From 55a12b03a24f584649be425554a3df4e00731b9b Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Wed, 28 Nov 2012 04:09:56 -0500
Subject: Reorganized configuration parameters.
---
 base/deploy/config/pkideployment.cfg | 45 +++++++++++++++---------
 base/deploy/src/pkidestroy | 2 +-
 base/deploy/src/pkispawn | 2 +-
 base/deploy/src/scriptlets/configuration.jy | 17 ++++-----
 base/deploy/src/scriptlets/configuration.py | 3 +-
 base/deploy/src/scriptlets/pkiconfig.py | 2 +-
 base/deploy/src/scriptlets/pkihelper.py | 45 +++++++++++-------------
 base/deploy/src/scriptlets/pkijython.py | 16 ++++-----
 base/deploy/src/scriptlets/pkimessages.py | 2 +-
 base/deploy/src/scriptlets/pkiparser.py | 41 +++++++++++----------
 base/deploy/src/scriptlets/security_databases.py | 5 ++-
 11 files changed, 92 insertions(+), 88 deletions(-)
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 6630907a7..958248412 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,21 +1,24 @@ ############################################################################### -## 'Sensitive' Data: ## -## ## -## Values in this section pertain to various PKI subsystems, and contain ## -## required 'sensitive' information which MUST ALWAYS be provided by users. ## -## ## -## IMPORTANT: Sensitive data values must NEVER be displayed to the ## -## console NOR stored in log files!!! ## -############################################################################### -[Sensitive] -pki_admin_password= -pki_backup_password= -pki_client_database_password= -pki_client_pkcs12_password= -pki_clone_pkcs12_password= -pki_ds_password= -pki_security_domain_password= -pki_token_password= +## 'Sensitive' Parameters: ## +## ## +## Parameters listed in below pertain to various PKI subsystems, and ## +## contain 'sensitive' information which must NEVER be displayed to the ## +## console NOR stored in log files!!! ## +############################################################################### +[DEFAULT] +sensitive_parameters= + pki_admin_password + pki_backup_password + pki_client_database_password + pki_client_pkcs12_password + pki_clone_pkcs12_password + pki_ds_password + pki_security_domain_password + pki_token_password + pki_pin + pki_client_pin + pki_one_time_pin + ############################################################################### ## 'Common' Data: ## ## ## @@ -36,6 +39,7 @@ pki_admin_name= pki_admin_nickname= pki_admin_subject_dn= pki_admin_uid= +pki_admin_password= pki_audit_group=pkiaudit pki_audit_signing_key_algorithm=SHA256withRSA pki_audit_signing_key_size=2048 
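Review bot: The `sensitive_parameters` list in the new `[DEFAULT]` section names `pki_pin`, `pki_client_pin` and `pki_one_time_pin`, which have no entry anywhere in this file, and nothing here says where they come from. A one-line comment above the list, `# pki_pin, pki_client_pin and pki_one_time_pin are generated at deployment time by pkiparser and are never read from this file`, would stop a reader from adding them as empty keys or reporting them as missing. The rewritten header also reads "Parameters listed in below pertain", which should be "Parameters listed below pertain". Keep in mind that ConfigParser merges `[DEFAULT]` keys into every section, so `sensitive_parameters` will show up in any section read through `items()` rather than the private `_sections` dictionary the parser code uses.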
@@ -45,11 +49,15 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_subject_dn=
 pki_audit_signing_token=
 pki_backup_keys=False
+pki_backup_password=
 pki_client_database_dir=
+pki_client_database_password=
 pki_client_database_purge=True
 pki_client_dir=
+pki_client_pkcs12_password=
 pki_ds_base_dn=
 pki_ds_bind_dn=cn=Directory Manager
+pki_ds_password=
 pki_ds_database=
 pki_ds_hostname=
 pki_ds_ldap_port=389
@@ -63,6 +71,7 @@ pki_security_domain_hostname=
 pki_security_domain_https_port=8443
 pki_security_domain_name=
 pki_security_domain_user=
+pki_security_domain_password=
 pki_skip_configuration=False
 pki_skip_installation=False
 pki_ssl_server_key_algorithm=SHA256withRSA
@@ -78,6 +87,7 @@ pki_subsystem_nickname=
 pki_subsystem_subject_dn=
 pki_subsystem_token=
 pki_token_name=internal
+pki_token_password=
 pki_user=pkiuser
 ###############################################################################
 ## 'Apache' Data: ##
@@ -109,6 +119,7 @@ pki_https_port=443
 pki_ajp_port=8009
 pki_clone=False
 pki_clone_pkcs12_path=
+pki_clone_pkcs12_password=
 pki_clone_replicate_schema=True
 pki_clone_replication_master_port=
 pki_clone_replication_clone_port=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 1597712e1..ed94c5b89 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -116,7 +116,7 @@ def main(argv):
 # Read the specified PKI configuration file.
 rv = parser.read_pki_configuration_file()
 if rv != 0:
- config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv,
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
 extra=config.PKI_INDENTATION_LEVEL_0)
 sys.exit(1)
 else:
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index fbb6b8e26..a593c702a 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
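Review bot: The corrected `config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, ...)` in pkidestroy formats `rv` into the log, and on this path `read_pki_configuration_file` hands back the `ConfigParser.ParsingError` object itself (`rv = err` in pkiparser), whose message in Python 2's ConfigParser quotes the offending lines of pkideployment.cfg; a malformed `pki_*_password=` line would therefore be written to the log verbatim. The identical hunk in pkispawn has the same sink. Consider logging only `config.pkideployment_cfg` and the line number, or sanitising `str(err)` before it reaches `config.pki_log.error`. `main` continues outside the hunk.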
@@ -123,7 +123,7 @@ def main(argv): # Read the specified PKI configuration file. rv = parser.read_pki_configuration_file() if rv != 0: - config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv, + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) else: diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index bf89a0170..80543b856 100644 --- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy @@ -23,15 +23,9 @@ from com.netscape.certsrv.client import ClientConfig def main(argv): rv = 0 - # Establish 'master' and 'sensitive' as two separate PKI jython dictionaries - master = dict() - sensitive = dict() - # Import the master dictionary from 'pkispawn' master = pickle.loads(argv[1]) - - # Import the sensitive data dictionary from 'pkispawn' - sensitive = pickle.loads(argv[2]) + sensitive_parameters = master['sensitive_parameters'].split() # Optionally enable a java debugger (e. g. - 'eclipse'): if config.str2bool(master['pki_enable_java_debugger']): @@ -63,8 +57,12 @@ def main(argv): (log.PKI_JYTHON_INDENTATION_2, javasystem.getProperties()['java.class.path']) for key in master: + if key in sensitive_parameters: + value = 'XXXXXXXX' + else: + value = master[key] print "%s '%s' = '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, key, master[key]) + (log.PKI_JYTHON_INDENTATION_2, key, value) # Initialize token jyutil.security_databases.initialize_token( @@ -84,8 +82,7 @@ def main(argv): # Establish REST Client client = jyutil.rest_client.initialize( client_config, - master, - sensitive) + master) # Construct PKI Subsystem Configuration Data data = None diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index c6c43d047..0ea544663 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py 
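Review bot: The new masking in the `for key in master` dump of configuration.jy only matches keys listed in `sensitive_parameters`, but pkiparser copies the same secrets under other names — `PKI_CERT_DB_PASSWORD_SLOT` is set to `pki_pin` and `PKI_RANDOM_NUMBER_SLOT` to `pki_one_time_pin` — so those entries are still printed in clear whenever this dump runs. Masking by value closes that gap: build `sensitive_values = set(master[k] for k in sensitive_parameters if k in master)` once before the loop and test `if key in sensitive_parameters or master[key] in sensitive_values:`. The log-level guard that presumably wraps this print sits above the hunk, so I can't tell from here at which level the dump is emitted. `main` continues outside the hunk.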
@@ -22,7 +22,6 @@ # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master -from pkiconfig import pki_sensitive_dict as sensitive import pkihelper as util import pkimessages as log import pkiscriptlet @@ -51,7 +50,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # allowing 'certutil' to generate the security databases util.password.create_password_conf( master['pki_client_password_conf'], - sensitive['pki_client_database_password'], pin_sans_token=True) + master['pki_client_database_password'], pin_sans_token=True) util.file.modify(master['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index b55037b36..7e426b0f9 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -195,7 +195,7 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries -pki_sensitive_dict = None +pki_default_dict = None pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 904e08614..8be6c5c5d 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -42,7 +42,6 @@ import seobject # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master -from pkiconfig import pki_sensitive_dict as sensitive from pkiconfig import pki_slots_dict as slots from pkiconfig import pki_selinux_config_ports as ports import pkimanifest as manifest 
@@ -419,7 +418,7 @@ class configuration_file: # NOTE: This is the one and only parameter containing a sensitive # parameter that may be stored in a log file. config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1, - sensitive['pki_configuration_url'], + master['pki_configuration_url'], extra=config.PKI_INDENTATION_LEVEL_2) config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1, master['pki_registry_initscript_command'], @@ -428,7 +427,7 @@ class configuration_file: def display_configuration_url(self): # NOTE: This is the one and only parameter containing a sensitive # parameter that may be displayed to the screen. - print log.PKI_CONFIGURATION_URL_1 % sensitive['pki_configuration_url'] + print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url'] print print log.PKI_CONFIGURATION_RESTART_1 %\ master['pki_registry_initscript_command'] @@ -438,8 +437,8 @@ class configuration_file: # Silently verify the existence of 'sensitive' data if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: # Verify existence of Directory Server Password (ALWAYS) - if not sensitive.has_key('pki_ds_password') or\ - not len(sensitive['pki_ds_password']): + if not master.has_key('pki_ds_password') or\ + not len(master['pki_ds_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_password", @@ -448,8 +447,8 @@ class configuration_file: sys.exit(1) # Verify existence of Admin Password (except for Clones) if not config.str2bool(master['pki_clone']): - if not sensitive.has_key('pki_admin_password') or\ - not len(sensitive['pki_admin_password']): + if not master.has_key('pki_admin_password') or\ + not len(master['pki_admin_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_admin_password", 
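Review bot: Each of the eight rewritten existence checks in this and the following pkihelper hunks (through `pki_token_password`) keeps the two-line `not master.has_key(k) or not len(master[k])` form; `dict.has_key` is the pre-`in` idiom and the pair collapses to `if not master.get('pki_ds_password'):`, which handles both a missing key and an empty string. Since every check then emits an `*_2` message constant and `sys.exit(1)`, a small private helper taking the key name and the message constant would reduce the block to one call per parameter. The enclosing `configuration_file` class starts and ends outside these hunks.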
@@ -458,8 +457,8 @@ class configuration_file: sys.exit(1) # If required, verify existence of Backup Password if config.str2bool(master['pki_backup_keys']): - if not sensitive.has_key('pki_backup_password') or\ - not len(sensitive['pki_backup_password']): + if not master.has_key('pki_backup_password') or\ + not len(master['pki_backup_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_backup_password", @@ -467,8 +466,8 @@ class configuration_file: extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client Pin for NSS client security databases - if not sensitive.has_key('pki_client_database_password') or\ - not len(sensitive['pki_client_database_password']): + if not master.has_key('pki_client_database_password') or\ + not len(master['pki_client_database_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, "pki_client_database_password", @@ -476,8 +475,8 @@ class configuration_file: extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client PKCS #12 Password for Admin Cert - if not sensitive.has_key('pki_client_pkcs12_password') or\ - not len(sensitive['pki_client_pkcs12_password']): + if not master.has_key('pki_client_pkcs12_password') or\ + not len(master['pki_client_pkcs12_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_client_pkcs12_password", @@ -486,8 +485,8 @@ class configuration_file: sys.exit(1) # Verify existence of PKCS #12 Password (ONLY for Clones) if config.str2bool(master['pki_clone']): - if not sensitive.has_key('pki_clone_pkcs12_password') or\ - not len(sensitive['pki_clone_pkcs12_password']): + if not master.has_key('pki_clone_pkcs12_password') or\ + not len(master['pki_clone_pkcs12_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_pkcs12_password", 
@@ -499,8 +498,8 @@ class configuration_file: if config.str2bool(master['pki_clone']) or\ not master['pki_subsystem'] == "CA" or\ config.str2bool(master['pki_subordinate']): - if not sensitive.has_key('pki_security_domain_password') or\ - not len(sensitive['pki_security_domain_password']): + if not master.has_key('pki_security_domain_password') or\ + not len(master['pki_security_domain_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_security_domain_password", @@ -509,8 +508,8 @@ class configuration_file: sys.exit(1) # If required, verify existence of Token Password if not master['pki_token_name'] == "internal": - if not sensitive.has_key('pki_token_password') or\ - not len(sensitive['pki_token_password']): + if not master.has_key('pki_token_password') or\ + not len(master['pki_token_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_token_password", @@ -1954,14 +1953,14 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # overwrite the existing 'pkcs12_password.conf' file with open(path, "wt") as fd: - fd.write(sensitive['pki_client_pkcs12_password']) + fd.write(master['pki_client_pkcs12_password']) fd.closed else: config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, extra=config.PKI_INDENTATION_LEVEL_2) # create a new 'pkcs12_password.conf' file with open(path, "wt") as fd: - fd.write(sensitive['pki_client_pkcs12_password']) + fd.write(master['pki_client_pkcs12_password']) fd.closed except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, @@ -2527,7 +2526,6 @@ class jython: property = "" # Compose this "jython" command data = pickle.dumps(master) - sensitive_data = pickle.dumps(sensitive) ld_library_path = "LD_LIBRARY_PATH" if master['pki_architecture'] == 64: ld_library_path = ld_library_path + "=" +\ 
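Review bot: `fd.closed` after each `with open(path, "wt")` block in the `password` hunk is a bare attribute access with no effect — the context manager has already closed the file — and reads as if it were a call; drop both lines. The file receives `pki_client_pkcs12_password` and is created with whatever mode the process umask allows, and any later chmod is not visible in this hunk; `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "w")` fixes the mode at creation instead. The enclosing method starts and ends outside the hunk.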
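Review bot: With the sensitive values merged into `master`, `data = pickle.dumps(master)` now serialises every password and pin, and the `-2537` hunk of this file still embeds `data` in the jython command string between double quotes behind an `export ...;` prefix, which implies the string is run through a shell. Two consequences follow: the whole pickled dictionary is visible in the process list to any local user for as long as jython runs, and a user-chosen value containing a double quote, `$`, backtick or backslash breaks the quoting or is expanded by the shell. The old `sensitive_data` argument had the same exposure, so this is not newly introduced, but the merge is a good moment to hand the pickle to jython over stdin or a mode-0600 temporary file instead of argv. The `jython` method continues outside the hunk.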
@@ -2537,8 +2535,7 @@ class jython: ld_library_path = ld_library_path + "=" +\ "/usr/lib/jss:/usr/lib:/lib" command = "export" + " " + ld_library_path + ";" + "jython" + " " +\ - property + " " + scriptlet + " " + "\"" + data + "\"" +\ - " " + "\"" + sensitive_data + "\"" + property + " " + scriptlet + " " + "\"" + data + "\"" # Display this "jython" command config.pki_log.info( log.PKIHELPER_INVOKE_JYTHON_3, diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index e6098b01a..e106f0141 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -276,12 +276,10 @@ class security_databases: class rest_client: client = None master = None - sensitive = None - def initialize(self, client_config, master, sensitive): + def initialize(self, client_config, master): try: self.master = master - self.sensitive = sensitive log_level = master['pki_jython_log_level'] if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ @@ -299,7 +297,7 @@ class rest_client: data.setSecurityDomainUri(self.master['pki_security_domain_uri']) data.setSecurityDomainUser(self.master['pki_security_domain_user']) data.setSecurityDomainPassword( - self.sensitive['pki_security_domain_password']) + self.master['pki_security_domain_password']) def set_new_security_domain(self, data): data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN) @@ -309,7 +307,7 @@ class rest_client: data.setIsClone("true") data.setCloneUri(self.master['pki_clone_uri']) data.setP12File(self.master['pki_clone_pkcs12_path']) - data.setP12Password(self.sensitive['pki_clone_pkcs12_password']) + data.setP12Password(self.master['pki_clone_pkcs12_password']) data.setReplicateSchema(self.master['pki_clone_replicate_schema']) data.setReplicationSecurity( self.master['pki_clone_replication_security']) 
@@ -326,7 +324,7 @@ class rest_client: data.setBaseDN(self.master['pki_ds_base_dn']) data.setBindDN(self.master['pki_ds_bind_dn']) data.setDatabase(self.master['pki_ds_database']) - data.setBindpwd(self.sensitive['pki_ds_password']) + data.setBindpwd(self.master['pki_ds_password']) if config.str2bool(self.master['pki_ds_remove_data']): data.setRemoveData("true") else: @@ -340,14 +338,14 @@ class rest_client: if config.str2bool(self.master['pki_backup_keys']): data.setBackupKeys("true") data.setBackupFile(self.master['pki_backup_keys_p12']) - data.setBackupPassword(self.sensitive['pki_backup_password']) + data.setBackupPassword(self.master['pki_backup_password']) else: data.setBackupKeys("false") def set_admin_parameters(self, token, data): data.setAdminEmail(self.master['pki_admin_email']) data.setAdminName(self.master['pki_admin_name']) - data.setAdminPassword(self.sensitive['pki_admin_password']) + data.setAdminPassword(self.master['pki_admin_password']) data.setAdminProfileID(self.master['pki_admin_profile_id']) data.setAdminUID(self.master['pki_admin_uid']) data.setAdminSubjectDN(self.master['pki_admin_subject_dn']) @@ -422,7 +420,7 @@ class rest_client: data = ConfigurationRequest() # Miscellaneous Configuration Information - data.setPin(self.sensitive['pki_one_time_pin']) + data.setPin(master['pki_one_time_pin']) data.setToken(ConfigurationRequest.TOKEN_DEFAULT) data.setSubsystemName(master['pki_subsystem_name']) diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 59fa7d3a6..99647946c 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py 
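Review bot: The changed line `data.setPin(master['pki_one_time_pin'])` reads the bare name `master`, while every other rewritten line in this class (`setSecurityDomainPassword`, `setP12Password`, `setBindpwd`, `setBackupPassword`, `setAdminPassword`) reads `self.master`. The context line below it also uses `master`, so the method presumably has a `master` parameter or a module global, but mixing the two in one class lets them diverge silently; `data.setPin(self.master['pki_one_time_pin'])` keeps the class to one source. The method's signature is outside the hunk, so I can't confirm which `master` is bound here.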
@@ -189,7 +189,7 @@ PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ "context %s" PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\ - "jython %s %s '" + "jython %s %s '" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" PKIHELPER_IS_A_FILE_1 = "'%s' is a file" PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index e9d348840..e9c999bbf 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -215,7 +215,7 @@ class PKIConfigParser: # Make keys case-sensitive! self.pki_config.optionxform = str self.pki_config.read(config.pkideployment_cfg) - config.pki_sensitive_dict = dict(self.pki_config._sections['Sensitive']) + config.pki_default_dict = self.pki_config.defaults() config.pki_common_dict = dict(self.pki_config._sections['Common']) if config.pki_subsystem == "CA": config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) @@ -237,10 +237,12 @@ class PKIConfigParser: config.pki_subsystem_dict = dict(self.pki_config._sections['TPS']) # Insert empty record into dictionaries for "pretty print" statements # NEVER print "sensitive" key value pairs!!! + config.pki_default_dict[0] = None config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None except ConfigParser.ParsingError, err: + print err rv = err return rv 
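Review bot: The added `print err` in the `ParsingError` handler writes the exception straight to the console, and a `ParsingError` message quotes the offending lines of pkideployment.cfg — now including the `pki_*_password=` lines — so a malformed password line would be echoed on screen two lines under the comment `NEVER print "sensitive" key value pairs!!!`. The callers already log `rv` through `PKI_UNABLE_TO_PARSE_1`, so the print is duplicate output as well; drop it, or print only `config.pkideployment_cfg`. Separately, `self.pki_config.defaults()` in the `-215` hunk returns the parser's live defaults dictionary rather than a copy, so the new `config.pki_default_dict[0] = None` inserts key `0` into the parser itself; `config.pki_default_dict = dict(self.pki_config.defaults())` would match how the other three dictionaries are built. The enclosing method starts outside the hunk.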
@@ -270,18 +272,19 @@ class PKIConfigParser: # the configuration file pin_low = 100000000000 pin_high = 999999999999 - config.pki_sensitive_dict['pki_pin'] =\ + config.pki_master_dict['pki_pin'] =\ random.randint(pin_low, pin_high) - config.pki_sensitive_dict['pki_client_pin'] =\ + config.pki_master_dict['pki_client_pin'] =\ random.randint(pin_low, pin_high) # Generate a one-time pin to be used prior to configuration # and add this to the "sensitive" key value pairs read in from # the configuration file - config.pki_sensitive_dict['pki_one_time_pin'] =\ + config.pki_master_dict['pki_one_time_pin'] =\ ''.join(random.choice(string.ascii_letters + string.digits)\ for x in range(20)) # Configuration file name/value pairs # NEVER add "sensitive" key value pairs to the master dictionary!!! + config.pki_master_dict.update(config.pki_default_dict) config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) @@ -1134,7 +1137,7 @@ class PKIConfigParser: config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ config.pki_master_dict['pki_https_port'] config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ - config.pki_sensitive_dict['pki_pin'] + config.pki_master_dict['pki_pin'] config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ config.pki_master_dict['pki_target_cs_cfg'] config.pki_master_dict\ @@ -1206,7 +1209,7 @@ class PKIConfigParser: config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ config.pki_master_dict['pki_tomcat_tmpdir_path'] config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ - config.pki_sensitive_dict['pki_one_time_pin'] + config.pki_master_dict['pki_one_time_pin'] config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_https_port'] config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ 
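Review bot: `pki_pin`, `pki_client_pin` and `pki_one_time_pin` are drawn from the module-level `random.randint` and `random.choice`, which are not a cryptographic generator, yet the values become the NSS database password (`PKI_CERT_DB_PASSWORD_SLOT` in the `-1134` hunk) and the one-time configuration pin; take them from the OS source instead with `rng = random.SystemRandom()` once, then `rng.randint(pin_low, pin_high)` and `rng.choice(string.ascii_letters + string.digits)`. The comment `# NEVER add "sensitive" key value pairs to the master dictionary!!!` directly above the new `config.pki_master_dict.update(config.pki_default_dict)` now states the opposite of what that line does, as do the two "add this to the 'sensitive' key value pairs" comments above it; replace it with something like `# The [DEFAULT] section, including every key named in sensitive_parameters, is merged into the master dictionary; any code that prints master must consult sensitive_parameters`. The enclosing method starts and ends outside the hunk.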
@@ -1344,19 +1347,19 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and is NOT redefined below: # - # config.pki_sensitive_dict['pki_client_pkcs12_password'] + # config.pki_master_dict['pki_client_pkcs12_password'] # config.pki_master_dict['pki_client_database_purge'] # # The following variables are established via the specified PKI # deployment configuration file and potentially overridden below: # - # config.pki_sensitive_dict['pki_client_database_password'] + # config.pki_master_dict['pki_client_database_password'] # config.pki_master_dict['pki_client_dir'] # - if not len(config.pki_sensitive_dict['pki_client_database_password']): + if not len(config.pki_master_dict['pki_client_database_password']): # use randomly generated client 'pin' - config.pki_sensitive_dict['pki_client_database_password'] =\ - str(config.pki_sensitive_dict['pki_client_pin']) + config.pki_master_dict['pki_client_database_password'] =\ + str(config.pki_master_dict['pki_client_pin']) if not len(config.pki_master_dict['pki_client_dir']): config.pki_master_dict['pki_client_dir'] =\ os.path.join( @@ -1427,9 +1430,9 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and are NOT redefined below: # - # config.pki_sensitive_dict['pki_clone_pkcs12_password'] - # config.pki_sensitive_dict['pki_security_domain_password'] - # config.pki_sensitive_dict['pki_token_password'] + # config.pki_master_dict['pki_clone_pkcs12_password'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_token_password'] # config.pki_master_dict['pki_clone_pkcs12_path'] # config.pki_master_dict['pki_clone_uri'] # config.pki_master_dict['pki_security_domain_https_port'] 
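Review bot: `if not len(config.pki_master_dict['pki_client_database_password']):` in the `-1344` hunk tests emptiness through `len`; `if not config.pki_master_dict['pki_client_database_password']:` says the same and also tolerates `None`. The fallback on the next lines stores `str(config.pki_master_dict['pki_client_pin'])`, while `pki_pin` itself is left as the int that `random.randint` produced, so the two generated pins are kept with different types; converting both at generation time would keep every sensitive value a string. The enclosing method starts and ends outside the hunk.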
@@ -1545,7 +1548,7 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and are NOT redefined below: # - # config.pki_sensitive_dict['pki_ds_password'] + # config.pki_master_dict['pki_ds_password'] # config.pki_master_dict['pki_clone_replication_security'] # config.pki_master_dict['pki_ds_bind_dn'] # config.pki_master_dict['pki_ds_ldap_port'] @@ -1605,7 +1608,7 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and are NOT redefined below: # - # config.pki_sensitive_dict['pki_backup_password'] + # config.pki_master_dict['pki_backup_password'] # config.pki_master_dict['pki_backup_keys'] # if config.str2bool(config.pki_master_dict['pki_backup_keys']): @@ -1626,7 +1629,7 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and are NOT redefined below: # - # config.pki_sensitive_dict['pki_admin_password'] + # config.pki_master_dict['pki_admin_password'] # config.pki_master_dict['pki_admin_cert_request_type'] # config.pki_master_dict['pki_admin_dualkey'] # config.pki_master_dict['pki_admin_keysize'] @@ -2318,13 +2321,13 @@ class PKIConfigParser: # parameter that may be stored in a log file and displayed # to the screen. # - config.pki_sensitive_dict['pki_configuration_url'] =\ + config.pki_master_dict['pki_configuration_url'] =\ "https://{}:{}/{}/{}?pin={}".format( config.pki_master_dict['pki_hostname'], config.pki_master_dict['pki_https_port'], config.pki_master_dict['pki_subsystem'].lower(), "admin/console/config/login", - config.pki_sensitive_dict['pki_one_time_pin']) + config.pki_master_dict['pki_one_time_pin']) # Compose this "systemd" execution management command if config.pki_master_dict['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: 
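Review bot: `pki_configuration_url` is composed in the `-2318` hunk with `pin={}` holding `pki_one_time_pin` and stored in `config.pki_master_dict`, but it is not named in `sensitive_parameters`, so the key-based masking added in configuration.jy prints the URL — pin included — while masking `pki_one_time_pin` itself. The pkihelper comments deliberately allow the URL in the wizard log and on screen, and those two sinks read `master` directly, so listing the URL in `sensitive_parameters` (or appending it right here with `config.pki_master_dict['sensitive_parameters'] += ' pki_configuration_url'`) would affect only the generic dumps. A pin carried in a URL query string also lands in browser history and server access logs, which is pre-existing behaviour rather than something this commit introduces. The enclosing method starts and ends outside the hunk.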
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index be0eecf56..847d0a59f 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,7 +22,6 @@
 # PKI Deployment Imports
 import pkiconfig as config
 from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
 import pkihelper as util
 import pkimessages as log
 import pkiscriptlet
@@ -41,14 +40,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 util.password.create_password_conf(
 master['pki_shared_password_conf'],
- sensitive['pki_pin'])
+ master['pki_pin'])
 # Since 'certutil' does NOT strip the 'token=' portion of
 # the 'token=password' entries, create a temporary server 'pfile'
 # which ONLY contains the 'password' for the purposes of
 # allowing 'certutil' to generate the security databases
 util.password.create_password_conf(
 master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
+ master['pki_pin'], pin_sans_token=True)
 util.file.modify(master['pki_shared_password_conf'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
-- cgit
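Review bot: Both rewritten calls pass `master['pki_pin']`, which pkiparser stores as the int returned by `random.randint`, whereas the sibling call in configuration.py passes the string `pki_client_database_password`; whether `util.password.create_password_conf` accepts a non-string pin is not visible from this hunk, so either confirm it or pass `str(master['pki_pin'])` in both calls. The `pki_shared_pfile` written by the second call holds the bare pin, so its creation mode matters as much as that of `pki_shared_password_conf`, yet only the latter is followed by `util.file.modify` here; I can't see from this hunk whether the pfile is restricted or removed after certutil runs. The enclosing method starts outside the hunk.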