diff options
Diffstat (limited to 'base/deploy/src')
-rwxr-xr-x | base/deploy/src/pkidestroy | 4 | ||||
-rwxr-xr-x | base/deploy/src/pkispawn | 4 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkiconfig.py | 1 | ||||
-rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 730 |
4 files changed, 51 insertions, 688 deletions
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 4e8bca9d1..69daa13ad 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -119,8 +119,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), @@ -133,8 +131,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index 73d236247..79ab1b230 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn @@ -139,8 +139,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), @@ -153,8 +151,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 35c80a5f7..ec6c5ea38 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -205,7 +205,6 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries pki_default_dict = None -pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None pki_master_dict = None diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a99425960..05536f424 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -79,8 +79,7 @@ class PKIConfigParser: dest='pki_deployed_instance_name', action='store', nargs=1, required=True, metavar='<instance>', - help='FORMAT: ${pki_instance_name}' - '[.${pki_admin_domain_name}]') + help='FORMAT: ${pki_instance_name}') # Establish 'Optional' command-line options optional = parser.add_argument_group('optional arguments') optional.add_argument('-h', '--help', @@ -219,37 +218,51 @@ class PKIConfigParser: "Read configuration file sections into dictionaries" rv = 0 try: - self.pki_config = ConfigParser.ConfigParser() + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + default_instance_name = 'pki-tomcat' + default_http_port = '8080' + default_https_port = '8443' + else: + default_instance_name = 'pki-apache' + default_http_port = '80' + default_https_port = '443' + + predefined_dict = {'default_instance_name': default_instance_name, + 'default_http_port': default_http_port, + 'default_https_port': default_https_port, + 'dns_domainname': config.pki_dns_domainname, + 'subsystem_type' : config.pki_subsystem, + 'hostname': config.pki_hostname} + + self.pki_config = ConfigParser.SafeConfigParser(predefined_dict) # Make keys case-sensitive! self.pki_config.optionxform = str self.pki_config.read([ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE, config.pkideployment_cfg]) - config.pki_default_dict = self.pki_config.defaults() + config.pki_default_dict = dict(self.pki_config.items('DEFAULT')) pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split() - config.pki_common_dict = dict(self.pki_config._sections['Common']) if config.pki_subsystem == "CA": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['CA']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('CA')) elif config.pki_subsystem == "KRA": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['KRA']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('KRA')) elif config.pki_subsystem == "OCSP": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['OCSP']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('OCSP')) elif config.pki_subsystem == "RA": - config.pki_web_server_dict = dict(self.pki_config._sections['Apache']) - config.pki_subsystem_dict = dict(self.pki_config._sections['RA']) + config.pki_web_server_dict = dict(self.pki_config.items('Apache')) + config.pki_subsystem_dict = dict(self.pki_config.items('RA')) elif config.pki_subsystem == "TKS": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['TKS']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('TKS')) elif config.pki_subsystem == "TPS": - config.pki_web_server_dict = dict(self.pki_config._sections['Apache']) - config.pki_subsystem_dict = dict(self.pki_config._sections['TPS']) + config.pki_web_server_dict = dict(self.pki_config.items('Apache')) + config.pki_subsystem_dict = dict(self.pki_config.items('TPS')) # Insert empty record into dictionaries for "pretty print" statements # NEVER print "sensitive" key value pairs!!! config.pki_default_dict[0] = None - config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None except ConfigParser.ParsingError, err: @@ -296,10 +309,10 @@ class PKIConfigParser: # Configuration file name/value pairs # NEVER add "sensitive" key value pairs to the master dictionary!!! config.pki_master_dict.update(config.pki_default_dict) - config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) config.pki_master_dict.update(__name__="PKI Master Dictionary") + # IMPORTANT: A "PKI instance" no longer corresponds to a single # pki subystem, but rather to a unique # "Tomcat web instance" or a unique "Apache web instance". @@ -345,17 +358,12 @@ class PKIConfigParser: # OLD: "pki-${pki_subsystem}" # (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") # (e. g. Apache: "pki-ra", "pki-tps") - # NEW: "${pki_instance_name}[.${pki_admin_domain_name}]" + # NEW: "${pki_instance_name}" # (e. g. Tomcat: "pki-tomcat", "pki-tomcat.example.com") # (e. g. Apache: "pki-apache", "pki-apache.example.com") # - if len(config.pki_master_dict['pki_admin_domain_name']): - config.pki_master_dict['pki_instance_id'] =\ - config.pki_master_dict['pki_instance_name'] + "." +\ - config.pki_master_dict['pki_admin_domain_name'] - else: - config.pki_master_dict['pki_instance_id'] =\ - config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_instance_id'] = config.pki_master_dict['pki_instance_name'] + # PKI Source name/value pairs config.pki_master_dict['pki_source_conf_path'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, @@ -1364,7 +1372,6 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and potentially overridden below: # - # config.pki_master_dict['pki_client_database_password'] # config.pki_master_dict['pki_client_dir'] # config.pki_master_dict['pki_client_subsystem_dir'] # @@ -1464,9 +1471,6 @@ class PKIConfigParser: # # config.pki_master_dict['pki_security_domain_user'] # config.pki_master_dict['pki_issuing_ca'] - # config.pki_master_dict['pki_security_domain_hostname'] - # config.pki_master_dict['pki_security_domain_name'] - # config.pki_master_dict['pki_subsystem_name'] # # if security domain user is not defined @@ -1478,44 +1482,16 @@ class PKIConfigParser: config.pki_master_dict['pki_security_domain_user'] =\ self.pki_config.get('CA', 'pki_admin_uid') - # or use the Common admin uid if it's defined - elif self.pki_config.has_option('Common', 'pki_admin_uid') and\ - len(self.pki_config.get('Common', 'pki_admin_uid')) > 0: + # or use the Default admin uid if it's defined + elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ + len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('Common', 'pki_admin_uid') + self.pki_config.get('DEFAULT', 'pki_admin_uid') # otherwise use the default CA admin uid else: config.pki_master_dict['pki_security_domain_user'] = "caadmin" - if not len(config.pki_master_dict['pki_subsystem_name']): - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS and \ - config.str2bool(config.pki_master_dict['pki_clone']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - elif config.pki_subsystem == "CA" and \ - config.str2bool(config.pki_master_dict['pki_external']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_EXTERNAL_CA + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - elif config.pki_subsystem == "CA" and \ - config.str2bool(config.pki_master_dict['pki_subordinate']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_SUBORDINATE_CA + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - else: - config.pki_master_dict['pki_subsystem_name'] =\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] if config.pki_subsystem != "CA" or\ config.str2bool(config.pki_master_dict['pki_clone']) or\ config.str2bool(config.pki_master_dict['pki_subordinate']): @@ -1523,16 +1499,6 @@ class PKIConfigParser: # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or # Subordinate CA config.pki_master_dict['pki_security_domain_type'] = "existing" - if not len(config.pki_master_dict['pki_security_domain_name']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_name'] =\ - config.pki_master_dict['pki_dns_domainname'] + " " +\ - "Security Domain" - if not\ - len(config.pki_master_dict['pki_security_domain_hostname']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_hostname'] =\ - config.pki_master_dict['pki_hostname'] config.pki_master_dict['pki_security_domain_uri'] =\ "https" + "://" +\ config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ @@ -1552,58 +1518,7 @@ class PKIConfigParser: else: # PKI CA config.pki_master_dict['pki_security_domain_type'] = "new" - if not len(config.pki_master_dict['pki_security_domain_name']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_name'] =\ - config.pki_master_dict['pki_dns_domainname'] + " " +\ - "Security Domain" - # Jython scriptlet - # 'Directory Server' Configuration name/value pairs - # - # Apache - [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ds_password'] - # config.pki_master_dict['pki_clone_replication_security'] - # config.pki_master_dict['pki_ds_bind_dn'] - # config.pki_master_dict['pki_ds_ldap_port'] - # config.pki_master_dict['pki_ds_ldaps_port'] - # config.pki_master_dict['pki_ds_remove_data'] - # config.pki_master_dict['pki_ds_secure_connection'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ds_base_dn'] - # config.pki_master_dict['pki_ds_database'] - # config.pki_master_dict['pki_ds_hostname'] - # - if not config.str2bool(config.pki_master_dict['pki_clone']): - if not len(config.pki_master_dict['pki_ds_base_dn']): - # if the instance is NOT a clone, create a default BASE DN - # of "o=${pki_instance_id}"; the reason that this default - # CANNOT be created if the instance is a clone is due to the - # fact that a master and clone MUST share the same BASE DN, - # and creating this default would prevent the ability to - # place a master and clone on the same machine (the method - # most often used for testing purposes) - config.pki_master_dict['pki_ds_base_dn'] =\ - "o=" + config.pki_master_dict['pki_instance_id'] +\ - "-" + config.pki_subsystem - if not len(config.pki_master_dict['pki_ds_database']): - config.pki_master_dict['pki_ds_database'] =\ - config.pki_master_dict['pki_instance_id'] +\ - "-" + config.pki_subsystem - if not len(config.pki_master_dict['pki_ds_hostname']): - # Guess that the Directory Server resides on the local host - config.pki_master_dict['pki_ds_hostname'] =\ - config.pki_master_dict['pki_hostname'] + # Jython scriptlet # 'External CA' Configuration name/value pairs # @@ -1639,566 +1554,23 @@ class PKIConfigParser: config.pki_master_dict['pki_database_path'] + "/" +\ config.pki_master_dict['pki_subsystem'].lower() + "_" +\ "backup" + "_" + "keys" + "." + "p12" - # Jython scriptlet - # 'Admin Certificate' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_admin_password'] - # config.pki_master_dict['pki_admin_cert_request_type'] - # config.pki_master_dict['pki_admin_dualkey'] - # config.pki_master_dict['pki_admin_keysize'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_admin_name'] - # config.pki_master_dict['pki_admin_uid'] - # config.pki_master_dict['pki_admin_email'] - # config.pki_master_dict['pki_admin_nickname'] - # config.pki_master_dict['pki_admin_subject_dn'] - # + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" - if not len(config.pki_master_dict['pki_admin_uid']): - config.pki_master_dict['pki_admin_uid'] =\ - config.pki_subsystem.lower() + "admin" - if not len (config.pki_master_dict['pki_admin_name']): - config.pki_master_dict['pki_admin_name'] =\ - config.pki_master_dict['pki_admin_uid'] - if not len(config.pki_master_dict['pki_admin_email']): - config.pki_master_dict['pki_admin_email'] =\ - config.pki_master_dict['pki_admin_name'] + "@" +\ - config.pki_master_dict['pki_dns_domainname'] - if not len(config.pki_master_dict['pki_admin_nickname']): - config.pki_master_dict['pki_admin_nickname'] =\ - "PKI Administrator for " +\ - config.pki_master_dict['pki_dns_domainname'] if not 'pki_import_admin_cert' in config.pki_master_dict: config.pki_master_dict['pki_import_admin_cert'] = 'false' - if not len(config.pki_master_dict['pki_admin_subject_dn']): - config.pki_master_dict['pki_admin_subject_dn'] =\ - "cn=PKI Administrator" +\ - ",e=" + config.pki_master_dict['pki_admin_email'] +\ - ",o=" + config.pki_master_dict['pki_security_domain_name'] - - # Jython scriptlet - # 'CA Signing Certificate' Configuration name/value pairs - # - # Tomcat - [CA] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_ca_signing_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ca_signing_key_algorithm'] - # config.pki_master_dict['pki_ca_signing_key_size'] - # config.pki_master_dict['pki_ca_signing_key_type'] - # config.pki_master_dict['pki_ca_signing_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ca_signing_nickname'] - # config.pki_master_dict['pki_ca_signing_subject_dn'] - # config.pki_master_dict['pki_ca_signing_token'] - # - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if config.pki_master_dict['pki_subsystem'] == "CA": - # config.pki_master_dict['pki_ca_signing_nickname'] - if not len(config.pki_master_dict\ - ['pki_ca_signing_nickname']): - config.pki_master_dict['pki_ca_signing_nickname'] =\ - "caSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - # config.pki_master_dict['pki_ca_signing_subject_dn'] - if config.str2bool(config.pki_master_dict['pki_external']): - # External CA - if not len(config.pki_master_dict\ - ['pki_ca_signing_subject_dn']): - config.pki_master_dict['pki_ca_signing_subject_dn']\ - = "cn=" + "External CA Signing Certificate" - elif config.str2bool( - config.pki_master_dict['pki_subordinate']): - # Subordinate CA - if not len(config.pki_master_dict\ - ['pki_ca_signing_subject_dn']): - config.pki_master_dict['pki_ca_signing_subject_dn']\ - = "cn=" + "SubCA Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - else: - # PKI CA - if not len(config.pki_master_dict\ - ['pki_ca_signing_subject_dn']): - config.pki_master_dict['pki_ca_signing_subject_dn']\ - = "cn=" + "CA Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - # config.pki_master_dict['pki_ca_signing_tag'] - config.pki_master_dict['pki_ca_signing_tag'] =\ - "signing" - # config.pki_master_dict['pki_ca_signing_token'] - if not len(config.pki_master_dict['pki_ca_signing_token']): - config.pki_master_dict['pki_ca_signing_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'OCSP Signing Certificate' Configuration name/value pairs - # - # Tomcat - [CA], [OCSP] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_ocsp_signing_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ocsp_signing_key_algorithm'] - # config.pki_master_dict['pki_ocsp_signing_key_size'] - # config.pki_master_dict['pki_ocsp_signing_key_type'] - # config.pki_master_dict['pki_ocsp_signing_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ocsp_signing_nickname'] - # config.pki_master_dict['pki_ocsp_signing_subject_dn'] - # config.pki_master_dict['pki_ocsp_signing_token'] - # - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if config.pki_master_dict['pki_subsystem'] == "CA": - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_nickname']): - config.pki_master_dict['pki_ocsp_signing_nickname'] =\ - "ocspSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if config.str2bool(config.pki_master_dict['pki_external']): - # External CA - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn']): - config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn'] =\ - "cn=" + "External CA OCSP Signing Certificate" - elif config.str2bool( - config.pki_master_dict['pki_subordinate']): - # Subordinate CA - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn']): - config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn'] =\ - "cn=" + "SubCA OCSP Signing Certificate"\ - + "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - else: - # PKI CA - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn']): - config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn'] =\ - "cn=" + "CA OCSP Signing Certificate"\ - + "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - config.pki_master_dict['pki_ocsp_signing_tag'] =\ - "ocsp_signing" - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_token']): - config.pki_master_dict['pki_ocsp_signing_token'] =\ - "Internal Key Storage Token" - elif config.pki_master_dict['pki_subsystem'] == "OCSP": - # PKI OCSP - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_nickname']): - config.pki_master_dict['pki_ocsp_signing_nickname'] =\ - "ocspSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_subject_dn']): - config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\ - "cn=" + "OCSP Signing Certificate" + "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_ocsp_signing_tag'] =\ - "signing" - if not len(config.pki_master_dict\ - ['pki_ocsp_signing_token']): - config.pki_master_dict['pki_ocsp_signing_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'SSL Server Certificate' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_ssl_server_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ssl_server_key_algorithm'] - # config.pki_master_dict['pki_ssl_server_key_size'] - # config.pki_master_dict['pki_ssl_server_key_type'] - # config.pki_master_dict['pki_ssl_server_nickname'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ssl_server_subject_dn'] - # config.pki_master_dict['pki_ssl_server_token'] - # - if not len(config.pki_master_dict['pki_ssl_server_nickname']): - config.pki_master_dict['pki_ssl_server_nickname'] =\ - "Server-Cert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] - if not len(config.pki_master_dict['pki_ssl_server_subject_dn']): - if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['pki_ssl_server_subject_dn'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] +\ - "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if config.pki_master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(config.pki_master_dict['pki_external']): - # External CA - config.pki_master_dict['pki_ssl_server_subject_dn'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] +\ - "," + "o=" + "External CA" - else: - # PKI or Cloned CA, KRA, OCSP, TKS, or Subordinate CA - config.pki_master_dict['pki_ssl_server_subject_dn'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ca_signing_tag'] = "signing" + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + config.pki_master_dict['pki_ocsp_signing_tag'] = "signing" config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" - if not len(config.pki_master_dict['pki_ssl_server_token']): - config.pki_master_dict['pki_ssl_server_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'Subsystem Certificate' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_subsystem_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_subsystem_key_algorithm'] - # config.pki_master_dict['pki_subsystem_key_size'] - # config.pki_master_dict['pki_subsystem_key_type'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_subsystem_nickname'] - # config.pki_master_dict['pki_subsystem_subject_dn'] - # config.pki_master_dict['pki_subsystem_token'] - # - if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - if not len(config.pki_master_dict['pki_subsystem_nickname']): - config.pki_master_dict['pki_subsystem_nickname'] =\ - "subsystemCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict['pki_subsystem_subject_dn']): - if config.pki_master_dict['pki_subsystem'] == "RA": - # PKI RA - config.pki_master_dict['pki_subsystem_subject_dn'] =\ - "cn=" + "RA Subsystem Certificate" +\ - "," + "ou=" + config.pki_master_dict['pki_instance_id']\ - + "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "TPS": - # PKI TPS - config.pki_master_dict['pki_subsystem_subject_dn'] =\ - "cn=" + "TPS Subsystem Certificate" +\ - "," + "ou=" + config.pki_master_dict['pki_instance_id']\ - + "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_subsystem_tag'] = "subsystem" - if not len(config.pki_master_dict['pki_subsystem_token']): - config.pki_master_dict['pki_subsystem_token'] =\ - "Internal Key Storage Token" - elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if not len(config.pki_master_dict['pki_subsystem_nickname']): - config.pki_master_dict['pki_subsystem_nickname'] =\ - "subsystemCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict['pki_subsystem_subject_dn']): - if config.pki_master_dict['pki_subsystem'] == "CA": - if config.str2bool( - config.pki_master_dict['pki_external']): - # External CA - config.pki_master_dict['pki_subsystem_subject_dn']\ - = "cn=" + "External CA Subsystem Certificate" - elif config.str2bool( - config.pki_master_dict['pki_subordinate']): - # Subordinate CA - config.pki_master_dict['pki_subsystem_subject_dn']\ - = "cn=" + "SubCA Subsystem Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - else: - # PKI CA - config.pki_master_dict['pki_subsystem_subject_dn']\ - = "cn=" + "CA Subsystem Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "KRA": - # PKI KRA - config.pki_master_dict['pki_subsystem_subject_dn'] =\ - "cn=" + "DRM Subsystem Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "OCSP": - # PKI OCSP - config.pki_master_dict['pki_subsystem_subject_dn'] =\ - "cn=" + "OCSP Subsystem Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "TKS": - # PKI TKS - config.pki_master_dict['pki_subsystem_subject_dn'] =\ - "cn=" + "TKS Subsystem Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - config.pki_master_dict['pki_subsystem_tag'] = "subsystem" - if not len(config.pki_master_dict['pki_subsystem_token']): - config.pki_master_dict['pki_subsystem_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'Audit Signing Certificate' Configuration name/value pairs - # - # Apache - [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_audit_signing_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_audit_signing_key_algorithm'] - # config.pki_master_dict['pki_audit_signing_key_size'] - # config.pki_master_dict['pki_audit_signing_key_type'] - # config.pki_master_dict['pki_audit_signing_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_audit_signing_nickname'] - # config.pki_master_dict['pki_audit_signing_subject_dn'] - # config.pki_master_dict['pki_audit_signing_token'] - # - if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - if config.pki_master_dict['pki_subsystem'] != "RA": - if not len(config.pki_master_dict\ - ['pki_audit_signing_nickname']): - config.pki_master_dict['pki_audit_signing_nickname'] =\ - "auditSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] +" " +\ - config.pki_subsystem - if not len(config.pki_master_dict\ - ['pki_audit_signing_subject_dn']): - config.pki_master_dict['pki_audit_signing_subject_dn'] =\ - "cn=" + "TPS Audit Signing Certificate" +\ - "," + "ou=" + config.pki_master_dict['pki_instance_id']\ - + "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_audit_signing_tag'] =\ - "audit_signing" - if not len(config.pki_master_dict['pki_audit_signing_token']): - config.pki_master_dict['pki_audit_signing_token'] =\ - "Internal Key Storage Token" - elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if not len(config.pki_master_dict\ - ['pki_audit_signing_nickname']): - config.pki_master_dict['pki_audit_signing_nickname'] =\ - "auditSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict\ - ['pki_audit_signing_subject_dn']): - if config.pki_master_dict['pki_subsystem'] == "CA": - if config.str2bool( - config.pki_master_dict['pki_external']): - # External CA - config.pki_master_dict\ - ['pki_audit_signing_subject_dn'] =\ - "cn=" + "External CA Audit Signing Certificate" - elif config.str2bool( - config.pki_master_dict['pki_subordinate']): - # Subordinate CA - config.pki_master_dict\ - ['pki_audit_signing_subject_dn'] =\ - "cn=" + "SubCA Audit Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - else: - # PKI CA - config.pki_master_dict\ - ['pki_audit_signing_subject_dn'] =\ - "cn=" + "CA Audit Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict\ - ['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "KRA": - # PKI KRA - config.pki_master_dict['pki_audit_signing_subject_dn']\ - = "cn=" + "DRM Audit Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "OCSP": - # PKI OCSP - config.pki_master_dict['pki_audit_signing_subject_dn']\ - = "cn=" + "OCSP Audit Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - elif config.pki_master_dict['pki_subsystem'] == "TKS": - # PKI TKS - config.pki_master_dict['pki_audit_signing_subject_dn']\ - = "cn=" + "TKS Audit Signing Certificate" +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_audit_signing_tag'] =\ - "audit_signing" - if not len(config.pki_master_dict['pki_audit_signing_token']): - config.pki_master_dict['pki_audit_signing_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'DRM Transport Certificate' Configuration name/value pairs - # - # Tomcat - [KRA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_transport_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_transport_key_algorithm'] - # config.pki_master_dict['pki_transport_key_size'] - # config.pki_master_dict['pki_transport_key_type'] - # config.pki_master_dict['pki_transport_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_transport_nickname'] - # config.pki_master_dict['pki_transport_subject_dn'] - # config.pki_master_dict['pki_transport_token'] - # - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if config.pki_master_dict['pki_subsystem'] == "KRA": - # PKI KRA - if not len(config.pki_master_dict\ - ['pki_transport_nickname']): - config.pki_master_dict['pki_transport_nickname'] =\ - "transportCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict\ - ['pki_transport_subject_dn']): - config.pki_master_dict['pki_transport_subject_dn']\ - = "cn=" + "DRM Transport Certificate" +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_transport_tag'] =\ - "transport" - if not len(config.pki_master_dict['pki_transport_token']): - config.pki_master_dict['pki_transport_token'] =\ - "Internal Key Storage Token" - # Jython scriptlet - # 'DRM Storage Certificate' Configuration name/value pairs - # - # Tomcat - [KRA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_storage_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_storage_key_algorithm'] - # config.pki_master_dict['pki_storage_key_size'] - # config.pki_master_dict['pki_storage_key_type'] - # config.pki_master_dict['pki_storage_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_storage_nickname'] - # config.pki_master_dict['pki_storage_subject_dn'] - # config.pki_master_dict['pki_storage_token'] - # - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if config.pki_master_dict['pki_subsystem'] == "KRA": - # PKI KRA - if not len(config.pki_master_dict['pki_storage_nickname']): - config.pki_master_dict['pki_storage_nickname'] =\ - "storageCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - if not len(config.pki_master_dict\ - ['pki_storage_subject_dn']): - config.pki_master_dict['pki_storage_subject_dn']\ - = "cn=" + "DRM Storage Certificate" +\ - "," + "o=" +\ - config.pki_master_dict['pki_security_domain_name'] - config.pki_master_dict['pki_storage_tag'] =\ - "storage" - if not len(config.pki_master_dict['pki_storage_token']): - config.pki_master_dict['pki_storage_token'] =\ - "Internal Key Storage Token" + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing" + config.pki_master_dict['pki_transport_tag'] = "transport" + config.pki_master_dict['pki_storage_tag'] = "storage" + # Finalization name/value pairs config.pki_master_dict['pki_deployment_cfg_replica'] =\ os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], |