diff options
Diffstat (limited to 'base/deploy/src/scriptlets')
| -rw-r--r-- | base/deploy/src/scriptlets/configuration.jy | 111 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/configuration.py | 44 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/finalization.py | 2 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/instance_layout.py | 2 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiconfig.py | 10 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkihelper.py | 709 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkijython.py | 667 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkimessages.py | 67 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 24 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/security_databases.py | 4 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/selinux_setup.py | 4 |
11 files changed, 710 insertions, 934 deletions
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy deleted file mode 100644 index d6af9b1ca..000000000 --- a/base/deploy/src/scriptlets/configuration.jy +++ /dev/null @@ -1,111 +0,0 @@ -#!/usr/bin/jython - -# System Python Imports -import os -import pickle -import sys - - -# PKI Python Imports -import pkijython as jyutil -import pkiconfig as config -import pkimessages as log - - -# System Java Imports -from java.lang import System as javasystem - - -# PKI Java Imports -from com.netscape.certsrv.client import ClientConfig - - -def main(argv): - rv = 0 - - # Import the master dictionary from 'pkispawn' - master = pickle.loads(argv[1]) - sensitive_parameters = master['sensitive_parameters'].split() - - # Optionally enable a java debugger (e. g. - 'eclipse'): - if config.str2bool(master['pki_enable_java_debugger']): - config.wait_to_attach_an_external_java_debugger() - - - # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging! - # - # Until, and unless, 'jython 2.5' or later is used, - # debugging will basically be limited to using 'print' - # since creating a logging mechanism for 'jython 2.2' - # would not make sense at this point in time, although - # a 'customized' manual log process could be created. - # - # Regardless of 'jython' version, the log file generated - # by this standalone 'jython' process would be unique and - # separate to the log file generated for the PKI - # deployment scriptlets 'python' process, as they exist - # as two separate processes (until and unless 'jython 2.7' - # could be used to completely replace 'python 2.7', - # in which case a single process could be executed - # end-to-end from installation through configuration). - # - if master['pki_jython_log_level'] >= config.PKI_JYTHON_DEBUG_LOG_LEVEL: - # javasystem.out.println("Hello") - print "%s %s" %\ - (log.PKI_JYTHON_INDENTATION_2, sys.path) - print "%s %s" %\ - (log.PKI_JYTHON_INDENTATION_2, - javasystem.getProperties()['java.class.path']) - for key in master: - if key in sensitive_parameters: - value = 'XXXXXXXX' - else: - value = master[key] - print "%s '%s' = '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, key, value) - - # Initialize token - jyutil.security_databases.initialize_token( - master['pki_client_database_dir'], - master['pki_jython_log_level']) - - # Log into token - token = jyutil.security_databases.log_into_token( - master['pki_client_database_dir'], - master['pki_client_password_conf'], - master['pki_jython_log_level']) - - # Setup connection parameters - client_config = ClientConfig() - client_config.setInstanceCreationMode(True) - client_config.setServerURI(master['pki_jython_base_uri']) - - # Establish REST Client - client = jyutil.rest_client.initialize( - client_config, - master) - - # Construct PKI Subsystem Configuration Data - data = None - if master['pki_instance_type'] == "Apache": - if master['pki_subsystem'] == "RA": - print "%s '%s' %s" %\ - (log.PKI_JYTHON_INDENTATION_2, - master['pki_subsystem'], - log.PKI_JYTHON_NOT_YET_IMPLEMENTED) - return rv - elif master['pki_subsystem'] == "TPS": - print "%s '%s' %s" %\ - (log.PKI_JYTHON_INDENTATION_2, - master['pki_subsystem'], - log.PKI_JYTHON_NOT_YET_IMPLEMENTED) - return rv - elif master['pki_instance_type'] == "Tomcat": - # PKI or Cloned CA, KRA, OCSP, or TKS, Subordinate CA, or External CA - data = jyutil.rest_client.construct_pki_configuration_data(token) - - # Formulate PKI Subsystem Configuration Data Response - jyutil.rest_client.configure_pki_data(data) - -if __name__ == "__main__": - main(sys.argv) diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index 248a43cf7..7bd1b017a 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py @@ -25,6 +25,9 @@ from pkiconfig import pki_master_dict as master import pkihelper as util import pkimessages as log import pkiscriptlet +import json +import pki.system +import pki.encoder # PKI Deployment Configuration Scriptlet @@ -85,16 +88,45 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.prepare_for_an_external_java_debugger( master['pki_target_tomcat_conf_instance_id']) tomcat_instance_subsystems =\ - util.instance.tomcat_instance_subsystems() + len(util.instance.tomcat_instance_subsystems()) if tomcat_instance_subsystems == 1: util.systemd.start() elif tomcat_instance_subsystems > 1: util.systemd.restart() - # Pass control to the Java servlet via Jython 2.2 'configuration.jy' - util.jython.invoke( - master['pki_jython_configuration_scriptlet'], - master['resteasy_lib']) + # wait for startup + status = util.instance.wait_for_startup(60) + if status == None: + config.pki_log.error("server failed to restart", + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + # Optionally wait for debugger to attach (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + config_client = util.config_client() + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_subsystem'] == "TPS": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_instance_type'] == "Tomcat": + # CA, KRA, OCSP, or TKS + data = config_client.construct_pki_configuration_data() + + # Configure the substem + config_client.configure_pki_data( + json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) + return self.rv def respawn(self): @@ -111,7 +143,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.delete(master['pki_client_dir']) util.symlink.delete(master['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 1: + len(util.instance.tomcat_instance_subsystems()) == 1: if util.directory.exists(master['pki_client_dir']): util.directory.delete(master['pki_client_dir']) util.symlink.delete(master['pki_systemd_service_link']) diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index 8fe643e15..6ddc98d03 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py @@ -105,7 +105,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.instance.apache_instance_subsystems() >= 1: util.systemd.start() elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() >= 1: + len(util.instance.tomcat_instance_subsystems()) >= 1: util.systemd.start() config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, master['pki_subsystem'], diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index 773305c13..843227a84 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -170,7 +170,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.delete( master['pki_instance_type_registry_path']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: + len(util.instance.tomcat_instance_subsystems()) == 0: # remove Tomcat instance base util.directory.delete(master['pki_instance_path']) # remove Tomcat instance logs diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 1a4c77cb1..ad6c22251 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -94,14 +94,6 @@ PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443 PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005 PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009 -# PKI Deployment Jython 2.2 Constants -PKI_JYTHON_CRITICAL_LOG_LEVEL = 1 -PKI_JYTHON_ERROR_LOG_LEVEL = 2 -PKI_JYTHON_WARNING_LOG_LEVEL = 3 -PKI_JYTHON_INFO_LOG_LEVEL = 4 -PKI_JYTHON_DEBUG_LOG_LEVEL = 5 - - # PKI Deployment Global Variables pki_install_time = None pki_timestamp = None @@ -173,7 +165,6 @@ def wait_to_attach_an_external_java_debugger(): # PKI Deployment Logger Variables -pki_jython_log_level = None pki_log = None pki_log_dir = None pki_log_name = None @@ -184,7 +175,6 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries pki_master_dict = {} pki_slots_dict = None -pki_master_jython_dict = None # PKI Selinux Constants and parameters PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 7eae9324d..92707c553 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -28,13 +28,16 @@ import fileinput import pickle import random import re +import requests import shutil import string import subprocess +import time from grp import getgrgid from grp import getgrnam from pwd import getpwnam from pwd import getpwuid +import xml.etree.ElementTree as ET import zipfile import selinux if selinux.is_selinux_enabled(): @@ -49,7 +52,9 @@ from pkiconfig import pki_selinux_config_ports as ports import pkimanifest as manifest import pkimessages as log from pkiparser import PKIConfigParser - +import pki.account +import pki.client +import pki.system # PKI Deployment Helper Functions def pki_copytree(src, dst, symlinks=False, ignore=None): @@ -921,19 +926,15 @@ class instance: return rv def tomcat_instance_subsystems(self): - rv = 0 + # Return list of PKI subsystems in the specified tomcat instance + rv = [] try: - # count number of PKI subsystems present - # within the specified Tomcat instance for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: path = master['pki_instance_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], - rv, extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, + rv.append(subsystem) + except OSErr as e: + config.pki_log.error(log.PKI_OSERROR_1, str(e), extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) return rv @@ -991,6 +992,38 @@ class instance: extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) + def get_instance_status(self): + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type'], + accept = 'application/xml') + + try: + client = pki.system.SystemStatusClient(self.connection) + response = client.getStatus() + config.pki_log.debug(response, + extra=config.PKI_INDENTATION_LEVEL_3) + + root = ET.fromstring(response) + status = root.findtext("Status") + return status + except requests.exceptions.ConnectionError: + config.pki_log.debug("No connection", + extra=config.PKI_INDENTATION_LEVEL_3) + return None + + def wait_for_startup(self, timeout): + tries = 1 + status = self.get_instance_status() + while status != "running": + if tries >= timeout: + return None + time.sleep(1) + status = self.get_instance_status() + tries = tries + 1 + return status # PKI Deployment Directory Class class directory: @@ -2282,6 +2315,198 @@ class certutil: sys.exit(1) return + def import_cert(self, nickname, trust, input_file, password_file, + path=None, token=None, critical_failure=True): + try: + command = ["certutil","-A"] + if path: + command.extend(["-d", path]) + + if token: + command.extend(["-h", token]) + + if nickname: + command.extend(["-n", nickname ]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if trust: + command.extend(["-t", trust]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if input_file: + command.extend(["-i", input_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if password_file: + command.extend(["-f", password_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def generate_certificate_request(self, subject, key_size, + password_file, noise_file, + output_file = None, path = None, + ascii_format = None, token = None, + critical_failure=True): + try: + command = ["certutil", "-R"] + if path: + command.extend(["-d", path]) + else: + command.extend(["-d", "."]) + + if token: + command.extend(["-h", token]) + + if subject: + command.extend(["-s", subject]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if key_size: + command.extend(["-g", str(key_size)]) + + if noise_file: + command.extend(["-z", noise_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if password_file: + command.extend(["-f", password_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if output_file: + command.extend(["-o", output_file]) + + # set acsii output + if ascii_format: + command.append("-a") + + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + with open(os.devnull, "w") as fnull: + subprocess.call(command, stdout=fnull, stderr=fnull) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + +# pk12util class +class pk12util: + def create_file(self, out_file, nickname, out_pwfile, + db_pwfile, path=None): + try: + command = ["pk12util"] + if path: + command.extend(["-d", path]) + if out_file: + command.extend(["-o", out_file]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_OUTFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if nickname: + command.extend(["-n", nickname]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if out_pwfile: + command.extend(["-w", out_pwfile]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if db_pwfile: + command.extend(["-k", db_pwfile]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + with open(os.devnull, "w") as fnull: + subprocess.call(command, stdout=fnull, stderr=fnull) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + # KRA Connector Class class kra_connector: def deregister(self, critical_failure=False): @@ -2748,73 +2973,411 @@ class systemd: return -# PKI Deployment 'jython' Class -class jython: - def invoke(self, scriptlet, resteasy_lib, critical_failure=True): +class config_client: + + def configure_pki_data(self, data): + config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type']) + try: - # JSS JNI Jars - # - # NOTE: Always load 64-bit JNI 'jss4.jar' - # PRIOR to 32-bit JNI 'jss4.jar' - # - classpath = "/usr/lib64/java/jss4.jar" +\ - ":/usr/lib/java/jss4.jar" +\ - ":/usr/share/java/httpcomponents/httpclient.jar" +\ - ":/usr/share/java/httpcomponents/httpcore.jar" +\ - ":/usr/share/java/apache-commons-cli.jar" +\ - ":/usr/share/java/apache-commons-codec.jar" +\ - ":/usr/share/java/apache-commons-logging.jar" +\ - ":/usr/share/java/istack-commons-runtime.jar" +\ - ":/usr/share/java/glassfish-jaxb/jaxb-impl.jar" +\ - ":/usr/share/java/scannotation.jar" - - # RESTEasy Jars - classpath = classpath +\ - ":" + resteasy_lib + "/jaxrs-api.jar" +\ - ":" + resteasy_lib + "/resteasy-atom-provider.jar" +\ - ":" + resteasy_lib + "/resteasy-jaxb-provider.jar" +\ - ":" + resteasy_lib + "/resteasy-jaxrs.jar" +\ - ":" + resteasy_lib + "/resteasy-jettison-provider.jar" - - # PKI Jars - classpath = classpath +\ - ":/usr/share/java/pki/pki-certsrv.jar" +\ - ":/usr/share/java/pki/pki-client.jar" +\ - ":/usr/share/java/pki/pki-cmsutil.jar" +\ - ":/usr/share/java/pki/pki-nsutil.jar" - - properties = "" - - # From 'http://www.jython.org/archive/22/userfaq.html': - # Setting this to false will allow Jython to provide access to - # non-public fields, methods, and constructors of Java objects. - # properties = properties + " -Dpython.security.respectJavaAccessibility=false" - - # Compose this "jython" command - data = pickle.dumps(master) - if master['pki_architecture'] == 64: - ld_library_path = "/usr/lib64/jss:/usr/lib64:/lib64:" +\ - "/usr/lib/jss:/usr/lib:/lib" - else: - ld_library_path = "/usr/lib/jss:/usr/lib:/lib" - command = "export LD_LIBRARY_PATH=" + ld_library_path +\ - ";export CLASSPATH=" + classpath +\ - ";jython " + properties + " " + scriptlet - # Display this "jython" command - config.pki_log.info( - log.PKIHELPER_INVOKE_JYTHON_1, - command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Invoke this "jython" command - subprocess.call(command + " \"" + data + "\"", shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + client = pki.system.SystemConfigClient(self.connection) + response = client.configure(data) + + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\ + " " + str(response['status']), extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) + certs = response['systemCerts'] + for cdata in certs: + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external']) and\ + not config.str2bool(master['pki_external_step_two']): + # External CA Step 1 + if cdata['tag'].lower() == "signing": + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Save 'External CA Signing Certificate' CSR (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\ + " '" + master['pki_external_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + directory.create( + os.path.dirname(master['pki_external_csr_path'])) + with open(master['pki_external_csr_path'], "w") as f: + f.write(cdata['request']) + return + else: + config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\ + " " + cdata['tag'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\ + " " + cdata['cert'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Cloned PKI subsystems do not return an Admin Certificate + if not config.str2bool(master['pki_clone']) and \ + not config.str2bool(master['pki_import_admin_cert']): + admin_cert = response['adminCert']['cert'] + self.process_admin_cert(admin_cert) + except Exception, e: + config.pki_log.error( + log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) return + def process_admin_cert(self, admin_cert): + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\ + " " + admin_cert, + extra=config.PKI_INDENTATION_LEVEL_2) + + # Store the Administration Certificate in a file + admin_cert_file = master['pki_client_admin_cert'] + admin_cert_bin_file = admin_cert_file + ".der" + config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\ + " '" + admin_cert_file + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(admin_cert_file, "w") as f: + f.write(admin_cert) + + # convert the cert file to binary + command = ["AtoB", admin_cert_file, admin_cert_bin_file] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + os.chmod(admin_cert_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + os.chmod(admin_cert_bin_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + # Import the Administration Certificate + # into the client NSS security database + certutil.import_cert( + re.sub("'", "'", master['pki_admin_nickname']), + "u,u,u", + admin_cert_bin_file, + master['pki_client_password_conf'], + master['pki_client_database_dir'], + None, + True) + + # create directory for p12 file if it does not exist + directory.create(os.path.dirname( + master['pki_client_admin_cert_p12'])) + + # Export the Administration Certificate from the + # client NSS security database into a PKCS #12 file + pk12util.create_file( + master['pki_client_admin_cert_p12'], + re.sub("'","'", master['pki_admin_nickname']), + master['pki_client_pkcs12_password_conf'], + master['pki_client_password_conf'], + master['pki_client_database_dir']) + + os.chmod(master['pki_client_admin_cert_p12'], + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + + + def construct_pki_configuration_data(self): + config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + + data = pki.system.ConfigurationRequest() + + # Miscellaneous Configuration Information + data.pin = master['pki_one_time_pin'] + data.subsystemName = master['pki_subsystem_name'] + # Cloning parameters + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_clone']): + self.set_cloning_parameters(data) + else: + data.isClone = "false" + + # Hierarchy + self.set_hierarchy_parameters(data) + + # Security Domain + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + self.set_existing_security_domain(data) + else: + # PKI CA or External CA + self.set_new_security_domain(data) + + # database + if master['pki_subsystem'] != "RA": + self.set_database_parameters(data) + + # backup + if master['pki_instance_type'] == "Tomcat": + self.set_backup_parameters(data) + + # admin user + if not config.str2bool(master['pki_clone']): + self.set_admin_parameters(data) + + # Issuing CA Information + self.set_issuing_ca_parameters(data) + + # Create system certs + self.set_system_certs(data) + + return data + + def set_system_certs(self, data): + systemCerts = [] + + # Create 'CA Signing Certificate' + if master['pki_subsystem'] == "CA": + if not config.str2bool(master['pki_clone']): + cert1 = self.create_system_cert("ca_signing") + cert1.signingAlgorithm =\ + master['pki_ca_signing_signing_algorithm'] + if config.str2bool(master['pki_external_step_two']): + # Load the 'External CA Signing Certificate' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\ + "'" + master['pki_external_ca_cert_path'] + "'") + with open(master['pki_external_ca_cert_path']) as f: + external_cert = f.read() + cert1.cert = external_cert + + # Load the 'External CA Signing Certificate Chain' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\ + "'" + master['pki_external_ca_cert_chain_path'] +\ + "'") + with open(master['pki_external_ca_cert_chain_path']) as f: + external_cert_chain = f.read() + + cert1.certChain = external_cert_chain + systemCerts.append(cert1) + + # Create 'OCSP Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.signingAlgorithm =\ + master['pki_ocsp_signing_signing_algorithm'] + systemCerts.append(cert2) + + # Create 'SSL Server Certificate' + # all subsystems + + # create new sslserver cert only if this is a new instance + cert3 = None + system_list = instance.tomcat_instance_subsystems() + if len(system_list) >= 2: + data.generateServerCert = "false" + for subsystem in system_list: + dst = master['pki_instance_path'] + '/conf/' +\ + subsystem.lower() + '/CS.cfg' + if subsystem != master['pki_subsystem'] and \ + os.path.exists(dst): + cert3 = self.retrieve_existing_server_cert(dst) + break + else: + cert3 = self.create_system_cert("ssl_server") + systemCerts.append(cert3) + + # Create 'Subsystem Certificate' + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") + systemCerts.append(cert4) + + # Create 'Audit Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] != "RA": + cert5 = self.create_system_cert("audit_signing") + cert5.signingAlgorithm =\ + master['pki_audit_signing_signing_algorithm'] + systemCerts.append(cert5) + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.append(cert6) + + cert7 = self.create_system_cert("storage") + systemCerts.append(cert7) + + data.systemCerts = systemCerts + + def set_cloning_parameters(self, data): + data.isClone = "true" + data.cloneUri = master['pki_clone_uri'] + data.p12File = master['pki_clone_pkcs12_path'] + data.p12Password = master['pki_clone_pkcs12_password'] + data.replicateSchema = master['pki_clone_replicate_schema'] + data.replicationSecurity =\ + master['pki_clone_replication_security'] + if master['pki_clone_replication_master_port']: + data.masterReplicationPort =\ + master['pki_clone_replication_master_port'] + if master['pki_clone_replication_clone_port']: + data.cloneReplicationPort =\ + master['pki_clone_replication_clone_port'] + + def set_hierarchy_parameters(self, data): + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + # Cloned CA + data.hierarchy = "root" + elif config.str2bool(master['pki_external']): + # External CA + data.hierarchy = "join" + elif config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.hierarchy = "join" + else: + # PKI CA + data.hierarchy = "root" + + def set_existing_security_domain(self, data): + data.securityDomainType = "existingdomain" + data.securityDomainUri = master['pki_security_domain_uri'] + data.securityDomainUser = master['pki_security_domain_user'] + data.securityDomainPassword = master['pki_security_domain_password'] + + def set_new_security_domain(self, data): + data.securityDomainType = "newdomain" + data.securityDomainName = master['pki_security_domain_name'] + + def set_database_parameters(self, data): + data.dsHost = master['pki_ds_hostname'] + data.dsPort = master['pki_ds_ldap_port'] + data.baseDN = master['pki_ds_base_dn'] + data.bindDN = master['pki_ds_bind_dn'] + data.database = master['pki_ds_database'] + data.bindpwd = master['pki_ds_password'] + if config.str2bool(master['pki_ds_remove_data']): + data.removeData = "true" + else: + data.removeData = "false" + if config.str2bool(master['pki_ds_secure_connection']): + data.secureConn = "true" + else: + data.secureConn = "false" + + def set_backup_parameters(self, data): + if config.str2bool(master['pki_backup_keys']): + data.backupKeys = "true" + data.backupFile = master['pki_backup_keys_p12'] + data.backupPassword = master['pki_backup_password'] + else: + data.backupKeys = "false" + + def set_admin_parameters(self, data): + data.adminEmail = master['pki_admin_email'] + data.adminName = master['pki_admin_name'] + data.adminPassword = master['pki_admin_password'] + data.adminProfileID = master['pki_admin_profile_id'] + data.adminUID = master['pki_admin_uid'] + data.adminSubjectDN = master['pki_admin_subject_dn'] + if config.str2bool(master['pki_import_admin_cert']): + data.importAdminCert = "true" + # read config from file + with open(master['pki_admin_cert_file']) as f: + b64 = f.read().replace('\n','') + data.adminCert = b64 + else: + data.importAdminCert = "false" + data.adminSubjectDN = master['pki_admin_subject_dn'] + if master['pki_admin_cert_request_type'] == "pkcs10": + data.adminCertRequestType = "pkcs10" + + noise_file = os.path.join( + master['pki_client_database_dir'], "noise") + + output_file = os.path.join( + master['pki_client_database_dir'], "admin_pkcs10.bin") + + file.generate_noise_file( + noise_file, int(master['pki_admin_keysize'])) + + certutil.generate_certificate_request( + master['pki_admin_subject_dn'], + master['pki_admin_keysize'], + master['pki_client_password_conf'], + noise_file, + output_file, + master['pki_client_database_dir'], + None, None, True) + + # convert output to ascii + command = ["BtoA", output_file, output_file + ".asc"] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + with open(output_file + ".asc") as f: + b64 = f.read().replace('\n','') + + data.adminCertRequest = b64 + else: + print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY" + sys.exit(1) + + def set_issuing_ca_parameters(self, data): + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + config.str2bool(master['pki_external']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, + # Subordinate CA, or External CA + data.issuingCA = master['pki_issuing_ca'] + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # External CA Step 2 + data.stepTwo = "true"; + + def create_system_cert(self, tag): + cert = pki.system.SystemCertData() + cert.tag = master["pki_%s_tag" % tag] + cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag] + cert.keySize = master["pki_%s_key_size" % tag] + cert.keyType = master["pki_%s_key_type" % tag] + cert.nickname = master["pki_%s_nickname" % tag] + cert.subjectDN = master["pki_%s_subject_dn" % tag] + cert.token = master["pki_%s_token" % tag] + return cert + + def retrieve_existing_server_cert(self, cfg_file): + cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) + cstype = cs_cfg.get('cs.type').lower() + cert = pki.system.SystemCertData() + cert.tag = master["pki_ssl_server_tag"] + cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"] + cert.keySize = master["pki_ssl_server_key_size"] + cert.keyType = master["pki_ssl_server_key_type"] + cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname") + cert.cert = cs_cfg.get(cstype + ".sslserver.cert") + cert.request = cs_cfg.get(cstype + ".sslserver.certreq") + cert.subjectDN = master["pki_ssl_server_subject_dn"] + cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") + return cert + # PKI Deployment Helper Class Instances identity = identity() namespace = namespace() @@ -2827,7 +3390,7 @@ symlink = symlink() war = war() password = password() certutil = certutil() +pk12util = pk12util() security_domain = security_domain() kra_connector = kra_connector() systemd = systemd() -jython = jython() diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py deleted file mode 100644 index 4768d8af9..000000000 --- a/base/deploy/src/scriptlets/pkijython.py +++ /dev/null @@ -1,667 +0,0 @@ -#!/usr/bin/jython - -# System Java Imports -from java.io import BufferedReader -from java.io import ByteArrayInputStream -from java.io import FileReader -from java.io import IOException -from java.lang import Integer -from java.lang import String as javastring -from java.lang import System as javasystem -from java.net import URISyntaxException -from java.security import KeyPair -from java.security import NoSuchAlgorithmException -from java.util import ArrayList -from java.util import Collection -from java.util import Iterator -from org.python.core import PyDictionary -import jarray - - -# System Python Imports -import ConfigParser -import errno -import os -import re -import sys -pki_python_module_path = os.path.join(sys.prefix, - "lib", - "python" + str(sys.version_info[0]) + - "." + str(sys.version_info[1]), - "site-packages", - "pki", - "deployment", - "configuration.jy") -sys.path.append(pki_python_module_path) - - -# PKI Python Imports -import pkiconfig as config -import pkimessages as log - -# Apache Commons Java Imports -from org.apache.commons.cli import CommandLine -from org.apache.commons.cli import CommandLineParser -from org.apache.commons.cli import HelpFormatter -from org.apache.commons.cli import Options -from org.apache.commons.cli import ParseException -from org.apache.commons.cli import PosixParser - -# JSS Java Imports -from org.mozilla.jss import CryptoManager -from org.mozilla.jss.asn1 import ASN1Util -from org.mozilla.jss.asn1 import BIT_STRING -from org.mozilla.jss.asn1 import INTEGER -from org.mozilla.jss.asn1 import InvalidBERException -from org.mozilla.jss.asn1 import SEQUENCE -from org.mozilla.jss.crypto import AlreadyInitializedException -from org.mozilla.jss.crypto import CryptoToken -from org.mozilla.jss.crypto import KeyPairAlgorithm -from org.mozilla.jss.crypto import KeyPairGenerator -from org.mozilla.jss.crypto import TokenException -from org.mozilla.jss.pkix.crmf import CertReqMsg -from org.mozilla.jss.pkix.crmf import CertRequest -from org.mozilla.jss.pkix.crmf import CertTemplate -from org.mozilla.jss.pkix.crmf import POPOPrivKey -from org.mozilla.jss.pkix.crmf import ProofOfPossession -from org.mozilla.jss.pkix.primitive import Name -from org.mozilla.jss.pkix.primitive import SubjectPublicKeyInfo -from org.mozilla.jss.util import Password - -# PKI Java Imports -from com.netscape.certsrv.system import SystemConfigClient -from com.netscape.certsrv.system import SystemCertData -from com.netscape.certsrv.system import ConfigurationRequest -from com.netscape.certsrv.system import ConfigurationResponse -from com.netscape.cmsutil.util import Utils -from netscape.security.x509 import X500Name - -# PKI Deployment Jython Helper Functions -def generateCRMFRequest(token, keysize, subjectdn, dualkey): - kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA) - x = Integer(keysize) - key_len = x.intValue() - kg.initialize(key_len) - # 1st key pair - pair = kg.genKeyPair() - # create CRMF - certTemplate = CertTemplate() - certTemplate.setVersion(INTEGER(2)) - if not subjectdn is None: - name = X500Name(subjectdn) - cs = ByteArrayInputStream(name.getEncoded()) - n = Name.getTemplate().decode(cs) - certTemplate.setSubject(n) - certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic())) - seq = SEQUENCE() - certReq = CertRequest(INTEGER(1), certTemplate, seq) - popdata = jarray.array([0x0,0x3,0x0], 'b') - pop = ProofOfPossession.createKeyEncipherment( - POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3))) - crmfMsg = CertReqMsg(certReq, pop, None) - s1 = SEQUENCE() - # 1st : Encryption key - s1.addElement(crmfMsg) - # 2nd : Signing Key - if config.str2bool(dualkey): - javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY) - seq1 = SEQUENCE() - certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1) - signingMsg = CertReqMsg(certReqSigning, pop, None) - s1.addElement(signingMsg) - encoded = jarray.array(ASN1Util.encode(s1), 'b') - # encoder = BASE64Encoder() - # Req1 = encoder.encodeBuffer(encoded) - Req1 = Utils.base64encode(encoded) - return Req1 - -COMMENT_CHAR = '#' -OPTION_CHAR = '=' -def read_simple_configuration_file(filename): - values = {} - f = open(filename) - for line in f: - # First, remove comments: - if COMMENT_CHAR in line: - # split on comment char, keep only the part before - line, comment = line.split(COMMENT_CHAR, 1) - # Second, find lines with an name=value: - if OPTION_CHAR in line: - # split on name char: - name, value = line.split(OPTION_CHAR, 1) - # strip spaces: - name = name.strip() - value = value.strip() - # store in dictionary: - values[name] = value - f.close() - return values - - -# PKI Deployment 'security databases' Class -class security_databases: - def initialize_token(self, pki_database_path, log_level): - try: - if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: - print "%s %s '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, - log.PKI_JYTHON_INITIALIZING_TOKEN, - pki_database_path) - CryptoManager.initialize(pki_database_path) - except AlreadyInitializedException, e: - # it is ok if it is already initialized - pass - except Exception, e: - javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\ - " " + str(e)) - javasystem.exit(1) - - def log_into_token(self, pki_database_path, password_conf, log_level): - token = None - try: - if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: - print "%s %s '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, - log.PKI_JYTHON_LOG_INTO_TOKEN, - pki_database_path) - manager = CryptoManager.getInstance() - token = manager.getInternalKeyStorageToken() - # Retrieve 'password' from client-side 'password_conf' - # - # NOTE: For now, ONLY read the first line - # (which contains "password") - # - fd = open(password_conf, "r") - token_pwd = fd.readline() - fd.close - # Convert 'token_pwd' into a 'java char[]' - jtoken_pwd = jarray.array(token_pwd, 'c') - password = Password(jtoken_pwd) - try: - token.login(password) - except Exception, e: - javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ - " " + str(e)) - if not token.isLoggedIn(): - token.initPassword(password, password) - javasystem.exit(1) - except Exception, e: - javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\ - " " + str(e)) - javasystem.exit(1) - return token - - -# PKI Deployment 'REST Client' Class -class rest_client: - client = None - master = None - - def initialize(self, client_config, master): - try: - self.master = master - log_level = master['pki_jython_log_level'] - if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: - print "%s %s '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, - log.PKI_JYTHON_INITIALIZING_REST_CLIENT, - client_config.serverURI) - self.client = SystemConfigClient(client_config) - return self.client - except URISyntaxException, e: - e.printStackTrace() - javasystem.exit(1) - - def set_existing_security_domain(self, data): - data.setSecurityDomainType(ConfigurationRequest.EXISTING_DOMAIN) - data.setSecurityDomainUri(self.master['pki_security_domain_uri']) - data.setSecurityDomainUser(self.master['pki_security_domain_user']) - data.setSecurityDomainPassword( - self.master['pki_security_domain_password']) - - def set_new_security_domain(self, data): - data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN) - data.setSecurityDomainName(self.master['pki_security_domain_name']) - - def set_cloning_parameters(self, data): - data.setIsClone("true") - data.setCloneUri(self.master['pki_clone_uri']) - data.setP12File(self.master['pki_clone_pkcs12_path']) - data.setP12Password(self.master['pki_clone_pkcs12_password']) - data.setReplicateSchema(self.master['pki_clone_replicate_schema']) - data.setReplicationSecurity( - self.master['pki_clone_replication_security']) - if self.master['pki_clone_replication_master_port']: - data.setMasterReplicationPort( - self.master['pki_clone_replication_master_port']) - if self.master['pki_clone_replication_clone_port']: - data.setCloneReplicationPort( - self.master['pki_clone_replication_clone_port']) - - def set_database_parameters(self, data): - data.setDsHost(self.master['pki_ds_hostname']) - data.setDsPort(self.master['pki_ds_ldap_port']) - data.setBaseDN(self.master['pki_ds_base_dn']) - data.setBindDN(self.master['pki_ds_bind_dn']) - data.setDatabase(self.master['pki_ds_database']) - data.setBindpwd(self.master['pki_ds_password']) - if config.str2bool(self.master['pki_ds_remove_data']): - data.setRemoveData("true") - else: - data.setRemoveData("false") - if config.str2bool(self.master['pki_ds_secure_connection']): - data.setSecureConn("true") - else: - data.setSecureConn("false") - - def set_backup_parameters(self, data): - if config.str2bool(self.master['pki_backup_keys']): - data.setBackupKeys("true") - data.setBackupFile(self.master['pki_backup_keys_p12']) - data.setBackupPassword(self.master['pki_backup_password']) - else: - data.setBackupKeys("false") - - def set_admin_parameters(self, token, data): - data.setAdminEmail(self.master['pki_admin_email']) - data.setAdminName(self.master['pki_admin_name']) - data.setAdminPassword(self.master['pki_admin_password']) - data.setAdminProfileID(self.master['pki_admin_profile_id']) - data.setAdminUID(self.master['pki_admin_uid']) - data.setAdminSubjectDN(self.master['pki_admin_subject_dn']) - if config.str2bool(self.master['pki_import_admin_cert']): - data.setImportAdminCert("true") - # read config from file - f = open(self.master['pki_admin_cert_file']) - b64 = f.read().replace('\n','') - f.close() - data.setAdminCert(b64) - else: - data.setImportAdminCert("false") - data.setAdminSubjectDN(self.master['pki_admin_subject_dn']) - if self.master['pki_admin_cert_request_type'] == "crmf": - data.setAdminCertRequestType("crmf") - if config.str2bool(self.master['pki_admin_dualkey']): - crmf_request = generateCRMFRequest( - token, - self.master['pki_admin_keysize'], - self.master['pki_admin_subject_dn'], - "true") - else: - crmf_request = generateCRMFRequest( - token, - self.master['pki_admin_keysize'], - self.master['pki_admin_subject_dn'], - "false") - data.setAdminCertRequest(crmf_request) - else: - javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY) - javasystem.exit(1) - - def create_system_cert(self, tag): - cert = SystemCertData() - cert.setTag(self.master["pki_%s_tag" % tag]) - cert.setKeyAlgorithm(self.master["pki_%s_key_algorithm" % tag]) - cert.setKeySize(self.master["pki_%s_key_size" % tag]) - cert.setKeyType(self.master["pki_%s_key_type" % tag]) - cert.setNickname(self.master["pki_%s_nickname" % tag]) - cert.setSubjectDN(self.master["pki_%s_subject_dn" % tag]) - cert.setToken(self.master["pki_%s_token" % tag]) - return cert - - def mkdirs(self, path): - try: - os.makedirs(path) - except OSError, e: - if e.errno == 0: - # Avoid the following weird python/jython exception: - # - # [Errno 0] couldn't make directories: <path> - # - pass - elif e.errno == errno.EEXIST and os.path.isdir(path): - pass - else: - raise - - def write_data_to_file(self, filename, data): - FILE = open(filename, "w") - FILE.write(data) - FILE.close() - - def read_data_from_file(self, filename): - FILE = open(filename, "r") - data = FILE.read() - FILE.close() - return data - - def retrieve_existing_server_cert(self, cfg_file): - cs_cfg = read_simple_configuration_file(cfg_file) - cstype = cs_cfg.get('cs.type').lower() - cert = SystemCertData() - cert.setTag(self.master["pki_ssl_server_tag"]) - cert.setKeyAlgorithm(self.master["pki_ssl_server_key_algorithm"]) - cert.setKeySize(self.master["pki_ssl_server_key_size"]) - cert.setKeyType(self.master["pki_ssl_server_key_type"]) - cert.setNickname(cs_cfg.get(cstype + ".sslserver.nickname")) - cert.setCert(cs_cfg.get(cstype + ".sslserver.cert")) - cert.setRequest(cs_cfg.get(cstype + ".sslserver.certreq")) - cert.setSubjectDN(self.master["pki_ssl_server_subject_dn"]) - cert.setToken(cs_cfg.get(cstype + ".sslserver.tokenname")) - return cert - - def tomcat_instance_subsystems(self): - # Return list of PKI subsystems in the specified tomcat instance - rv = [] - try: - for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - path = self.master['pki_instance_path'] + "/" + subsystem.lower() - if os.path.exists(path) and os.path.isdir(path): - rv.append(subsystem) - except Exception, e: - javasystem.out.println( - log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) - javasystem.exit(1) - return rv - - - def construct_pki_configuration_data(self, token): - data = None - master = self.master - if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: - print "%s %s '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, - log.PKI_JYTHON_CONSTRUCTING_PKI_DATA, - master['pki_subsystem']) - data = ConfigurationRequest() - - # Miscellaneous Configuration Information - data.setPin(master['pki_one_time_pin']) - data.setToken(ConfigurationRequest.TOKEN_DEFAULT) - data.setSubsystemName(master['pki_subsystem_name']) - - # Hierarchy - if master['pki_instance_type'] == "Tomcat": - if master['pki_subsystem'] == "CA": - if config.str2bool(master['pki_clone']): - # Cloned CA - data.setHierarchy("root") - elif config.str2bool(master['pki_external']): - # External CA - data.setHierarchy("join") - elif config.str2bool(master['pki_subordinate']): - # Subordinate CA - data.setHierarchy("join") - else: - # PKI CA - data.setHierarchy("root") - - # Cloning parameters - if master['pki_instance_type'] == "Tomcat": - if config.str2bool(master['pki_clone']): - self.set_cloning_parameters(data) - else: - data.setIsClone("false") - - # Security Domain - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - self.set_existing_security_domain(data) - else: - # PKI CA or External CA - self.set_new_security_domain(data) - - if master['pki_subsystem'] != "RA": - self.set_database_parameters(data) - - if master['pki_instance_type'] == "Tomcat": - self.set_backup_parameters(data) - - if not config.str2bool(master['pki_clone']): - self.set_admin_parameters(token, data) - - # Issuing CA Information - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']) or\ - config.str2bool(master['pki_external']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, - # Subordinate CA, or External CA - data.setIssuingCA(master['pki_issuing_ca']) - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external_step_two']): - # External CA Step 2 - data.setStepTwo("true"); - - # Create system certs - systemCerts = ArrayList() - - # Create 'CA Signing Certificate' - if master['pki_subsystem'] == "CA": - if not config.str2bool(master['pki_clone']): - cert1 = self.create_system_cert("ca_signing") - cert1.setSigningAlgorithm( - master['pki_ca_signing_signing_algorithm']) - if config.str2bool(master['pki_external_step_two']): - # Load the 'External CA Signing Certificate' (Step 2) - javasystem.out.println( - log.PKI_JYTHON_EXTERNAL_CA_LOAD + " " +\ - "'" + master['pki_external_ca_cert_path'] + "'") - external_cert = self.read_data_from_file( - master['pki_external_ca_cert_path']) - cert1.setCert(external_cert); - # Load the 'External CA Signing Certificate Chain' (Step 2) - javasystem.out.println( - log.PKI_JYTHON_EXTERNAL_CA_CHAIN_LOAD + " " +\ - "'" + master['pki_external_ca_cert_chain_path'] +\ - "'") - external_cert_chain = self.read_data_from_file( - master['pki_external_ca_cert_chain_path']) - cert1.setCertChain(external_cert_chain); - systemCerts.add(cert1) - - # Create 'OCSP Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA" or\ - master['pki_subsystem'] == "OCSP": - # External CA, Subordinate CA, PKI CA, or PKI OCSP - cert2 = self.create_system_cert("ocsp_signing") - cert2.setSigningAlgorithm( - master['pki_ocsp_signing_signing_algorithm']) - systemCerts.add(cert2) - - # Create 'SSL Server Certificate' - # all subsystems - - # create new sslserver cert only if this is a new instance - cert3 = None - system_list = self.tomcat_instance_subsystems() - if len(system_list) >= 2: - data.setGenerateServerCert("false") - for subsystem in system_list: - dst = master['pki_instance_path'] + '/conf/' +\ - subsystem.lower() + '/CS.cfg' - if subsystem != master['pki_subsystem'] and \ - os.path.exists(dst): - cert3 = self.retrieve_existing_server_cert(dst) - break - else: - cert3 = self.create_system_cert("ssl_server") - systemCerts.add(cert3) - - # Create 'Subsystem Certificate' - if not config.str2bool(master['pki_clone']): - cert4 = self.create_system_cert("subsystem") - systemCerts.add(cert4) - - # Create 'Audit Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] != "RA": - cert5 = self.create_system_cert("audit_signing") - cert5.setSigningAlgorithm( - master['pki_audit_signing_signing_algorithm']) - systemCerts.add(cert5) - - # Create DRM Transport and storage Certificates - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - cert6 = self.create_system_cert("transport") - systemCerts.add(cert6) - - cert7 = self.create_system_cert("storage") - systemCerts.add(cert7) - - data.setSystemCerts(systemCerts) - - return data - - def configure_pki_data(self, data): - master = self.master - if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: - print "%s %s '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, - log.PKI_JYTHON_CONFIGURING_PKI_DATA, - master['pki_subsystem']) - try: - response = self.client.configure(data) - javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ - " " + response.getStatus()) - certs = response.getSystemCerts() - iterator = certs.iterator() - while iterator.hasNext(): - cdata = iterator.next() - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external']) and\ - not config.str2bool(master['pki_external_step_two']): - # External CA Step 1 - if cdata.getTag().lower() == "signing": - javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST +\ - " " + cdata.getRequest()) - # Save 'External CA Signing Certificate' CSR (Step 1) - javasystem.out.println(log.PKI_JYTHON_EXTERNAL_CSR_SAVE\ - + " " + "'" +\ - master['pki_external_csr_path']\ - + "'") - self.mkdirs( - os.path.dirname(master['pki_external_csr_path'])) - self.write_data_to_file(master['pki_external_csr_path'], - cdata.getRequest()) - return - else: - javasystem.out.println(log.PKI_JYTHON_CDATA_TAG +\ - " " + cdata.getTag()) - javasystem.out.println(log.PKI_JYTHON_CDATA_CERT +\ - " " + cdata.getCert()) - javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST +\ - " " + cdata.getRequest()) - # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(master['pki_clone']) and \ - not config.str2bool(master['pki_import_admin_cert']): - admin_cert = response.getAdminCert().getCert() - javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ - " " + admin_cert) - # Store the Administration Certificate in a file - admin_cert_file = master['pki_client_admin_cert'] - admin_cert_bin_file = admin_cert_file + ".der" - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ - " " + "'" + admin_cert_file + "'") - self.write_data_to_file(admin_cert_file, admin_cert) - # convert the cert file to binary - command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\ - " " + "'" + command + "'") - os.system(command) - - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod( - # admin_cert_file, - # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) - # - # Emulate it with a system call. - command = "chmod" + " 660 " + admin_cert_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - command = "chmod" + " 660 " + admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - # Import the Administration Certificate - # into the client NSS security database - command = "certutil" + " " +\ - "-A" + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-t" + " " +\ - "\"" + "u,u,u" + "\"" + " " +\ - "-f" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-i" + " " +\ - admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_IMPORT +\ - " " + "'" + command + "'") - os.system(command) - - # create directory for p12 file if it does not exist - self.mkdirs(os.path.dirname( - master['pki_client_admin_cert_p12'])) - - # Export the Administration Certificate from the - # client NSS security database into a PKCS #12 file - command = "pk12util" + " " +\ - "-o" + " " +\ - master['pki_client_admin_cert_p12'] + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-k" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-w" + " " +\ - master['pki_client_pkcs12_password_conf'] - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_EXPORT +\ - " " + "'" + command + "'") - os.system(command) - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod(master['pki_client_admin_cert_p12'], - # config.\ - # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - # - # Emulate it with a system call. - command = "chmod" + " " + "664" + " " +\ - master['pki_client_admin_cert_p12'] - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - except Exception, e: - javasystem.out.println( - log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) - javasystem.exit(1) - return - - -# PKI Deployment Jython Class Instances -security_databases = security_databases() -rest_client = rest_client() diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index c16d3ce46..a6361dc8b 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py @@ -149,12 +149,17 @@ PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\ "Apache PKI instances" PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ "slot substitutions on '%s'" +PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'" +PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\ + "'-i input-file' option!" PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ "'-c issuer-name' option!" PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ "'-n nickname' option!" PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ "'-z noise-file' option!" +PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\ + "'-f password-file' option!" PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ "'-m serial-number' option!" @@ -189,7 +194,6 @@ PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ "context %s" -PKIHELPER_INVOKE_JYTHON_1 = "executing '%s'" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" PKIHELPER_IS_A_FILE_1 = "'%s' is a file" PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" @@ -224,6 +228,15 @@ PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ "filling it with '%d' random bytes" PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!" +PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\ + "-k db-password-file option!" +PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\ + "-n nickname option!" +PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\ + "-o output-file option!" +PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\ + "-w pw-file option!" + PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ "PKI subsystems" PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" @@ -279,47 +292,25 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" - -# PKI Deployment Jython "Scriptlet" Messages -# (MUST contain NO embedded formats since Jython 2.2 does not support logging!) -PKI_JYTHON_ADMIN_CERT_EXPORT = "exporting Admin Certificate from "\ - "NSS client security database:" -PKI_JYTHON_ADMIN_CERT_IMPORT = "importing Admin Certificate into "\ - "NSS client security database:" -PKI_JYTHON_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" -PKI_JYTHON_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" -PKI_JYTHON_CDATA_TAG = "tag:" -PKI_JYTHON_CDATA_CERT = "cert:" -PKI_JYTHON_CDATA_REQUEST = "request:" -PKI_JYTHON_CHMOD = "performing chmod:" -PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for" -PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for" -PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\ +PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" +PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" +PKI_CONFIG_CDATA_TAG = "tag:" +PKI_CONFIG_CDATA_CERT = "cert:" +PKI_CONFIG_CDATA_REQUEST = "request:" +PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data." +PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data." +PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\ "is currently supported" -PKI_JYTHON_IS_DUALKEY = "dualkey = true" -PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing" -PKI_JYTHON_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ +PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ "from file:" -PKI_JYTHON_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ +PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ "chain from file:" -PKI_JYTHON_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" -PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON " -PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..." -PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......." -PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........." -PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............." -PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:" -PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via" -PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in" -PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\ +PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" +PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\ "Exception from Java Configuration Servlet:" -PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in" -PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:" -PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:" -PKI_JYTHON_RESPONSE_STATUS = "status:" -PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:" -PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED" - +PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" +PKI_CONFIG_RESPONSE_STATUS = "status:" +PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED" # PKI Deployment "Scriptlet" Messages ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 639b11820..c4bf9b886 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -96,15 +96,12 @@ class PKIConfigParser: # Process 'Optional' command-line options # '-v' if args.pki_verbosity == 1: - config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL config.pki_console_log_level = logging.INFO config.pki_log_level = logging.INFO elif args.pki_verbosity == 2: - config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL config.pki_console_log_level = logging.INFO config.pki_log_level = logging.DEBUG elif args.pki_verbosity == 3: - config.pki_jython_log_level = config.PKI_JYTHON_DEBUG_LOG_LEVEL config.pki_console_log_level = logging.DEBUG config.pki_log_level = logging.DEBUG elif args.pki_verbosity > 3: @@ -114,7 +111,6 @@ class PKIConfigParser: self.arg_parser.exit(-1); else: # Set default log levels - config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL config.pki_console_log_level = logging.WARNING config.pki_log_level = logging.INFO @@ -424,8 +420,6 @@ class PKIConfigParser: config.pki_master_dict['pki_certificate_timestamp'] =\ config.pki_certificate_timestamp config.pki_master_dict['pki_architecture'] = config.pki_architecture - config.pki_master_dict['pki_jython_log_level'] =\ - config.pki_jython_log_level config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg config.pki_master_dict['pki_deployed_instance_name'] =\ @@ -857,21 +851,7 @@ class PKIConfigParser: config.pki_master_dict['pki_client_database_password'] =\ str(config.pki_master_dict['pki_client_pin']) - # Jython scriptlet name/value pairs - config.pki_master_dict['pki_jython_configuration_scriptlet'] =\ - os.path.join(sys.prefix, - "lib", - "python" + str(sys.version_info[0]) + "." + - str(sys.version_info[1]), - "site-packages", - "pki", - "deployment", - "configuration.jy") - config.pki_master_dict['pki_jython_base_uri'] =\ - "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\ - config.pki_master_dict['pki_https_port'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - # Jython scriptlet + # Configuration scriptlet # 'Security Domain' Configuration name/value pairs # 'Subsystem Name' Configuration name/value pairs # 'Token' Configuration name/value pairs @@ -945,7 +925,6 @@ class PKIConfigParser: # PKI CA config.pki_master_dict['pki_security_domain_type'] = "new" - # Jython scriptlet # 'External CA' Configuration name/value pairs # # Tomcat - [External CA] @@ -959,7 +938,6 @@ class PKIConfigParser: # config.pki_master_dict['pki_external_step_two'] # - # Jython scriptlet # 'Backup' Configuration name/value pairs # # Apache - [RA], [TPS] diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py index a74a4c157..9ac4784e5 100644 --- a/base/deploy/src/scriptlets/security_databases.py +++ b/base/deploy/src/scriptlets/security_databases.py @@ -62,7 +62,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.modify(master['pki_secmod_database'], perms=\ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - if util.instance.tomcat_instance_subsystems() < 2: + if len(util.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance rv = util.certutil.verify_certificate_exists( master['pki_database_path'], @@ -111,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.delete(master['pki_secmod_database']) util.file.delete(master['pki_shared_password_conf']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: + len(util.instance.tomcat_instance_subsystems()) == 0: util.file.delete(master['pki_cert_database']) util.file.delete(master['pki_key_database']) util.file.delete(master['pki_secmod_database']) diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py index f3b7d1273..552ab3f41 100644 --- a/base/deploy/src/scriptlets/selinux_setup.py +++ b/base/deploy/src/scriptlets/selinux_setup.py @@ -66,7 +66,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ util.instance.apache_instance_subsystems() == 1 or\ master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 1: + len(util.instance.tomcat_instance_subsystems()) == 1: trans = seobject.semanageRecords("targeted") trans.start() @@ -133,7 +133,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ util.instance.apache_instance_subsystems() == 0 or\ master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: + len(util.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() |