['pki_instance_registry_path'] =\
os.path.join(
config.pki_master_dict['pki_instance_type_registry_path'],
@@ -513,12 +568,16 @@ def compose_pki_master_dictionary():
elif config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
# Tomcat instance base name/value pairs
+ config.pki_master_dict['pki_instance_type'] = "Tomcat"
config.pki_master_dict['pki_tomcat_common_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"common")
config.pki_master_dict['pki_tomcat_common_lib_path'] =\
os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
"lib")
+ config.pki_master_dict['pki_tomcat_tmpdir_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ "temp")
config.pki_master_dict['pki_tomcat_webapps_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"webapps")
@@ -529,28 +588,43 @@ def compose_pki_master_dictionary():
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_root_path'],
"WEB-INF")
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
- "WEB-INF")
- config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
- "classes")
- config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
- "lib")
config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\
os.path.join(
config.pki_master_dict\
['pki_tomcat_webapps_root_webinf_path'],
"web.xml")
+ config.pki_master_dict['pki_tomcat_work_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ "work")
+ config.pki_master_dict['pki_tomcat_work_catalina_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_work_path'],
+ "Catalina")
+ config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_work_catalina_path'],
+ "localhost")
+ config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_path'],
+ "_")
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_subsystem_path'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
# Tomcat instance log name/value pairs
# Tomcat instance configuration name/value pairs
+ config.pki_master_dict['pki_instance_log4j_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "log4j.properties")
# Tomcat instance registry name/value pairs
config.pki_master_dict['pki_instance_type_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- "tomcat")
+ os.path.join(
+ config.pki_master_dict['pki_registry_path'],
+ config.pki_master_dict['pki_instance_type'].lower())
config.pki_master_dict['pki_instance_registry_path'] =\
os.path.join(
config.pki_master_dict['pki_instance_type_registry_path'],
@@ -562,9 +636,205 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_lib_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"lib")
+ config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_lib_path'],
+ "log4j.properties")
config.pki_master_dict['pki_instance_systemd_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_instance_id'])
+ # Tomcat instance common lib jars
+ if config.pki_master_dict['pki_architecture'] == 64:
+ config.pki_master_dict['pki_jss_jar'] =\
+ os.path.join("/usr/lib64/java",
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar'] =\
+ os.path.join("/usr/lib64/java",
+ "symkey.jar")
+ else:
+ config.pki_master_dict['pki_jss_jar'] =\
+ os.path.join("/usr/lib/java",
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar'] =\
+ os.path.join("/usr/lib/java",
+ "symkey.jar")
+ config.pki_master_dict['pki_apache_commons_collections_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-collections.jar")
+ config.pki_master_dict['pki_apache_commons_lang_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-lang.jar")
+ config.pki_master_dict['pki_apache_commons_logging_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-logging.jar")
+ config.pki_master_dict['pki_commons_codec_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "commons-codec.jar")
+ config.pki_master_dict['pki_httpclient_jar'] =\
+ os.path.join(
+ config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT,
+ "httpclient.jar")
+ config.pki_master_dict['pki_javassist_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "javassist.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "jaxrs-api.jar")
+ config.pki_master_dict['pki_jettison_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "jettison.jar")
+ config.pki_master_dict['pki_ldapjdk_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "ldapjdk.jar")
+ config.pki_master_dict['pki_certsrv_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-certsrv.jar")
+ config.pki_master_dict['pki_cmsbundle'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmsbundle.jar")
+ config.pki_master_dict['pki_cmscore'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmscore.jar")
+ config.pki_master_dict['pki_cms'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cms.jar")
+ config.pki_master_dict['pki_cmsutil'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmsutil.jar")
+ config.pki_master_dict['pki_nsutil'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-nsutil.jar")
+ config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jaxb-provider.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jaxrs.jar")
+ config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jettison-provider.jar")
+ config.pki_master_dict['pki_scannotation_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "scannotation.jar")
+ config.pki_master_dict['pki_tomcatjss_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "tomcatjss.jar")
+ config.pki_master_dict['pki_velocity_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "velocity.jar")
+ config.pki_master_dict['pki_xerces_j2_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xerces-j2.jar")
+ config.pki_master_dict['pki_xml_commons_apis_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xml-commons-apis.jar")
+ config.pki_master_dict['pki_xml_commons_resolver_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xml-commons-resolver.jar")
+ # Tomcat instance common lib jar symbolic links
+ config.pki_master_dict['pki_jss_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "symkey.jar")
+ config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-collections.jar")
+ config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-lang.jar")
+ config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-logging.jar")
+ config.pki_master_dict['pki_commons_codec_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-codec.jar")
+ config.pki_master_dict['pki_httpclient_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "httpclient.jar")
+ config.pki_master_dict['pki_javassist_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "javassist.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jaxrs-api.jar")
+ config.pki_master_dict['pki_jettison_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jettison.jar")
+ config.pki_master_dict['pki_ldapjdk_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "ldapjdk.jar")
+ config.pki_master_dict['pki_certsrv_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-certsrv.jar")
+ config.pki_master_dict['pki_cmsbundle_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmsbundle.jar")
+ config.pki_master_dict['pki_cmscore_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmscore.jar")
+ config.pki_master_dict['pki_cms_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cms.jar")
+ config.pki_master_dict['pki_cmsutil_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmsutil.jar")
+ config.pki_master_dict['pki_nsutil_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-nsutil.jar")
+ config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jaxb-provider.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jaxrs.jar")
+ config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jettison-provider.jar")
+ config.pki_master_dict['pki_scannotation_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "scannotation.jar")
+ config.pki_master_dict['pki_tomcatjss_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "tomcatjss.jar")
+ config.pki_master_dict['pki_velocity_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "velocity.jar")
+ config.pki_master_dict['pki_xerces_j2_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xerces-j2.jar")
+ config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xml-commons-apis.jar")
+ config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xml-commons-resolver.jar")
# Instance layout NSS security database name/value pairs
config.pki_master_dict['pki_database_path'] =\
os.path.join(
@@ -612,9 +882,6 @@ def compose_pki_master_dictionary():
elif config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
# Instance-based Tomcat PKI subsystem base name/value pairs
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
- config.pki_master_dict['pki_subsystem'].lower())
if config.pki_master_dict['pki_subsystem'] == "CA":
config.pki_master_dict['pki_subsystem_emails_path'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -632,18 +899,6 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
"webapps")
- config.pki_master_dict\
- ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "classes")
- config.pki_master_dict\
- ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "lib")
# Instance-based Apache/Tomcat PKI subsystem convenience symbolic links
config.pki_master_dict['pki_subsystem_database_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -654,6 +909,78 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_logs_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
"logs")
+ # PKI Target (war file) name/value pairs
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ # Tomcat PKI subsystem war file base name/value pairs
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "classes")
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "lib")
+ # Tomcat PKI subsystem war file convenience symbolic links
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_ca_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-ca.jar")
+ # config.pki_master_dict['pki_ca_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-ca.jar")
+ config.pki_master_dict['pki_ca_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-ca.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ config.pki_master_dict['pki_kra_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-kra.jar")
+ # config.pki_master_dict['pki_kra_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-kra.jar")
+ config.pki_master_dict['pki_kra_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-kra.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ config.pki_master_dict['pki_ocsp_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-ocsp.jar")
+ # config.pki_master_dict['pki_ocsp_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-ocsp.jar")
+ config.pki_master_dict['pki_ocsp_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-ocsp.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ config.pki_master_dict['pki_tks_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-tks.jar")
+ # config.pki_master_dict['pki_tks_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-tks.jar")
+ config.pki_master_dict['pki_tks_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-tks.jar")
# PKI Target (slot substitution) name/value pairs
config.pki_master_dict['pki_target_cs_cfg'] =\
os.path.join(
@@ -699,12 +1026,50 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
"WEB-INF",
"web.xml")
+ config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "web.xml.orig")
# subystem-specific slot substitution name/value pairs
if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_target_flatfile_txt'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "flatfile.txt")
config.pki_master_dict['pki_target_proxy_conf'] =\
os.path.join(config.pki_master_dict\
['pki_subsystem_configuration_path'],
"proxy.conf")
+ config.pki_master_dict['pki_target_registry_cfg'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "registry.cfg")
+ # '*.profile'
+ config.pki_master_dict['pki_target_admincert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "adminCert.profile")
+ config.pki_master_dict['pki_target_caauditsigningcert_profile']\
+ = os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caAuditSigningCert.profile")
+ config.pki_master_dict['pki_target_cacert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caCert.profile")
+ config.pki_master_dict['pki_target_caocspcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caOCSPCert.profile")
+ config.pki_master_dict['pki_target_servercert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "subsystemCert.profile")
# in-place slot substitution name/value pairs
config.pki_master_dict['pki_target_profileselect_template'] =\
os.path.join(
@@ -713,6 +1078,24 @@ def compose_pki_master_dictionary():
"ee",
config.pki_master_dict['pki_subsystem'].lower(),
"ProfileSelect.template")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # '*.profile'
+ config.pki_master_dict['pki_target_servercert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_target_storagecert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "storageCert.profile")
+ config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "subsystemCert.profile")
+ config.pki_master_dict['pki_target_transportcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "transportCert.profile")
# Slot assignment name/value pairs
# NOTE: Master key == Slots key; Master value ==> Slots value
config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
@@ -830,6 +1213,8 @@ def compose_pki_master_dictionary():
"tomcat")
config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_https_port']
+ config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
+ config.pki_master_dict['pki_tomcat_tmpdir_path']
config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_http_port']
config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
@@ -846,6 +1231,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_security_manager']
config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
config.pki_master_dict['pki_target_server_xml']
+ config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\
+ config.pki_master_dict['pki_subsystem'].lower() + "/"
config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
config.pki_master_dict['pki_subsystem'].lower()
config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
@@ -924,6 +1311,10 @@ def compose_pki_master_dictionary():
"+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
"+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
# Shared Apache/Tomcat NSS security database name/value pairs
+ config.pki_master_dict['pki_shared_pfile'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "pfile")
config.pki_master_dict['pki_shared_password_conf'] =\
os.path.join(
config.pki_master_dict['pki_instance_configuration_path'],
@@ -941,13 +1332,13 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_self_signed_nickname'] =\
"Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
config.pki_master_dict['pki_self_signed_subject'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
config.pki_master_dict['pki_self_signed_serial_number'] = 0
config.pki_master_dict['pki_self_signed_validity_period'] = 12
config.pki_master_dict['pki_self_signed_issuer_name'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
config.pki_master_dict['pki_self_signed_noise_file'] =\
os.path.join(
@@ -992,10 +1383,778 @@ def compose_pki_master_dictionary():
"pki",
"deployment",
"configuration.jy")
+ config.pki_master_dict['pki_jython_base_uri'] =\
+ "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\
+ config.pki_master_dict['pki_https_port'] + "/" +\
+ config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
+ # Jython scriptlet
+ # 'Security Domain' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_security_domain_type']
+ # config.pki_master_dict['pki_security_domain_uri']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_security_domain_https_port']
+ # config.pki_master_dict['pki_security_domain_password']
+ # config.pki_master_dict['pki_security_domain_user']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_security_domain_hostname']
+ # config.pki_master_dict['pki_security_domain_name']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if config.pki_subsystem == "CA":
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_name']):
+ config.pki_master_dict['pki_security_domain_name'] =\
+ "External CA Security Domain"
+ elif not config.str2bool(config.pki_master_dict['pki_clone'])\
+ and not\
+ config.str2bool(config.pki_master_dict['pki_subordinate']):
+ # PKI CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_name']):
+ config.pki_master_dict['pki_security_domain_name'] =\
+ config.pki_master_dict['pki_dns_domainname'] +\
+ " " + "Security Domain"
+ else:
+ # PKI Cloned or Subordinate CA
+ config.pki_master_dict['pki_security_domain_type'] =\
+ "existing"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_hostname']):
+ # Guess that it is the local host
+ config.pki_master_dict['pki_security_domain_hostname']\
+ = config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['pki_security_domain_uri'] =\
+ "https" + "://" +\
+ config.pki_master_dict['pki_security_domain_hostname']\
+ + ":" + config.pki_security_domain_https_port
+ else:
+ # PKI KRA, OCSP, or TKS
+ config.pki_master_dict['pki_security_domain_type'] = "existing"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_hostname']):
+ # Guess that it is the local host
+ config.pki_master_dict['pki_security_domain_hostname'] =\
+ config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['pki_security_domain_uri'] =\
+ "https" + "://" +\
+ config.pki_master_dict['pki_security_domain_hostname'] +\
+ ":" +\
+ config.pki_master_dict['pki_security_domain_https_port']
+ # Jython scriptlet
+ # 'Directory Server' Configuration name/value pairs
+ #
+ # Apache - [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ds_bind_dn']
+ # config.pki_master_dict['pki_ds_http_port']
+ # config.pki_master_dict['pki_ds_https_port']
+ # config.pki_master_dict['pki_ds_password']
+ # config.pki_master_dict['pki_ds_remove_data']
+ # config.pki_master_dict['pki_ds_secure_connection']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ds_base_dn']
+ # config.pki_master_dict['pki_ds_database']
+ # config.pki_master_dict['pki_ds_hostname']
+ #
+ if not len(config.pki_master_dict['pki_ds_base_dn']):
+ config.pki_master_dict['pki_ds_base_dn'] =\
+ "o=" + config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ds_database']):
+ config.pki_master_dict['pki_ds_database'] =\
+ "o=" + config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ds_hostname']):
+ # Guess that the Directory Server resides on the local host
+ config.pki_master_dict['pki_ds_hostname'] =\
+ config.pki_master_dict['pki_hostname']
+ # Jython scriptlet
+ # 'Backup' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_backup_keys']
+ # config.pki_master_dict['pki_backup_password']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_backup_file']
+ #
+ if config.str2bool(config.pki_master_dict['pki_backup_keys']):
+ if not len(config.pki_master_dict['pki_backup_file']):
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "externalca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "subca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "ca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "kra.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "ocsp.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "tks.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ # Jython scriptlet
+ # 'Admin Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_admin_cert_request_type']
+ # config.pki_master_dict['pki_admin_dualkey']
+ # config.pki_master_dict['pki_admin_keysize']
+ # config.pki_master_dict['pki_admin_name']
+ # config.pki_master_dict['pki_admin_password']
+ # config.pki_master_dict['pki_admin_uid']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_admin_email']
+ # config.pki_master_dict['pki_admin_subject_dn']
+ #
+ config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
+ if not len(config.pki_master_dict['pki_admin_email']):
+ config.pki_master_dict['pki_admin_email'] =\
+ config.pki_master_dict['pki_admin_name'] + "@" +\
+ config.pki_master_dict['pki_dns_domainname']
+ if not len(config.pki_master_dict['pki_admin_subject_dn']):
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if config.pki_master_dict['pki_subsystem'] == "RA":
+ # PKI RA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "RA Administrator" + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TPS":
+ # PKI TPS
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "TPS Administrator" + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ # PKI CA, Subordinate CA, or External CA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "CA Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "KRA Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "OCSP Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "TKS Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ # Jython scriptlet
+ # 'CA Signing Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [CA]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ca_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ca_signing_key_algorithm']
+ # config.pki_master_dict['pki_ca_signing_key_size']
+ # config.pki_master_dict['pki_ca_signing_key_type']
+ # config.pki_master_dict['pki_ca_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ca_signing_nickname']
+ # config.pki_master_dict['pki_ca_signing_subject_dn']
+ # config.pki_master_dict['pki_ca_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ # config.pki_master_dict['pki_ca_signing_nickname']
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_nickname']):
+ config.pki_master_dict['pki_ca_signing_nickname'] =\
+ "caSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ # config.pki_master_dict['pki_ca_signing_subject_dn']
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "External CA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "SubCA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "CA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ # config.pki_master_dict['pki_ca_signing_tag']
+ config.pki_master_dict['pki_ca_signing_tag'] =\
+ "signing"
+ # config.pki_master_dict['pki_ca_signing_token']
+ if not len(config.pki_master_dict['pki_ca_signing_token']):
+ config.pki_master_dict['pki_ca_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'OCSP Signing Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [CA], [OCSP]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_key_algorithm']
+ # config.pki_master_dict['pki_ocsp_signing_key_size']
+ # config.pki_master_dict['pki_ocsp_signing_key_type']
+ # config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_nickname']
+ # config.pki_master_dict['pki_ocsp_signing_subject_dn']
+ # config.pki_master_dict['pki_ocsp_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_nickname']):
+ config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+ "ocspSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "External CA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "SubCA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "CA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ config.pki_master_dict['pki_ocsp_signing_tag'] =\
+ "ocsp_signing"
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_token']):
+ config.pki_master_dict['pki_ocsp_signing_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_nickname']):
+ config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+ "ocspSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ocsp_signing_tag'] =\
+ "signing"
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_token']):
+ config.pki_master_dict['pki_ocsp_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'SSL Server Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ssl_server_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ssl_server_key_algorithm']
+ # config.pki_master_dict['pki_ssl_server_key_size']
+ # config.pki_master_dict['pki_ssl_server_key_type']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ssl_server_nickname']
+ # config.pki_master_dict['pki_ssl_server_subject_dn']
+ # config.pki_master_dict['pki_ssl_server_token']
+ #
+ if not len(config.pki_master_dict['pki_ssl_server_nickname']):
+ config.pki_master_dict['pki_ssl_server_nickname'] =\
+ "Server-Cert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+ "cn=" + config.pki_master_dict['pki_hostname'] +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+ "cn=" + config.pki_master_dict['pki_hostname'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
+ if not len(config.pki_master_dict['pki_ssl_server_token']):
+ config.pki_master_dict['pki_ssl_server_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'Subsystem Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_subsystem_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_subsystem_key_algorithm']
+ # config.pki_master_dict['pki_subsystem_key_size']
+ # config.pki_master_dict['pki_subsystem_key_type']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_subsystem_nickname']
+ # config.pki_master_dict['pki_subsystem_subject_dn']
+ # config.pki_master_dict['pki_subsystem_token']
+ #
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if not len(config.pki_master_dict['pki_subsystem_nickname']):
+ config.pki_master_dict['pki_subsystem_nickname'] =\
+ "subsystemCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "RA":
+ # PKI RA
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "RA Subsystem Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TPS":
+ # PKI TPS
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "TPS Subsystem Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ if not len(config.pki_master_dict['pki_subsystem_token']):
+ config.pki_master_dict['pki_subsystem_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if not len(config.pki_master_dict['pki_subsystem_nickname']):
+ config.pki_master_dict['pki_subsystem_nickname'] =\
+ "subsystemCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "External CA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "SubCA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "CA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "DRM Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "OCSP Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "TKS Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ if not len(config.pki_master_dict['pki_subsystem_token']):
+ config.pki_master_dict['pki_subsystem_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'Audit Signing Certificate' Configuration name/value pairs
+ #
+ # Apache - [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_audit_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_audit_signing_key_algorithm']
+ # config.pki_master_dict['pki_audit_signing_key_size']
+ # config.pki_master_dict['pki_audit_signing_key_type']
+ # config.pki_master_dict['pki_audit_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_audit_signing_nickname']
+ # config.pki_master_dict['pki_audit_signing_subject_dn']
+ # config.pki_master_dict['pki_audit_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if config.pki_master_dict['pki_subsystem'] != "RA":
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_nickname']):
+ config.pki_master_dict['pki_audit_signing_nickname'] =\
+ "auditSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_subject_dn']):
+ config.pki_master_dict['pki_audit_signing_subject_dn'] =\
+ "cn=" + "TPS Audit Signing Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_audit_signing_tag'] =\
+ "audit_signing"
+ if not len(config.pki_master_dict['pki_audit_signing_token']):
+ config.pki_master_dict['pki_audit_signing_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_nickname']):
+ config.pki_master_dict['pki_audit_signing_nickname'] =\
+ "auditSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "External CA Audit Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "SubCA Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "CA Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "DRM Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "OCSP Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "TKS Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_audit_signing_tag'] =\
+ "audit_signing"
+ if not len(config.pki_master_dict['pki_audit_signing_token']):
+ config.pki_master_dict['pki_audit_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'DRM Transport Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [KRA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_transport_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_transport_key_algorithm']
+ # config.pki_master_dict['pki_transport_key_size']
+ # config.pki_master_dict['pki_transport_key_type']
+ # config.pki_master_dict['pki_transport_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_transport_nickname']
+ # config.pki_master_dict['pki_transport_subject_dn']
+ # config.pki_master_dict['pki_transport_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ if not len(config.pki_master_dict\
+ ['pki_transport_nickname']):
+ config.pki_master_dict['pki_transport_nickname'] =\
+ "transportCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_transport_subject_dn']):
+ config.pki_master_dict['pki_transport_subject_dn']\
+ = "cn=" + "DRM Transport Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_transport_tag'] =\
+ "transport"
+ if not len(config.pki_master_dict['pki_transport_token']):
+ config.pki_master_dict['pki_transport_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'DRM Storage Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [KRA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_storage_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_storage_key_algorithm']
+ # config.pki_master_dict['pki_storage_key_size']
+ # config.pki_master_dict['pki_storage_key_type']
+ # config.pki_master_dict['pki_storage_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_storage_nickname']
+ # config.pki_master_dict['pki_storage_subject_dn']
+ # config.pki_master_dict['pki_storage_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ if not len(config.pki_master_dict['pki_storage_nickname']):
+ config.pki_master_dict['pki_storage_nickname'] =\
+ "storageCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_storage_subject_dn']):
+ config.pki_master_dict['pki_storage_subject_dn']\
+ = "cn=" + "DRM Storage Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_storage_tag'] =\
+ "storage"
+ if not len(config.pki_master_dict['pki_storage_token']):
+ config.pki_master_dict['pki_storage_token'] =\
+ "Internal Key Storage Token"
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
+ except KeyError as err:
+ config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1,
+ err, extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
return
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 1a08fdccb..8364d9519 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.password.create_password_conf(
master['pki_shared_password_conf'],
master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
util.file.modify(master['pki_shared_password_conf'])
util.certutil.create_security_databases(
master['pki_database_path'],
master['pki_cert_database'],
master['pki_key_database'],
master['pki_secmod_database'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
util.file.modify(master['pki_cert_database'], perms=\
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
util.file.modify(master['pki_key_database'], perms=\
@@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
@@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
else:
util.password.create_password_conf(
master['pki_shared_password_conf'],
master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
util.certutil.create_security_databases(
master['pki_database_path'],
master['pki_cert_database'],
master['pki_key_database'],
master['pki_secmod_database'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
master['pki_cert_database'],
@@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
@@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
+ util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
return self.rv
def respawn(self):
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 93b0ae750..3467596e8 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_cs_cfg'])
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
@@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
@@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
@@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 4ea5e6f84..d9c597d60 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem_profiles_path'])
# establish instance-based Tomcat PKI subsystem logs
# establish instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ util.file.copy(master['pki_source_flatfile_txt'],
+ master['pki_target_flatfile_txt'])
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'])
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'])
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'])
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'])
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'])
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'])
# establish instance-based Tomcat PKI subsystem registry
# establish instance-based Tomcat PKI subsystem convenience
# symbolic links
@@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
# update instance-based Tomcat PKI subsystem logs
# update instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ # util.file.copy(master['pki_source_flatfile_txt'],
+ # master['pki_target_flatfile_txt'],
+ # overwrite_flag=True)
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'],
+ overwrite_flag=True)
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'],
+ overwrite_flag=True)
# update instance-based Tomcat PKI subsystem registry
# update instance-based Tomcat PKI subsystem convenience
# symbolic links
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index ca2ea601b..16113ba7d 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
- # establish convenience symbolic links
- util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
- master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
- util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
- master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+ # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.create(master['pki_ca_jar'],
+ master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.create(master['pki_kra_jar'],
+ master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.create(master['pki_ocsp_jar'],
+ master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.create(master['pki_tks_jar'],
+ master['pki_tks_jar_link'])
# set ownerships, permissions, and acls
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
@@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
+ # update Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.modify(master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.modify(master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.modify(master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.modify(master['pki_tks_jar_link'])
# update ownerships, permissions, and acls
- # NOTE: This includes existing convenience symbolic links
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv