Diffstat (limited to 'base')
-rw-r--r--base/deploy/config/pkideployment.cfg1
-rw-r--r--base/deploy/src/scriptlets/pkijython.py63
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py176
3 files changed, 71 insertions, 169 deletions
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index ae02bb450..80816e495 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -57,6 +57,7 @@ pki_ds_ldaps_port=636
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
+pki_issuing_ca=
pki_restart_configured_instance=True
pki_security_domain_hostname=
pki_security_domain_https_port=8443
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e08b4901e..5adc7e022 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -180,7 +180,7 @@ def generateCRMFRequest(token, keysize, subjectdn, dualkey):
# 1st : Encryption key
s1.addElement(crmfMsg)
# 2nd : Signing Key
- if dualkey:
+ if config.str2bool(dualkey):
javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
seq1 = SEQUENCE()
certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
@@ -338,36 +338,28 @@ class rest_client:
data.setIsClone("false")
# Security Domain Information
#
- # NOTE: External CA's DO NOT require a security domain
- if master['pki_instance_type'] == "Tomcat":
- if master['pki_subsystem'] == "CA":
- if not config.str2bool(master['pki_clone']) and\
- not config.str2bool(master['pki_subordinate']):
- # PKI CA
- data.setSecurityDomainType(
- ConfigurationData.NEW_DOMAIN)
- data.setSecurityDomainName(
- master['pki_security_domain_name'])
- else:
- # PKI Cloned or Subordinate CA
- data.setSecurityDomainType(
- ConfigurationData.EXISTING_DOMAIN)
- data.setSecurityDomainUri(
- master['pki_security_domain_uri'])
- data.setSecurityDomainUser(
- master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- sensitive['pki_security_domain_password'])
- else:
- # PKI KRA, OCSP, or TKS
- data.setSecurityDomainType(
- ConfigurationData.EXISTING_DOMAIN)
- data.setSecurityDomainUri(
- master['pki_security_domain_uri'])
- data.setSecurityDomainUser(
- master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- sensitive['pki_security_domain_password'])
+ # NOTE: External CA's DO NOT require a security domain
+ #
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ elif not config.str2bool(master['pki_external']):
+ # PKI CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
# Directory Server Information
if master['pki_subsystem'] != "RA":
data.setDsHost(master['pki_ds_hostname'])
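Review bot: The `pki_external` test on the `elif` is only reached when the first branch is false, so a CA configured with `pki_external=True` together with `pki_clone=True` or `pki_subordinate=True` is silently enrolled as EXISTING_DOMAIN and `sensitive['pki_security_domain_password']` is sent to `pki_security_domain_uri`, despite the NOTE that external CAs need no security domain. If those flags are meant to be mutually exclusive, reject the combination before this block rather than letting branch order decide; if the precedence is intended, state it in the NOTE, e.g. `# NOTE: pki_clone/pki_subordinate take precedence over pki_external; a cloned or subordinate CA still joins the existing domain even when pki_external is set`. The enclosing rest_client method begins before this hunk and continues after it.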
@@ -420,6 +412,15 @@ class rest_client:
else:
javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
javasystem.exit(1)
+ # Issuing CA Information
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ config.str2bool(master['pki_external']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
+ # Subordinate CA, or External CA
+ data.setIssuingCA(master['pki_issuing_ca'])
# Create system certs
systemCerts = ArrayList()
# Create 'CA Signing Certificate'
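Review bot: `data.setIssuingCA(master['pki_issuing_ca'])` is also executed for an external CA, and the pkiparser change in this same commit fills an empty `pki_issuing_ca` with the literal placeholder "External CA" in that case, so the request carries a non-URI sentinel in a field that otherwise holds an https URI. If setIssuingCA expects a URL on the server side (not visible here), either leave `pki_external` out of this condition or only forward an operator-supplied value, e.g. `if master['pki_issuing_ca'] and master['pki_issuing_ca'] != "External CA":` ahead of the call, with a comment explaining the placeholder. The enclosing rest_client method begins before this hunk and continues after it.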
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index bf22a4d18..dd1f93bd3 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -1455,157 +1455,57 @@ def compose_pki_master_dictionary():
# The following variables are established via the specified PKI
# deployment configuration file and potentially overridden below:
#
+ # config.pki_master_dict['pki_issuing_ca']
# config.pki_master_dict['pki_security_domain_hostname']
# config.pki_master_dict['pki_security_domain_name']
# config.pki_master_dict['pki_subsystem_name']
#
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- # PKI RA or TPS
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ config.pki_subsystem + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ if config.pki_subsystem != "CA" or\
+ config.str2bool(config.pki_master_dict['pki_clone']) or\
+ config.str2bool(config.pki_master_dict['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict['pki_security_domain_hostname']):
- # Guess that it is the local host
+ if not len(config.pki_master_dict['pki_security_domain_name']):
+ # Guess that the security domain resides on the local host
+ config.pki_master_dict['pki_security_domain_name'] =\
+ config.pki_master_dict['pki_dns_domainname'] + " " +\
+ "Security Domain"
+ if not\
+ len(config.pki_master_dict['pki_security_domain_hostname']):
+ # Guess that the security domain resides on the local host
config.pki_master_dict['pki_security_domain_hostname'] =\
config.pki_master_dict['pki_hostname']
config.pki_master_dict['pki_security_domain_uri'] =\
"https" + "://" +\
config.pki_master_dict['pki_security_domain_hostname'] + ":" +\
config.pki_master_dict['pki_security_domain_https_port']
+ if not len(config.pki_master_dict['pki_issuing_ca']):
+ # Guess that it is the same as the
+ # config.pki_master_dict['pki_security_domain_uri']
+ config.pki_master_dict['pki_issuing_ca'] =\
+ config.pki_master_dict['pki_security_domain_uri']
+ elif config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ #
+ # NOTE: External CA's DO NOT require a security domain
+ #
+ if not len(config.pki_master_dict['pki_issuing_ca']):
+ config.pki_master_dict['pki_issuing_ca'] = "External CA"
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that security domain is on the local host
+ # Guess that the security domain resides on the local host
config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_subsystem == "CA":
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- #
- # NOTE: External CA's DO NOT require a security domain
- if not len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "External CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif not config.str2bool(config.pki_master_dict['pki_clone'])\
- and not\
- config.str2bool(config.pki_master_dict['pki_subordinate']):
- # PKI CA
- config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- if not len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI Cloned or Subordinate CA
- config.pki_master_dict['pki_security_domain_type'] =\
- "existing"
- if not len(config.pki_master_dict\
- ['pki_security_domain_hostname']):
- # Guess that it is the local host
- config.pki_master_dict['pki_security_domain_hostname']\
- = config.pki_master_dict['pki_hostname']
- config.pki_master_dict['pki_security_domain_uri'] =\
- "https" + "://" +\
- config.pki_master_dict['pki_security_domain_hostname']\
- + ":" +\
- config.pki_master_dict['pki_security_domain_https_port']
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- # Guess that security domain is on the local host
- config.pki_master_dict['pki_security_domain_name']\
- = config.pki_master_dict['pki_dns_domainname']\
- + " " + "Security Domain"
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned CA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # Subordinate CA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Subordinate CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI or Cloned KRA, OCSP, or TKS
- config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict\
- ['pki_security_domain_hostname']):
- # Guess that it is the local host
- config.pki_master_dict['pki_security_domain_hostname'] =\
- config.pki_master_dict['pki_hostname']
- config.pki_master_dict['pki_security_domain_uri'] =\
- "https" + "://" +\
- config.pki_master_dict['pki_security_domain_hostname'] +\
- ":" +\
- config.pki_master_dict['pki_security_domain_https_port']
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that security domain is on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- if config.pki_subsystem == "KRA":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned KRA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned KRA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI KRA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI KRA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "OCSP":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned OCSP
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned OCSP" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI OCSP
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI OCSP" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "TKS":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned TKS
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned TKS" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI TKS
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI TKS" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['pki_dns_domainname'] + " " +\
+ "Security Domain"
# Jython scriptlet
# 'Directory Server' Configuration name/value pairs
#
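Review bot: When `pki_security_domain_hostname` is left empty, the existing-domain branch silently substitutes the local host, builds `pki_security_domain_uri` from it and then copies that URI into `pki_issuing_ca`, so a clone, subordinate CA, KRA, OCSP or TKS whose config omits the hostname gets a plausible-looking but usually wrong endpoint for both the domain join (where `pki_security_domain_password` is presented) and certificate issuance, instead of a configuration error. For those subsystem types the security domain normally lives elsewhere, so at minimum emit a warning that a default was applied using whatever logging helper this function already has, and consider failing when `pki_clone` or `pki_subordinate` is set and no hostname was given. The `"External CA"` placeholder stored in `pki_issuing_ca` is a string in a key that otherwise holds an https URI; a comment such as `# placeholder, not a URI: external CAs have no issuing CA endpoint` would keep downstream consumers from treating it as one. Stylistically, `if not len(config.pki_master_dict[...])` reads better as `if not config.pki_master_dict[...]`. compose_pki_master_dictionary begins before this hunk and continues after it.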