Diffstat (limited to 'base/server/python/pki/server/deployment/pkihelper.py')
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index e8591398d..ab6562ba0 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -619,10 +619,17 @@ class ConfigurationFile:
 self.confirm_data_exists("pki_client_database_password")
 # Verify existence of Client PKCS #12 Password for Admin Cert
 self.confirm_data_exists("pki_client_pkcs12_password")
+
 if self.clone:
+
 # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
 if not config.str2bool(self.mdict['pki_hsm_enable']):
- self.confirm_data_exists("pki_clone_pkcs12_password")
+
+ # If system certificates are already provided via pki_server_pkcs12
+ # there's no need to provide pki_clone_pkcs12.
+ if not self.mdict['pki_server_pkcs12_path']:
+ self.confirm_data_exists("pki_clone_pkcs12_password")
+
 # Verify absence of all PKCS #12 clone parameters for HSMs
 elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
 ('pki_clone_pkcs12_password' in self.mdict and
@@ -632,6 +639,7 @@ class ConfigurationFile:
 extra=config.PKI_INDENTATION_LEVEL_2)
 raise Exception(
 log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
+
 # Verify existence of Security Domain Password
 # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
 # Subordinate CA that will be automatically configured and
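Review bot: Any non-empty `pki_server_pkcs12_path` now switches off the clone PKCS #12 checks in the -619 hunk, and nothing visible there or in the matching hunk at -736 verifies that the server PKCS #12 file actually exists, so a mistyped path would pass verification and presumably fail only later during configuration. In the -736 hunk I would give the new test an `else:` branch containing `self.confirm_file_exists("pki_server_pkcs12_path")`, mirroring the check already made for `pki_clone_pkcs12_path`. The same `self.mdict['pki_server_pkcs12_path']` lookup also guards the hunk at -4268; it is a plain index, so it raises KeyError when the key has no default, and that default is not visible on this page. The enclosing method starts and ends outside the hunk.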
@@ -736,11 +744,18 @@ class ConfigurationFile: self.confirm_data_exists("pki_http_port") self.confirm_data_exists("pki_https_port") self.confirm_data_exists("pki_tomcat_server_port") + + # Check clone parameters for non-HSM clone if not config.str2bool(self.mdict['pki_hsm_enable']): - # Check clone parameters for non-HSM clone - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") + + # If system certificates are already provided via pki_server_pkcs12 + # there's no need to provide pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + self.confirm_data_exists("pki_clone_pkcs12_path") + self.confirm_file_exists("pki_clone_pkcs12_path") + self.confirm_data_exists("pki_clone_replication_security") + elif self.external: # External CA if not self.external_step_two: @@ -3996,6 +4011,8 @@ class ConfigClient: # Issuing CA Information self.set_issuing_ca_parameters(data) + data.systemCertsImported = self.mdict['pki_server_pkcs12_path'] != '' + # Create system certs self.set_system_certs(data) @@ -4268,10 +4285,15 @@ class ConfigClient: def set_cloning_parameters(self, data): data.isClone = "true" data.cloneUri = self.mdict['pki_clone_uri'] + + # Set these clone parameters for non-HSM clones only if not config.str2bool(self.mdict['pki_hsm_enable']): - # Set these clone parameters for non-HSM clones only - data.p12File = self.mdict['pki_clone_pkcs12_path'] - data.p12Password = self.mdict['pki_clone_pkcs12_password'] + # If system certificates are already provided via pki_server_pkcs12 + # there's no need to provide pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + data.p12File = self.mdict['pki_clone_pkcs12_path'] + data.p12Password = self.mdict['pki_clone_pkcs12_password'] + if config.str2bool(self.mdict['pki_clone_replicate_schema']): data.replicateSchema = "true" else: |
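Review bot: `systemCertsImported` in the -3996 hunk is computed with `!= ''`, while the other hunks of this commit decide the same question with `not self.mdict['pki_server_pkcs12_path']`; the two disagree for any falsy value other than the empty string, such as None. In that case the verification code would still demand `pki_clone_pkcs12_path` and `set_cloning_parameters` would still send `p12File` and `p12Password`, yet the request would claim the system certificates were already imported. Using the same truthiness test, `data.systemCertsImported = bool(self.mdict['pki_server_pkcs12_path'])`, keeps the three decisions in step. Whether mdict can hold a non-string value here is not visible in the hunk, and the enclosing method starts and ends outside it.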