From 62033f12b40e6eb3270c352e966a7461f152dfd6 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 18 Dec 2012 16:05:55 -0500
Subject: Make admin cert p12 file location configurable
Ticket 437. Also moved a bunch of client path parameters to default.cfg template file.
---
 base/deploy/etc/default.cfg | 13 +++++--
 base/deploy/src/scriptlets/pkijython.py | 5 +++
 base/deploy/src/scriptlets/pkiparser.py | 61 ++------------------------------
 3 files changed, 18 insertions(+), 61 deletions(-)
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
index d619cdc94..d99faf2c4 100644
--- a/base/deploy/etc/default.cfg
+++ b/base/deploy/etc/default.cfg
@@ -66,6 +66,7 @@ destroy_scriplets=
 # pki_https_port=443
 # pki_http_port=80
+pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
 pki_admin_cert_request_type=crmf
 pki_admin_dualkey=False
 pki_admin_keysize=2048
@@ -78,10 +79,10 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_token=Internal Key Storage Token
 pki_backup_keys=False
 pki_backup_password=
-pki_client_database_dir=
+pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
 pki_client_database_password=
 pki_client_database_purge=True
-pki_client_dir=
+pki_client_dir=%(home_dir)s/.pki/%(pki_instance_name)s
 pki_client_pkcs12_password=
 pki_ds_bind_dn=cn=Directory Manager
 pki_ds_ldap_port=389
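Review bot: Dropping `pki_client_database_dir=` from this user-overridable block (the `-pki_client_database_dir=` line) and re-adding it under the "not supposed to be overwritten" heading in the `@@ -117,6 +118,14 @@` hunk removes a knob that the old pkiparser code honoured through `if not len(config.pki_master_dict['pki_client_database_dir'])`, and the commit message does not mention that. Either keep the key here with its new interpolated default, or state in the commit message that `pki_client_database_dir` is no longer meant to be set by deployment files. The new values also substitute `%(pki_subsystem_type)s` where the removed Python used `config.pki_master_dict['pki_subsystem'].lower()`; that is equivalent only if `pki_subsystem_type` is already the lower-cased subsystem name, as its existing use in `pki_source_conf_path` suggests, which is worth confirming.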
@@ -117,6 +118,14 @@ pki_user=pkiuser
 # These are used in the processing of pkispawn and are not supposed
 # to be overwritten by user configuration files.
 #
+pki_client_database_dir=%(pki_client_subsystem_dir)s/alias
+pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s
+pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
+pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
+pki_client_cert_database=%(pki_client_database_dir)s/cert8.db
+pki_client_key_database=%(pki_client_database_dir)s/key3.db
+pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db
+pki_client_admin_cert=%(pki_subsystem_type)s_admin.cert
 pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf
 pki_source_setup_path=/usr/share/pki/setup
 pki_source_server_path=/usr/share/pki/server/conf
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e6a4a915e..fac352fdb 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -613,6 +613,11 @@ class rest_client:
 log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
 " " + "'" + command + "'")
 os.system(command)
+
+ # create directory for p12 file if it does not exist
+ self.mkdirs(os.path.dirname(
+ master['pki_client_admin_cert_p12']))
+
 # Export the Administration Certificate from the
 # client NSS security database into a PKCS #12 file
 command = "pk12util" + " " +\
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 2a4111f91..ba4f376da 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -213,6 +213,7 @@ class PKIConfigParser:
 'pki_root_prefix' : config.pki_root_prefix,
 'resteasy_lib': resteasy_lib,
 'arch_java_lib': arch_java_lib,
+ 'home_dir': os.path.expanduser("~"),
 'pki_hostname': config.pki_hostname}
 self.pki_config = ConfigParser.SafeConfigParser(predefined_dict)
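Review bot: `os.path.dirname(master['pki_client_admin_cert_p12'])` returns `''` when the configured value is a bare file name, and `pki_client_admin_cert_p12` is now a user-overridable parameter (the `@@ -78,10 +79,10 @@` hunk of default.cfg), so the new `self.mkdirs(...)` call should be guarded: `p12_dir = os.path.dirname(master['pki_client_admin_cert_p12'])` / `if p12_dir:` / `self.mkdirs(p12_dir)`. The file that the pk12util command below writes into that directory holds the admin private key, so if `self.mkdirs` (defined outside this hunk) creates directories with a default mode, an owner-only mode would be the safer choice; I cannot see its implementation from here. The enclosing method of `rest_client` starts and ends outside the hunk.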
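Review bot: The new `'home_dir': os.path.expanduser("~")` entry carries no comment saying what consumes it; since it exists only to back the `%(home_dir)s` interpolation that the `pki_client_dir` default in default.cfg now uses, a one-line comment such as `# 'home_dir' backs %(home_dir)s in default.cfg (pki_client_dir default)` would keep a later cleanup from dropping it as unused. `os.path.expanduser` follows `$HOME`, so the client directory follows the environment of whichever account runs pkispawn, exactly as the removed code in the `@@ -698,69 +699,11 @@` hunk did. The dict literal and the enclosing method start outside the hunk.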
@@ -698,69 +699,11 @@ class PKIConfigParser:
 os.path.join(
 config.pki_master_dict['pki_subsystem_configuration_path'],
 "password.conf")
- # Client NSS security database name/value pairs
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and is NOT redefined below:
- #
- # config.pki_master_dict['pki_client_pkcs12_password']
- # config.pki_master_dict['pki_client_database_purge']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_client_dir']
- # config.pki_master_dict['pki_client_subsystem_dir']
- #
+
 if not len(config.pki_master_dict['pki_client_database_password']):
 # use randomly generated client 'pin'
 config.pki_master_dict['pki_client_database_password'] =\
 str(config.pki_master_dict['pki_client_pin'])
- if not len(config.pki_master_dict['pki_client_dir']):
- config.pki_master_dict['pki_client_dir'] =\
- os.path.join(
- os.path.expanduser("~"), ".pki",
- config.pki_master_dict['pki_instance_name'])
- config.pki_master_dict['pki_client_subsystem_dir'] =\
- os.path.join(
- config.pki_master_dict['pki_client_dir'],
- config.pki_master_dict['pki_subsystem'].lower())
- if not len(config.pki_master_dict['pki_client_database_dir']):
- config.pki_master_dict['pki_client_database_dir'] =\
- os.path.join(
- config.pki_master_dict['pki_client_subsystem_dir'],
- "alias")
- config.pki_master_dict['pki_client_password_conf'] =\
- os.path.join(
- config.pki_master_dict['pki_client_subsystem_dir'],
- "password.conf")
- config.pki_master_dict['pki_client_pkcs12_password_conf'] =\
- os.path.join(
- config.pki_master_dict['pki_client_subsystem_dir'],
- "pkcs12_password.conf")
- config.pki_master_dict['pki_client_cert_database'] =\
- os.path.join(config.pki_master_dict['pki_client_database_dir'],
- "cert8.db")
- config.pki_master_dict['pki_client_key_database'] =\
- os.path.join(config.pki_master_dict['pki_client_database_dir'],
- "key3.db")
- config.pki_master_dict['pki_client_secmod_database'] =\
- os.path.join(config.pki_master_dict['pki_client_database_dir'],
- "secmod.db")
- config.pki_master_dict['pki_client_admin_cert'] =\
- config.pki_master_dict['pki_subsystem'].lower() + "_" +\
- "admin" + "." + "cert"
-
- config.pki_master_dict['pki_client_admin_cert_p12'] =\
- config.pki_master_dict['pki_client_dir'] + "/" +\
- config.pki_master_dict['pki_subsystem'].lower() + "_" +\
- "admin" + "_" + "cert" + "." + "p12"
-
- if not 'pki_admin_cert_file' in config.pki_master_dict or\
- not len(config.pki_master_dict['pki_admin_cert_file']):
- config.pki_master_dict['pki_admin_cert_file'] =\
- config.pki_master_dict['pki_client_dir'] +\
- "/ca_admin.cert"
 # Jython scriptlet name/value pairs
 config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
-- cgit
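Review bot: The removed `if not len(...)` fallbacks for `pki_client_dir`, `pki_client_database_dir` and `pki_admin_cert_file` get no replacement, so a deployment file that still carries the formerly shipped empty `pki_client_dir=` (the line the `@@ -78,10 +79,10 @@` hunk deletes from default.cfg) now interpolates to an empty client directory, and the derived paths become `/ca_admin.cert` and `/<subsystem>_admin_cert.p12` at the filesystem root instead of the old `~/.pki/<instance>` default. The surviving `pki_client_database_password` check shows the pattern; the cheapest fix is to reject empty values next to it: `for key in ('pki_client_dir', 'pki_client_database_dir', 'pki_admin_cert_file'):` / `if not len(config.pki_master_dict[key]):` / `raise ValueError(key + " must not be empty")` (or whatever error path this parser already uses). The deleted comment block that listed which client values come from the deployment file could be replaced by a one-line pointer to the `pki_client_*` defaults in default.cfg, since this method no longer shows where those values originate. The enclosing method starts and ends outside the hunk.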