Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java24
-rw-r--r--pki/base/silent/src/ca/ConfigureCA.java17
-rw-r--r--pki/base/silent/src/drm/ConfigureDRM.java17
-rw-r--r--pki/base/silent/src/ocsp/ConfigureOCSP.java16
-rw-r--r--pki/base/silent/src/subca/ConfigureSubCA.java16
-rw-r--r--pki/base/silent/src/tks/ConfigureTKS.java16
-rwxr-xr-xpki/base/silent/templates/pki_silent.template14
7 files changed, 108 insertions, 12 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
index 539a2eb0c..fc127700f 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
@@ -146,6 +146,7 @@ public class DatabasePanel extends WizardPanelBase {
String database = null;
String errorString = "";
String secure = "false";
+ String cloneStartTLS = "false";
try {
String s = cs.getString("preop.database.removeData");
} catch (Exception e) {
@@ -166,6 +167,7 @@ public class DatabasePanel extends WizardPanelBase {
binddn = cs.getString("internaldb.ldapauth.bindDN", "");
database = cs.getString("internaldb.database", "");
secure = cs.getString("internaldb.ldapconn.secureConn", "");
+ cloneStartTLS = cs.getString("internaldb.ldapconn.cloneStartTLS", "");
errorString = cs.getString("preop.database.errorString", "");
} catch (Exception e) {
CMS.debug("DatabasePanel display: " + e.toString());
@@ -220,7 +222,8 @@ public class DatabasePanel extends WizardPanelBase {
context.put("binddn", binddn);
context.put("bindpwd", bindpwd);
context.put("database", database);
- context.put("secureConn", (secure.equals("true")? "on":"off"));
+ context.put("secureConn", (secure.equals("true")? "on":"off"));
+ context.put("cloneStartTLS", (cloneStartTLS.equals("true")? "on":"off"));
context.put("panel", "admin/console/config/databasepanel.vm");
context.put("errorString", errorString);
}
@@ -279,6 +282,9 @@ public class DatabasePanel extends WizardPanelBase {
String secure = HttpInput.getCheckbox(request, "secureConn");
context.put("secureConn", secure);
+ String cloneStartTLS = HttpInput.getCheckbox(request, "cloneStartTLS");
+ context.put("cloneStartTLS", cloneStartTLS);
+
String select = "";
try {
select = cs.getString("preop.subsystem.select", "");
@@ -866,6 +872,9 @@ public class DatabasePanel extends WizardPanelBase {
cs.putString("internaldb.database", database2);
String secure = HttpInput.getCheckbox(request, "secureConn");
cs.putString("internaldb.ldapconn.secureConn", (secure.equals("on")?"true":"false"));
+ String cloneStartTLS = HttpInput.getCheckbox(request, "cloneStartTLS");
+ cs.putString("internaldb.ldapconn.cloneStartTLS", (cloneStartTLS.equals("on")?"true":"false"));
+
String remove = HttpInput.getID(request, "removeData");
if (isPanelDone() && (remove == null || remove.equals(""))) {
/* if user submits the same data, they just want to skip
@@ -987,7 +996,7 @@ public class DatabasePanel extends WizardPanelBase {
// setup replication after indexes have been created
if (select.equals("clone")) {
CMS.debug("Start setting up replication.");
- setupReplication(request, context, (secure.equals("on")?"true":"false"));
+ setupReplication(request, context, (secure.equals("on")?"true":"false"), (cloneStartTLS.equals("on")?"true":"false"));
CMS.debug("Finish setting up replication.");
try {
@@ -1016,7 +1025,7 @@ public class DatabasePanel extends WizardPanelBase {
}
private void setupReplication(HttpServletRequest request,
- Context context, String secure) throws IOException {
+ Context context, String secure, String cloneStartTLS) throws IOException {
String bindpwd = HttpInput.getPassword(request, "__bindpwd");
IConfigStore cs = CMS.getConfigStore();
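Review bot: The new `cloneStartTLS` parameter of setupReplication is an undocumented String flag whose accepted values ("true"/"false") and its precedence relative to `secure` are only discoverable by reading createReplicationAgreement further down; the same applies to the new parameter added to createReplicationAgreement at the `@@ -1320` hunk. A short Javadoc on setupReplication would close that gap: `@param secure "true" to use LDAPS for the replication agreements`, `@param cloneStartTLS "true" to use StartTLS on the plain LDAP port; ignored when secure is "true"`. setupReplication's body continues outside this hunk.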
@@ -1122,10 +1131,10 @@ public class DatabasePanel extends WizardPanelBase {
CMS.debug("DatabasePanel setupReplication: Finished enabling replication");
createReplicationAgreement(replicadn, conn1, masterAgreementName,
- master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure);
+ master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure, cloneStartTLS);
createReplicationAgreement(replicadn, conn2, cloneAgreementName,
- master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure);
+ master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure, cloneStartTLS);
// initialize consumer
initializeConsumer(replicadn, conn1, masterAgreementName);
@@ -1320,7 +1329,7 @@ public class DatabasePanel extends WizardPanelBase {
private void createReplicationAgreement(String replicadn,
LDAPConnection conn, String name, String replicahost, int replicaport,
- String replicapwd, String basedn, String bindUser, String secure) throws LDAPException {
+ String replicapwd, String basedn, String bindUser, String secure, String cloneStartTLS) throws LDAPException {
String dn = "cn="+name+","+replicadn;
CMS.debug("DatabasePanel createReplicationAgreement: dn: "+dn);
LDAPEntry entry = null;
@@ -1341,7 +1350,10 @@ public class DatabasePanel extends WizardPanelBase {
if (secure.equals("true")) {
attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "SSL"));
+ } else if (cloneStartTLS.equals("true")) {
+ attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "TLS"));
}
+
CMS.debug("About to set description attr to " + name);
attrs.add(new LDAPAttribute("description",name));
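Review bot: The new `else if` on the nsDS5ReplicaTransportInfo block leaves two cases neither documented nor logged: when both `secure` and `cloneStartTLS` are "true", StartTLS is silently overridden by SSL, and when neither is set no transport attribute is written at all, so the agreement presumably falls back to the directory server's default (cleartext LDAP) while still carrying the replication bind password. The silent installers send the two flags independently (`&secureConn=on` and `&cloneStartTLS=on`), so an operator can ask for StartTLS and get no indication of what was actually chosen. I would add a comment above the `if`, `// LDAPS (secure) takes precedence over StartTLS; StartTLS only applies to the plain port`, and a final branch `} else { CMS.debug("DatabasePanel createReplicationAgreement: no transport encryption set for " + name); }` so the selected transport shows up in the debug log. createReplicationAgreement starts and ends outside this hunk.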
diff --git a/pki/base/silent/src/ca/ConfigureCA.java b/pki/base/silent/src/ca/ConfigureCA.java
index f1fb63f9c..66fca89b9 100644
--- a/pki/base/silent/src/ca/ConfigureCA.java
+++ b/pki/base/silent/src/ca/ConfigureCA.java
@@ -99,6 +99,9 @@ public class ConfigureCA {
public static String bind_password = null;
public static String base_dn = null;
public static String db_name = null;
+ public static String secure_conn = null;
+ public static String clone_start_tls = null;
+ public static String remove_data = null;
public static String key_type = null;
public static String key_size = null;
@@ -517,7 +520,10 @@ public class ConfigureCA {
+ URLEncoder.encode(bind_password) + "&basedn="
+ URLEncoder.encode(base_dn) + "&database="
+ URLEncoder.encode(db_name) + "&display="
- + URLEncoder.encode("$displayStr") + "";
+ + URLEncoder.encode("$displayStr")
+ + (secure_conn.equals("true")? "&secureConn=on": "")
+ + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "")
+ + (remove_data.equals("true")? "&removeData=true": "");
hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string);
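Review bot: `secure_conn.equals("true")` and `clone_start_tls.equals("true")` in the query string treat any value other than the exact lower-case literal (`True`, `yes`, `1`) as false, so a typo in the silent template downgrades the LDAP connection and the replication transport to cleartext without any error; the same construction appears in the corresponding query-string hunks of ConfigureDRM, ConfigureOCSP, ConfigureSubCA and ConfigureTKS. set_default only substitutes a missing value, so the check belongs right after the three `set_default(...)` assignments at the `@@ -1672` hunk, rejecting anything but the literal `true`/`false` through whatever argument-error path this class already uses (not visible from here), e.g. `if (!secure_conn.equals("true") && !secure_conn.equals("false")) { /* report bad -secure_conn value and abort */ }` for each of the three flags. `remove_data` deserves the same treatment, since a mis-typed value silently skips the step rather than failing loudly.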
@@ -1447,6 +1453,9 @@ public class ConfigureCA {
StringHolder x_bind_password = new StringHolder();
StringHolder x_base_dn = new StringHolder();
StringHolder x_db_name = new StringHolder();
+ StringHolder x_secure_conn = new StringHolder();
+ StringHolder x_clone_start_tls = new StringHolder();
+ StringHolder x_remove_data = new StringHolder();
// key properties (defaults)
StringHolder x_key_size = new StringHolder();
@@ -1556,6 +1565,9 @@ public class ConfigureCA {
x_bind_password);
parser.addOption("-base_dn %s #base dn", x_base_dn);
parser.addOption("-db_name %s #db name", x_db_name);
+ parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn);
+ parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data);
+ parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls);
// key and algorithm options (default)
parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type);
@@ -1672,6 +1684,9 @@ public class ConfigureCA {
bind_password = x_bind_password.value;
base_dn = x_base_dn.value;
db_name = x_db_name.value;
+ secure_conn = set_default(x_secure_conn.value, "false");
+ remove_data = set_default(x_remove_data.value, "false");
+ clone_start_tls = set_default(x_clone_start_tls.value, "false");
key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE);
signing_key_type = set_default(x_signing_key_type.value, key_type);
diff --git a/pki/base/silent/src/drm/ConfigureDRM.java b/pki/base/silent/src/drm/ConfigureDRM.java
index fb9f112ce..5298811f3 100644
--- a/pki/base/silent/src/drm/ConfigureDRM.java
+++ b/pki/base/silent/src/drm/ConfigureDRM.java
@@ -102,6 +102,9 @@ public class ConfigureDRM
public static String bind_password = null;
public static String base_dn = null;
public static String db_name = null;
+ public static String secure_conn = null;
+ public static String clone_start_tls = null;
+ public static String remove_data = null;
public static String key_type = null;
public static String key_size = null;
@@ -456,7 +459,10 @@ public class ConfigureDRM
"&__bindpwd=" + URLEncoder.encode(bind_password) +
"&basedn=" + URLEncoder.encode(base_dn) +
"&database=" + URLEncoder.encode(db_name) +
- "&display=" + URLEncoder.encode("$displayStr");
+ "&display=" + URLEncoder.encode("$displayStr") +
+ (secure_conn.equals("true")? "&secureConn=on": "") +
+ (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") +
+ (remove_data.equals("true")? "&removeData=true": "");
hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string);
@@ -1071,6 +1077,9 @@ public class ConfigureDRM
StringHolder x_bind_password = new StringHolder();
StringHolder x_base_dn = new StringHolder();
StringHolder x_db_name = new StringHolder();
+ StringHolder x_secure_conn = new StringHolder();
+ StringHolder x_clone_start_tls = new StringHolder();
+ StringHolder x_remove_data = new StringHolder();
// key properties (defaults)
StringHolder x_key_size = new StringHolder();
@@ -1188,6 +1197,9 @@ public class ConfigureDRM
x_base_dn);
parser.addOption ("-db_name %s #db name",
x_db_name);
+ parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn);
+ parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data);
+ parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls);
// key and algorithm options (default)
parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type);
@@ -1307,6 +1319,9 @@ public class ConfigureDRM
bind_password = x_bind_password.value;
base_dn = x_base_dn.value;
db_name = x_db_name.value;
+ secure_conn = set_default(x_secure_conn.value, "false");
+ remove_data = set_default(x_remove_data.value, "false");
+ clone_start_tls = set_default(x_clone_start_tls.value, "false");
key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE);
transport_key_type = set_default(x_transport_key_type.value, key_type);
diff --git a/pki/base/silent/src/ocsp/ConfigureOCSP.java b/pki/base/silent/src/ocsp/ConfigureOCSP.java
index ad23c70ee..9e5410bad 100644
--- a/pki/base/silent/src/ocsp/ConfigureOCSP.java
+++ b/pki/base/silent/src/ocsp/ConfigureOCSP.java
@@ -100,6 +100,9 @@ public class ConfigureOCSP
public static String bind_password = null;
public static String base_dn = null;
public static String db_name = null;
+ public static String secure_conn = null;
+ public static String clone_start_tls = null;
+ public static String remove_data = null;
public static String key_type = null;
public static String key_size = null;
@@ -401,7 +404,9 @@ public class ConfigureOCSP
"&basedn=" + URLEncoder.encode(base_dn) +
"&database=" + URLEncoder.encode(db_name) +
"&display=" + URLEncoder.encode("$displayStr") +
- "";
+ (secure_conn.equals("true")? "&secureConn=on": "") +
+ (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") +
+ (remove_data.equals("true")? "&removeData=true": "");
hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string);
@@ -962,6 +967,9 @@ public class ConfigureOCSP
StringHolder x_bind_password = new StringHolder();
StringHolder x_base_dn = new StringHolder();
StringHolder x_db_name = new StringHolder();
+ StringHolder x_secure_conn = new StringHolder();
+ StringHolder x_clone_start_tls = new StringHolder();
+ StringHolder x_remove_data = new StringHolder();
// key properties (defaults)
StringHolder x_key_size = new StringHolder();
@@ -1067,6 +1075,9 @@ public class ConfigureOCSP
x_base_dn);
parser.addOption ("-db_name %s #db name",
x_db_name);
+ parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn);
+ parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data);
+ parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls);
// key and algorithm options (default)
parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type);
@@ -1173,6 +1184,9 @@ public class ConfigureOCSP
bind_password = x_bind_password.value;
base_dn = x_base_dn.value;
db_name = x_db_name.value;
+ secure_conn = set_default(x_secure_conn.value, "false");
+ remove_data = set_default(x_remove_data.value, "false");
+ clone_start_tls = set_default(x_clone_start_tls.value, "false");
key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE);
signing_key_type = set_default(x_signing_key_type.value, key_type);
diff --git a/pki/base/silent/src/subca/ConfigureSubCA.java b/pki/base/silent/src/subca/ConfigureSubCA.java
index 111879bb5..561f68e44 100644
--- a/pki/base/silent/src/subca/ConfigureSubCA.java
+++ b/pki/base/silent/src/subca/ConfigureSubCA.java
@@ -102,6 +102,9 @@ public class ConfigureSubCA
public static String bind_password = null;
public static String base_dn = null;
public static String db_name = null;
+ public static String secure_conn = null;
+ public static String clone_start_tls = null;
+ public static String remove_data = null;
public static String key_type = null;
public static String key_size = null;
@@ -430,7 +433,9 @@ public class ConfigureSubCA
"&binddn=" + URLEncoder.encode(bind_dn) +
"&__bindpwd=" + URLEncoder.encode(bind_password) +
"&display=" + URLEncoder.encode("$displayStr") +
- "";
+ (secure_conn.equals("true")? "&secureConn=on": "") +
+ (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") +
+ (remove_data.equals("true")? "&removeData=true": "");
hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string);
@@ -1014,6 +1019,9 @@ public class ConfigureSubCA
StringHolder x_bind_password = new StringHolder();
StringHolder x_base_dn = new StringHolder();
StringHolder x_db_name = new StringHolder();
+ StringHolder x_secure_conn = new StringHolder();
+ StringHolder x_clone_start_tls = new StringHolder();
+ StringHolder x_remove_data = new StringHolder();
// key properties (defaults)
StringHolder x_key_size = new StringHolder();
@@ -1126,6 +1134,9 @@ public class ConfigureSubCA
x_base_dn);
parser.addOption ("-db_name %s #db name",
x_db_name);
+ parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn);
+ parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data);
+ parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls);
// key and algorithm options (default)
parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type);
@@ -1236,6 +1247,9 @@ public class ConfigureSubCA
bind_password = x_bind_password.value;
base_dn = x_base_dn.value;
db_name = x_db_name.value;
+ secure_conn = set_default(x_secure_conn.value, "false");
+ remove_data = set_default(x_remove_data.value, "false");
+ clone_start_tls = set_default(x_clone_start_tls.value, "false");
key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE);
signing_key_type = set_default(x_signing_key_type.value, key_type);
diff --git a/pki/base/silent/src/tks/ConfigureTKS.java b/pki/base/silent/src/tks/ConfigureTKS.java
index 25242dfd3..ec934c8f4 100644
--- a/pki/base/silent/src/tks/ConfigureTKS.java
+++ b/pki/base/silent/src/tks/ConfigureTKS.java
@@ -99,6 +99,9 @@ public class ConfigureTKS
public static String bind_password = null;
public static String base_dn = null;
public static String db_name = null;
+ public static String secure_conn = null;
+ public static String clone_start_tls = null;
+ public static String remove_data = null;
public static String key_type = null;
public static String key_size = null;
@@ -384,7 +387,9 @@ public class ConfigureTKS
"&basedn=" + URLEncoder.encode(base_dn) +
"&database=" + URLEncoder.encode(db_name) +
"&display=" + URLEncoder.encode("$displayStr") +
- "";
+ (secure_conn.equals("true")? "&secureConn=on": "") +
+ (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") +
+ (remove_data.equals("true")? "&removeData=true": "");
hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string);
@@ -931,6 +936,9 @@ public class ConfigureTKS
StringHolder x_bind_password = new StringHolder();
StringHolder x_base_dn = new StringHolder();
StringHolder x_db_name = new StringHolder();
+ StringHolder x_secure_conn = new StringHolder();
+ StringHolder x_clone_start_tls = new StringHolder();
+ StringHolder x_remove_data = new StringHolder();
// key properties (defaults)
StringHolder x_key_size = new StringHolder();
@@ -1028,6 +1036,9 @@ public class ConfigureTKS
x_base_dn);
parser.addOption ("-db_name %s #db name",
x_db_name);
+ parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn);
+ parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data);
+ parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls);
// key and algorithm options (default)
parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type);
@@ -1124,6 +1135,9 @@ public class ConfigureTKS
bind_password = x_bind_password.value;
base_dn = x_base_dn.value;
db_name = x_db_name.value;
+ secure_conn = set_default(x_secure_conn.value, "false");
+ remove_data = set_default(x_remove_data.value, "false");
+ clone_start_tls = set_default(x_clone_start_tls.value, "false");
key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE);
audit_signing_key_type = set_default(x_audit_signing_key_type.value, key_type);
diff --git a/pki/base/silent/templates/pki_silent.template b/pki/base/silent/templates/pki_silent.template
index 31b40ff9c..344bcf8b8 100755
--- a/pki/base/silent/templates/pki_silent.template
+++ b/pki/base/silent/templates/pki_silent.template
@@ -379,7 +379,9 @@ pki_silent_tps_log=/tmp/tps.log
## ca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects
## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects
##
-
+## NOTE: Additional variables to specify the LDAP connection are as follows:
+## remove_data - set to true/false. Remove any existing data found under the baseDN
+## secure_conn - use the ldaps port
ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID"
ca_agent_key_size=2048
ca_agent_key_type=rsa
@@ -418,12 +420,16 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s
## sd_admin_port=
## sd_admin_name=
## sd_admin_password=
+## clone_start_tls=false
##
## NOTES:
## 1. ca_clone_p12_file must be just the filename relative to the alias directory.
## So in the example above, ca_clone_p12_file="ca-master.p12"
## 2. sd_* refer to the CA where the security domain is hosted.
## 3. clone_uri has the following format: https://<hostname>:<EE port> fo the CA to be cloned
+## 4. clone_start_tls can be set to true if we require replication between the master and clone databases
+## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must
+## be ssl enabled first or the replication will fail.
##
## ADDITIONAL NOTES:
## 1. The clone CA and master CA cannot share the same database instance. A new
@@ -521,11 +527,15 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s
## kra_clone_p12_file=
## kra_clone_p12_password=
## kra_clone_uri=
+## clone_start_tls=false
##
## NOTES:
## 1. drm_clone_p12_file must be just the filename relative to the alias directory.
## So in the example above, drm_clone_p12_file="drm-master.p12"
## 2. drm_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned
+## 3. clone_start_tls can be set to true if we require replication between the master and clone databases
+## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must
+## be ssl enabled first or the replication will fail.
##
## ADDITIONAL NOTES:
## 1. The clone DRM and master DRM cannot share the same database instance. A new
@@ -1175,6 +1185,7 @@ pkisilent ConfigureCA \
# -sd_admin_port ${sd_admin_port} \
# -sd_admin_name ${sd_admin_name} \
# -sd_admin_password ${sd_admin_password} \
+# -clone_start_tls ${clone_start_tls} \
# | tee ${pki_silent_ca_log}
## Restart CA
@@ -1440,6 +1451,7 @@ pkisilent ConfigureDRM \
# -clone_p12_file ${kra_clone_p12_file} \
# -clone_p12_password ${kra_clone_p12_password} \
# -clone_uri ${kra_uri} \
+# -clone_start_tls ${clone_start_tls} \
# | tee ${pki_silent_kra_log}
## Restart drm