Diffstat (limited to 'base/server')
4 files changed, 134 insertions, 0 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index d8ca7fe1f..88f9f780c 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -551,6 +551,7 @@ pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_enable_server_side_keygen=False
+pki_import_shared_secret=False
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 9257cbfb8..ce800471b 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
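Review bot: `pki_import_shared_secret=False` is added to the defaults with no comment saying what importing the shared secret means (presumably the TPS–TKS shared secret, given the rest of this commit) or when a deployer should set it to True. A one-line comment above the key, e.g. `# Set to True to import the shared secret during configuration; forwarded to the server as importSharedSecret`, would make the switch discoverable. Within this commit the key is otherwise only copied through ConfigClient, so the config file is the one place its meaning can be documented for operators.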
@@ -2721,6 +2721,129 @@ class KRAConnector: # and this will raise an exception subprocess.check_output(command,stderr=subprocess.STDOUT) +class TPSConnector: + """PKI Deployment TPS Connector Class""" + + def __init__(self, deployer): + self.master_dict = deployer.master_dict + self.password = deployer.password + + def deregister(self, critical_failure=False): + try: + # this is applicable to TPSs only + if self.master_dict['pki_subsystem_type'] != "tps": + return + + config.pki_log.info( + log.PKIHELPER_TPSCONNECTOR_UPDATE_CONTACT, + extra=config.PKI_INDENTATION_LEVEL_2) + + cs_cfg = PKIConfigParser.read_simple_configuration_file( + self.master_dict['pki_target_cs_cfg']) + tpshost = cs_cfg.get('service.machineName') + tpsport = cs_cfg.get('pkicreate.secure_port') + tkshostport = cs_cfg.get('conn.tks1.hostport') + if tkshostport is None: + config.pki_log.warning( + log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_TKS_HOST_PORT, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + raise Exception(log.PKIHELPER_UNDEFINED_TKS_HOST_PORT) + else: + return + + #retrieve tks host and port + if ':' in tkshostport: + tkshost = tkshostport.split(':')[0] + tksport = tkshostport.split(':')[1] + else: + tkshost = tkshostport + tksport = '443' + + # retrieve subsystem nickname + subsystemnick = cs_cfg.get('tps.cert.subsystem.nickname') + if subsystemnick is None: + config.pki_log.warning( + log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + raise Exception(log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME) + else: + return + + # retrieve name of token based upon type (hardware/software) + if ':' in subsystemnick: + token_name = subsystemnick.split(':')[0] + else: + token_name = "internal" + + token_pwd = 
self.password.get_password( + self.master_dict['pki_shared_password_conf'], + token_name, + critical_failure) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( + log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1, + token_name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + raise Exception(log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 % token_name) + else: + return + + self.execute_using_pki(tkshost, tksport, subsystemnick, + token_pwd, tpshost, tpsport) + + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE_2, + str(tkshost), + str(tksport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + raise + return + + def execute_using_pki(self, tkshost, tksport, subsystemnick, + token_pwd, tpshost, tpsport, critical_failure=False): + command = ["/bin/pki", + "-p", str(tksport), + "-h", tkshost, + "-n", subsystemnick, + "-P", "https", + "-d", self.master_dict['pki_database_path'], + "-c", token_pwd, + "-t", "tks", + "tks-tpsconnector-del", tpshost, str(tpsport)] + + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=False) + + error = re.findall("ClientResponseFailure:(.*?)", output) + if error: + config.pki_log.warning( + log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE_2, + str(tpshost), + str(tpsport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + raise Exception(log.PKI_SUBPROCESS_ERROR_1 % output) + class SecurityDomain: """PKI Deployment Security Domain Class""" 
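Review bot: `execute_using_pki` hands the token password to the pki client on the command line (`"-c", token_pwd`), so it is readable by any local user via `ps` or `/proc/<pid>/cmdline` while the process runs, and the `except subprocess.CalledProcessError` branch then logs `exc`, whose `str()` includes the full argv, so the password can also end up in the deployment log. If the `pki` client accepts a password file or stdin prompt, prefer that; otherwise at least log `exc.output` rather than `exc` and add a comment flagging the exposure. `deregister` also calls `self.execute_using_pki(tkshost, tksport, subsystemnick, token_pwd, tpshost, tpsport)` without forwarding `critical_failure`, so the `ClientResponseFailure` path never raises even when the caller asked for failures to be fatal — pass `critical_failure` through. The pattern `"ClientResponseFailure:(.*?)"` captures only the empty string because nothing follows the lazy group; `"ClientResponseFailure:"` expresses the same check more honestly. Unlike `tkshostport`, `tpshost` and `tpsport` read from `cs_cfg.get(...)` are never checked for `None` before being placed in the command.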
@@ -3498,6 +3621,7 @@ class ConfigClient: data.authdbPort = self.master_dict['pki_authdb_port'] data.authdbBaseDN = self.master_dict['pki_authdb_basedn'] data.authdbSecureConn = self.master_dict['pki_authdb_secure_conn'] + data.importSharedSecret = self.master_dict['pki_import_shared_secret'] def create_system_cert(self, tag): cert = pki.system.SystemCertData() @@ -3549,6 +3673,7 @@ class PKIDeployer: self.kra_connector = KRAConnector(self) self.security_domain = SecurityDomain(self) self.systemd = Systemd(self) + self.tps_connector = TPSConnector(self) self.config_client = ConfigClient(self) diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py index a3be42e97..339ee149e 100644 --- a/base/server/python/pki/server/deployment/pkimessages.py +++ b/base/server/python/pki/server/deployment/pkimessages.py @@ -272,6 +272,10 @@ PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ PKIHELPER_TOMCAT_INSTANCES_2 = "PKI Tomcat registry '%s' contains '%d' "\ "Tomcat PKI instances" PKIHELPER_TOUCH_1 = "touch %s" +PKIHELPER_TPSCONNECTOR_UPDATE_CONTACT = \ + "contacting the TKS to update the TPS connector" +PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE = "Failed to update TPS connector on TKS" +PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE_2 = "Failed to update TPS connector for %s:%s" PKIHELPER_UID_2 = "UID of '%s' is %s" PKIHELPER_UNDEFINED_CA_HOST_PORT = "CA Host or Port is undefined" PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 = \ 
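Review bot: `data.importSharedSecret = self.master_dict['pki_import_shared_secret']` forwards the deployment value verbatim, and the default.cfg line in this commit (`pki_import_shared_secret=False`) suggests master_dict holds the plain string `"False"` rather than a boolean; that is consistent with the neighbouring `authdbSecureConn` assignment, but it is worth confirming the receiving side parses the string rather than testing it for truthiness, where `"False"` would be true. A short comment such as `# string "True"/"False" as in default.cfg; parsed server-side` on the new line would record the expectation.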
@@ -280,6 +284,7 @@ PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 = \ PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 = \ "A value for '%s' MUST be defined in '%s'" PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME = "subsystem nickname not defined" +PKIHELPER_UNDEFINED_TKS_HOST_PORT = "TKS Host or Port is undefined" PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 = "Password for token '%s' not defined" PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py index 54349fc01..ecfb4d195 100644 --- a/base/server/python/pki/server/deployment/scriptlets/initialization.py +++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py @@ -99,6 +99,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove kra connector from CA if this is a KRA deployer.kra_connector.deregister() + # remove tps connector from TKS if this is a TPS + deployer.tps_connector.deregister() + # de-register instance from its Security Domain # # NOTE: Since the security domain of an instance must be up |
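Review bot: `deployer.tps_connector.deregister()` is called with the default `critical_failure=False`, so per the `TPSConnector.deregister` added in this commit any missing config value or pki client failure is logged and swallowed, leaving a stale TPS connector entry on the TKS after the instance is destroyed. That mirrors the `kra_connector.deregister()` call just above it, so it looks intentional, but the best-effort nature deserves a comment at the call site, e.g. `# best-effort: failures are logged, not fatal, so a stale connector may remain on the TKS`. The enclosing scriptlet method starts and ends outside this hunk.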