Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java | 24 | ||||
-rw-r--r-- | pki/base/silent/src/ca/ConfigureCA.java | 17 | ||||
-rw-r--r-- | pki/base/silent/src/drm/ConfigureDRM.java | 17 | ||||
-rw-r--r-- | pki/base/silent/src/ocsp/ConfigureOCSP.java | 16 | ||||
-rw-r--r-- | pki/base/silent/src/subca/ConfigureSubCA.java | 16 | ||||
-rw-r--r-- | pki/base/silent/src/tks/ConfigureTKS.java | 16 | ||||
-rwxr-xr-x | pki/base/silent/templates/pki_silent.template | 14 |
7 files changed, 108 insertions, 12 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java index 539a2eb0c..fc127700f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java @@ -146,6 +146,7 @@ public class DatabasePanel extends WizardPanelBase { String database = null; String errorString = ""; String secure = "false"; + String cloneStartTLS = "false"; try { String s = cs.getString("preop.database.removeData"); } catch (Exception e) { @@ -166,6 +167,7 @@ public class DatabasePanel extends WizardPanelBase { binddn = cs.getString("internaldb.ldapauth.bindDN", ""); database = cs.getString("internaldb.database", ""); secure = cs.getString("internaldb.ldapconn.secureConn", ""); + cloneStartTLS = cs.getString("internaldb.ldapconn.cloneStartTLS", ""); errorString = cs.getString("preop.database.errorString", ""); } catch (Exception e) { CMS.debug("DatabasePanel display: " + e.toString()); @@ -220,7 +222,8 @@ public class DatabasePanel extends WizardPanelBase { context.put("binddn", binddn); context.put("bindpwd", bindpwd); context.put("database", database); - context.put("secureConn", (secure.equals("true")? "on":"off")); + context.put("secureConn", (secure.equals("true")? "on":"off")); + context.put("cloneStartTLS", (cloneStartTLS.equals("true")? "on":"off")); context.put("panel", "admin/console/config/databasepanel.vm"); context.put("errorString", errorString); } @@ -279,6 +282,9 @@ public class DatabasePanel extends WizardPanelBase { String secure = HttpInput.getCheckbox(request, "secureConn"); context.put("secureConn", secure); + String cloneStartTLS = HttpInput.getCheckbox(request, "cloneStartTLS"); + context.put("cloneStartTLS", cloneStartTLS); + String select = ""; try { select = cs.getString("preop.subsystem.select", ""); 
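Review bot: The new `cloneStartTLS` checkbox is read with `HttpInput.getCheckbox(request, "cloneStartTLS")` in the `@@ -279` hunk and echoed into the Velocity context in the `@@ -220` hunk, but no `databasepanel.vm` change appears in this diffstat, so unless that template already renders a `cloneStartTLS` checkbox next to `secureConn` the interactive wizard can never set it and the option is presumably reachable only through the silent clients' query string. Either add the checkbox to the panel template in the same change or state in a comment next to the `getCheckbox` call that the parameter is supplied by the `pkisilent` tools, e.g. `// cloneStartTLS is sent by the silent configuration clients; the panel template must render a matching checkbox for interactive use`. The `display` method these hunks belong to starts and ends outside them.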
@@ -866,6 +872,9 @@ public class DatabasePanel extends WizardPanelBase { cs.putString("internaldb.database", database2); String secure = HttpInput.getCheckbox(request, "secureConn"); cs.putString("internaldb.ldapconn.secureConn", (secure.equals("on")?"true":"false")); + String cloneStartTLS = HttpInput.getCheckbox(request, "cloneStartTLS"); + cs.putString("internaldb.ldapconn.cloneStartTLS", (cloneStartTLS.equals("on")?"true":"false")); + String remove = HttpInput.getID(request, "removeData"); if (isPanelDone() && (remove == null || remove.equals(""))) { /* if user submits the same data, they just want to skip @@ -987,7 +996,7 @@ public class DatabasePanel extends WizardPanelBase { // setup replication after indexes have been created if (select.equals("clone")) { CMS.debug("Start setting up replication."); - setupReplication(request, context, (secure.equals("on")?"true":"false")); + setupReplication(request, context, (secure.equals("on")?"true":"false"), (cloneStartTLS.equals("on")?"true":"false")); CMS.debug("Finish setting up replication."); try { @@ -1016,7 +1025,7 @@ public class DatabasePanel extends WizardPanelBase { } private void setupReplication(HttpServletRequest request, - Context context, String secure) throws IOException { + Context context, String secure, String cloneStartTLS) throws IOException { String bindpwd = HttpInput.getPassword(request, "__bindpwd"); IConfigStore cs = CMS.getConfigStore(); 
@@ -1122,10 +1131,10 @@ public class DatabasePanel extends WizardPanelBase { CMS.debug("DatabasePanel setupReplication: Finished enabling replication"); createReplicationAgreement(replicadn, conn1, masterAgreementName, - master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure); + master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure, cloneStartTLS); createReplicationAgreement(replicadn, conn2, cloneAgreementName, - master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure); + master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure, cloneStartTLS); // initialize consumer initializeConsumer(replicadn, conn1, masterAgreementName); @@ -1320,7 +1329,7 @@ public class DatabasePanel extends WizardPanelBase { private void createReplicationAgreement(String replicadn, LDAPConnection conn, String name, String replicahost, int replicaport, - String replicapwd, String basedn, String bindUser, String secure) throws LDAPException { + String replicapwd, String basedn, String bindUser, String secure, String cloneStartTLS) throws LDAPException { String dn = "cn="+name+","+replicadn; CMS.debug("DatabasePanel createReplicationAgreement: dn: "+dn); LDAPEntry entry = null; @@ -1341,7 +1350,10 @@ public class DatabasePanel extends WizardPanelBase { if (secure.equals("true")) { attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "SSL")); + } else if (cloneStartTLS.equals("true")) { + attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "TLS")); } + CMS.debug("About to set description attr to " + name); attrs.add(new LDAPAttribute("description",name)); diff --git a/pki/base/silent/src/ca/ConfigureCA.java b/pki/base/silent/src/ca/ConfigureCA.java index f1fb63f9c..66fca89b9 100644 --- a/pki/base/silent/src/ca/ConfigureCA.java +++ b/pki/base/silent/src/ca/ConfigureCA.java 
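Review bot: In the `@@ -1341` hunk the `else if (cloneStartTLS.equals("true"))` branch is silently skipped when `secure` is also `"true"`, and when neither is set no `nsDS5ReplicaTransportInfo` attribute is added at all, so the agreement presumably falls back to the directory server's default (unencrypted) transport without any trace in the log. Since this is the replication channel for the CA's own database, log the transport that was actually selected so a misconfiguration is visible, e.g. `CMS.debug("DatabasePanel createReplicationAgreement: transport=" + (secure.equals("true") ? "SSL" : cloneStartTLS.equals("true") ? "TLS" : "default"));`. The new parameter added in the `@@ -1320` signature also deserves a line in the method comment, such as `// cloneStartTLS: "true" requests StartTLS on the plain LDAP port; ignored when secure is "true"`. `createReplicationAgreement` continues outside the hunk.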
@@ -99,6 +99,9 @@ public class ConfigureCA { public static String bind_password = null; public static String base_dn = null; public static String db_name = null; + public static String secure_conn = null; + public static String clone_start_tls = null; + public static String remove_data = null; public static String key_type = null; public static String key_size = null; @@ -517,7 +520,10 @@ public class ConfigureCA { + URLEncoder.encode(bind_password) + "&basedn=" + URLEncoder.encode(base_dn) + "&database=" + URLEncoder.encode(db_name) + "&display=" - + URLEncoder.encode("$displayStr") + ""; + + URLEncoder.encode("$displayStr") + + (secure_conn.equals("true")? "&secureConn=on": "") + + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") + + (remove_data.equals("true")? "&removeData=true": ""); hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string); @@ -1447,6 +1453,9 @@ public class ConfigureCA { StringHolder x_bind_password = new StringHolder(); StringHolder x_base_dn = new StringHolder(); StringHolder x_db_name = new StringHolder(); + StringHolder x_secure_conn = new StringHolder(); + StringHolder x_clone_start_tls = new StringHolder(); + StringHolder x_remove_data = new StringHolder(); // key properties (defaults) StringHolder x_key_size = new StringHolder(); @@ -1556,6 +1565,9 @@ public class ConfigureCA { x_bind_password); parser.addOption("-base_dn %s #base dn", x_base_dn); parser.addOption("-db_name %s #db name", x_db_name); + parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn); + parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data); + parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls); // key and algorithm options (default) parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type); 
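Review bot: `secure_conn.equals("true")` in the `@@ -517` hunk treats every value other than the literal lowercase `true` (`True`, `yes`, `1`, a typo) as false, so a mistyped `-secure_conn` silently leaves `&secureConn=on` out of the request and the subsystem is configured to reach its directory server over plaintext LDAP instead of failing; `clone_start_tls` and `remove_data` have the same problem. The identical query-string and assignment hunks in ConfigureDRM, ConfigureOCSP, ConfigureSubCA and ConfigureTKS share this defect. Validate the three values right after the `set_default` calls in the `@@ -1672` hunk and abort on anything else, e.g. `if (!secure_conn.equals("true") && !secure_conn.equals("false")) throw new IllegalArgumentException("-secure_conn must be true or false, got: " + secure_conn);`, repeated for the other two. The method that builds `query_string` starts and ends outside the `@@ -517` hunk.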
@@ -1672,6 +1684,9 @@ public class ConfigureCA { bind_password = x_bind_password.value; base_dn = x_base_dn.value; db_name = x_db_name.value; + secure_conn = set_default(x_secure_conn.value, "false"); + remove_data = set_default(x_remove_data.value, "false"); + clone_start_tls = set_default(x_clone_start_tls.value, "false"); key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE); signing_key_type = set_default(x_signing_key_type.value, key_type); diff --git a/pki/base/silent/src/drm/ConfigureDRM.java b/pki/base/silent/src/drm/ConfigureDRM.java index fb9f112ce..5298811f3 100644 --- a/pki/base/silent/src/drm/ConfigureDRM.java +++ b/pki/base/silent/src/drm/ConfigureDRM.java @@ -102,6 +102,9 @@ public class ConfigureDRM public static String bind_password = null; public static String base_dn = null; public static String db_name = null; + public static String secure_conn = null; + public static String clone_start_tls = null; + public static String remove_data = null; public static String key_type = null; public static String key_size = null; @@ -456,7 +459,10 @@ public class ConfigureDRM "&__bindpwd=" + URLEncoder.encode(bind_password) + "&basedn=" + URLEncoder.encode(base_dn) + "&database=" + URLEncoder.encode(db_name) + - "&display=" + URLEncoder.encode("$displayStr"); + "&display=" + URLEncoder.encode("$displayStr") + + (secure_conn.equals("true")? "&secureConn=on": "") + + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") + + (remove_data.equals("true")? "&removeData=true": ""); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -1071,6 +1077,9 @@ public class ConfigureDRM StringHolder x_bind_password = new StringHolder(); StringHolder x_base_dn = new StringHolder(); StringHolder x_db_name = new StringHolder(); + StringHolder x_secure_conn = new StringHolder(); + StringHolder x_clone_start_tls = new StringHolder(); + StringHolder x_remove_data = new StringHolder(); // key properties (defaults) StringHolder x_key_size = new StringHolder(); 
@@ -1188,6 +1197,9 @@ public class ConfigureDRM x_base_dn); parser.addOption ("-db_name %s #db name", x_db_name); + parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn); + parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data); + parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls); // key and algorithm options (default) parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type); @@ -1307,6 +1319,9 @@ public class ConfigureDRM bind_password = x_bind_password.value; base_dn = x_base_dn.value; db_name = x_db_name.value; + secure_conn = set_default(x_secure_conn.value, "false"); + remove_data = set_default(x_remove_data.value, "false"); + clone_start_tls = set_default(x_clone_start_tls.value, "false"); key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE); transport_key_type = set_default(x_transport_key_type.value, key_type); diff --git a/pki/base/silent/src/ocsp/ConfigureOCSP.java b/pki/base/silent/src/ocsp/ConfigureOCSP.java index ad23c70ee..9e5410bad 100644 --- a/pki/base/silent/src/ocsp/ConfigureOCSP.java +++ b/pki/base/silent/src/ocsp/ConfigureOCSP.java @@ -100,6 +100,9 @@ public class ConfigureOCSP public static String bind_password = null; public static String base_dn = null; public static String db_name = null; + public static String secure_conn = null; + public static String clone_start_tls = null; + public static String remove_data = null; public static String key_type = null; public static String key_size = null; 
@@ -401,7 +404,9 @@ public class ConfigureOCSP "&basedn=" + URLEncoder.encode(base_dn) + "&database=" + URLEncoder.encode(db_name) + "&display=" + URLEncoder.encode("$displayStr") + - ""; + (secure_conn.equals("true")? "&secureConn=on": "") + + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") + + (remove_data.equals("true")? "&removeData=true": ""); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -962,6 +967,9 @@ public class ConfigureOCSP StringHolder x_bind_password = new StringHolder(); StringHolder x_base_dn = new StringHolder(); StringHolder x_db_name = new StringHolder(); + StringHolder x_secure_conn = new StringHolder(); + StringHolder x_clone_start_tls = new StringHolder(); + StringHolder x_remove_data = new StringHolder(); // key properties (defaults) StringHolder x_key_size = new StringHolder(); @@ -1067,6 +1075,9 @@ public class ConfigureOCSP x_base_dn); parser.addOption ("-db_name %s #db name", x_db_name); + parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn); + parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data); + parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls); // key and algorithm options (default) parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type); @@ -1173,6 +1184,9 @@ public class ConfigureOCSP bind_password = x_bind_password.value; base_dn = x_base_dn.value; db_name = x_db_name.value; + secure_conn = set_default(x_secure_conn.value, "false"); + remove_data = set_default(x_remove_data.value, "false"); + clone_start_tls = set_default(x_clone_start_tls.value, "false"); key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE); signing_key_type = set_default(x_signing_key_type.value, key_type); 
diff --git a/pki/base/silent/src/subca/ConfigureSubCA.java b/pki/base/silent/src/subca/ConfigureSubCA.java index 111879bb5..561f68e44 100644 --- a/pki/base/silent/src/subca/ConfigureSubCA.java +++ b/pki/base/silent/src/subca/ConfigureSubCA.java @@ -102,6 +102,9 @@ public class ConfigureSubCA public static String bind_password = null; public static String base_dn = null; public static String db_name = null; + public static String secure_conn = null; + public static String clone_start_tls = null; + public static String remove_data = null; public static String key_type = null; public static String key_size = null; @@ -430,7 +433,9 @@ public class ConfigureSubCA "&binddn=" + URLEncoder.encode(bind_dn) + "&__bindpwd=" + URLEncoder.encode(bind_password) + "&display=" + URLEncoder.encode("$displayStr") + - ""; + (secure_conn.equals("true")? "&secureConn=on": "") + + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") + + (remove_data.equals("true")? "&removeData=true": ""); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -1014,6 +1019,9 @@ public class ConfigureSubCA StringHolder x_bind_password = new StringHolder(); StringHolder x_base_dn = new StringHolder(); StringHolder x_db_name = new StringHolder(); + StringHolder x_secure_conn = new StringHolder(); + StringHolder x_clone_start_tls = new StringHolder(); + StringHolder x_remove_data = new StringHolder(); // key properties (defaults) StringHolder x_key_size = new StringHolder(); 
@@ -1126,6 +1134,9 @@ public class ConfigureSubCA x_base_dn); parser.addOption ("-db_name %s #db name", x_db_name); + parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn); + parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data); + parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls); // key and algorithm options (default) parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type); @@ -1236,6 +1247,9 @@ public class ConfigureSubCA bind_password = x_bind_password.value; base_dn = x_base_dn.value; db_name = x_db_name.value; + secure_conn = set_default(x_secure_conn.value, "false"); + remove_data = set_default(x_remove_data.value, "false"); + clone_start_tls = set_default(x_clone_start_tls.value, "false"); key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE); signing_key_type = set_default(x_signing_key_type.value, key_type); diff --git a/pki/base/silent/src/tks/ConfigureTKS.java b/pki/base/silent/src/tks/ConfigureTKS.java index 25242dfd3..ec934c8f4 100644 --- a/pki/base/silent/src/tks/ConfigureTKS.java +++ b/pki/base/silent/src/tks/ConfigureTKS.java @@ -99,6 +99,9 @@ public class ConfigureTKS public static String bind_password = null; public static String base_dn = null; public static String db_name = null; + public static String secure_conn = null; + public static String clone_start_tls = null; + public static String remove_data = null; public static String key_type = null; public static String key_size = null; 
@@ -384,7 +387,9 @@ public class ConfigureTKS "&basedn=" + URLEncoder.encode(base_dn) + "&database=" + URLEncoder.encode(db_name) + "&display=" + URLEncoder.encode("$displayStr") + - ""; + (secure_conn.equals("true")? "&secureConn=on": "") + + (clone_start_tls.equals("true")? "&cloneStartTLS=on": "") + + (remove_data.equals("true")? "&removeData=true": ""); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -931,6 +936,9 @@ public class ConfigureTKS StringHolder x_bind_password = new StringHolder(); StringHolder x_base_dn = new StringHolder(); StringHolder x_db_name = new StringHolder(); + StringHolder x_secure_conn = new StringHolder(); + StringHolder x_clone_start_tls = new StringHolder(); + StringHolder x_remove_data = new StringHolder(); // key properties (defaults) StringHolder x_key_size = new StringHolder(); @@ -1028,6 +1036,9 @@ public class ConfigureTKS x_base_dn); parser.addOption ("-db_name %s #db name", x_db_name); + parser.addOption("-secure_conn %s #use ldaps port (optional, default is false)", x_secure_conn); + parser.addOption("-remove_data %s #remove existing data under base_dn (optional, default is false) ", x_remove_data); + parser.addOption("-clone_start_tls %s #use startTLS for cloning replication agreement (optional, default is false)", x_clone_start_tls); // key and algorithm options (default) parser.addOption("-key_type %s #Key type [RSA,ECC] (optional, default is RSA)", x_key_type); @@ -1124,6 +1135,9 @@ public class ConfigureTKS bind_password = x_bind_password.value; base_dn = x_base_dn.value; db_name = x_db_name.value; + secure_conn = set_default(x_secure_conn.value, "false"); + remove_data = set_default(x_remove_data.value, "false"); + clone_start_tls = set_default(x_clone_start_tls.value, "false"); key_type = set_default(x_key_type.value, DEFAULT_KEY_TYPE); audit_signing_key_type = set_default(x_audit_signing_key_type.value, key_type); 
diff --git a/pki/base/silent/templates/pki_silent.template b/pki/base/silent/templates/pki_silent.template index 31b40ff9c..344bcf8b8 100755 --- a/pki/base/silent/templates/pki_silent.template +++ b/pki/base/silent/templates/pki_silent.template @@ -379,7 +379,9 @@ pki_silent_tps_log=/tmp/tps.log ## ca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects ## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects ## - +## NOTE: Additional variables to specify the LDAP connection are as follows: +## remove_data - set to true/false. Remove any existing data found under the baseDN +## secure_conn - use the ldaps port ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID" ca_agent_key_size=2048 ca_agent_key_type=rsa @@ -418,12 +420,16 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s ## sd_admin_port= ## sd_admin_name= ## sd_admin_password= +## clone_start_tls=false ## ## NOTES: ## 1. ca_clone_p12_file must be just the filename relative to the alias directory. ## So in the example above, ca_clone_p12_file="ca-master.p12" ## 2. sd_* refer to the CA where the security domain is hosted. ## 3. clone_uri has the following format: https://<hostname>:<EE port> fo the CA to be cloned +## 4. clone_start_tls can be set to true if we require replication between the master and clone databases +## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must +## be ssl enabled first or the replication will fail. ## ## ADDITIONAL NOTES: ## 1. The clone CA and master CA cannot share the same database instance. A new 
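Review bot: The NOTE block added in the `@@ -379` hunk documents `remove_data` and `secure_conn` as LDAP-connection variables, but neither gets a commented default like the `## clone_start_tls=false` line in the `@@ -418` hunk, and the `pkisilent ConfigureCA`/`ConfigureDRM` invocations in the following `@@ -1175` and `@@ -1440` hunks only pass `-clone_start_tls`; the silent tools in this commit accept `-secure_conn` and `-remove_data`, so either wire them through (`# -secure_conn ${secure_conn} \` and `# -remove_data ${remove_data} \`) or drop them from the note. If this template also contains ConfigureOCSP, ConfigureSubCA or ConfigureTKS invocations, they need the same `-clone_start_tls` line since those tools gained the option too. Note 4 should also say that when both `secure_conn=true` and `clone_start_tls=true` are set the replication agreement uses the ldaps transport and the StartTLS setting is ignored, which is how `DatabasePanel.createReplicationAgreement` resolves the two flags.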
@@ -521,11 +527,15 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s ## kra_clone_p12_file= ## kra_clone_p12_password= ## kra_clone_uri= +## clone_start_tls=false ## ## NOTES: ## 1. drm_clone_p12_file must be just the filename relative to the alias directory. ## So in the example above, drm_clone_p12_file="drm-master.p12" ## 2. drm_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned +## 3. clone_start_tls can be set to true if we require replication between the master and clone databases +## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must +## be ssl enabled first or the replication will fail. ## ## ADDITIONAL NOTES: ## 1. The clone DRM and master DRM cannot share the same database instance. A new @@ -1175,6 +1185,7 @@ pkisilent ConfigureCA \ # -sd_admin_port ${sd_admin_port} \ # -sd_admin_name ${sd_admin_name} \ # -sd_admin_password ${sd_admin_password} \ +# -clone_start_tls ${clone_start_tls} \ # | tee ${pki_silent_ca_log} ## Restart CA @@ -1440,6 +1451,7 @@ pkisilent ConfigureDRM \ # -clone_p12_file ${kra_clone_p12_file} \ # -clone_p12_password ${kra_clone_p12_password} \ # -clone_uri ${kra_uri} \ +# -clone_start_tls ${clone_start_tls} \ # | tee ${pki_silent_kra_log} ## Restart drm |