From 20b8b11f2e6cf0395f4aecc42fa1873877ed9547 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Tue, 4 Dec 2012 07:19:43 -0500
Subject: Archiving default deployment configuration.

The default deployment configuration file has been moved to /etc/pki/default.cfg to make it more accessible. The pkispawn has been modified to archieve the default deployment configuration along with the user-provided configuration in the registry. The pkidestroy has been modified to use both archived configuration files to ensure proper removal. Ticket #399
---
 base/deploy/CMakeLists.txt | 11 +-
 base/deploy/config/deployment.cfg | 315 ---------------------
 base/deploy/etc/default.cfg | 315 +++++++++++++++++++++
 base/deploy/src/pkidestroy | 52 +++-
 base/deploy/src/pkispawn | 29 +-
 base/deploy/src/scriptlets/finalization.py | 6 +-
 .../deploy/src/scriptlets/infrastructure_layout.py | 6 +-
 base/deploy/src/scriptlets/pkiconfig.py | 13 +-
 base/deploy/src/scriptlets/pkihelper.py | 52 ++--
 base/deploy/src/scriptlets/pkiparser.py | 157 +++++----
 specs/pki-core.spec | 6 +-
 11 files changed, 515 insertions(+), 447 deletions(-)
 delete mode 100644 base/deploy/config/deployment.cfg
 create mode 100644 base/deploy/etc/default.cfg

diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 3848bd499..a602d44a6 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -57,9 +57,16 @@ install(
 
 install(
     DIRECTORY
-        config
+        config/
     DESTINATION
-        ${DATA_INSTALL_DIR}/deployment
+        ${DATA_INSTALL_DIR}/deployment/config
+)
+
+install(
+    DIRECTORY
+        etc/
+    DESTINATION
+        ${SYSCONF_INSTALL_DIR}/pki
 )
 
 find_package(PythonInterp REQUIRED)
diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
deleted file mode 100644
index 316d3c8f9..000000000
--- a/base/deploy/config/deployment.cfg
+++ /dev/null
@@ -1,315 +0,0 @@ -############################################################################### -## Common Configuration: ## -## ## -## Values in this section are common to more than one PKI subsystem, and ## -## contain required information which MAY be overridden by users as ## -## necessary. ## -## ## -## There are also some meta-parameters that determine how the PKI ## -## configuratiion should work. ## -## ## -############################################################################### -[DEFAULT] - -# The sensitive_parameters contains a list of parameters which may contain -# sensitive information which must not be displayed to the console nor stored -# in log files for security reasons. -sensitive_parameters= - pki_admin_password - pki_backup_password - pki_client_database_password - pki_client_pin - pki_client_pkcs12_password - pki_clone_pkcs12_password - pki_ds_password - pki_one_time_pin - pki_pin - pki_security_domain_password - pki_token_password - -# The spawn_scriplets contains a list of scriplets to be executed by pkispawn. -spawn_scriplets= - initialization - infrastructure_layout - instance_layout - subsystem_layout - selinux_setup - webapp_deployment - slot_substitution - security_databases - configuration - finalization - -# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy. -destroy_scriplets= - initialization - configuration - webapp_deployment - subsystem_layout - security_databases - instance_layout - selinux_setup - infrastructure_layout - finalization - -# By default, the following parameters will be set for Tomcat and Apache instances. -# There is no reason to uncomment these. They are provided for reference in -# case someone wants to override them in their config file. 
-# -# Tomcat instances: -# pki_subsystem_name=pki_tomcat -# pki_https_port=8443 -# pki_http_port=8080 -# -# Apache instances: -# pki_subsystem_name=pki_tomcat -# pki_https_port=443 -# pki_http_port=80 - -pki_admin_cert_request_type=crmf -pki_admin_dualkey=False -pki_admin_keysize=2048 -pki_admin_password= -pki_audit_group=pkiaudit -pki_audit_signing_key_algorithm=SHA256withRSA -pki_audit_signing_key_size=2048 -pki_audit_signing_key_type=rsa -pki_audit_signing_signing_algorithm=SHA256withRSA -pki_audit_signing_token=Internal Key Storage Token -pki_backup_keys=False -pki_backup_password= -pki_client_database_dir= -pki_client_database_password= -pki_client_database_purge=True -pki_client_dir= -pki_client_pkcs12_password= -pki_ds_bind_dn=cn=Directory Manager -pki_ds_ldap_port=389 -pki_ds_ldaps_port=636 -pki_ds_password= -pki_ds_remove_data=True -pki_ds_secure_connection=False -pki_group=pkiuser -pki_instance_id=%(pki_instance_name)s -pki_issuing_ca= -pki_restart_configured_instance=True -pki_security_domain_hostname=%(pki_hostname)s -pki_security_domain_https_port=8443 -pki_security_domain_name=%(pki_dns_domainname)s Security Domain -pki_security_domain_password= -pki_security_domain_user= -pki_skip_configuration=False -pki_skip_installation=False -pki_ssl_server_key_algorithm=SHA256withRSA -pki_ssl_server_key_size=2048 -pki_ssl_server_key_type=rsa -pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s -pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s -pki_ssl_server_token=Internal Key Storage Token -pki_subsystem_key_algorithm=SHA256withRSA -pki_subsystem_key_size=2048 -pki_subsystem_key_type=rsa -pki_subsystem_token=Internal Key Storage Token -pki_token_name=internal -pki_token_password= -pki_user=pkiuser - -############################################################################### -## Apache Configuration: ## -## ## -## Values in this section are common to PKI subsystems that run ## -## as an instance of 'Apache' (RA and TPS 
subsystems), and contain ## -## required information which MAY be overridden by users as necessary. ## -############################################################################### -[Apache] - -############################################################################### -## Tomcat Configuration: ## -## ## -## Values in this section are common to PKI subsystems that run ## -## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## -## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ## -## required information which MAY be overridden by users as necessary. ## -## ## -## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ## -## or a 'TKS Clone', change the value of 'pki_clone' ## -## from 'False' to 'True'. ## -## ## -## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## -## are MUTUALLY EXCLUSIVE entities!!! ## -############################################################################### -[Tomcat] -pki_ajp_port=8009 -pki_clone=False -pki_clone_pkcs12_password= -pki_clone_pkcs12_path= -pki_clone_replicate_schema=True -pki_clone_replication_master_port= -pki_clone_replication_clone_port= -pki_clone_replication_security=None -pki_clone_uri= -pki_enable_java_debugger=False -pki_enable_proxy=False -pki_proxy_http_port=80 -pki_proxy_https_port=443 -pki_security_manager=true -pki_tomcat_server_port=8005 - -############################################################################### -## CA Configuration: ## -## ## -## Values in this section are common to CA subsystems including 'PKI CAs', ## -## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## -## required information which MAY be overridden by users as necessary. ## -## ## -## EXTERNAL CAs: To specify an 'External CA', change the value ## -## of 'pki_external' from 'False' to 'True'. ## -## ## -## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ## -## of 'pki_subordinate' from 'False' to 'True'. 
## -## ## -## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## -## are MUTUALLY EXCLUSIVE entities!!! ## -############################################################################### -[CA] -pki_ca_signing_key_algorithm=SHA256withRSA -pki_ca_signing_key_size=2048 -pki_ca_signing_key_type=rsa -pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA -pki_ca_signing_signing_algorithm=SHA256withRSA -pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s -pki_ca_signing_token=Internal Key Storage Token -pki_external=False -pki_external_ca_cert_chain_path= -pki_external_ca_cert_path= -pki_external_csr_path= -pki_external_step_two=False -pki_import_admin_cert=False -pki_ocsp_signing_key_algorithm=SHA256withRSA -pki_ocsp_signing_key_size=2048 -pki_ocsp_signing_key_type=rsa -pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA -pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s -pki_ocsp_signing_token=Internal Key Storage Token -pki_subordinate=False -pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s -pki_admin_name=%(pki_admin_uid)s -pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s -pki_admin_uid=caadmin -pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA -pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s -pki_ds_base_dn=o=%(pki_instance_id)s-CA -pki_ds_database=%(pki_instance_name)s-CA -pki_ds_hostname=%(pki_hostname)s -pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s -pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA -pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s - - -############################################################################### -## KRA Configuration: ## -## 
## -## Values in this section are common to KRA subsystems ## -## including 'PKI KRAs' and 'Cloned KRAs', and contain ## -## required information which MAY be overridden by users as necessary. ## -############################################################################### -[KRA] -pki_import_admin_cert=True -pki_storage_key_algorithm=SHA256withRSA -pki_storage_key_size=2048 -pki_storage_key_type=rsa -pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA -pki_storage_signing_algorithm=SHA256withRSA -pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s -pki_storage_token=Internal Key Storage Token -pki_transport_key_algorithm=SHA256withRSA -pki_transport_key_size=2048 -pki_transport_key_type=rsa -pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA -pki_transport_signing_algorithm=SHA256withRSA -pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s -pki_transport_token=Internal Key Storage Token -pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s -pki_admin_name=%(pki_admin_uid)s -pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s -pki_admin_uid=kraadmin -pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA -pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s -pki_ds_base_dn=o=%(pki_instance_id)s-KRA -pki_ds_database=%(pki_instance_name)s-KRA -pki_ds_hostname=%(pki_hostname)s -pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s -pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA -pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s - -############################################################################### -## OCSP Configuration: ## -## ## -## Values in this section are common to OCSP subsystems ## -## including 'PKI OCSPs' and 'Cloned OCSPs', and 
contain ## -## required information which MAY be overridden by users as necessary. ## -############################################################################### -[OCSP] -pki_import_admin_cert=True -pki_ocsp_signing_key_algorithm=SHA256withRSA -pki_ocsp_signing_key_size=2048 -pki_ocsp_signing_key_type=rsa -pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP -pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s -pki_ocsp_signing_token=Internal Key Storage Token -pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s -pki_admin_name=%(pki_admin_uid)s -pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s -pki_admin_uid=ocspadmin -pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP -pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s -pki_ds_base_dn=o=%(pki_instance_id)s-OCSP -pki_ds_database=%(pki_instance_name)s-OCSP -pki_ds_hostname=%(pki_hostname)s -pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s -pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP -pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s - -############################################################################### -## RA Configuration: ## -## ## -## Values in this section are common to PKI RA subsystems, and contain ## -## required information which MAY be overridden by users as necessary. 
## -############################################################################### -[RA] - -############################################################################### -## TKS Configuration: ## -## ## -## Values in this section are common to TKS subsystems ## -## including 'PKI TKSs' and 'Cloned TKSs', and contain ## -## required information which MAY be overridden by users as necessary. ## -############################################################################### -[TKS] -pki_import_admin_cert=True -pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s -pki_admin_name=%(pki_admin_uid)s -pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s -pki_admin_uid=tksadmin -pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS -pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s -pki_ds_base_dn=o=%(pki_instance_id)s-TKS -pki_ds_database=%(pki_instance_name)s-TKS -pki_ds_hostname=%(pki_hostname)s -pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s -pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS -pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s - -############################################################################### -## TPS Configuration: ## -## ## -## Values in this section are common to PKI TPS subsystems, and contain ## -## required information which MAY be overridden by users as necessary. ## -############################################################################### -[TPS] diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg new file mode 100644 index 000000000..316d3c8f9 --- /dev/null +++ b/base/deploy/etc/default.cfg 
@@ -0,0 +1,315 @@ +############################################################################### +## Common Configuration: ## +## ## +## Values in this section are common to more than one PKI subsystem, and ## +## contain required information which MAY be overridden by users as ## +## necessary. ## +## ## +## There are also some meta-parameters that determine how the PKI ## +## configuratiion should work. ## +## ## +############################################################################### +[DEFAULT] + +# The sensitive_parameters contains a list of parameters which may contain +# sensitive information which must not be displayed to the console nor stored +# in log files for security reasons. +sensitive_parameters= + pki_admin_password + pki_backup_password + pki_client_database_password + pki_client_pin + pki_client_pkcs12_password + pki_clone_pkcs12_password + pki_ds_password + pki_one_time_pin + pki_pin + pki_security_domain_password + pki_token_password + +# The spawn_scriplets contains a list of scriplets to be executed by pkispawn. +spawn_scriplets= + initialization + infrastructure_layout + instance_layout + subsystem_layout + selinux_setup + webapp_deployment + slot_substitution + security_databases + configuration + finalization + +# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy. +destroy_scriplets= + initialization + configuration + webapp_deployment + subsystem_layout + security_databases + instance_layout + selinux_setup + infrastructure_layout + finalization + +# By default, the following parameters will be set for Tomcat and Apache instances. +# There is no reason to uncomment these. They are provided for reference in +# case someone wants to override them in their config file. 
+# +# Tomcat instances: +# pki_subsystem_name=pki_tomcat +# pki_https_port=8443 +# pki_http_port=8080 +# +# Apache instances: +# pki_subsystem_name=pki_tomcat +# pki_https_port=443 +# pki_http_port=80 + +pki_admin_cert_request_type=crmf +pki_admin_dualkey=False +pki_admin_keysize=2048 +pki_admin_password= +pki_audit_group=pkiaudit +pki_audit_signing_key_algorithm=SHA256withRSA +pki_audit_signing_key_size=2048 +pki_audit_signing_key_type=rsa +pki_audit_signing_signing_algorithm=SHA256withRSA +pki_audit_signing_token=Internal Key Storage Token +pki_backup_keys=False +pki_backup_password= +pki_client_database_dir= +pki_client_database_password= +pki_client_database_purge=True +pki_client_dir= +pki_client_pkcs12_password= +pki_ds_bind_dn=cn=Directory Manager +pki_ds_ldap_port=389 +pki_ds_ldaps_port=636 +pki_ds_password= +pki_ds_remove_data=True +pki_ds_secure_connection=False +pki_group=pkiuser +pki_instance_id=%(pki_instance_name)s +pki_issuing_ca= +pki_restart_configured_instance=True +pki_security_domain_hostname=%(pki_hostname)s +pki_security_domain_https_port=8443 +pki_security_domain_name=%(pki_dns_domainname)s Security Domain +pki_security_domain_password= +pki_security_domain_user= +pki_skip_configuration=False +pki_skip_installation=False +pki_ssl_server_key_algorithm=SHA256withRSA +pki_ssl_server_key_size=2048 +pki_ssl_server_key_type=rsa +pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s +pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s +pki_ssl_server_token=Internal Key Storage Token +pki_subsystem_key_algorithm=SHA256withRSA +pki_subsystem_key_size=2048 +pki_subsystem_key_type=rsa +pki_subsystem_token=Internal Key Storage Token +pki_token_name=internal +pki_token_password= +pki_user=pkiuser + +############################################################################### +## Apache Configuration: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 'Apache' (RA and TPS 
subsystems), and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[Apache] + +############################################################################### +## Tomcat Configuration: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## +## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ## +## required information which MAY be overridden by users as necessary. ## +## ## +## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ## +## or a 'TKS Clone', change the value of 'pki_clone' ## +## from 'False' to 'True'. ## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! ## +############################################################################### +[Tomcat] +pki_ajp_port=8009 +pki_clone=False +pki_clone_pkcs12_password= +pki_clone_pkcs12_path= +pki_clone_replicate_schema=True +pki_clone_replication_master_port= +pki_clone_replication_clone_port= +pki_clone_replication_security=None +pki_clone_uri= +pki_enable_java_debugger=False +pki_enable_proxy=False +pki_proxy_http_port=80 +pki_proxy_https_port=443 +pki_security_manager=true +pki_tomcat_server_port=8005 + +############################################################################### +## CA Configuration: ## +## ## +## Values in this section are common to CA subsystems including 'PKI CAs', ## +## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## +## required information which MAY be overridden by users as necessary. ## +## ## +## EXTERNAL CAs: To specify an 'External CA', change the value ## +## of 'pki_external' from 'False' to 'True'. ## +## ## +## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ## +## of 'pki_subordinate' from 'False' to 'True'. 
## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! ## +############################################################################### +[CA] +pki_ca_signing_key_algorithm=SHA256withRSA +pki_ca_signing_key_size=2048 +pki_ca_signing_key_type=rsa +pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA +pki_ca_signing_signing_algorithm=SHA256withRSA +pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s +pki_ca_signing_token=Internal Key Storage Token +pki_external=False +pki_external_ca_cert_chain_path= +pki_external_ca_cert_path= +pki_external_csr_path= +pki_external_step_two=False +pki_import_admin_cert=False +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA +pki_ocsp_signing_signing_algorithm=SHA256withRSA +pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token +pki_subordinate=False +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=caadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA +pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-CA +pki_ds_database=%(pki_instance_name)s-CA +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA +pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s + + +############################################################################### +## KRA Configuration: ## +## 
## +## Values in this section are common to KRA subsystems ## +## including 'PKI KRAs' and 'Cloned KRAs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[KRA] +pki_import_admin_cert=True +pki_storage_key_algorithm=SHA256withRSA +pki_storage_key_size=2048 +pki_storage_key_type=rsa +pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA +pki_storage_signing_algorithm=SHA256withRSA +pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s +pki_storage_token=Internal Key Storage Token +pki_transport_key_algorithm=SHA256withRSA +pki_transport_key_size=2048 +pki_transport_key_type=rsa +pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA +pki_transport_signing_algorithm=SHA256withRSA +pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s +pki_transport_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=kraadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA +pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-KRA +pki_ds_database=%(pki_instance_name)s-KRA +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA +pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s + +############################################################################### +## OCSP Configuration: ## +## ## +## Values in this section are common to OCSP subsystems ## +## including 'PKI OCSPs' and 'Cloned OCSPs', and 
contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[OCSP] +pki_import_admin_cert=True +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP +pki_ocsp_signing_signing_algorithm=SHA256withRSA +pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=ocspadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP +pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-OCSP +pki_ds_database=%(pki_instance_name)s-OCSP +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP +pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s + +############################################################################### +## RA Configuration: ## +## ## +## Values in this section are common to PKI RA subsystems, and contain ## +## required information which MAY be overridden by users as necessary. 
## +############################################################################### +[RA] + +############################################################################### +## TKS Configuration: ## +## ## +## Values in this section are common to TKS subsystems ## +## including 'PKI TKSs' and 'Cloned TKSs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[TKS] +pki_import_admin_cert=True +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=tksadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS +pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-TKS +pki_ds_database=%(pki_instance_name)s-TKS +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS +pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s + +############################################################################### +## TPS Configuration: ## +## ## +## Values in this section are common to PKI TPS subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[TPS] diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 9e0a37396..7d30d743a 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy 
@@ -52,6 +52,8 @@ error was:
 def main(argv):
     "main entry point"
 
+    config.pki_deployment_executable = os.path.basename(argv[0])
+
     # Only run this program as "root".
     if not os.geteuid() == 0:
         sys.exit("'%s' must be run as root!" % argv[0])
@@ -88,8 +90,54 @@ def main(argv):
         sys.exit(1)
 
     # Read and process command-line arguments.
-    parser = PKIConfigParser()
-    parser.process_command_line_arguments(argv)
+    parser = PKIConfigParser(
+        'PKI Instance Removal',
+        log.PKIDESTROY_EPILOG)
+
+    parser.mandatory.add_argument('-i',
+        dest='pki_deployed_instance_name',
+        action='store',
+        nargs=1, required=True, metavar='',
+        help='FORMAT: ${pki_instance_name}')
+
+    args = parser.process_command_line_arguments(argv)
+
+    # -i
+    config.pki_deployed_instance_name =\
+        str(args.pki_deployed_instance_name).strip('[\']')
+
+    # verify that previously deployed instance exists
+    deployed_pki_instance_path = config.pki_root_prefix +\
+        config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\
+        config.pki_deployed_instance_name
+    if not os.path.exists(deployed_pki_instance_path):
+        print "ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\
+            deployed_pki_instance_path
+        print
+        parser.arg_parser.exit(-1);
+
+    # verify that previously deployed subsystem for this instance exists
+    deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\
+        config.pki_subsystem.lower()
+    if not os.path.exists(deployed_pki_subsystem_path):
+        print "ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\
+            (config.pki_subsystem, deployed_pki_instance_path)
+        print
+        parser.arg_parser.exit(-1);
+
+    # establish complete path to previously deployed configuration file
+    config.default_deployment_cfg =\
+        deployed_pki_subsystem_path + "/" +\
+        "registry" + "/" +\
+        config.pki_subsystem.lower() + "/" +\
+        config.DEFAULT_DEPLOYMENT_CONFIGURATION
+    config.user_deployment_cfg =\
+        deployed_pki_subsystem_path + "/" +\
+        "registry" + "/" +\
+        config.pki_subsystem.lower() + "/" +\
+        config.USER_DEPLOYMENT_CONFIGURATION
+
+    parser.validate()
 
     # Enable 'pkidestroy' logging.
     config.pki_log_dir = config.pki_root_prefix +\
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 21da9aef7..f64d79575 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
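Review bot: The `-i` value is spliced straight into a filesystem path with no check that it is a bare instance name, so `deployed_pki_instance_path` can resolve outside `PKI_DEPLOYMENT_BASE_ROOT` when the argument contains a path separator or `..`, and both `os.path.exists` checks still pass for such a path; since pkidestroy runs as root and tears down what it finds there, the name should be rejected unless `os.path.basename(name) == name` and it is not empty, `.` or `..`. The `str(args.pki_deployed_instance_name).strip('[\']')` idiom recovers the single `nargs=1` value by stringifying the list, which also strips a leading `[`/`'` or trailing `]` from a legitimate value; `args.pki_deployed_instance_name[0]` is exact, and pkispawn's `-f` handling uses the same pattern. `parser.arg_parser.exit(-1);` carries a stray semicolon and exits with status 255 on POSIX; `exit(1)` is the conventional failure status. Whether `parser.validate()` later checks that the two archived configuration files exist is not visible in this hunk. main continues outside the hunk.

```python
    # -i
    config.pki_deployed_instance_name = args.pki_deployed_instance_name[0]

    # accept only a bare instance name: no path separators, not '.'/'..'
    name = config.pki_deployed_instance_name
    if not name or name in ('.', '..') or os.path.basename(name) != name:
        print "ERROR: invalid instance name '%s'" % name
        print
        parser.arg_parser.exit(1)

    # verify that previously deployed instance exists
    deployed_pki_instance_path = os.path.join(
        config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT, name)
    # ... unchanged: existence checks, subsystem path, archived cfg paths, validate() ...
```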
@@ -52,6 +52,8 @@ error was:
 def main(argv):
     "main entry point"
 
+    config.pki_deployment_executable = os.path.basename(argv[0])
+
     # Only run this program as "root".
     if not os.geteuid() == 0:
         sys.exit("'%s' must be run as root!" % argv[0])
@@ -88,8 +90,31 @@ def main(argv):
         sys.exit(1)
 
     # Read and process command-line arguments.
-    parser = PKIConfigParser()
-    parser.process_command_line_arguments(argv)
+    parser = PKIConfigParser(
+        'PKI Instance Installation and Configuration',
+        log.PKISPAWN_EPILOG)
+
+    parser.mandatory.add_argument('-f',
+        dest='user_deployment_cfg', action='store',
+        nargs=1, required=True, metavar='',
+        help='configuration filename '
+             '(MUST specify complete path)')
+
+    parser.optional.add_argument('-u',
+        dest='pki_update_flag', action='store_true',
+        help='update instance of specified subsystem')
+
+    args = parser.process_command_line_arguments(argv)
+
+    config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+
+    # -f
+    config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']')
+
+    # -u
+    config.pki_update_flag = args.pki_update_flag
+
+    parser.validate()
 
     if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\
         "/" + config.pki_subsystem.lower()):
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 55a007bca..ec8fa6eff 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
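Review bot: The `-f` help text says the value MUST be a complete path, but nothing in this hunk enforces it before `config.user_deployment_cfg` is stored, so a relative argument would presumably be resolved against the current directory of a root-run command unless `parser.validate()` (outside this hunk) rejects it; a guard such as `if not os.path.isabs(config.user_deployment_cfg): parser.arg_parser.exit(1)` next to the assignment would make the promise true. This file is where `pki_ds_password`, `pki_admin_password` and the other `sensitive_parameters` entries are expected (the pkihelper hunks report missing ones against it), so checking that it is not group- or world-readable and warning when it is would be a cheap safeguard at the same spot. The `str(args.user_deployment_cfg).strip('[\']')` unpacking is the pattern already noted on the pkidestroy hunk. main continues outside the hunk.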
@@ -41,8 +41,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                             extra=config.PKI_INDENTATION_LEVEL_1)
         # For debugging/auditing purposes, save a timestamped copy of
         # this configuration file in the subsystem archive
-        util.file.copy(master['pki_deployment_cfg_replica'],
-                       master['pki_deployment_cfg_spawn_archive'])
+        util.file.copy(master['pki_default_deployment_cfg_replica'],
+                       master['pki_default_deployment_cfg_spawn_archive'])
+        util.file.copy(master['pki_user_deployment_cfg_replica'],
+                       master['pki_user_deployment_cfg_spawn_archive'])
         # Save a copy of the installation manifest file
         config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'],
                             extra=config.PKI_INDENTATION_LEVEL_2)
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index 8eed598cd..947fbcdfe 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -56,8 +56,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         util.directory.create(master['pki_instance_type_registry_path'])
         util.directory.create(master['pki_instance_registry_path'])
         util.directory.create(master['pki_subsystem_registry_path'])
-        util.file.copy(master['pki_deployment_cfg'],
-                       master['pki_deployment_cfg_replica'])
+        util.file.copy(master['pki_default_deployment_cfg'],
+                       master['pki_default_deployment_cfg_replica'])
+        util.file.copy(master['pki_user_deployment_cfg'],
+                       master['pki_user_deployment_cfg_replica'])
         # establish top-level infrastructure, instance, and subsystem
         # base directories and create the "registry" symbolic link that
         # the "pkidestroy" executable relies upon
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index ec6c5ea38..717b596fb 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
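Review bot: The archived copy of the user deployment configuration written here, and the registry replica written by the matching hunk in infrastructure_layout.py, carry the values pkihelper requires from that file — `pki_ds_password`, `pki_admin_password`, `pki_client_pkcs12_password` and the other entries listed under `sensitive_parameters` in default.cfg — and nothing in either hunk shows the copies being created with a restrictive mode or owner. Unless `util.file.copy` already does this, the copies should be written 0600 for the owner the instance expects rather than inheriting whatever mode the administrator's source file had, since the archive is kept for the life of the instance "for debugging/auditing purposes". The comment above the calls still describes a single file; `# For debugging/auditing purposes, save timestamped copies of the default and user configuration files in the subsystem archive` would match the two calls. The enclosing method continues outside the hunk.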
@@ -100,13 +100,13 @@ PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVICE_NAME = "tomcat" PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache" PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat" -PKI_DEPLOYMENT_CONFIGURATION_DIR =\ - "/usr/share/pki/deployment/config" -PKI_DEPLOYMENT_CONFIGURATION_FILE = "deployment.cfg" +DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg" +USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg" + PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_CONFIGURATION_DIR + "/" + PKI_DEPLOYMENT_CONFIGURATION_FILE + "/etc/pki/" + DEFAULT_DEPLOYMENT_CONFIGURATION PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_CONFIGURATION_DIR + "/pkislots.cfg" + "/usr/share/pki/deployment/config/pkislots.cfg" # subtypes of PKI subsystems PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned" @@ -140,7 +140,8 @@ pki_deployment_executable = None # PKI Deployment "Mandatory" Command-Line Variables pki_subsystem = None # 'pkispawn' ONLY -pkideployment_cfg = None +default_deployment_cfg = None +user_deployment_cfg = None # 'pkidestroy' ONLY pki_deployed_instance_name = None diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 8be6c5c5d..2d7b75938 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -442,7 +442,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Admin Password (except for Clones) @@ -452,7 +452,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_admin_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # If required, verify existence of Backup Password 
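Review bot: `PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE` now hardcodes the `/etc/pki/` prefix while the spec file installs the same file under `%{_sysconfdir}/pki/`, so a build that sets the sysconf directory elsewhere produces a package whose default file pkispawn cannot find; the `-p` test prefix (`pki_root_prefix`) is not applied to it either, because the full path is fixed at import time. Consider keeping the directory in one constant (a `PKI_DEPLOYMENT_SYSCONF_DIR`-style name, or a value substituted by the build) and composing the full path where `pki_root_prefix` is known. A comment on the constant noting that this file is read into the same parser as the user configuration by a root process — so it must stay root-owned and not writable by others — would make the trust assumption explicit. The removed `PKI_DEPLOYMENT_CONFIGURATION_DIR` may still be referenced by modules not shown here; worth a grep before merging.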
@@ -462,7 +462,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_backup_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client Pin for NSS client security databases @@ -471,7 +471,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, "pki_client_database_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client PKCS #12 Password for Admin Cert @@ -480,7 +480,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_client_pkcs12_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of PKCS #12 Password (ONLY for Clones) @@ -490,7 +490,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_pkcs12_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Security Domain Password File @@ -503,7 +503,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_security_domain_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # If required, verify existence of Token Password @@ -513,7 +513,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_token_password", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) return 
@@ -527,28 +527,28 @@ class configuration_file: config.str2bool(master['pki_subordinate']): config.pki_log.error( log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA, - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif config.str2bool(master['pki_clone']) and\ config.str2bool(master['pki_external']): config.pki_log.error( log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA, - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif config.str2bool(master['pki_clone']) and\ config.str2bool(master['pki_subordinate']): config.pki_log.error( log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA, - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif config.str2bool(master['pki_external']) and\ config.str2bool(master['pki_subordinate']): config.pki_log.error( log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA, - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) @@ -571,7 +571,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_base_dn", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_ds_ldap_port') or\ @@ -582,7 +582,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_ldap_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_ds_ldaps_port') or\ 
@@ -593,7 +593,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_ldaps_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # NOTE: Although this will be checked prior to getting to @@ -609,7 +609,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ajp_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_http_port') or\ @@ -620,7 +620,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_http_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_https_port') or\ @@ -631,7 +631,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_https_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_tomcat_server_port') or\ @@ -642,7 +642,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_tomcat_server_port", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_clone_pkcs12_path') or\ @@ -650,7 +650,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_pkcs12_path", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif not os.path.isfile(master['pki_clone_pkcs12_path']): 
@@ -664,7 +664,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_replication_security", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not master.has_key('pki_clone_uri') or\ @@ -672,7 +672,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_uri", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif master['pki_subsystem'] == "CA" and\ @@ -682,7 +682,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_external_step_two", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not config.str2bool(master['pki_step_two']): @@ -691,7 +691,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_external_csr_path", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif not os.path.isfile(master['pki_external_csr_path']): @@ -706,7 +706,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_external_ca_cert_chain_path", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif not os.path.isfile( @@ -721,7 +721,7 @@ class configuration_file: config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_external_ca_cert_path", - master['pki_deployment_cfg'], + master['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) elif not os.path.isfile( diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 6109e7486..04b165217 100644 
--- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py 
@@ -41,80 +41,52 @@ class PKIConfigParser: COMMENT_CHAR = '#' OPTION_CHAR = '=' - def __init__(self): + def __init__(self, description, epilog): self.pki_config = None - # PKI Deployment Helper Functions - def process_command_line_arguments(self, argv): "Read and process command-line options" - config.pki_deployment_executable = os.path.basename(argv[0]) - description = None - if config.pki_deployment_executable == 'pkispawn': - description = 'PKI Instance Installation and Configuration' - epilog = log.PKISPAWN_EPILOG - elif config.pki_deployment_executable == 'pkidestroy': - description = 'PKI Instance Removal' - epilog = log.PKIDESTROY_EPILOG - parser = argparse.ArgumentParser( + self.arg_parser = argparse.ArgumentParser( description=description, add_help=False, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=epilog) + # Establish 'Mandatory' command-line options - mandatory = parser.add_argument_group('mandatory arguments') - mandatory.add_argument('-s', + self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') + self.mandatory.add_argument('-s', dest='pki_subsystem', action='store', nargs=1, choices=config.PKI_SUBSYSTEMS, required=True, metavar='', help='where is ' 'CA, KRA, OCSP, RA, TKS, or TPS') - if config.pki_deployment_executable == 'pkispawn': - mandatory.add_argument('-f', - dest='pkideployment_cfg', action='store', - nargs=1, required=True, metavar='', - help='configuration filename ' - '(MUST specify complete path)') - elif config.pki_deployment_executable == 'pkidestroy': - mandatory.add_argument('-i', - dest='pki_deployed_instance_name', - action='store', - nargs=1, required=True, metavar='', - help='FORMAT: ${pki_instance_name}') # Establish 'Optional' command-line options - optional = parser.add_argument_group('optional arguments') - optional.add_argument('-h', '--help', + self.optional = self.arg_parser.add_argument_group('optional arguments') + self.optional.add_argument('-h', '--help', dest='help', action='help', 
help='show this help message and exit') - if config.pki_deployment_executable == 'pkispawn': - optional.add_argument('-u', - dest='pki_update_flag', action='store_true', - help='update instance of specified subsystem') - optional.add_argument('-v', + self.optional.add_argument('-v', dest='pki_verbosity', action='count', help='display verbose information (details below)') + # Establish 'Test' command-line options - test = parser.add_argument_group('test arguments') + test = self.arg_parser.add_argument_group('test arguments') test.add_argument('-p', dest='pki_root_prefix', action='store', nargs=1, metavar='', help='directory prefix to specify local directory ' '[TEST ONLY]') + + # PKI Deployment Helper Functions + def process_command_line_arguments(self, argv): + # Parse command-line options - args = parser.parse_args() + args = self.arg_parser.parse_args() + # Process 'Mandatory' command-line options # '-s' config.pki_subsystem = str(args.pki_subsystem).strip('[\']') - if config.pki_deployment_executable == 'pkispawn': - # '-f' - config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']') - elif config.pki_deployment_executable == 'pkidestroy': - # '-i' - config.pki_deployed_instance_name =\ - str(args.pki_deployed_instance_name).strip('[\']') + # Process 'Optional' command-line options - if config.pki_deployment_executable == 'pkispawn': - # '-u' - config.pki_update_flag = args.pki_update_flag # '-v' if args.pki_verbosity == 1: config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL 
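Review bot: The docstring `"Read and process command-line options"` now sits in `__init__`, which only builds the argparse parser and its `mandatory`/`optional`/`test` groups, while `process_command_line_arguments` and the new `validate` method (the `@@ -131` hunk) have no docstring at all. Move the string to `process_command_line_arguments`, give `__init__` something like `"Build the argparse parser; callers add executable-specific options via self.mandatory/self.optional before calling process_command_line_arguments"`, and give `validate` a one-line summary of the checks it performs. `process_command_line_arguments(self, argv)` also still ignores `argv` and calls `self.arg_parser.parse_args()` on `sys.argv`; passing `argv[1:]` would make the parameter honest and the method testable. The `test` group is kept in a local rather than `self.test`, so callers cannot extend it the way they can the other two. The hunk ends in the middle of `process_command_line_arguments`.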
@@ -131,17 +103,24 @@ class PKIConfigParser: elif args.pki_verbosity > 3: print "ERROR: " + log.PKI_VERBOSITY_LEVELS_MESSAGE print - parser.print_help() - parser.exit(-1); + self.arg_parser.print_help() + self.arg_parser.exit(-1); else: # Set default log levels config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL config.pki_console_log_level = logging.WARNING config.pki_log_level = logging.INFO + # Process 'Test' command-line options # '-p' if not args.pki_root_prefix is None: config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']') + + return args + + + def validate(self): + # Validate command-line options if config.pki_root_prefix is None or\ len(config.pki_root_prefix) == 0: 
@@ -152,42 +131,28 @@ class PKIConfigParser: log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\ config.pki_root_prefix print - parser.print_help() - parser.exit(-1); - if config.pki_deployment_executable == 'pkidestroy': - # verify that previously deployed instance exists - deployed_pki_instance_path = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\ - config.pki_deployed_instance_name - if not os.path.exists(deployed_pki_instance_path): - print "ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\ - deployed_pki_instance_path - print - parser.exit(-1); - # verify that previously deployed subsystem for this instance exists - deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\ - config.pki_subsystem.lower() - if not os.path.exists(deployed_pki_subsystem_path): - print "ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\ - (config.pki_subsystem, deployed_pki_instance_path) - print - parser.exit(-1); - # establish complete path to previously deployed configuration file - config.pkideployment_cfg =\ - deployed_pki_subsystem_path + "/" +\ - "registry" + "/" +\ - config.pki_subsystem.lower() + "/" +\ - config.PKI_DEPLOYMENT_CONFIGURATION_FILE - # always verify that configuration file exists - if not os.path.exists(config.pkideployment_cfg) or\ - not os.path.isfile(config.pkideployment_cfg): + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + # always default that configuration file exists + if not os.path.exists(config.default_deployment_cfg) or\ + not os.path.isfile(config.default_deployment_cfg): print "ERROR: " +\ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.pkideployment_cfg + config.default_deployment_cfg print - parser.print_help() - parser.exit(-1); - return + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + # verify user configuration file exists + if not os.path.exists(config.user_deployment_cfg) or\ + not os.path.isfile(config.user_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ 
+ config.user_deployment_cfg + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); # The following code is based heavily upon @@ -238,8 +203,8 @@ class PKIConfigParser: # Make keys case-sensitive! self.pki_config.optionxform = str self.pki_config.read([ - config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE, - config.pkideployment_cfg]) + config.default_deployment_cfg, + config.user_deployment_cfg]) config.pki_default_dict = dict(self.pki_config.items('DEFAULT')) pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split() if config.pki_subsystem == "CA": @@ -285,7 +250,8 @@ class PKIConfigParser: config.pki_master_dict['pki_architecture'] = config.pki_architecture config.pki_master_dict['pki_jython_log_level'] =\ config.pki_jython_log_level - config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg + config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg + config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg config.pki_master_dict['pki_deployed_instance_name'] =\ config.pki_deployed_instance_name # Generate random 'pin's for use as security database passwords 
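Review bot: The comment `# always default that configuration file exists` on the new default-file check reads as a typo; `# always verify that the default configuration file exists` says what the code does. In both new checks `os.path.exists(...)` is redundant because `os.path.isfile()` already returns False for a missing path, so each condition can be `if not os.path.isfile(config.default_deployment_cfg):`. Beyond existence, `validate()` is a natural place to warn when the user file — which supplies `pki_ds_password`, `pki_admin_password` and the other entries the helper checks — is group- or world-readable (for example testing `os.stat(path).st_mode` against `stat.S_IRWXG | stat.S_IRWXO`), since the process runs as root and copies the file into the registry unchanged. `validate` continues past the hunk.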
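Review bot: `self.pki_config.read([...])` silently skips any file it cannot open and returns the list of files it actually parsed; `validate()` only checks that the two paths exist, so an open failure (a permission or SELinux denial, for instance) would surface later as a confusing missing-key error rather than at the read. Capturing the result, `read_files = self.pki_config.read([...])`, and failing when `len(read_files) != 2` reports the real cause. The order (default first, user second) is what lets the user file override defaults, which is worth stating in a comment on that line, e.g. `# later files override earlier ones: user settings win over /etc defaults`. The enclosing method starts and ends outside the hunk.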
@@ -1568,18 +1534,31 @@ class PKIConfigParser: config.pki_master_dict['pki_storage_tag'] = "storage" # Finalization name/value pairs - config.pki_master_dict['pki_deployment_cfg_replica'] =\ + config.pki_master_dict['pki_default_deployment_cfg_replica'] =\ os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.PKI_DEPLOYMENT_CONFIGURATION_FILE) - config.pki_master_dict['pki_deployment_cfg_spawn_archive'] =\ + config.DEFAULT_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_user_deployment_cfg_replica'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.USER_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_default_deployment_cfg_spawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "spawn" + "_" +\ + config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\ config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ "spawn" + "_" +\ - config.PKI_DEPLOYMENT_CONFIGURATION_FILE + "." +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" +\ + config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\ config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ "respawn" + "_" +\ - config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + "." +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." +\ config.pki_master_dict['pki_timestamp'] config.pki_master_dict['pki_manifest'] =\ config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\ 
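Review bot: The two replica paths are built with `os.path.join` while the four archive paths directly below them are built with `+ "/" +` string concatenation, and the four archive blocks differ only in the `"spawn"`/`"respawn"` prefix and the configuration name. A small local helper removes the repetition, makes the naming scheme (`<prefix>_<cfgname>.<timestamp>`) visible in one place, and uses `os.path.join` consistently. The enclosing method starts and ends outside the hunk.
```python
        # Finalization name/value pairs
        archive_log_path =\
            config.pki_master_dict['pki_subsystem_archive_log_path']
        timestamp = config.pki_master_dict['pki_timestamp']

        def archive_path(prefix, cfg_name):
            # <prefix>_<cfg_name>.<timestamp> in the subsystem archive directory
            return os.path.join(archive_log_path,
                                "%s_%s.%s" % (prefix, cfg_name, timestamp))

        # … unchanged: pki_default_deployment_cfg_replica / pki_user_deployment_cfg_replica …
        config.pki_master_dict['pki_default_deployment_cfg_spawn_archive'] =\
            archive_path("spawn", config.DEFAULT_DEPLOYMENT_CONFIGURATION)
        config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\
            archive_path("spawn", config.USER_DEPLOYMENT_CONFIGURATION)
        config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\
            archive_path("respawn", config.DEFAULT_DEPLOYMENT_CONFIGURATION)
        config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\
            archive_path("respawn", config.USER_DEPLOYMENT_CONFIGURATION)
        # … unchanged: pki_manifest and following entries …
```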
diff --git a/specs/pki-core.spec b/specs/pki-core.spec index d0cdfcb2f..aba656b79 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: pki-core Version: 10.0.0 -Release: %{?relprefix}53%{?prerel}%{?dist} +Release: %{?relprefix}54%{?prerel}%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -816,6 +816,7 @@ fi %{python_sitelib}/pki/_* %{python_sitelib}/pki/deployment/ %dir %{_datadir}/pki/deployment +%{_sysconfdir}/pki/default.cfg %{_datadir}/pki/deployment/config/ %dir %{_datadir}/pki/scripts %{_datadir}/pki/scripts/operations @@ -958,6 +959,9 @@ fi %changelog +* Tue Dec 4 2012 Endi S. Dewata 10.0.0-0.54.b3 +- Moved default deployment configuration to /etc/pki. + * Mon Nov 19 2012 Ade Lee 10.0.0-0.53.b3 - Cleaned up spec file to provide only support rhel 7+, f17+ - Added resteasy-base dependency for rhel 7 -- cgit
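Review bot: `%{_sysconfdir}/pki/default.cfg` is added to the file list as a plain file, so an RPM upgrade will silently overwrite any local changes an administrator makes after the file was moved to `/etc/pki` to be more accessible; mark it `%config(noreplace) %{_sysconfdir}/pki/default.cfg` if local edits are intended (or `%config` if upstream changes should win and the old copy be kept as `.rpmsave`). Because pkispawn reads this file as root, it should also remain root-owned and not writable by others; the default attributes do that unless a `%defattr` earlier in the section says otherwise, which is not visible here. The version bump and changelog entry are fine as they are.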