diff options
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/configuration.py')
| -rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 206 |
1 files changed, 5 insertions, 201 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index d8cf1145a..5a59faf27 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -23,6 +23,7 @@ import json # PKI Deployment Imports from .. import pkiconfig as config +from .. import pkihelper from .. import pkimessages as log from .. import pkiscriptlet @@ -46,214 +47,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - deployer.instance.verify_subsystem_exists() - - instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) - instance.load() - - subsystem = instance.get_subsystem( - deployer.mdict['pki_subsystem'].lower()) - - token = deployer.mdict['pki_token_name'] - nssdb = instance.open_nssdb(token) - - existing = deployer.configuration_file.existing - external = deployer.configuration_file.external - standalone = deployer.configuration_file.standalone - step_one = deployer.configuration_file.external_step_one - step_two = deployer.configuration_file.external_step_two - - try: - if existing or external and step_two: - # existing CA or external CA step 2 - - # If specified, import CA signing CSR into CS.cfg. - signing_csr_path = deployer.mdict['pki_external_csr_path'] - if signing_csr_path: - config.pki_log.info( - "importing CA signing CSR from %s", - signing_csr_path, - extra=config.PKI_INDENTATION_LEVEL_2) - with open(signing_csr_path) as f: - signing_csr = f.read() - signing_csr = pki.nssdb.convert_csr( - signing_csr, 'pem', 'base64') - subsystem.config['ca.signing.certreq'] = signing_csr - - # If specified, import CA signing cert into NSS database. - signing_nickname = deployer.mdict['pki_ca_signing_nickname'] - signing_cert_file = deployer.mdict['pki_external_ca_cert_path'] - if signing_cert_file: - config.pki_log.info( - "importing %s from %s", - signing_nickname, signing_cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - nssdb.add_cert( - nickname=signing_nickname, - cert_file=signing_cert_file, - trust_attributes='CT,C,C') - - # If specified, import certs and keys from PKCS #12 file - # into NSS database. - pkcs12_file = deployer.mdict['pki_external_pkcs12_path'] - if pkcs12_file: - config.pki_log.info( - "importing certificates and keys from %s", pkcs12_file, - extra=config.PKI_INDENTATION_LEVEL_2) - pkcs12_password = deployer.mdict[ - 'pki_external_pkcs12_password'] - nssdb.import_pkcs12(pkcs12_file, pkcs12_password) - - # If specified, import cert chain into NSS database. - # Note: Cert chain must be imported after the system certs - # to ensure that the system certs are imported with - # the correct nicknames. - external_ca_cert_chain_nickname = \ - deployer.mdict['pki_external_ca_cert_chain_nickname'] - external_ca_cert_chain_file = deployer.mdict[ - 'pki_external_ca_cert_chain_path'] - if external_ca_cert_chain_file: - config.pki_log.info( - "importing certificate chain %s from %s", - external_ca_cert_chain_nickname, - external_ca_cert_chain_file, - extra=config.PKI_INDENTATION_LEVEL_2) - cert_chain, _nicks = nssdb.import_cert_chain( - nickname=external_ca_cert_chain_nickname, - cert_chain_file=external_ca_cert_chain_file, - trust_attributes='CT,C,C') - subsystem.config['ca.external_ca_chain.cert'] = cert_chain - - # Export CA signing cert from NSS database and import - # it into CS.cfg. - signing_cert_data = nssdb.get_cert( - nickname=signing_nickname, - output_format='base64') - subsystem.config['ca.signing.nickname'] = signing_nickname - subsystem.config['ca.signing.tokenname'] = ( - deployer.mdict['pki_ca_signing_token']) - subsystem.config['ca.signing.cert'] = signing_cert_data - subsystem.config['ca.signing.cacertnickname'] = signing_nickname - subsystem.config['ca.signing.defaultSigningAlgorithm'] = ( - deployer.mdict['pki_ca_signing_signing_algorithm']) - - subsystem.save() - - elif standalone and step_two: - - # To be implemented in ticket #1692. - # Import standalone system certificates into NSS database. - - pass - - else: # self-signed CA - - # To be implemented in ticket #1692. - # Generate self-signed CA cert. - # Import self-signed CA cert into NSS database. - - pass - - finally: - nssdb.close() - - if external and step_one: - return - - if len(deployer.instance.tomcat_instance_subsystems()) < 2: - - deployer.password.create_password_conf( - deployer.mdict['pki_shared_pfile'], - deployer.mdict['pki_pin'], pin_sans_token=True) - - # only create a self signed cert for a new instance - # - # NOTE: ALWAYS create the temporary sslserver certificate - # in the software DB regardless of whether the - # instance will utilize 'softokn' or an HSM - # - rv = deployer.certutil.verify_certificate_exists( - deployer.mdict['pki_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], - deployer.mdict['pki_self_signed_token'], - deployer.mdict['pki_self_signed_nickname'], - password_file=deployer.mdict['pki_shared_pfile']) - - if not rv: - - # note: in the function below, certutil is used to generate - # the request for the self signed cert. The keys are generated - # by NSS, which does not actually use the data in the noise - # file, so it does not matter what is in this file. Certutil - # still requires it though, otherwise it waits for keyboard - # input - with open( - deployer.mdict['pki_self_signed_noise_file'], 'w') as f: - f.write("not_so_random_data") - - deployer.certutil.generate_self_signed_certificate( - deployer.mdict['pki_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], - deployer.mdict['pki_self_signed_token'], - deployer.mdict['pki_self_signed_nickname'], - deployer.mdict['pki_self_signed_subject'], - deployer.mdict['pki_self_signed_serial_number'], - deployer.mdict['pki_self_signed_validity_period'], - deployer.mdict['pki_self_signed_issuer_name'], - deployer.mdict['pki_self_signed_trustargs'], - deployer.mdict['pki_self_signed_noise_file'], - password_file=deployer.mdict['pki_shared_pfile']) - - # Delete the temporary 'noise' file - deployer.file.delete( - deployer.mdict['pki_self_signed_noise_file']) - - # Always delete the temporary 'pfile' - deployer.file.delete(deployer.mdict['pki_shared_pfile']) - - # Start/Restart this Tomcat PKI Process - # Optionally prepare to enable a java debugger - # (e. g. - 'eclipse'): - if config.str2bool(deployer.mdict['pki_enable_java_debugger']): - config.prepare_for_an_external_java_debugger( - deployer.mdict['pki_target_tomcat_conf_instance_id']) - tomcat_instance_subsystems = \ - len(deployer.instance.tomcat_instance_subsystems()) - if tomcat_instance_subsystems == 1: - deployer.systemd.start() - elif tomcat_instance_subsystems > 1: - deployer.systemd.restart() - - # wait for startup - status = deployer.instance.wait_for_startup(60) - if status is None: - config.pki_log.error( - "server failed to restart", - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception("server failed to restart") - - # Optionally wait for debugger to attach (e. g. - 'eclipse'): - if config.str2bool(deployer.mdict['pki_enable_java_debugger']): - config.wait_to_attach_an_external_java_debugger() + config_client = pkihelper.ConfigClient(deployer) + config_client.connect() # Construct PKI Subsystem Configuration Data - data = None - if deployer.mdict['pki_instance_type'] == "Tomcat": - # CA, KRA, OCSP, TKS, or TPS - data = deployer.config_client.construct_pki_configuration_data() + data = config_client.construct_pki_configuration_data() # Configure the subsystem - deployer.config_client.configure_pki_data( + config_client.configure_pki_data( json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) def destroy(self, deployer): config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if len(deployer.instance.tomcat_instance_subsystems()) == 1: - if deployer.directory.exists(deployer.mdict['pki_client_dir']): - deployer.directory.delete(deployer.mdict['pki_client_dir']) |