Diffstat (limited to 'base')
-rw-r--r--base/deploy/config/pkideployment.cfg45
-rwxr-xr-xbase/deploy/src/pkidestroy2
-rwxr-xr-xbase/deploy/src/pkispawn2
-rw-r--r--base/deploy/src/scriptlets/configuration.jy17
-rw-r--r--base/deploy/src/scriptlets/configuration.py3
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py2
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py45
-rw-r--r--base/deploy/src/scriptlets/pkijython.py16
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py2
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py41
-rw-r--r--base/deploy/src/scriptlets/security_databases.py5
11 files changed, 92 insertions, 88 deletions
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 6630907..9582484 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,21 +1,24 @@
###############################################################################
-## 'Sensitive' Data: ##
-## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required 'sensitive' information which MUST ALWAYS be provided by users. ##
-## ##
-## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
-## console NOR stored in log files!!! ##
-###############################################################################
-[Sensitive]
-pki_admin_password=
-pki_backup_password=
-pki_client_database_password=
-pki_client_pkcs12_password=
-pki_clone_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_token_password=
+## 'Sensitive' Parameters: ##
+## ##
+## Parameters listed in below pertain to various PKI subsystems, and ##
+## contain 'sensitive' information which must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[DEFAULT]
+sensitive_parameters=
+ pki_admin_password
+ pki_backup_password
+ pki_client_database_password
+ pki_client_pkcs12_password
+ pki_clone_pkcs12_password
+ pki_ds_password
+ pki_security_domain_password
+ pki_token_password
+ pki_pin
+ pki_client_pin
+ pki_one_time_pin
+
###############################################################################
## 'Common' Data: ##
## ##
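Review bot: The new header comment reads `Parameters listed in below pertain to various PKI subsystems`; drop the stray `in` so it reads `Parameters listed below pertain to various PKI subsystems`. It would also help readers of this file to state that `sensitive_parameters` is consumed as a whitespace-separated list of key names and, as far as this diff shows, is the only masking list the deployment code consults, so any new password or pin key has to be added here as well as to its own section.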
@@ -36,6 +39,7 @@ pki_admin_name=
pki_admin_nickname=
pki_admin_subject_dn=
pki_admin_uid=
+pki_admin_password=
pki_audit_group=pkiaudit
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
@@ -45,11 +49,15 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=
pki_audit_signing_token=
pki_backup_keys=False
+pki_backup_password=
pki_client_database_dir=
+pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=
+pki_client_pkcs12_password=
pki_ds_base_dn=
pki_ds_bind_dn=cn=Directory Manager
+pki_ds_password=
pki_ds_database=
pki_ds_hostname=
pki_ds_ldap_port=389
@@ -63,6 +71,7 @@ pki_security_domain_hostname=
pki_security_domain_https_port=8443
pki_security_domain_name=
pki_security_domain_user=
+pki_security_domain_password=
pki_skip_configuration=False
pki_skip_installation=False
pki_ssl_server_key_algorithm=SHA256withRSA
@@ -78,6 +87,7 @@ pki_subsystem_nickname=
pki_subsystem_subject_dn=
pki_subsystem_token=
pki_token_name=internal
+pki_token_password=
pki_user=pkiuser
###############################################################################
## 'Apache' Data: ##
@@ -109,6 +119,7 @@ pki_https_port=443
pki_ajp_port=8009
pki_clone=False
pki_clone_pkcs12_path=
+pki_clone_pkcs12_password=
pki_clone_replicate_schema=True
pki_clone_replication_master_port=
pki_clone_replication_clone_port=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 1597712..ed94c5b 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -116,7 +116,7 @@ def main(argv):
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
- config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv,
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index fbb6b8e..a593c70 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -123,7 +123,7 @@ def main(argv):
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
- config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv,
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index bf89a01..80543b8 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -23,15 +23,9 @@ from com.netscape.certsrv.client import ClientConfig
def main(argv):
rv = 0
- # Establish 'master' and 'sensitive' as two separate PKI jython dictionaries
- master = dict()
- sensitive = dict()
-
# Import the master dictionary from 'pkispawn'
master = pickle.loads(argv[1])
-
- # Import the sensitive data dictionary from 'pkispawn'
- sensitive = pickle.loads(argv[2])
+ sensitive_parameters = master['sensitive_parameters'].split()
# Optionally enable a java debugger (e. g. - 'eclipse'):
if config.str2bool(master['pki_enable_java_debugger']):
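Review bot: `sensitive_parameters` on the new line is kept as a plain list and then tested with `in` for every key of `master` in the later print loop; `sensitive_parameters = frozenset(master['sensitive_parameters'].split())` gives the same result and makes the membership-set intent explicit. The subscript raises KeyError when a deployment file predating the `[DEFAULT]`/`sensitive_parameters` entry is used; that fails closed, which is preferable to printing unmasked, but a comment such as `# KeyError here is deliberate: without the mask list nothing may be printed` would stop someone later replacing it with `.get(..., '')`. main's body continues outside the hunk.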
@@ -63,8 +57,12 @@ def main(argv):
(log.PKI_JYTHON_INDENTATION_2,
javasystem.getProperties()['java.class.path'])
for key in master:
+ if key in sensitive_parameters:
+ value = 'XXXXXXXX'
+ else:
+ value = master[key]
print "%s '%s' = '%s'" %\
- (log.PKI_JYTHON_INDENTATION_2, key, master[key])
+ (log.PKI_JYTHON_INDENTATION_2, key, value)
# Initialize token
jyutil.security_databases.initialize_token(
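Review bot: The masking at `if key in sensitive_parameters` matches key names only, so values that pkiparser copies under other names are printed in clear: `PKI_CERT_DB_PASSWORD_SLOT` receives `pki_pin` and `PKI_RANDOM_NUMBER_SLOT` receives `pki_one_time_pin` in the pkiparser hunks `@@ -1134,7 +1137,7 @@` and `@@ -1206,7 +1209,7 @@`, and `pki_configuration_url` (`@@ -2318,13 +2321,13 @@`) embeds the one-time pin, though pkihelper documents that URL as the one deliberately displayable value. Either add the slot keys to `sensitive_parameters` in pkideployment.cfg, or mask by value as well: build `sensitive_values = set(master[k] for k in sensitive_parameters if k in master)` before the loop and also substitute `'XXXXXXXX'` when `master[key] in sensitive_values`. main's body continues outside the hunk.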
@@ -84,8 +82,7 @@ def main(argv):
# Establish REST Client
client = jyutil.rest_client.initialize(
client_config,
- master,
- sensitive)
+ master)
# Construct PKI Subsystem Configuration Data
data = None
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index c6c43d0..0ea5446 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -22,7 +22,6 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
import pkihelper as util
import pkimessages as log
import pkiscriptlet
@@ -51,7 +50,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- sensitive['pki_client_database_password'], pin_sans_token=True)
+ master['pki_client_database_password'], pin_sans_token=True)
util.file.modify(master['pki_client_password_conf'],
uid=0, gid=0)
# Similarly, create a simple password file containing the
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index b55037b..7e426b0 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -195,7 +195,7 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
-pki_sensitive_dict = None
+pki_default_dict = None
pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 904e086..8be6c5c 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -42,7 +42,6 @@ import seobject
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
from pkiconfig import pki_selinux_config_ports as ports
import pkimanifest as manifest
@@ -419,7 +418,7 @@ class configuration_file:
# NOTE: This is the one and only parameter containing a sensitive
# parameter that may be stored in a log file.
config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1,
- sensitive['pki_configuration_url'],
+ master['pki_configuration_url'],
extra=config.PKI_INDENTATION_LEVEL_2)
config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1,
master['pki_registry_initscript_command'],
@@ -428,7 +427,7 @@ class configuration_file:
def display_configuration_url(self):
# NOTE: This is the one and only parameter containing a sensitive
# parameter that may be displayed to the screen.
- print log.PKI_CONFIGURATION_URL_1 % sensitive['pki_configuration_url']
+ print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url']
print
print log.PKI_CONFIGURATION_RESTART_1 %\
master['pki_registry_initscript_command']
@@ -438,8 +437,8 @@ class configuration_file:
# Silently verify the existence of 'sensitive' data
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
# Verify existence of Directory Server Password (ALWAYS)
- if not sensitive.has_key('pki_ds_password') or\
- not len(sensitive['pki_ds_password']):
+ if not master.has_key('pki_ds_password') or\
+ not len(master['pki_ds_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_ds_password",
@@ -448,8 +447,8 @@ class configuration_file:
sys.exit(1)
# Verify existence of Admin Password (except for Clones)
if not config.str2bool(master['pki_clone']):
- if not sensitive.has_key('pki_admin_password') or\
- not len(sensitive['pki_admin_password']):
+ if not master.has_key('pki_admin_password') or\
+ not len(master['pki_admin_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_admin_password",
@@ -458,8 +457,8 @@ class configuration_file:
sys.exit(1)
# If required, verify existence of Backup Password
if config.str2bool(master['pki_backup_keys']):
- if not sensitive.has_key('pki_backup_password') or\
- not len(sensitive['pki_backup_password']):
+ if not master.has_key('pki_backup_password') or\
+ not len(master['pki_backup_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_backup_password",
@@ -467,8 +466,8 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# Verify existence of Client Pin for NSS client security databases
- if not sensitive.has_key('pki_client_database_password') or\
- not len(sensitive['pki_client_database_password']):
+ if not master.has_key('pki_client_database_password') or\
+ not len(master['pki_client_database_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
"pki_client_database_password",
@@ -476,8 +475,8 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
# Verify existence of Client PKCS #12 Password for Admin Cert
- if not sensitive.has_key('pki_client_pkcs12_password') or\
- not len(sensitive['pki_client_pkcs12_password']):
+ if not master.has_key('pki_client_pkcs12_password') or\
+ not len(master['pki_client_pkcs12_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_client_pkcs12_password",
@@ -486,8 +485,8 @@ class configuration_file:
sys.exit(1)
# Verify existence of PKCS #12 Password (ONLY for Clones)
if config.str2bool(master['pki_clone']):
- if not sensitive.has_key('pki_clone_pkcs12_password') or\
- not len(sensitive['pki_clone_pkcs12_password']):
+ if not master.has_key('pki_clone_pkcs12_password') or\
+ not len(master['pki_clone_pkcs12_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_clone_pkcs12_password",
@@ -499,8 +498,8 @@ class configuration_file:
if config.str2bool(master['pki_clone']) or\
not master['pki_subsystem'] == "CA" or\
config.str2bool(master['pki_subordinate']):
- if not sensitive.has_key('pki_security_domain_password') or\
- not len(sensitive['pki_security_domain_password']):
+ if not master.has_key('pki_security_domain_password') or\
+ not len(master['pki_security_domain_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_security_domain_password",
@@ -509,8 +508,8 @@ class configuration_file:
sys.exit(1)
# If required, verify existence of Token Password
if not master['pki_token_name'] == "internal":
- if not sensitive.has_key('pki_token_password') or\
- not len(sensitive['pki_token_password']):
+ if not master.has_key('pki_token_password') or\
+ not len(master['pki_token_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_token_password",
@@ -1954,14 +1953,14 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# overwrite the existing 'pkcs12_password.conf' file
with open(path, "wt") as fd:
- fd.write(sensitive['pki_client_pkcs12_password'])
+ fd.write(master['pki_client_pkcs12_password'])
fd.closed
else:
config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
extra=config.PKI_INDENTATION_LEVEL_2)
# create a new 'pkcs12_password.conf' file
with open(path, "wt") as fd:
- fd.write(sensitive['pki_client_pkcs12_password'])
+ fd.write(master['pki_client_pkcs12_password'])
fd.closed
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
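Review bot: `fd.closed` after each `with open(path, "wt")` block is a bare attribute read that does nothing; the context manager already closes the file, so both lines can be deleted. The file written here now holds `master['pki_client_pkcs12_password']`, and nothing in the hunk sets its mode, so unless a `chmod` follows outside it the file is created under the process umask; opening it with `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")` (importing `os` if the module does not already) keeps it owner-only from the first write. The enclosing method starts and ends outside the hunk.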
@@ -2527,7 +2526,6 @@ class jython:
property = ""
# Compose this "jython" command
data = pickle.dumps(master)
- sensitive_data = pickle.dumps(sensitive)
ld_library_path = "LD_LIBRARY_PATH"
if master['pki_architecture'] == 64:
ld_library_path = ld_library_path + "=" +\
@@ -2537,8 +2535,7 @@ class jython:
ld_library_path = ld_library_path + "=" +\
"/usr/lib/jss:/usr/lib:/lib"
command = "export" + " " + ld_library_path + ";" + "jython" + " " +\
- property + " " + scriptlet + " " + "\"" + data + "\"" +\
- " " + "\"" + sensitive_data + "\""
+ property + " " + scriptlet + " " + "\"" + data + "\""
# Display this "jython" command
config.pki_log.info(
log.PKIHELPER_INVOKE_JYTHON_3,
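Review bot: `data` is the pickle of the whole master dictionary, which after this commit includes every password and pin, and it is spliced into a shell string between literal `\"` characters; any `"`, `$`, backtick or backslash in the pickle output, now possibly originating from a password value, breaks the quoting. The `export ...;` prefix suggests the string is handed to a shell, and the full command line, pickle included, is then readable by other local users via the process table, as was already the case for the separate sensitive pickle before this change. Passing the pickle on the child's stdin, or at least running it through `subprocess` with an argument list and `pipes.quote`, avoids both; the rest of the method, including where `command` is executed, is outside the hunk.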
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e6098b0..e106f01 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -276,12 +276,10 @@ class security_databases:
class rest_client:
client = None
master = None
- sensitive = None
- def initialize(self, client_config, master, sensitive):
+ def initialize(self, client_config, master):
try:
self.master = master
- self.sensitive = sensitive
log_level = master['pki_jython_log_level']
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
@@ -299,7 +297,7 @@ class rest_client:
data.setSecurityDomainUri(self.master['pki_security_domain_uri'])
data.setSecurityDomainUser(self.master['pki_security_domain_user'])
data.setSecurityDomainPassword(
- self.sensitive['pki_security_domain_password'])
+ self.master['pki_security_domain_password'])
def set_new_security_domain(self, data):
data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN)
@@ -309,7 +307,7 @@ class rest_client:
data.setIsClone("true")
data.setCloneUri(self.master['pki_clone_uri'])
data.setP12File(self.master['pki_clone_pkcs12_path'])
- data.setP12Password(self.sensitive['pki_clone_pkcs12_password'])
+ data.setP12Password(self.master['pki_clone_pkcs12_password'])
data.setReplicateSchema(self.master['pki_clone_replicate_schema'])
data.setReplicationSecurity(
self.master['pki_clone_replication_security'])
@@ -326,7 +324,7 @@ class rest_client:
data.setBaseDN(self.master['pki_ds_base_dn'])
data.setBindDN(self.master['pki_ds_bind_dn'])
data.setDatabase(self.master['pki_ds_database'])
- data.setBindpwd(self.sensitive['pki_ds_password'])
+ data.setBindpwd(self.master['pki_ds_password'])
if config.str2bool(self.master['pki_ds_remove_data']):
data.setRemoveData("true")
else:
@@ -340,14 +338,14 @@ class rest_client:
if config.str2bool(self.master['pki_backup_keys']):
data.setBackupKeys("true")
data.setBackupFile(self.master['pki_backup_keys_p12'])
- data.setBackupPassword(self.sensitive['pki_backup_password'])
+ data.setBackupPassword(self.master['pki_backup_password'])
else:
data.setBackupKeys("false")
def set_admin_parameters(self, token, data):
data.setAdminEmail(self.master['pki_admin_email'])
data.setAdminName(self.master['pki_admin_name'])
- data.setAdminPassword(self.sensitive['pki_admin_password'])
+ data.setAdminPassword(self.master['pki_admin_password'])
data.setAdminProfileID(self.master['pki_admin_profile_id'])
data.setAdminUID(self.master['pki_admin_uid'])
data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
@@ -422,7 +420,7 @@ class rest_client:
data = ConfigurationRequest()
# Miscellaneous Configuration Information
- data.setPin(self.sensitive['pki_one_time_pin'])
+ data.setPin(master['pki_one_time_pin'])
data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
data.setSubsystemName(master['pki_subsystem_name'])
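Review bot: `data.setPin(master['pki_one_time_pin'])` reads the bare name `master`, while every other accessor changed in this file (the security-domain, clone, database, backup and admin setters) goes through `self.master`, which `initialize` assigns. The neighbouring `setSubsystemName(master[...])` already does the same, so the bare name presumably resolves to a module global or a local defined outside the hunk; for consistency with the rest of `rest_client` write `data.setPin(self.master['pki_one_time_pin'])`. The enclosing method starts outside the hunk.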
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 59fa7d3..9964794 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -189,7 +189,7 @@ PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
"context %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
- "jython %s %s <master_dictionary> <sensitive_data>'"
+ "jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
PKIHELPER_IS_A_FILE_1 = "'%s' is a file"
PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index e9d3488..e9c999b 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -215,7 +215,7 @@ class PKIConfigParser:
# Make keys case-sensitive!
self.pki_config.optionxform = str
self.pki_config.read(config.pkideployment_cfg)
- config.pki_sensitive_dict = dict(self.pki_config._sections['Sensitive'])
+ config.pki_default_dict = self.pki_config.defaults()
config.pki_common_dict = dict(self.pki_config._sections['Common'])
if config.pki_subsystem == "CA":
config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat'])
@@ -237,10 +237,12 @@ class PKIConfigParser:
config.pki_subsystem_dict = dict(self.pki_config._sections['TPS'])
# Insert empty record into dictionaries for "pretty print" statements
# NEVER print "sensitive" key value pairs!!!
+ config.pki_default_dict[0] = None
config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
except ConfigParser.ParsingError, err:
+ print err
rv = err
return rv
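Review bot: The added `print err` writes the `ConfigParser.ParsingError` text to stdout, and that text includes the offending line of the file (`[line N]: <contents>`); now that the `pki_*_password=` entries live in the ordinary sections, a malformed password line would be echoed to the console, and the same object is returned as `rv` and logged via `PKI_UNABLE_TO_PARSE_1` in the pkispawn and pkidestroy hunks. Report the file name and the line numbers from `err.errors` (a list of `(lineno, line)` pairs) rather than the line contents. Separately, `self.pki_config.defaults()` returns the parser's internal defaults dict, so `config.pki_default_dict[0] = None` mutates the parser itself; `config.pki_default_dict = dict(self.pki_config.defaults())` matches how the `_sections` copies are taken on the surrounding lines. The enclosing method starts outside the hunk.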
@@ -270,18 +272,19 @@ class PKIConfigParser:
# the configuration file
pin_low = 100000000000
pin_high = 999999999999
- config.pki_sensitive_dict['pki_pin'] =\
+ config.pki_master_dict['pki_pin'] =\
random.randint(pin_low, pin_high)
- config.pki_sensitive_dict['pki_client_pin'] =\
+ config.pki_master_dict['pki_client_pin'] =\
random.randint(pin_low, pin_high)
# Generate a one-time pin to be used prior to configuration
# and add this to the "sensitive" key value pairs read in from
# the configuration file
- config.pki_sensitive_dict['pki_one_time_pin'] =\
+ config.pki_master_dict['pki_one_time_pin'] =\
''.join(random.choice(string.ascii_letters + string.digits)\
for x in range(20))
# Configuration file name/value pairs
# NEVER add "sensitive" key value pairs to the master dictionary!!!
+ config.pki_master_dict.update(config.pki_default_dict)
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
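Review bot: The pins assigned to `pki_pin`, `pki_client_pin` and `pki_one_time_pin` on the changed lines still come from `random.randint` and `random.choice`, the non-cryptographic default generator, although later hunks use them as the NSS database password (`PKI_CERT_DB_PASSWORD_SLOT`) and the configuration-login pin (`PKI_RANDOM_NUMBER_SLOT`); create `rng = random.SystemRandom()` once and use `rng.randint(...)`/`rng.choice(...)` so the values come from the OS entropy source. The comments on these lines are now stale: `and add this to the "sensitive" key value pairs` and `NEVER add "sensitive" key value pairs to the master dictionary!!!` describe the dictionary this commit removes and contradict the `update(config.pki_default_dict)` line directly beneath; reword them to say the sensitive entries are stored in the master dictionary and masked through `sensitive_parameters`. Note also that the `update(...)` calls run after the pins are generated, so a `pki_pin=`, `pki_client_pin=` or `pki_one_time_pin=` entry in the configuration file would silently replace the generated value; generating the pins after the updates, or only when the key is absent, closes that. The enclosing method starts outside the hunk.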
@@ -1134,7 +1137,7 @@ class PKIConfigParser:
config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\
- config.pki_sensitive_dict['pki_pin']
+ config.pki_master_dict['pki_pin']
config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\
config.pki_master_dict['pki_target_cs_cfg']
config.pki_master_dict\
@@ -1206,7 +1209,7 @@ class PKIConfigParser:
config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
config.pki_master_dict['pki_tomcat_tmpdir_path']
config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
- config.pki_sensitive_dict['pki_one_time_pin']
+ config.pki_master_dict['pki_one_time_pin']
config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
@@ -1344,19 +1347,19 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and is NOT redefined below:
#
- # config.pki_sensitive_dict['pki_client_pkcs12_password']
+ # config.pki_master_dict['pki_client_pkcs12_password']
# config.pki_master_dict['pki_client_database_purge']
#
# The following variables are established via the specified PKI
# deployment configuration file and potentially overridden below:
#
- # config.pki_sensitive_dict['pki_client_database_password']
+ # config.pki_master_dict['pki_client_database_password']
# config.pki_master_dict['pki_client_dir']
#
- if not len(config.pki_sensitive_dict['pki_client_database_password']):
+ if not len(config.pki_master_dict['pki_client_database_password']):
# use randomly generated client 'pin'
- config.pki_sensitive_dict['pki_client_database_password'] =\
- str(config.pki_sensitive_dict['pki_client_pin'])
+ config.pki_master_dict['pki_client_database_password'] =\
+ str(config.pki_master_dict['pki_client_pin'])
if not len(config.pki_master_dict['pki_client_dir']):
config.pki_master_dict['pki_client_dir'] =\
os.path.join(
@@ -1427,9 +1430,9 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_clone_pkcs12_password']
- # config.pki_sensitive_dict['pki_security_domain_password']
- # config.pki_sensitive_dict['pki_token_password']
+ # config.pki_master_dict['pki_clone_pkcs12_password']
+ # config.pki_master_dict['pki_security_domain_password']
+ # config.pki_master_dict['pki_token_password']
# config.pki_master_dict['pki_clone_pkcs12_path']
# config.pki_master_dict['pki_clone_uri']
# config.pki_master_dict['pki_security_domain_https_port']
@@ -1545,7 +1548,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_ds_password']
+ # config.pki_master_dict['pki_ds_password']
# config.pki_master_dict['pki_clone_replication_security']
# config.pki_master_dict['pki_ds_bind_dn']
# config.pki_master_dict['pki_ds_ldap_port']
@@ -1605,7 +1608,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_backup_password']
+ # config.pki_master_dict['pki_backup_password']
# config.pki_master_dict['pki_backup_keys']
#
if config.str2bool(config.pki_master_dict['pki_backup_keys']):
@@ -1626,7 +1629,7 @@ class PKIConfigParser:
# The following variables are established via the specified PKI
# deployment configuration file and are NOT redefined below:
#
- # config.pki_sensitive_dict['pki_admin_password']
+ # config.pki_master_dict['pki_admin_password']
# config.pki_master_dict['pki_admin_cert_request_type']
# config.pki_master_dict['pki_admin_dualkey']
# config.pki_master_dict['pki_admin_keysize']
@@ -2318,13 +2321,13 @@ class PKIConfigParser:
# parameter that may be stored in a log file and displayed
# to the screen.
#
- config.pki_sensitive_dict['pki_configuration_url'] =\
+ config.pki_master_dict['pki_configuration_url'] =\
"https://{}:{}/{}/{}?pin={}".format(
config.pki_master_dict['pki_hostname'],
config.pki_master_dict['pki_https_port'],
config.pki_master_dict['pki_subsystem'].lower(),
"admin/console/config/login",
- config.pki_sensitive_dict['pki_one_time_pin'])
+ config.pki_master_dict['pki_one_time_pin'])
# Compose this "systemd" execution management command
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index be0eecf..847d0a5 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,7 +22,6 @@
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
import pkihelper as util
import pkimessages as log
import pkiscriptlet
@@ -41,14 +40,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
util.password.create_password_conf(
master['pki_shared_password_conf'],
- sensitive['pki_pin'])
+ master['pki_pin'])
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a temporary server 'pfile'
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
+ master['pki_pin'], pin_sans_token=True)
util.file.modify(master['pki_shared_password_conf'])
util.certutil.create_security_databases(
master['pki_database_path'],