Diffstat (limited to 'base')
-rw-r--r--base/common/shared/conf/catalina.properties4
-rw-r--r--base/common/shared/conf/server.xml1
-rw-r--r--base/deploy/config/pkideployment.cfg95
-rwxr-xr-xbase/deploy/src/pkidestroy26
-rwxr-xr-xbase/deploy/src/pkispawn28
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py16
-rw-r--r--base/deploy/src/scriptlets/initialization.py3
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py4
-rw-r--r--base/deploy/src/scriptlets/pkijython.py23
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py10
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py94
11 files changed, 161 insertions, 143 deletions
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
index c44758699..003089a43 100644
--- a/base/common/shared/conf/catalina.properties
+++ b/base/common/shared/conf/catalina.properties
@@ -51,10 +51,6 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar
-#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar
-#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar
-#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar
#
# List of comma-separated paths defining the contents of the "server"
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index 46ee15b0b..375764294 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
@@ -126,7 +126,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
[PKI_SECURE_PORT_SERVER_COMMENT]
<!-- DO NOT REMOVE - Begin define PKI secure port
- 1
NOTE: The following 'keys' (and their assigned values) are exclusive to
the 'tomcatjss' JSSE module:
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index a4513d712..fb04c85fa 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -15,85 +15,60 @@ pki_ds_password=
pki_pkcs12_password=
pki_security_domain_password=
###############################################################################
-## 'Mandatory' Data: ##
-## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required information which MUST ALWAYS be provided by users. ##
-###############################################################################
-[Mandatory]
-###############################################################################
-## 'Optional' Data: ##
+## 'Common' Data: ##
## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required information which MAY OPTIONALLY be provided by users. ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
## ##
## NOTE: Default values will be generated for any and all required ##
-## 'optional' data values which are left undefined. ##
-###############################################################################
-[Optional]
-pki_admin_domain_name=
-pki_admin_email=
-pki_admin_nickname=
-pki_admin_subject_dn=
-pki_audit_signing_nickname=
-pki_audit_signing_subject_dn=
-pki_audit_signing_token=
-pki_backup_file=
-pki_ca_signing_nickname=
-pki_ca_signing_subject_dn=
-pki_ca_signing_token=
-pki_ds_base_dn=
-pki_ds_database=
-pki_ds_hostname=
-pki_ocsp_signing_nickname=
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_security_domain_hostname=
-pki_security_domain_name=
-pki_ssl_server_nickname=
-pki_ssl_server_subject_dn=
-pki_ssl_server_token=
-pki_storage_nickname=
-pki_storage_subject_dn=
-pki_storage_token=
-pki_subsystem_nickname=
-pki_subsystem_subject_dn=
-pki_subsystem_token=
-pki_transport_nickname=
-pki_transport_subject_dn=
-pki_transport_token=
-###############################################################################
-## 'Common' Data: ##
-## ##
-## Values in this section are common to ALL PKI subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
+## 'common' data values which are left undefined. ##
###############################################################################
[Common]
pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
pki_admin_dualkey=False
+pki_admin_email=
pki_admin_keysize=2048
pki_admin_name=admin
+pki_admin_nickname=
+pki_admin_subject_dn=
pki_admin_uid=admin
pki_audit_group=pkiaudit
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_file=
pki_backup_keys=False
+pki_ds_base_dn=
pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
pki_ds_http_port=389
pki_ds_https_port=636
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
+pki_security_domain_hostname=
pki_security_domain_https_port=8443
+pki_security_domain_name=
pki_security_domain_user=admin
pki_ssl_server_key_algorithm=SHA256withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
pki_user=pkiuser
###############################################################################
## 'Apache' Data: ##
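Review bot: The rewritten [Common] header never says where these values end up, yet with the old 'Mandatory'/'Optional' sections folded into it every key here is pretty-printed into the pkispawn/pkidestroy debug log (only the [Sensitive] section is withheld from that dump), so a user who drops a password into one of these fields leaks it to the log. Add two lines to the header block, e.g. `## NOTE: Unlike 'Sensitive' values, the contents of this section ARE ##` and `## written to the pkispawn/pkidestroy debug log; keep secrets above. ##`. The existing sentence about generated defaults should also say which keys actually get defaults, since not every blank key in this section is derived by pkiparser as far as this diff shows.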
@@ -152,14 +127,21 @@ pki_tomcat_server_port=8005
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
pki_external=False
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
pki_subordinate=False
pki_subsystem=CA
+pki_subsystem_name=
pki_war_name=ca.war
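Review bot: `pki_subsystem_name=` is introduced in every subsystem section without any description, and the deployment file is the user's only interface to it; the one hint of what it means is buried in pkiparser, where a blank value becomes `"PKI CA <hostname> <https port>"` (or the Cloned/Subordinate/External CA variant). Add a comment above the key, such as `# name passed to the subsystem configuration (setSubsystemName); defaults to "<CA type> <hostname> <https port>" when left blank`, and the equivalent wording in the KRA/OCSP/TKS sections.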
###############################################################################
## 'KRA' Data: ##
@@ -172,12 +154,19 @@ pki_war_name=ca.war
pki_storage_key_algorithm=SHA256withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
+pki_storage_nickname=
pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
pki_subsystem=KRA
+pki_subsystem_name=
pki_transport_key_algorithm=SHA256withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
+pki_transport_nickname=
pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
pki_war_name=kra.war
###############################################################################
## 'OCSP' Data: ##
@@ -190,8 +179,13 @@ pki_war_name=kra.war
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
pki_subsystem=OCSP
+pki_subsystem_name=
pki_war_name=ocsp.war
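Review bot: `pki_subordinate=False` is newly added to the [OCSP] section, but everywhere this diff consults `pki_subordinate` (pkijython and pkiparser) it does so only on the `pki_subsystem == "CA"` path, so the key looks like a stray copy from the [CA] section. If a subordinate OCSP is a real mode, a one-line comment explaining what it selects is needed; otherwise drop the line so the config does not advertise a setting that has no effect.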
###############################################################################
## 'RA' Data: ##
@@ -201,6 +195,7 @@ pki_war_name=ocsp.war
###############################################################################
[RA]
pki_subsystem=RA
+pki_subsystem_name=
###############################################################################
## 'TKS' Data: ##
## ##
@@ -210,6 +205,7 @@ pki_subsystem=RA
###############################################################################
[TKS]
pki_subsystem=TKS
+pki_subsystem_name=
pki_war_name=tks.war
###############################################################################
## 'TPS' Data: ##
@@ -219,3 +215,4 @@ pki_war_name=tks.war
###############################################################################
[TPS]
pki_subsystem=TPS
+pki_subsystem_name=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 5faa97cee..304b0bd0c 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -83,9 +83,11 @@ def main(argv):
config.pki_dns_domainname = subprocess.check_output("domainname",
shell=True)
config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ if not len(config.pki_dns_domainname):
+ print log.PKI_DNS_DOMAIN_NOT_SET
+ sys.exit(1)
except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_0)
+ print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
# Initialize 'pretty print' for objects
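Review bot: The new empty-string guard does not catch the common failure: on Linux `domainname` prints `(none)` when no NIS/YP domain is configured, so that literal passes the check, lands in `config.pki_dns_domainname`, and per pkiparser is baked into the generated security domain name. Tighten it to `if config.pki_dns_domainname in ("", "(none)"):`. Separately, `domainname` reports the NIS domain rather than the DNS domain the variable name promises; `hostname -d` (or `dnsdomainname`) may be the intended source — worth confirming, and while touching the call, `subprocess.check_output(["domainname"])` drops the needless `shell=True`.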
@@ -97,7 +99,7 @@ def main(argv):
# Enable 'pkidestroy' logging.
if not config.pki_dry_run_flag:
config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
config.pki_log_name = "pki" + "-" +\
config.pki_subsystem.lower() +\
"-" + "destroy" + "." +\
@@ -124,14 +126,6 @@ def main(argv):
sys.exit(1)
else:
# NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -147,7 +141,7 @@ def main(argv):
# Override PKI configuration file values with 'custom' command-line values.
if not config.custom_pki_admin_domain_name is None:
- config.pki_optional_dict['pki_admin_domain_name'] =\
+ config.pki_common_dict['pki_admin_domain_name'] =\
config.custom_pki_admin_domain_name
if not config.custom_pki_instance_name is None:
config.pki_web_server_dict['pki_instance_name'] =\
@@ -162,14 +156,6 @@ def main(argv):
config.pki_web_server_dict['pki_ajp_port'] =\
config.custom_pki_ajp_port
# NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 931b9baf0..6f32d08d0 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -83,9 +83,11 @@ def main(argv):
config.pki_dns_domainname = subprocess.check_output("domainname",
shell=True)
config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ if not len(config.pki_dns_domainname):
+ print log.PKI_DNS_DOMAIN_NOT_SET
+ sys.exit(1)
except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_0)
+ print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
# Generate random 'pin's for use as security database passwords
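Review bot: Same issue as the identical block in pkidestroy: `domainname` prints `(none)` on Linux when no NIS/YP domain is set, so the new length check lets that literal through into `config.pki_dns_domainname` and from there into the derived security domain name in pkiparser. Use `if config.pki_dns_domainname in ("", "(none)"):`, and consider `hostname -d`/`dnsdomainname` as the source since the variable is meant to hold the DNS domain. Keeping the two copies identical suggests this lookup belongs in one shared helper rather than being patched in both scripts.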
@@ -110,7 +112,7 @@ def main(argv):
if not config.pki_update_flag:
if not config.pki_dry_run_flag:
config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
config.pki_log_name = "pki" + "-" +\
config.pki_subsystem.lower() +\
"-" + "spawn" + "." +\
@@ -126,7 +128,7 @@ def main(argv):
else:
if not config.pki_dry_run_flag:
config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
config.pki_log_name = "pki" + "-" +\
config.pki_subsystem.lower() +\
"-" + "respawn" + "." +\
@@ -153,14 +155,6 @@ def main(argv):
sys.exit(1)
else:
# NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -176,7 +170,7 @@ def main(argv):
# Override PKI configuration file values with 'custom' command-line values.
if not config.custom_pki_admin_domain_name is None:
- config.pki_optional_dict['pki_admin_domain_name'] =\
+ config.pki_common_dict['pki_admin_domain_name'] =\
config.custom_pki_admin_domain_name
if not config.custom_pki_instance_name is None:
config.pki_web_server_dict['pki_instance_name'] =\
@@ -191,14 +185,6 @@ def main(argv):
config.pki_web_server_dict['pki_ajp_port'] =\
config.custom_pki_ajp_port
# NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index 471739700..d5ce233c6 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -36,8 +36,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
# establish top-level infrastructure base
util.directory.create(master['pki_path'])
- # establish top-level infrastructure logs
- util.directory.create(master['pki_log_path'])
+ # no need to establish top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # and will already exist
+ # util.directory.create(master['pki_log_path'])
# establish top-level infrastructure configuration
if master['pki_configuration_path'] !=\
config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
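Review bot: The retired `util.directory.create(master['pki_log_path'])` is left in as commented-out code; delete it and keep only the explanatory comment, since version control already preserves the old call. The comment's claim that the directory "will already exist" rests on pkispawn having opened its log file there first, which is an assumption about call order rather than something this scriptlet checks — a cheap `util.directory.exists`-style assertion (or leaving the create in place, if it is idempotent) would make the dependency explicit. Note also that `util.directory.create` presumably set the owner and mode on the log root, which the logging setup in pkispawn does not; confirm the resulting directory has the intended ownership and permissions. The enclosing method continues outside the hunk.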
@@ -70,8 +72,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.instance.pki_subsystem_instances() == 0:
# remove top-level infrastructure base
util.directory.delete(master['pki_path'])
- # remove top-level infrastructure logs
- util.directory.delete(master['pki_log_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
# remove top-level infrastructure configuration
if util.directory.is_empty(master['pki_configuration_path'])\
and master['pki_configuration_path'] !=\
@@ -89,8 +92,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.instance.pki_subsystem_instances() == 1:
# remove top-level infrastructure base
util.directory.delete(master['pki_path'])
- # remove top-level infrastructure logs
- util.directory.delete(master['pki_log_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
# remove top-level infrastructure configuration
if util.directory.is_empty(master['pki_configuration_path'])\
and master['pki_configuration_path'] !=\
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 1ff8522ed..cc516532e 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -46,8 +46,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
- # verify existence of MANDATORY configuration file data
+ # verify existence of SENSITIVE configuration file data
util.configuration_file.verify_sensitive_data()
+ # verify existence of MUTUALLY EXCLUSIVE configuration file data
util.configuration_file.verify_mutually_exclusive_data()
return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 59526e667..fc8ddac90 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -100,9 +100,9 @@ pki_one_time_pin = None
# PKI Deployment "Mandatory" Command-Line Variables
pki_subsystem = None
+pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
# PKI Deployment "Optional" Command-Line Variables
-pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
pki_dry_run_flag = False
pki_root_prefix = None
pki_update_flag = False
@@ -168,8 +168,6 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
pki_sensitive_dict = None
-pki_mandatory_dict = None
-pki_optional_dict = None
pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 7856ba8c1..b55c9ecec 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -299,65 +299,52 @@ class rest_client:
data.setPin(master['pki_one_time_pin'])
data.setToken(ConfigurationData.TOKEN_DEFAULT)
if master['pki_instance_type'] == "Tomcat":
+ data.setSubsystemName(master['pki_subsystem_name'])
if master['pki_subsystem'] == "CA":
if config.str2bool(master['pki_clone']):
# Cloned CA
data.setHierarchy("root")
data.setIsClone("true")
- data.setSubsystemName("Cloned CA Subsystem")
elif config.str2bool(master['pki_external']):
# External CA
data.setHierarchy("join")
data.setIsClone("false")
- data.setSubsystemName("External CA Subsystem")
elif config.str2bool(master['pki_subordinate']):
# Subordinate CA
data.setHierarchy("join")
data.setIsClone("false")
- data.setSubsystemName("Subordinate CA Subsystem")
else:
# PKI CA
data.setHierarchy("root")
data.setIsClone("false")
- data.setSubsystemName("PKI CA Subsystem")
elif master['pki_subsystem'] == "KRA":
if config.str2bool(master['pki_clone']):
# Cloned KRA
data.setIsClone("true")
- data.setSubsystemName("Cloned KRA Subsystem")
else:
# PKI KRA
data.setIsClone("false")
- data.setSubsystemName("PKI KRA Subsystem")
elif master['pki_subsystem'] == "OCSP":
if config.str2bool(master['pki_clone']):
# Cloned OCSP
data.setIsClone("true")
- data.setSubsystemName("Cloned OCSP Subsystem")
else:
# PKI OCSP
data.setIsClone("false")
- data.setSubsystemName("PKI OCSP Subsystem")
elif master['pki_subsystem'] == "TKS":
if config.str2bool(master['pki_clone']):
# Cloned TKS
data.setIsClone("true")
- data.setSubsystemName("Cloned TKS Subsystem")
else:
# PKI TKS
data.setIsClone("false")
- data.setSubsystemName("PKI TKS Subsystem")
# Security Domain Information
+ #
+ # NOTE: External CA's DO NOT require a security domain
if master['pki_instance_type'] == "Tomcat":
if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_external']):
- # External CA
- data.setSecurityDomainType(
- ConfigurationData.NEW_DOMAIN)
- data.setSecurityDomainName(
- master['pki_security_domain_name'])
- elif not config.str2bool(master['pki_clone']) and\
- not config.str2bool(master['pki_subordinate']):
+ if not config.str2bool(master['pki_clone']) and\
+ not config.str2bool(master['pki_subordinate']):
# PKI CA
data.setSecurityDomainType(
ConfigurationData.NEW_DOMAIN)
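Review bot: Dropping the External CA branch from the security-domain block does not exempt external CAs from it: an external CA is neither a clone nor a subordinate, so it now falls into the `not pki_clone and not pki_subordinate` branch and still gets `setSecurityDomainType(NEW_DOMAIN)` plus `setSecurityDomainName(master['pki_security_domain_name'])` — contradicting the NOTE added just above, and with pkiparser no longer deriving `pki_security_domain_name` for the external case the name passed is whatever the config file holds (blank by default). Add `not config.str2bool(master['pki_external']) and` to the condition, or put an explicit `if config.str2bool(master['pki_external']): pass` branch ahead of it with the NOTE attached. The security-domain block, and the method around it, continue past the end of this hunk.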
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 58b09dca3..d1326edb3 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -20,14 +20,6 @@
#
# PKI Deployment Engine Messages
-PKI_DICTIONARY_MANDATORY ="\n"\
-"=====================================================\n"\
-" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
-"====================================================="
-PKI_DICTIONARY_OPTIONAL ="\n"\
-"=====================================================\n"\
-" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
-"====================================================="
PKI_DICTIONARY_COMMON ="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
@@ -80,6 +72,8 @@ PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\
"directory!"
PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\
"missing or is NOT a directory!"
+PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\
+ "to use PKI services!"
PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!"
PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\
"exists BUT it is NOT a "\
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 6c4574add..e824c8ac9 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -261,8 +261,6 @@ def read_pki_configuration_file():
parser.optionxform = str
parser.read(config.pkideployment_cfg)
config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
- config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
- config.pki_optional_dict = dict(parser._sections['Optional'])
config.pki_common_dict = dict(parser._sections['Common'])
if config.pki_subsystem == "CA":
config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -284,8 +282,6 @@ def read_pki_configuration_file():
config.pki_subsystem_dict = dict(parser._sections['TPS'])
# Insert empty record into dictionaries for "pretty print" statements
# NEVER print "sensitive" key value pairs!!!
- config.pki_mandatory_dict[0] = None
- config.pki_optional_dict[0] = None
config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
@@ -316,8 +312,6 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
# Configuration file name/value pairs
# NEVER add "sensitive" key value pairs to the master dictionary!!!
- config.pki_master_dict.update(config.pki_mandatory_dict)
- config.pki_master_dict.update(config.pki_optional_dict)
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
@@ -1435,6 +1429,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
# Jython scriptlet
# 'Security Domain' Configuration name/value pairs
+ # 'Subsystem Name' Configuration name/value pairs
#
# Apache - [RA], [TPS]
# Tomcat - [CA], [KRA], [OCSP], [TKS]
@@ -1459,16 +1454,19 @@ def compose_pki_master_dictionary():
#
# config.pki_master_dict['pki_security_domain_hostname']
# config.pki_master_dict['pki_security_domain_name']
+ # config.pki_master_dict['pki_subsystem_name']
#
if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
if config.pki_subsystem == "CA":
if config.str2bool(config.pki_master_dict['pki_external']):
# External CA
- config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- config.pki_master_dict['pki_security_domain_name'] =\
- "External CA Security Domain"
+ #
+ # NOTE: External CA's DO NOT require a security domain
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "External CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
elif not config.str2bool(config.pki_master_dict['pki_clone'])\
and not\
config.str2bool(config.pki_master_dict['pki_subordinate']):
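Review bot: The external-CA branch no longer assigns `pki_security_domain_type` at all, whereas every sibling branch in this function (new-domain CA, cloned/subordinate CA, and the KRA/OCSP/TKS path) sets it; any later code that indexes `config.pki_master_dict['pki_security_domain_type']` unconditionally — not visible in this hunk — will now raise KeyError for an external CA. Either set it explicitly in this branch to a value the consumers understand, or make the readers use `.get()`, and say in the NOTE which was chosen. compose_pki_master_dictionary starts and ends outside this hunk.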
@@ -1479,6 +1477,11 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_security_domain_name'] =\
config.pki_master_dict['pki_dns_domainname'] +\
" " + "Security Domain"
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
else:
# PKI Cloned or Subordinate CA
config.pki_master_dict['pki_security_domain_type'] =\
@@ -1492,8 +1495,24 @@ def compose_pki_master_dictionary():
"https" + "://" +\
config.pki_master_dict['pki_security_domain_hostname']\
+ ":" + config.pki_security_domain_https_port
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned CA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # Subordinate CA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Subordinate CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
else:
- # PKI KRA, OCSP, or TKS
+ # PKI or Cloned KRA, OCSP, or TKS
config.pki_master_dict['pki_security_domain_type'] = "existing"
if not len(config.pki_master_dict\
['pki_security_domain_hostname']):
@@ -1505,6 +1524,57 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_security_domain_hostname'] +\
":" +\
config.pki_master_dict['pki_security_domain_https_port']
+ if config.pki_subsystem == "KRA":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned KRA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned KRA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI KRA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI KRA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ elif config.pki_subsystem == "OCSP":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned OCSP
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned OCSP" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI OCSP
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI OCSP" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ elif config.pki_subsystem == "TKS":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned TKS
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned TKS" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI TKS
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI TKS" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
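Review bot: The same five-line "default the subsystem name" pattern is repeated six times in this hunk for KRA, OCSP and TKS (and four more times in the CA hunks above), differing only in the prefix string, which makes the per-subsystem `elif` ladder the hard part to read and the easiest place for a typo to hide. Factor it into a small helper that takes the prefix, and collapse the three identical branches into one keyed on `config.pki_subsystem`, as sketched below; the helper belongs at module level beside the other helpers in this file. compose_pki_master_dictionary starts and ends outside this hunk.
```python
def _default_subsystem_name(prefix):
    # Fill in 'pki_subsystem_name' as "<prefix> <hostname> <https port>"
    # only when the deployment file left it blank.
    if not len(config.pki_master_dict['pki_subsystem_name']):
        config.pki_master_dict['pki_subsystem_name'] =\
            prefix + " " +\
            config.pki_master_dict['pki_hostname'] + " " +\
            config.pki_master_dict['pki_https_port']

                # … inside compose_pki_master_dictionary(), replacing the KRA/OCSP/TKS ladder …
                if config.pki_subsystem in ("KRA", "OCSP", "TKS"):
                    if config.str2bool(config.pki_master_dict['pki_clone']):
                        _default_subsystem_name("Cloned " + config.pki_subsystem)
                    else:
                        _default_subsystem_name("PKI " + config.pki_subsystem)
```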
# Jython scriptlet
# 'Directory Server' Configuration name/value pairs
#