From 03a6350687e033461306d6b9000ef8ea34af96f9 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Sun, 2 Dec 2012 22:42:36 -0500
Subject: Common User: pkispawn changes

---
 base/deploy/config/deployment.cfg | 4 +
 base/deploy/src/scriptlets/pkijython.py | 48 ++++++----
 base/deploy/src/scriptlets/pkiparser.py | 152 +++++--------------------------
 3 files changed, 55 insertions(+), 149 deletions(-)

diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
index 278df62d3..6ff7a35bb 100644
--- a/base/deploy/config/deployment.cfg
+++ b/base/deploy/config/deployment.cfg
@@ -194,6 +194,7 @@ pki_external_ca_cert_chain_path=
 pki_external_ca_cert_path=
 pki_external_csr_path=
 pki_external_step_two=False
+pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
@@ -213,6 +214,7 @@ pki_subsystem_name=
 ## required information which MAY be overridden by users as necessary. ##
 ###############################################################################
 [KRA]
+pki_import_admin_cert=True
 pki_storage_key_algorithm=SHA256withRSA
 pki_storage_key_size=2048
 pki_storage_key_type=rsa
@@ -238,6 +240,7 @@ pki_transport_token=
 ## required information which MAY be overridden by users as necessary. ##
 ###############################################################################
 [OCSP]
+pki_import_admin_cert=True
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
@@ -266,6 +269,7 @@ pki_subsystem_name=
 ## required information which MAY be overridden by users as necessary. ##
 ###############################################################################
 [TKS]
+pki_import_admin_cert=True
 pki_subsystem=TKS
 pki_subsystem_name=
 
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e106f0141..c1bec9327 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
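Review bot: The new `pki_import_admin_cert` key is added without any comment, and it is switched to True for [KRA], [OCSP] and [TKS] while the default section says False, so a reader of deployment.cfg cannot tell what the flag does or what it depends on. From the accompanying Python changes it makes pkispawn read an existing administrator certificate from `pki_admin_cert_file` instead of requesting a new one, which means that file has to exist before the subsystem is configured. Add a short comment above the default, e.g. `# Import an existing admin cert from pki_admin_cert_file instead of issuing one; the file must exist when this is True`, and a one-line pointer in the three subsystem sections saying they default to the CA's admin certificate. The same remark applies to the [KRA], [OCSP] and [TKS] hunks.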
@@ -349,24 +349,34 @@ class rest_client:
 data.setAdminProfileID(self.master['pki_admin_profile_id'])
 data.setAdminUID(self.master['pki_admin_uid'])
 data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
- if self.master['pki_admin_cert_request_type'] == "crmf":
- data.setAdminCertRequestType("crmf")
- if config.str2bool(self.master['pki_admin_dualkey']):
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "true")
- else:
- crmf_request = generateCRMFRequest(
- token,
- self.master['pki_admin_keysize'],
- self.master['pki_admin_subject_dn'],
- "false")
- data.setAdminCertRequest(crmf_request)
+ if config.str2bool(self.master['pki_import_admin_cert']):
+ data.setImportAdminCert("true")
+ # read config from file
+ f = open(self.master['pki_admin_cert_file'])
+ b64 = f.read().replace('\n','')
+ f.close()
+ data.setAdminCert(b64)
 else:
- javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
- javasystem.exit(1)
+ data.setImportAdminCert("false")
+ data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
+ if self.master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(self.master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ self.master['pki_admin_keysize'],
+ self.master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
 
 def create_system_cert(self, tag):
 cert = SystemCertData()
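Review bot: The added read of `pki_admin_cert_file` has no error handling: a missing or unreadable file surfaces as an uncaught IOError, `f.close()` is skipped if `read()` raises, and an empty file is passed on as an empty admin certificate. Because this file decides which certificate becomes the administrator identity of the subsystem being configured, the read should close the handle in `finally` and reject an empty result before `setAdminCert`; the rewrite below does that. The `data.setAdminSubjectDN(...)` call added in the else branch repeats the context line just above the `if`, so one of the two can go. The enclosing method starts and ends outside the hunk, and the failure message in the rewrite is a placeholder because the `log.*` constants are not visible here.
```python
if config.str2bool(self.master['pki_import_admin_cert']):
    data.setImportAdminCert("true")
    # this file supplies the administrator identity for the subsystem,
    # so a missing or empty file must stop configuration here
    cert_file = self.master['pki_admin_cert_file']
    f = open(cert_file)
    try:
        b64 = f.read().replace('\n', '')
    finally:
        f.close()
    if not b64:
        javasystem.out.println("<PLACEHOLDER: empty admin cert file> " + cert_file)
        javasystem.exit(1)
    data.setAdminCert(b64)
# … unchanged: else branch (CRMF request generation) …
```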
@@ -566,8 +576,10 @@ class rest_client: cdata.getCert()) javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ cdata.getRequest()) + # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(master['pki_clone']): + if not config.str2bool(master['pki_clone']) and \ + not config.str2bool(master['pki_import_admin_cert']): admin_cert = response.getAdminCert().getCert() javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ " " + admin_cert) diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index d05870e04..edb2fd556 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -1408,6 +1408,15 @@ class PKIConfigParser: config.pki_master_dict['pki_database_path'] + "/" +\ config.pki_master_dict['pki_subsystem'].lower() + "_" +\ "admin" + "_" + "cert" + "." + "p12" + + # the admin cert is stored with the NSS server databases + # in case we want to use a common admin user cert + if not 'pki_admin_cert_file' in config.pki_master_dict or\ + not len(config.pki_master_dict['pki_admin_cert_file']): + config.pki_master_dict['pki_admin_cert_file'] =\ + config.pki_master_dict['pki_database_path'] +\ + "/ca_admin.cert" + # Jython scriptlet name/value pairs config.pki_master_dict['pki_jython_configuration_scriptlet'] =\ os.path.join(sys.prefix, 
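Review bot: The comment `# Cloned PKI subsystems do not return an Admin Certificate` no longer describes the condition beneath it, which now also skips the certificate whenever `pki_import_admin_cert` is set, so a reader will assume the import case still yields one. Reword it to `# Cloned subsystems, and subsystems that import an existing admin cert, do not return an Admin Certificate`. The `and \` continuation would read better as one parenthesised condition, and the block that consumes `admin_cert` continues outside the hunk.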
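Review bot: The default for `pki_admin_cert_file` is `<pki_database_path>/ca_admin.cert`, a path inside this instance's own NSS database directory, but nothing here checks that the file exists or is readable when `pki_import_admin_cert` is true, so the failure only surfaces later inside the Jython configuration scriptlet after the instance has been created. Since this parser is where the rest of the deployment is validated, a check along the lines of `if config.str2bool(config.pki_master_dict.get('pki_import_admin_cert', 'false')) and not os.path.isfile(config.pki_master_dict['pki_admin_cert_file']):` followed by whatever error path this class uses would catch a KRA/OCSP/TKS in a separate instance from the CA, where the default presumably does not exist. The comment should also say that the value is expected to be overridden in that case. Minor style: `if not 'pki_admin_cert_file' in d` reads better as `if 'pki_admin_cert_file' not in d`, and `not len(x)` as `not x`; the enclosing method continues outside the hunk.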
@@ -1666,138 +1675,19 @@ class PKIConfigParser:
 config.pki_master_dict['pki_admin_name'] + "@" +\
 config.pki_master_dict['pki_dns_domainname']
 if not len(config.pki_master_dict['pki_admin_nickname']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_nickname'] =\
- "RA Administrator's" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TPS Administrator's" + " " +\
- config.pki_master_dict['pki_security_domain_name'] +\
- " " + "ID"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- "External CA ID"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_nickname'] =\
- "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict\
- ['pki_security_domain_name'] + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_nickname'] =\
- "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_nickname'] =\
- "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_nickname'] =\
- "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "'s" + " " +\
- config.pki_master_dict['pki_security_domain_name']\
- + " " + "ID"
+ config.pki_master_dict['pki_admin_nickname'] =\
+ "PKI Administrator for " +\
+ config.pki_master_dict['pki_dns_domainname']
+
+ if not 'pki_import_admin_cert' in config.pki_master_dict:
+ config.pki_master_dict['pki_import_admin_cert'] = 'false'
+
 if not len(config.pki_master_dict['pki_admin_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "RA Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TPS Administrator" + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" + "External CA"
- else:
- # PKI CA or Subordinate CA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "CA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] +\
- "," + "uid=" +\
- config.pki_master_dict['pki_admin_uid']\
- + "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "KRA Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "OCSP Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_admin_subject_dn'] =\
- "cn=" + "TKS Administrator of Instance" + " " +\
- config.pki_master_dict['pki_instance_id'] + "," +\
- "uid=" + config.pki_master_dict['pki_admin_uid'] +\
- "," + "e=" +\
- config.pki_master_dict['pki_admin_email'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=PKI Administrator" +\
+ ",e=" + config.pki_master_dict['pki_admin_email'] +\
+ ",o=" + config.pki_master_dict['pki_security_domain_name']
+
 # Jython scriptlet
 # 'CA Signing Certificate' Configuration name/value pairs
 #
-- cgit
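Review bot: The new default subject DN concatenates `pki_admin_email` and `pki_security_domain_name` into `cn=PKI Administrator,e=...,o=...` with no RFC 4514 escaping, so a value containing `,`, `+` or `=` changes the structure of the DN the administrator certificate is issued for; the removed branches had the same weakness, but a four-line rewrite is the moment to escape those characters or reject them before concatenation. The default also drops the `uid=` RDN that every removed branch carried, and the nickname no longer names the instance or subsystem; if anything downstream matches the admin user on `uid` in the certificate subject, that is a behavioural change worth a comment at this line (I cannot confirm it from here). Minor style: `if not 'pki_import_admin_cert' in config.pki_master_dict` reads better as `if 'pki_import_admin_cert' not in config.pki_master_dict`, and `if not len(x)` as `if not x`. The enclosing method continues past the hunk.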