From 62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata Date: Fri, 5 Apr 2013 15:20:01 -0400 Subject: Renamed base/deploy to base/server. The base/deploy folder has been renamed to base/server to match the package name. The pki.conf has been moved into pki-base package. Ticket #553, #564 --- base/CMakeLists.txt | 2 +- base/deploy/CMakeLists.txt | 144 - base/deploy/LICENSE | 291 -- base/deploy/config/pkislots.cfg | 92 - base/deploy/config/sample.cfg | 6 - base/deploy/config/sampleCAclone.cfg | 15 - .../deploy/config/sampleExternalSignedCA-step1.cfg | 10 - .../deploy/config/sampleExternalSignedCA-step2.cfg | 12 - base/deploy/config/sampleKRA.cfg | 12 - base/deploy/config/sampleKRAclone.cfg | 16 - base/deploy/config/sampleSubordinateCA.cfg | 13 - base/deploy/etc/default.cfg | 531 --- base/deploy/etc/pki.conf | 4 - base/deploy/man/man5/pki_default.cfg.5 | 275 -- base/deploy/man/man8/pkidestroy.8 | 67 - base/deploy/man/man8/pkispawn.8 | 374 --- base/deploy/scripts/operations | 1703 ---------- base/deploy/scripts/pkidaemon | 78 - base/deploy/src/engine/pkiconfig.py | 185 -- base/deploy/src/engine/pkihelper.py | 3397 -------------------- base/deploy/src/engine/pkilogging.py | 76 - base/deploy/src/engine/pkimanifest.py | 101 - base/deploy/src/engine/pkimessages.py | 361 --- base/deploy/src/engine/pkiparser.py | 1069 ------ base/deploy/src/engine/pkiscriptlet.py | 46 - base/deploy/src/pkidestroy | 264 -- base/deploy/src/pkispawn | 413 --- base/deploy/src/scriptlets/configuration.py | 150 - base/deploy/src/scriptlets/finalization.py | 114 - .../deploy/src/scriptlets/infrastructure_layout.py | 116 - base/deploy/src/scriptlets/initialization.py | 126 - base/deploy/src/scriptlets/instance_layout.py | 190 -- base/deploy/src/scriptlets/security_databases.py | 119 - base/deploy/src/scriptlets/selinux_setup.py | 175 - base/deploy/src/scriptlets/slot_substitution.py | 103 - base/deploy/src/scriptlets/subsystem_layout.py | 126 - base/deploy/src/scriptlets/webapp_deployment.py | 170 - base/server/CMakeLists.txt | 
144 + base/server/LICENSE | 291 ++ base/server/config/pkislots.cfg | 92 + base/server/config/sample.cfg | 6 + base/server/config/sampleCAclone.cfg | 15 + .../server/config/sampleExternalSignedCA-step1.cfg | 10 + .../server/config/sampleExternalSignedCA-step2.cfg | 12 + base/server/config/sampleKRA.cfg | 12 + base/server/config/sampleKRAclone.cfg | 16 + base/server/config/sampleSubordinateCA.cfg | 13 + base/server/etc/default.cfg | 531 +++ base/server/etc/pki.conf | 4 + base/server/man/man5/pki_default.cfg.5 | 275 ++ base/server/man/man8/pkidestroy.8 | 67 + base/server/man/man8/pkispawn.8 | 374 +++ base/server/scripts/operations | 1703 ++++++++++ base/server/scripts/pkidaemon | 78 + base/server/src/engine/pkiconfig.py | 185 ++ base/server/src/engine/pkihelper.py | 3397 ++++++++++++++++++++ base/server/src/engine/pkilogging.py | 76 + base/server/src/engine/pkimanifest.py | 101 + base/server/src/engine/pkimessages.py | 361 +++ base/server/src/engine/pkiparser.py | 1069 ++++++ base/server/src/engine/pkiscriptlet.py | 46 + base/server/src/pkidestroy | 264 ++ base/server/src/pkispawn | 413 +++ base/server/src/scriptlets/configuration.py | 150 + base/server/src/scriptlets/finalization.py | 114 + .../server/src/scriptlets/infrastructure_layout.py | 116 + base/server/src/scriptlets/initialization.py | 126 + base/server/src/scriptlets/instance_layout.py | 190 ++ base/server/src/scriptlets/security_databases.py | 119 + base/server/src/scriptlets/selinux_setup.py | 175 + base/server/src/scriptlets/slot_substitution.py | 103 + base/server/src/scriptlets/subsystem_layout.py | 126 + base/server/src/scriptlets/webapp_deployment.py | 170 + scripts/compose_pki_core_packages | 2 +- specs/pki-core.spec | 14 +- 75 files changed, 10955 insertions(+), 10951 deletions(-) delete mode 100644 base/deploy/CMakeLists.txt delete mode 100644 base/deploy/LICENSE delete mode 100644 base/deploy/config/pkislots.cfg delete mode 100644 base/deploy/config/sample.cfg delete mode 100644 
base/deploy/config/sampleCAclone.cfg delete mode 100644 base/deploy/config/sampleExternalSignedCA-step1.cfg delete mode 100644 base/deploy/config/sampleExternalSignedCA-step2.cfg delete mode 100644 base/deploy/config/sampleKRA.cfg delete mode 100644 base/deploy/config/sampleKRAclone.cfg delete mode 100644 base/deploy/config/sampleSubordinateCA.cfg delete mode 100644 base/deploy/etc/default.cfg delete mode 100644 base/deploy/etc/pki.conf delete mode 100644 base/deploy/man/man5/pki_default.cfg.5 delete mode 100644 base/deploy/man/man8/pkidestroy.8 delete mode 100644 base/deploy/man/man8/pkispawn.8 delete mode 100644 base/deploy/scripts/operations delete mode 100755 base/deploy/scripts/pkidaemon delete mode 100644 base/deploy/src/engine/pkiconfig.py delete mode 100644 base/deploy/src/engine/pkihelper.py delete mode 100644 base/deploy/src/engine/pkilogging.py delete mode 100644 base/deploy/src/engine/pkimanifest.py delete mode 100644 base/deploy/src/engine/pkimessages.py delete mode 100644 base/deploy/src/engine/pkiparser.py delete mode 100644 base/deploy/src/engine/pkiscriptlet.py delete mode 100755 base/deploy/src/pkidestroy delete mode 100755 base/deploy/src/pkispawn delete mode 100644 base/deploy/src/scriptlets/configuration.py delete mode 100644 base/deploy/src/scriptlets/finalization.py delete mode 100644 base/deploy/src/scriptlets/infrastructure_layout.py delete mode 100644 base/deploy/src/scriptlets/initialization.py delete mode 100644 base/deploy/src/scriptlets/instance_layout.py delete mode 100644 base/deploy/src/scriptlets/security_databases.py delete mode 100644 base/deploy/src/scriptlets/selinux_setup.py delete mode 100644 base/deploy/src/scriptlets/slot_substitution.py delete mode 100644 base/deploy/src/scriptlets/subsystem_layout.py delete mode 100644 base/deploy/src/scriptlets/webapp_deployment.py create mode 100644 base/server/CMakeLists.txt create mode 100644 base/server/LICENSE create mode 100644 base/server/config/pkislots.cfg create mode 100644 
base/server/config/sample.cfg create mode 100644 base/server/config/sampleCAclone.cfg create mode 100644 base/server/config/sampleExternalSignedCA-step1.cfg create mode 100644 base/server/config/sampleExternalSignedCA-step2.cfg create mode 100644 base/server/config/sampleKRA.cfg create mode 100644 base/server/config/sampleKRAclone.cfg create mode 100644 base/server/config/sampleSubordinateCA.cfg create mode 100644 base/server/etc/default.cfg create mode 100644 base/server/etc/pki.conf create mode 100644 base/server/man/man5/pki_default.cfg.5 create mode 100644 base/server/man/man8/pkidestroy.8 create mode 100644 base/server/man/man8/pkispawn.8 create mode 100644 base/server/scripts/operations create mode 100755 base/server/scripts/pkidaemon create mode 100644 base/server/src/engine/pkiconfig.py create mode 100644 base/server/src/engine/pkihelper.py create mode 100644 base/server/src/engine/pkilogging.py create mode 100644 base/server/src/engine/pkimanifest.py create mode 100644 base/server/src/engine/pkimessages.py create mode 100644 base/server/src/engine/pkiparser.py create mode 100644 base/server/src/engine/pkiscriptlet.py create mode 100755 base/server/src/pkidestroy create mode 100755 base/server/src/pkispawn create mode 100644 base/server/src/scriptlets/configuration.py create mode 100644 base/server/src/scriptlets/finalization.py create mode 100644 base/server/src/scriptlets/infrastructure_layout.py create mode 100644 base/server/src/scriptlets/initialization.py create mode 100644 base/server/src/scriptlets/instance_layout.py create mode 100644 base/server/src/scriptlets/security_databases.py create mode 100644 base/server/src/scriptlets/selinux_setup.py create mode 100644 base/server/src/scriptlets/slot_substitution.py create mode 100644 base/server/src/scriptlets/subsystem_layout.py create mode 100644 base/server/src/scriptlets/webapp_deployment.py diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt index f646cfb60..0a8e51647 100644 
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -9,7 +9,7 @@ if (APPLICATION_FLAVOR_PKI_CORE)
 add_subdirectory(common)
 add_subdirectory(native-tools)
 add_subdirectory(java-tools)
- add_subdirectory(deploy)
+ add_subdirectory(server)
 if(BUILD_PKI_SELINUX)
 add_subdirectory(selinux)
 endif(BUILD_PKI_SELINUX)
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
deleted file mode 100644
index 9c2b7f942..000000000
--- a/base/deploy/CMakeLists.txt
+++ /dev/null
@@ -1,144 +0,0 @@ -project(deploy) - -set(PKI_SUBSYSTEMS - ca - kra - ocsp - ra - tks - tps -) - -set(TOMCAT_SUBSYSTEMS - ca - kra - ocsp - tks -) - -set(APACHE_SUBSYSTEMS - ra - tps -) - -install( - FILES - man/man5/pki_default.cfg.5 - DESTINATION - ${MAN_INSTALL_DIR}/man5 - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) - -install( - FILES - man/man8/pkispawn.8 - man/man8/pkidestroy.8 - DESTINATION - ${MAN_INSTALL_DIR}/man8 - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) - -install( - FILES - src/pkispawn - src/pkidestroy - DESTINATION - ${SBIN_INSTALL_DIR} - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) - -install( - FILES - scripts/pkidaemon - DESTINATION - ${BIN_INSTALL_DIR} - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) - -install( - FILES - scripts/operations - DESTINATION - ${DATA_INSTALL_DIR}/scripts/ - PERMISSIONS - OWNER_EXECUTE OWNER_WRITE OWNER_READ - GROUP_EXECUTE GROUP_READ - WORLD_EXECUTE WORLD_READ -) - -install( - DIRECTORY - config - DESTINATION - ${DATA_INSTALL_DIR}/deployment -) - -install( - DIRECTORY - etc/ - DESTINATION - ${SYSCONF_INSTALL_DIR}/pki - PATTERN "pki.conf" EXCLUDE -) - -configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/etc/pki.conf - ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf -) - -install( - FILES - ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf - DESTINATION - ${SYSCONF_INSTALL_DIR}/pki/ -) - -install( - FILES - src/engine/pkiconfig.py - src/engine/pkihelper.py - src/engine/pkilogging.py - src/engine/pkimanifest.py - src/engine/pkimessages.py - src/engine/pkiparser.py - src/engine/pkiscriptlet.py - src/scriptlets/configuration.py - src/scriptlets/finalization.py - src/scriptlets/infrastructure_layout.py - src/scriptlets/initialization.py - src/scriptlets/instance_layout.py - 
src/scriptlets/security_databases.py - src/scriptlets/selinux_setup.py - src/scriptlets/slot_substitution.py - src/scriptlets/subsystem_layout.py - src/scriptlets/webapp_deployment.py - DESTINATION - ${PYTHON_SITE_PACKAGES}/pki/deployment - PERMISSIONS - OWNER_WRITE OWNER_READ - GROUP_READ - WORLD_READ -) -install( - CODE - "execute_process( - COMMAND - ${CMAKE_COMMAND} -E touch - \"\$ENV{DESTDIR}${PYTHON_SITE_PACKAGES}/pki/deployment/__init__.py\")" -) - -# install empty directories -install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)") -install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)") diff --git a/base/deploy/LICENSE b/base/deploy/LICENSE deleted file mode 100644 index e281f4362..000000000 --- a/base/deploy/LICENSE +++ /dev/null 
@@ -1,291 +0,0 @@ -This Program is free software; you can redistribute it and/or modify -it under the terms of the GNU General Public License as published -by the Free Software Foundation; version 2 of the License. - -This Program is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -for more details. - -You should have received a copy of the GNU General Public License -along with this Program; if not, write to the Free Software -Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. 
- - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. 
The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. 
- - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. 
- -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. 
However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. 
-You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg deleted file mode 100644 index 1cb463bfe..000000000 --- a/base/deploy/config/pkislots.cfg +++ /dev/null 
@@ -1,92 +0,0 @@
-[Apache]
-FORTITUDE_APACHE_SLOT=[FORTITUDE_APACHE]
-FORTITUDE_AUTH_MODULES_SLOT=[FORTITUDE_AUTH_MODULES]
-FORTITUDE_DIR_SLOT=[FORTITUDE_DIR]
-FORTITUDE_LIB_DIR_SLOT=[FORTITUDE_LIB_DIR]
-FORTITUDE_MODULE_SLOT=[FORTITUDE_MODULE]
-FORTITUDE_NSS_MODULES_SLOT=[FORTITUDE_NSS_MODULES]
-HTTPD_CONF_SLOT=[HTTPD_CONF]
-LIB_PREFIX_SLOT=[LIB_PREFIX]
-NON_CLIENTAUTH_SECURE_PORT_SLOT=[NON_CLIENTAUTH_SECURE_PORT]
-NSS_CONF_SLOT=[NSS_CONF]
-OBJ_EXT_SLOT=[OBJ_EXT]
-PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
-PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
-PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
-PKI_PIDDIR_SLOT=[PKI_PIDDIR]
-PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
-PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
-PORT_SLOT=[PORT]
-PROCESS_ID_SLOT=[PROCESS_ID]
-REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
-SECURE_PORT_SLOT=[SECURE_PORT]
-SECURITY_LIBRARIES_SLOT=[SECURITY_LIBRARIES]
-SERVER_NAME_SLOT=[SERVER_NAME]
-SERVER_ROOT_SLOT=[SERVER_ROOT]
-SYSTEM_LIBRARIES_SLOT=[SYSTEM_LIBRARIES]
-SYSTEM_USER_LIBRARIES_SLOT=[SYSTEM_USER_LIBRARIES]
-TMP_DIR_SLOT=[TMP_DIR]
-TPS_DIR_SLOT=[TPS_DIR]
-[Tomcat]
-INSTALL_TIME_SLOT=[INSTALL_TIME]
-PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
-PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
-PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-PKI_AGENT_CLIENTAUTH_SLOT=[PKI_AGENT_CLIENTAUTH]
-PKI_AGENT_SECURE_PORT_SLOT=[PKI_AGENT_SECURE_PORT]
-PKI_AJP_PORT_SLOT=[PKI_AJP_PORT]
-PKI_AJP_REDIRECT_PORT_SLOT=[PKI_AJP_REDIRECT_PORT]
-PKI_CERT_DB_PASSWORD_SLOT=[PKI_CERT_DB_PASSWORD]
-PKI_CFG_PATH_NAME_SLOT=[PKI_CFG_PATH_NAME]
-PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT]
-PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
-PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]
-PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
-PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
-PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
-PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
-PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
-PKI_GROUP_SLOT=[PKI_GROUP]
-PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
-PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
-PKI_INSTANCE_PATH_SLOT=[PKI_INSTANCE_PATH]
-PKI_INSTANCE_ROOT_SLOT=[PKI_INSTANCE_ROOT]
-PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
-PKI_MACHINE_NAME_SLOT=[PKI_MACHINE_NAME]
-PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT]
-PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT]
-PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT]
-PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
-PKI_PIDDIR_SLOT=[PKI_PIDDIR]
-PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT]
-PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT]
-PKI_RANDOM_NUMBER_SLOT=[PKI_RANDOM_NUMBER]
-PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
-PKI_RESTEASY_LIB_SLOT=[PKI_RESTEASY_LIB]
-PKI_SECURE_PORT_SLOT=[PKI_SECURE_PORT]
-PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
-PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
-PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
-PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
-PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
-PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
-PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
-PKI_TMPDIR_SLOT=[PKI_TMPDIR]
-PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
-PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
-PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
-PKI_USER_SLOT=[PKI_USER]
-PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
-PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
-TOMCAT_CFG_SLOT=[TOMCAT_CFG]
-TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
-TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR]
-TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE]
-TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT]
-TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
-TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
-TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
-TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
diff --git a/base/deploy/config/sample.cfg b/base/deploy/config/sample.cfg
deleted file mode 100644
index d2334c754..000000000
--- a/base/deploy/config/sample.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-##Required for all subsystems that are not root CAs
-#pki_security_domain_password=
diff --git a/base/deploy/config/sampleCAclone.cfg b/base/deploy/config/sampleCAclone.cfg
deleted file mode 100644
index 0aef7b25a..000000000
--- a/base/deploy/config/sampleCAclone.cfg
+++ /dev/null
@@ -1,15 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_security_domain_hostname=
-pki_security_domain_https_port=
-pki_security_domain_user=
-
-[CA]
-pki_clone=True
-pki_clone_pkcs12_password=
-pki_clone_pkcs12_path=
-pki_clone_replicate_schema=
-pki_clone_uri=
\ No newline at end of file
diff --git a/base/deploy/config/sampleExternalSignedCA-step1.cfg b/base/deploy/config/sampleExternalSignedCA-step1.cfg
deleted file mode 100644
index 35b3d2460..000000000
--- a/base/deploy/config/sampleExternalSignedCA-step1.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-
-[CA]
-pki_external=True
-pki_external_csr_path=
-pki_ca_signing_subject_dn=
\ No newline at end of file
diff --git a/base/deploy/config/sampleExternalSignedCA-step2.cfg b/base/deploy/config/sampleExternalSignedCA-step2.cfg
deleted file mode 100644
index c106d63c0..000000000
--- a/base/deploy/config/sampleExternalSignedCA-step2.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-
-[CA]
-pki_external=True
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_path=
-pki_external_step_two=True
-pki_ca_signing_subject_dn=
\ No newline at end of file
diff --git a/base/deploy/config/sampleKRA.cfg b/base/deploy/config/sampleKRA.cfg
deleted file mode 100644
index 8cdfb9fa0..000000000
--- a/base/deploy/config/sampleKRA.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_security_domain_hostname=
-pki_security_domain_https_port=
-pki_security_domain_user=
-pki_issuing_ca_uri=
-
-[KRA]
-pki_import_admin_cert=
\ No newline at end of file
diff --git a/base/deploy/config/sampleKRAclone.cfg b/base/deploy/config/sampleKRAclone.cfg
deleted file mode 100644
index 96025cf07..000000000
--- a/base/deploy/config/sampleKRAclone.cfg
+++ /dev/null
@@ -1,16 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_security_domain_hostname=
-pki_security_domain_https_port=
-pki_security_domain_user=
-
-[KRA]
-pki_clone=True
-pki_clone_pkcs12_password=
-pki_clone_pkcs12_path=
-pki_clone_replicate_schema=
-pki_clone_uri=
-pki_issuing_ca=
\ No newline at end of file
diff --git a/base/deploy/config/sampleSubordinateCA.cfg b/base/deploy/config/sampleSubordinateCA.cfg
deleted file mode 100644
index 8b616163a..000000000
--- a/base/deploy/config/sampleSubordinateCA.cfg
+++ /dev/null
@@ -1,13 +0,0 @@
-[DEFAULT]
-pki_admin_password=
-pki_client_pkcs12_password=
-pki_ds_password=
-pki_security_domain_password=
-pki_security_domain_hostname=
-pki_security_domain_https_port=
-pki_security_domain_user=
-
-[CA]
-pki_subordinate=True
-pki_issuing_ca=
-pki_ca_signing_subject_dn=
\ No newline at end of file
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
deleted file mode 100644
index e848363ab..000000000
--- a/base/deploy/etc/default.cfg
+++ /dev/null
@@ -1,531 +0,0 @@
-###############################################################################
-## Default Configuration: ##
-## ##
-## Values in this section are common to more than one PKI subsystem, and ##
-## contain required information which MAY be overridden by users as ##
-## necessary. ##
-## ##
-## There are also some meta-parameters that determine how the PKI ##
-## configuratiion should work. ##
-## ##
-###############################################################################
-[DEFAULT]
-
-# The sensitive_parameters contains a list of parameters which may contain
-# sensitive information which must not be displayed to the console nor stored
-# in log files for security reasons.
-sensitive_parameters=
- pki_admin_password
- pki_backup_password
- pki_client_database_password
- pki_client_pin
- pki_client_pkcs12_password
- pki_clone_pkcs12_password
- pki_ds_password
- pki_one_time_pin
- pki_pin
- pki_security_domain_password
- pki_token_password
-
-# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
-spawn_scriplets=
- initialization
- infrastructure_layout
- instance_layout
- subsystem_layout
- selinux_setup
- webapp_deployment
- slot_substitution
- security_databases
- configuration
- finalization
-
-# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
-destroy_scriplets=
- initialization
- configuration
- webapp_deployment
- subsystem_layout
- security_databases
- instance_layout
- selinux_setup
- infrastructure_layout
- finalization
-
-# By default, the following parameters will be set for Tomcat and Apache instances.
-# There is no reason to uncomment these. They are provided for reference in
-# case someone wants to override them in their config file.
-#
-# Tomcat instances:
-# pki_instance_name=pki-tomcat
-# pki_https_port=8443
-# pki_http_port=8080
-#
-# Apache instances:
-# pki_instance_name=pki-apache
-# pki_https_port=443
-# pki_http_port=80
-
-pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
-pki_admin_cert_request_type=pkcs10
-pki_admin_dualkey=False
-pki_admin_keysize=2048
-pki_admin_password=
-pki_audit_group=pkiaudit
-pki_audit_signing_key_algorithm=SHA256withRSA
-pki_audit_signing_key_size=2048
-pki_audit_signing_key_type=rsa
-pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_token=Internal Key Storage Token
-pki_backup_keys=False
-pki_backup_password=
-pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
-pki_client_database_password=
-pki_client_database_purge=True
-pki_client_dir=%(home_dir)s/.pki/%(pki_instance_name)s
-pki_client_pkcs12_password=
-pki_ds_bind_dn=cn=Directory Manager
-pki_ds_ldap_port=389
-pki_ds_ldaps_port=636
-pki_ds_password=
-pki_ds_remove_data=True
-pki_ds_secure_connection=False
-pki_group=pkiuser
-pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
-pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
-pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
-pki_issuing_ca=%(pki_issuing_ca_uri)s
-pki_restart_configured_instance=True
-pki_security_domain_hostname=%(pki_hostname)s
-pki_security_domain_https_port=8443
-pki_security_domain_name=%(pki_dns_domainname)s Security Domain
-pki_security_domain_password=
-pki_security_domain_user=caadmin
-pki_skip_configuration=False
-pki_skip_installation=False
-pki_ssl_server_key_algorithm=SHA256withRSA
-pki_ssl_server_key_size=2048
-pki_ssl_server_key_type=rsa
-pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
-pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
-pki_ssl_server_token=Internal Key Storage Token
-pki_subsystem_key_algorithm=SHA256withRSA
-pki_subsystem_key_size=2048
-pki_subsystem_key_type=rsa
-pki_subsystem_token=Internal Key Storage Token
-pki_theme_enable=True
-pki_theme_server_dir=/usr/share/pki/common-ui
-pki_token_name=internal
-pki_token_password=
-pki_user=pkiuser
-
-# Paths:
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_client_database_dir=%(pki_client_subsystem_dir)s/alias
-pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s
-pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
-pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
-pki_client_cert_database=%(pki_client_database_dir)s/cert8.db
-pki_client_key_database=%(pki_client_database_dir)s/key3.db
-pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db
-pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert
-pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf
-pki_source_setup_path=/usr/share/pki/setup
-pki_source_server_path=/usr/share/pki/server/conf
-pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg
-pki_source_registry=/usr/share/pki/setup/pkidaemon_registry
-pki_path=%(pki_root_prefix)s/var/lib/pki
-pki_log_path=%(pki_root_prefix)s/var/log/pki
-pki_configuration_path=%(pki_root_prefix)s/etc/pki
-pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki
-pki_instance_path=%(pki_path)s/%(pki_instance_name)s
-pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s
-pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
-pki_database_path=%(pki_instance_configuration_path)s/alias
-pki_instance_database_link=%(pki_instance_path)s/alias
-pki_instance_conf_link=%(pki_instance_path)s/conf
-pki_instance_logs_link=%(pki_instance_path)s/logs
-pki_subsystem_path=%(pki_instance_path)s/%(pki_subsystem_type)s
-pki_subsystem_log_path=%(pki_instance_log_path)s/%(pki_subsystem_type)s
-pki_subsystem_archive_log_path=%(pki_subsystem_log_path)s/archive
-pki_subsystem_configuration_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s
-pki_subsystem_database_link=%(pki_subsystem_path)s/alias
-pki_subsystem_conf_link=%(pki_subsystem_path)s/conf
-pki_subsystem_logs_link=%(pki_subsystem_path)s/logs
-pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
-
-
-###############################################################################
-## Apache Configuration: ##
-## ##
-## Values in this section are common to PKI subsystems that run ##
-## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[Apache]
-
-# Paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_systemd_service=/lib/systemd/system/pki-apached@.service
-pki_systemd_target=/lib/systemd/system/pki-apached.target
-pki_systemd_target_wants=/etc/systemd/system/pki-apached.target.wants
-pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-apached@%(pki_instance_name)s.service
-pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s
-pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s
-pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s
-pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s
-pki_instance_type=Apache
-pki_instance_type_registry_path =%(pki_registry_path)s/apache
-pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s
-pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s
-
-###############################################################################
-## Tomcat Configuration: ##
-## ##
-## Values in this section are common to PKI subsystems that run ##
-## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
-## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
-## required information which MAY be overridden by users as necessary. ##
-## ##
-## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
-## or a 'TKS Clone', change the value of 'pki_clone' ##
-## from 'False' to 'True'. ##
-## ##
-## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
-## are MUTUALLY EXCLUSIVE entities!!! ##
-###############################################################################
-[Tomcat]
-pki_ajp_port=8009
-pki_clone=False
-pki_clone_pkcs12_password=
-pki_clone_pkcs12_path=
-pki_clone_replicate_schema=True
-pki_clone_replication_master_port=
-pki_clone_replication_clone_port=
-pki_clone_replication_security=None
-pki_clone_uri=
-pki_enable_java_debugger=False
-pki_enable_proxy=False
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=true
-pki_tomcat_server_port=8005
-
-# Paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_systemd_service=/lib/systemd/system/pki-tomcatd@.service
-pki_systemd_target=/lib/systemd/system/pki-tomcatd.target
-pki_systemd_target_wants=/etc/systemd/system/pki-tomcatd.target.wants
-pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-tomcatd@%(pki_instance_name)s.service
-pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s
-pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s
-pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s
-pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s
-pki_tomcat_bin_path=/usr/share/tomcat/bin
-pki_tomcat_lib_path=/usr/share/tomcat/lib
-pki_tomcat_systemd=/usr/sbin/tomcat-sysd
-pki_source_catalina_properties=%(pki_source_server_path)s/catalina.properties
-pki_source_servercertnick_conf=%(pki_source_server_path)s/serverCertNick.conf
-pki_source_server_xml=%(pki_source_server_path)s/server.xml
-pki_source_context_xml=%(pki_source_server_path)s/context.xml
-pki_source_tomcat_conf=%(pki_source_server_path)s/tomcat.conf
-pki_instance_type=Tomcat
-pki_tomcat_common_path=%(pki_instance_path)s/common
-pki_tomcat_common_lib_path=%(pki_tomcat_common_path)s/lib
-pki_tomcat_tmpdir_path=%(pki_instance_path)s/temp
-pki_tomcat_webapps_path=%(pki_instance_path)s/webapps
-pki_tomcat_webapps_root_path=%(pki_tomcat_webapps_path)s/ROOT
-pki_tomcat_webapps_common_path=%(pki_tomcat_webapps_path)s/pki
-pki_tomcat_webapps_root_webinf_path=%(pki_tomcat_webapps_root_path)s/WEB-INF
-pki_tomcat_work_path=%(pki_instance_path)s/work
-pki_tomcat_work_catalina_path=%(pki_tomcat_work_path)s/Catalina
-pki_tomcat_work_catalina_host_path=%(pki_tomcat_work_catalina_path)s/localhost
-pki_tomcat_work_catalina_host_run_path=%(pki_tomcat_work_catalina_host_path)s/_
-pki_tomcat_work_catalina_host_subsystem_path=%(pki_tomcat_work_catalina_host_path)s/%(pki_subsystem_type)s
-pki_instance_conf_log4j_properties=%(pki_instance_configuration_path)s/log4j.properties
-pki_instance_type_registry_path=%(pki_registry_path)s/tomcat
-pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s
-pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s
-pki_tomcat_bin_link=%(pki_instance_path)s/bin
-pki_instance_lib=%(pki_instance_path)s/lib
-pki_instance_lib_log4j_properties=%(pki_instance_lib)s/log4j.properties
-pki_instance_systemd_link=%(pki_instance_path)s/%(pki_instance_name)s
-pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
-pki_subsystem_tomcat_webapps_link=%(pki_subsystem_path)s/webapps
-pki_tomcat_webapps_subsystem_path=%(pki_tomcat_webapps_path)s/%(pki_subsystem_type)s
-pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes
-pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib
-pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar
-pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar
-pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar
-pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar
-pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar
-pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar
-
-
-# JAR paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files
-pki_jss_jar=%(jni_jar_dir)s/jss4.jar
-pki_symkey_jar=%(jni_jar_dir)s/symkey.jar
-pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar
-pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar
-pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar
-pki_commons_codec_jar=/usr/share/java/commons-codec.jar
-pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar
-pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar
-pki_javassist_jar=/usr/share/java/javassist.jar
-pki_jettison_jar=/usr/share/java/jettison.jar
-pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar
-pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar
-pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar
-pki_cmscore=/usr/share/java/pki/pki-cmscore.jar
-pki_cms=/usr/share/java/pki/pki-cms.jar
-pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar
-pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar
-pki_nsutil=/usr/share/java/pki/pki-nsutil.jar
-pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar
-pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar
-pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar
-pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar
-pki_resteasy_jettison_provider_jar=%(resteasy_lib)s/resteasy-jettison-provider.jar
-pki_scannotation_jar=/usr/share/java/scannotation.jar
-pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar
-pki_velocity_jar=/usr/share/java/velocity.jar
-pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar
-pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar
-pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar
-pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar
-pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar
-pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar
-pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar
-pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar
-pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar
-pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar
-pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar
-pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar
-pki_resteasy_jaxrs_api_jar_link=%(pki_tomcat_common_lib_path)s/jaxrs-api.jar
-pki_jettison_jar_link=%(pki_tomcat_common_lib_path)s/jettison.jar
-pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar
-pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar
-pki_resteasy_atom_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-atom-provider.jar
-pki_resteasy_jaxb_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxb-provider.jar
-pki_resteasy_jaxrs_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxrs.jar
-pki_resteasy_jettison_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jettison-provider.jar
-pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar
-pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar
-pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar
-pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar
-pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar
-pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar
-pki_ca_jar=/usr/share/java/pki/pki-ca.jar
-pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar
-pki_kra_jar=/usr/share/java/pki/pki-kra.jar
-pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar
-pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar
-pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar
-pki_tks_jar=/usr/share/java/pki/pki-tks.jar
-pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar
-
-
-
-###############################################################################
-## CA Configuration: ##
-## ##
-## Values in this section are common to CA subsystems including 'PKI CAs', ##
-## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-## ##
-## EXTERNAL CAs: To specify an 'External CA', change the value ##
-## of 'pki_external' from 'False' to 'True'. ##
-## ##
-## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
-## of 'pki_subordinate' from 'False' to 'True'. ##
-## ##
-## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
-## are MUTUALLY EXCLUSIVE entities!!! ##
-###############################################################################
-[CA]
-pki_ca_signing_key_algorithm=SHA256withRSA
-pki_ca_signing_key_size=2048
-pki_ca_signing_key_type=rsa
-pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
-pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
-pki_ca_signing_token=Internal Key Storage Token
-pki_external=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_path=
-pki_external_csr_path=
-pki_external_step_two=False
-pki_import_admin_cert=False
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
-pki_subordinate=False
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=caadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
-pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_name)s-CA
-pki_ds_database=%(pki_instance_name)s-CA
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA
-pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
-
-# Paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_source_emails=/usr/share/pki/ca/emails
-pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
-pki_source_profiles=/usr/share/pki/ca/profiles
-pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
-pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
-pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
-pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
-pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
-pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
-pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
-pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
-pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
-pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
-
-
-
-
-###############################################################################
-## KRA Configuration: ##
-## ##
-## Values in this section are common to KRA subsystems ##
-## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[KRA]
-pki_import_admin_cert=True
-pki_storage_key_algorithm=SHA256withRSA
-pki_storage_key_size=2048
-pki_storage_key_type=rsa
-pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
-pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
-pki_storage_token=Internal Key Storage Token
-pki_transport_key_algorithm=SHA256withRSA
-pki_transport_key_size=2048
-pki_transport_key_type=rsa
-pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
-pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
-pki_transport_token=Internal Key Storage Token
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=kraadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
-pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_name)s-KRA
-pki_ds_database=%(pki_instance_name)s-KRA
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA
-pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
-
-# Paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
-pki_source_storagecert_profile=%(pki_source_conf_path)s/storageCert.profile
-pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
-pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile
-
-###############################################################################
-## OCSP Configuration: ##
-## ##
-## Values in this section are common to OCSP subsystems ##
-## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[OCSP]
-pki_import_admin_cert=True
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=ocspadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
-pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
-pki_ds_database=%(pki_instance_name)s-OCSP
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP
-pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
-
-###############################################################################
-## RA Configuration: ##
-## ##
-## Values in this section are common to PKI RA subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[RA]
-
-###############################################################################
-## TKS Configuration: ##
-## ##
-## Values in this section are common to TKS subsystems ##
-## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[TKS]
-pki_import_admin_cert=True
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=tksadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
-pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_name)s-TKS
-pki_ds_database=%(pki_instance_name)s-TKS
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS
-pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
-
-###############################################################################
-## TPS Configuration: ##
-## ##
-## Values in this section are common to PKI TPS subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[TPS]
-
-# Paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files.
-#
-pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
-
diff --git a/base/deploy/etc/pki.conf b/base/deploy/etc/pki.conf
deleted file mode 100644
index 24decec52..000000000
--- a/base/deploy/etc/pki.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# RESTEasy library
-RESTEASY_LIB=${RESTEASY_LIB}
-# JNI jar file location
-JNI_JAR_DIR=${JNI_JAR_DIR}
diff --git a/base/deploy/man/man5/pki_default.cfg.5 b/base/deploy/man/man5/pki_default.cfg.5
deleted file mode 100644
index ec2379a9f..000000000
--- a/base/deploy/man/man5/pki_default.cfg.5
+++ /dev/null
@@ -1,275 +0,0 @@ -.\" First parameter, NAME, should be all caps -.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -.\" other parameters are allowed: see man(7), man(1) -.TH pki_default.cfg 5 "December 13, 2012" "version 1.0" "PKI Default Instance Configuration" Ade Lee -.\" Please adjust this date whenever revising the man page. -.\" -.\" Some roff macros, for reference: -.\" .nh disable hyphenation -.\" .hy enable hyphenation -.\" .ad l left justify -.\" .ad b justify to both left and right margins -.\" .nf disable filling -.\" .fi enable filling -.\" .br insert line break -.\" .sp insert n+1 empty lines -.\" for man page specific macros, see man(7) -.SH NAME -pki_default.cfg \- Certificate Server instance default config file. - -.SH LOCATION -/etc/pki/default.cfg - -.SH DESCRIPTION -This file contains the default settings for a Certificate Server instance created using \fBpkispawn\fP. This file should not be edited, as it can be modified when the Certificate Server packages are updated. Rather, when setting up a Certificate Server instance, a user-provided configuration file can provide overrides to the defaults in /etc/pki/default.cfg. See \fBpkispawn(8)\fR for details. - -.SH SECTIONS -\fIdefault.cfg\fP is divided into subsystem-based sections ([DEFAULT] for general configuration and subsystem-type sections such as [CA] and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP, and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem type section -- [CA], [KRA], [OCSP], and [TKS] -- in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and subsystem-specific upgrades in the other sections. -.PP -There are a small number of bootstrap parameters which are passed in the configuration file by \fBpkispawn\fP. 
Other parameter's values can be interpolated tokens rather than explicit values. For example: -.PP -\fBpki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA\fP -.PP -This substitutes the value of pki_instance_name into the parameter value. It is possible to interpolate any parameter within a section or in [DEFAULT]. Any parameter used in interpolation can \fBONLY\fP be overridden within the same section. So, for example, pki_instance_name should only be overridden in [DEFAULT]; otherwise, interpolations can fail. - -.SH GENERAL INSTANCE PARAMETERS -The parameters described below, as well as the parameters located in the following sections, can be customized as part of a deployment. This list is not exhaustive. -.TP -.B pki_instance_name -.IP -Name of the instance. The instance is located at /var/lib/pki/. For Java subsystems, the default is specified as pki-tomcat. -.TP -.B pki_https_port, pki_http_port -.IP -Secure and unsecure ports. Defaults to standard Tomcat ports 8443 and 8080, respectively, for Java subsystems, and 443 and 80 for Apache subsystems. -.TP -.B pki_ajp_port, pki_tomcat_server_port -.IP -Ports for Tomcat subsystems. Defaults to standard Tomcat ports of 8009 and 8005, respectively. -.TP -.B pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy -.IP -Ports for an Apache proxy server. Certificate Server instances can be run behind an Apache proxy server, which will communicate with the Tomcat instance through the AJP port. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for details. -.TP -.B pki_user, pki_group, pki_audit_group -.IP -Specifies the default administrative user, group, and auditor group identities for PKI instances. The default user and group are both specified as \fBpkiuser\fR, and the default audit group is specified as \fBpkiaudit\fR. 
-.TP -.B pki_token_name, pki_token_password -.IP -The token and password where this instance's system certificate and keys are stored. Defaults to the NSS internal software token. - -.SS SYSTEM CERTIFICATE PARAMETERS -\fBpkispawn\fP sets up a number of system certificates for each subsystem. The system certificates which are required differ between subsystems. Each system certificate is denoted by a tag, as noted below. The different system certificates are: -.IP -* signing certificate ("signing"). Used to sign other certificates. Required for CA. -.IP -* OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP). Used to sign CRLs. Required for OCSP and CA. -.IP -* storage certificate ("storage"). Used to encrypt keys for storage in KRA. Required for KRA only. -.IP -* transport certificate ("transport"). Used to encrypt keys in transport to the KRA. Required for KRA only. -.IP -* subsystem certificate ("subsystem"). Used to communicate between subsystems within the security domain. Issued by the security domain CA. Required for all subsystems. -.IP -* server certificate ("sslserver"). Used for communication with the server. One server certificate is required for each Certificate Server instance. -.IP -* audit signing certificate ("audit_signing"). Used to sign audit logs. Required for all subsystems except the RA. -.PP -Each system certificate can be customized using the parameters below: -.TP -.B pki__key_type, pki__keysize, pki__key_algorithm -.IP -Characteristics of the private key. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for possible options. The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm. -.TP -.B pki__signing_algorithm -.IP -For signing certificates, the algorithm used for signing. Defaults to SHA256withRSA. -.TP -.B pki__token -.IP -Location where the certificate and private key are stored. 
Defaults to the internal software NSS token database. -.TP -.B pki__nickname -.IP -Nickname for the certificate in the token database. -.TP -.B pki__subject_dn -.IP -Subject DN for the certificate. The subject DN for the SSL Server certificate must include CN=. -.SS ADMIN USER PARAMETERS -\fBpkispawn\fP creates a bootstrap administrative user that is a member of all the necessary groups to administer the installed subsystem. On a security domain CA, the CA administrative user is also a member of the groups required to register a new subsystem on the security domain. The certificate and keys for this administrative user are stored in a PKCS #12 file in \fBpki_client_dir\fP, and can be imported into a browser to administer the system. -.TP -.B pki_admin_name, pki_admin_uid -.IP -Name and UID of this administrative user. Defaults to caadmin for CA, kraadmin for KRA, etc. -.TP -.B pki_admin_password -.IP -Password for the admin user. This password is used to log into the pki-console (unless client authentication is enabled), as well as log into the security domain CA. -.TP -.B pki_admin_email -.IP -Email address for the admin user. -.TP -.B pki_admin_dualkey, pki_admin_keysize, pki_admin_keytype -.IP -Settings for the administrator certificate and keys. -.TP -.B pki_admin_subject_dn -.IP -Subject DN for the administrator certificate. Defaults to \fBcn=PKI Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s\fP. -.TP -.B pki_admin_nickname -Nickname for the administrator certificate. -.TP -.B pki_import_admin_cert -.IP -Set to True to import an existing admin certificate for the admin user, rather than generating a new one. A subsystem-specific administrator will still be created within the subsystem's LDAP tree. This is useful to allow multiple subsystems within the same instance to be more easily administered from the same browser by using a single certificate. 
- -By default, this is set to False for CA subsystems and true for KRA, OCSP, and TKS subsystems. In this case, the admin certificate is read from the file ca_admin.cert in \fBpki_client_dir\fP. - -Note that cloned subsystems do not create a new administrative user. The administrative user of the master subsystem is used instead, and the details of this master user are replicated during the install. -.TP -.B pki_client_admin_cert_p12 -.IP -Location for the PKCS #12 file containing the administrative user's certificate and keys. For a CA, this defaults to \fIca_admin_cert.p12\fP in the \fBpki_client_dir\fP directory. -.SS BACKUP PARAMETERS -.TP -.B pki_backup_keys, pki_backup_password -.IP -Set to True to back up the subsystem certificates and keys to a PKCS #12 file. This file will be located in \fI/var/lib/pki//alias\fP. pki_backup_password is the password of the PKCS#12 file. - -.SS CLIENT DIRECTORY PARAMETERS -.TP -.B pki_client_dir -.IP -This is the location where all client data used during the installation is stored. At the end of the invocation of \fBpkispawn\fP, the administrative user's certificate and keys are stored in a PKCS #12 file in this location. -.TP -.B pki_client_database_dir, pki_client_database_password -.IP -Location where an NSS token database is created in order to generate a key for the administrative user. Usually, the data in this location is removed at the end of the installation, as the keys and certificates are stored in a PKCS #12 file in \fBpki_client_dir\fP. -.TP -.B pki_client_database_purge -.IP -Set to True to remove \fBpki_client_database_dir\fP at the end of the installation. Defaults to True. -.SS INTERNAL DATABASE PARAMETERS -\x'-1'\fBpki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port\fR -.IP -Hostname and ports for the internal database. Defaults to localhost, 389, and 636, respectively. -.PP -.B pki_ds_bind_dn, pki_ds_password -.IP -Credentials to connect to the database during installation. 
Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details. -.PP -.B pki_ds_secure_connection -.IP -Sets whether to require connections to the Directory Server using LDAPS. This requires SSL to be set up on the Directory Server first. Defaults to false. -.PP -.B pki_ds_remove_data -.IP -Sets whether to remove any data from the base DN before starting the installation. Defaults to True. -.PP -.B pki_ds_base_dn -.IP -The base DN for the internal database. It is advised that the Certificate Server have its own base DN for its internal database. If the base DN does not exist, it will be created during the running of \fBpkispawn\fP. For a cloned subsystem, the base DN for the clone subsystem MUST be the same as for the master subsystem. -.PP -.B pki_ds_database -.IP -Name of the back-end database. It is advised that the Certificate Server have its own base DN for its internal database. If the back-end does not exist, it will be created during the running of \fBpkispawn\fP. -.SS ISSUING CA PARAMETERS -\x'-1'\fBpki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri\fR -.IP -Hostname and port, or URI of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://:. - -.SS MISCELLANEOUS PARAMETERS -\x'-1'\fBpki_restart_configured_instance\fR -.IP -Sets whether to restart the instance after configuration is complete. Defaults to True. 
-.PP -.B pki_skip_configuration -.IP -Sets whether to execute the configuration steps when running \fBpkispawn\fP. If this is true, then the process is analogous to running \fBpkicreate\fP, when the configuration was performed separately from the instance creation. A configuration URL will be provided. This URL can be used as a starting point for the browser-based configuration panels. Defaults to False. -.PP -.B pki_skip_installation -.IP -Sets whether to skip the installation steps. With pki_skip_configuration set to False, this is analogous to running pkisilent. Defaults to False. -.PP -.B pki_enable_java_debugger -.IP -Sets whether to attach a Java debugger such as Eclipse to the instance for troubleshooting. Defaults to False. -.PP -.B pki_security_manager -.IP -Enables the Java security manager policies provided by the JDK to be used with the instance. Defaults to True. -.PP -.SS SECURITY DOMAIN PARAMETERS -The security domain is a component that facilitates communication between subsystems. The first CA installed hosts this component and is used to register subsequent subsystems with the security domain. These subsystems can communicate with each other using their subsystem certificate, which is issued by the security domain CA. For more information about the security domain component, see the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/. -.TP -.B pki_security_domain_hostname, pki_security_domain_https_port -.IP -Location of the security domain. Required for KRA, OCSP, and TKS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance. -.TP -.B pki_security_domain_user, pki_security_domain_password -.IP -Administrative user of the security domain. Required for KRA, OCSP, and TKS subsystems, and for CA subsystems joining a security domain. 
Defaults to the administrative user for the CA subsystem within the same instance (caadmin). -.TP -.B pki_security_domain_name -.IP -The name of the security domain. This is required for the security domain CA. - -.SS CLONE PARAMETERS -.TP -.B pki_clone -.IP -Installs a clone, rather than original, subsystem. -.TP -.B pki_clone_pkcs12_password, pki_clone_pkcs12_path -.IP -Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned. This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct selinux context (pki_tomcat_cert_t). This can be achieved by placing the file in \fI/var/lib/pki//alias\fP. -.TP -.B pki_clone_replication_master_port, pki_clone_replication_clone_port -.IP -Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. -.TP -.B pki_clone_repicate_schema -.IP -Replicate schema when the replication agreement is set up and the new instance (consumer) is initialized. Otherwise, the schema must be installed in the clone as a separate step beforehand. This does not usually have to be changed. Defaults to True. -.TP -.B pki_clone_replication_security -.IP -The type of security used for the replication data. This can be set to SSL (using LDAPS), TLS, or None. Defaults to None. For SSL and TLS, SSL must be set up for the database instances beforehand. -.TP -.B pki_clone_uri -.IP -A pointer to the subsystem being cloned. The format is https://:. - -.SS EXTERNAL CA CERTIFICATE PARAMETERS -\x'-1'\fBpki_external\fR -.IP -Sets whether the new CA will have a signing certificate that will be issued by an external CA. This is a two step process. In the first step, a CSR to be presented to the external CA is generated. In the second step, the issued signing certificate and certificate chain are provided to the \fBpkispawn\fP utility to complete the installation. 
Defaults to False. -.PP -.B pki_external_csr_path -.IP -Required in the first step of the external CA signing process. The CSR will be printed to the screen and stored in this location. -.PP -.B pki_external_step_two -.IP -Specifies that this is the second step of the external CA process. Defaults to False. -.PP -.B pki_external_cert_path, pki_external_cert_chain_path -.IP -Required for the second step of the external CA signing process. This is the location of the CA signing cert (as issued by the external CA) and the external CA's certificate chain. -.SS SUBORDINATE CA CERTIFICATE PARAMETERS -\x'-1'\fBpki_subordinate\fR -.IP -Specifies whether the new CA which will be a subordinate of another CA. The master CA is specified by \fBpki_issuing_ca\fP. Defaults to False. - -.SH AUTHORS -Ade Lee . \fBpkispawn\fP was written by the Dogtag project. - -.SH COPYRIGHT -Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. - -.SH SEE ALSO -.BR pkispawn(8) diff --git a/base/deploy/man/man8/pkidestroy.8 b/base/deploy/man/man8/pkidestroy.8 deleted file mode 100644 index 407a915aa..000000000 --- a/base/deploy/man/man8/pkidestroy.8 +++ /dev/null 
@@ -1,67 +0,0 @@ -.\" First parameter, NAME, should be all caps -.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -.\" other parameters are allowed: see man(7), man(1) -.TH pkidestroy 8 "December 13, 2012" "version 1.0" "PKI Instance Removal Utility" Ade Lee -.\" Please adjust this date whenever revising the man page. -.\" -.\" Some roff macros, for reference: -.\" .nh disable hyphenation -.\" .hy enable hyphenation -.\" .ad l left justify -.\" .ad b justify to both left and right margins -.\" .nf disable filling -.\" .fi enable filling -.\" .br insert line break -.\" .sp insert n+1 empty lines -.\" for man page specific macros, see man(7) -.SH NAME -pkidestroy \- Removes a subsystem from an instance of Certificate Server. - -.SH SYNOPSIS -pkidestroy -s -i [-u ] [-W ] [-h] [-v] [-p ] - -.SH DESCRIPTION -Removes a subsystem from an instance of Certificate Server. This utility removes any of the Java-based Certificate Server subsystems (CA, KRA, OCSP, and TKS). -.PP -.TP -\fBNote:\fP -This utility is only used for Java-based subsystems. The Apache-based Certificate Server subsystems (RA and TPS) are removed using \fBpkiremove\fP. -.PP -An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. If \fBpkidestroy\fP is invoked on the last subsystem in the instance, then that instance is removed. Typically, as subsystems need to contact the CA to update the security domain, the CA instance should be the last instance to be removed. - -.SH OPTIONS -.TP -.B -s -Specifies the subsystem to be removed, where is CA, KRA, OCSP, or TKS. If this option is not specified, \fBpkidestroy\fP -will prompt for its value. -.TP -.B -i -Specifies the name of the instance from which the subsystem should be removed. The instance is located at /var/log/pki/. If this option is not specified, \fBpkidestroy\fP -will prompt for its value. 
-.TP -.B -u -Specifies the username of the security domain of the subsystem. This is an \fBoptional\fP parameter. -.TP -.B -W -Specifies the file containing the password of the security domain of the subsystem. This is an \fBoptional\fP parameter. -.TP -.B -h, --help -Prints additional help information. -.TP -.B -v -Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See -.B pkidestroy -h -for details. - - -.SH BUGS -Report bugs to http://bugzilla.redhat.com. - -.SH AUTHORS -Ade Lee . \fBpkidestroy\fP was written by the Certificate Server project. - -.SH COPYRIGHT -Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. - -.SH SEE ALSO -.BR pkispawn(8) diff --git a/base/deploy/man/man8/pkispawn.8 b/base/deploy/man/man8/pkispawn.8 deleted file mode 100644 index d3e980302..000000000 --- a/base/deploy/man/man8/pkispawn.8 +++ /dev/null 
@@ -1,374 +0,0 @@ -.\" First parameter, NAME, should be all caps -.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -.\" other parameters are allowed: see man(7), man(1) -.TH pkispawn 8 "December 13, 2012" "version 1.0" "PKI Instance Creation Utility" Ade Lee -.\" Please adjust this date whenever revising the man page. -.\" -.\" Some roff macros, for reference: -.\" .nh disable hyphenation -.\" .hy enable hyphenation -.\" .ad l left justify -.\" .ad b justify to both left and right margins -.\" .nf disable filling -.\" .fi enable filling -.\" .br insert line break -.\" .sp insert n+1 empty lines -.\" for man page specific macros, see man(7) -.SH NAME -pkispawn \- Sets up an instance of Certificate Server. - -.SH SYNOPSIS -pkispawn -s -f [-h] [-u] [-v] [-p ] - -.SH DESCRIPTION -Sets up an instance of Certificate Server. This utility creates any of the Java-based Certificate Server subsystems (CA, KRA, OCSP, and TKS). -.TP -\fBNote:\fP -A 389 Directory Server instance must be configured and running before this script can be run. Certificate Server requires an internal directory database. The default configuration assumes a Directory Server instance running on the same machine on port 389. For more information on creating a Directory Server instance, see -.B setup-ds.pl(8). -.TP -\fBNote:\fP -This utility creates only Java-based subsystems. The Apache-based Certificate Server subsystems (RA and TPS) are created using \fBpkicreate\fP. -.PP -An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. To create an instance with a CA and a KRA, simply run pkispawn twice, with values -.I -s CA -and -.I -s KRA -respectively. -.PP -The instances are created based on values for configuration parameters in the default configuration (/etc/pki/default.cfg) and the user-provided configuration file. 
The user-provided configuration file is read after the default configuration file, so any parameters defined in that file will override parameters in the default configuration file. In general, most users will store only those parameters which are different from the default configuration in their user-provided configuration file. -.PP -This configuration file contains directives that are divided into sections for different subsystem types (such as [DEFAULT], [CA], and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem-type section ([CA], [KRA], [OCSP], or [TKS]), in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and system-specific upgrades in the [CA], [KRA], and other sections. -.PP -At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the -.B EXAMPLES -section below. For more information on the default configuration file and the parameters it contains (and can be customized), see -.B pki_default.cfg(5). -.PP -The \fBpkispawn\fP run creates several different installation files that can be referenced later, if need be: -.IP -* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file. -.IP -* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki-spawn--.log\fP. -.IP -* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir. -.PP -When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser. 
-.PP -The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See -\fBpki(1)\fP. For more extensive documentation on how to use Certificate Server features, see the Red Hat Certificate System Documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/. -.PP -Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. See -.BR pkidestroy(8). -.PP -\fBpkispawn\fP supersedes and combines the functionality of \fBpkicreate\fP and \fBpkisilent\fP, which were available in earlier releases of Certificate Server. It is now possible to completely create and configure the Certificate Server subsystem in a single step using \fBpkispawn\fP. To use the browser-based configuration panels with \fBpkispawn\fP instead, set the configuration parameter \fBpki_skip_configuration\fP to True. - -.SH OPTIONS -.TP -.B -s -Specifies the subsystem to be installed and configured, where is CA, KRA, OCSP, or TKS. -.TP -.B -f -Specifies the path to the user-defined configuration file. This file contains differences between the default configuration and the custom configuration. -.TP -.B -h, --help -Prints additional help information. -.TP -.B -u -Runs this script in upgrade mode, to update an existing instance. -.TP -.B -v -Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See -.B pkispawn -h -for details. - -.SH INTERACTIVE MODE -.PP -If no options are specified, pkispawn will provide an interactive menu to collect the parameters needed to install -the Certificate Server instance. Note that only the most basic installation options are provided. This includes root CAs, -KRAs, OCSPs and TKS, connecting to the LDAP port of a directory server. 
More complicated setups such as: cloned subsystems, subordinate or externally signed CAs, subsystems that connect to the directory server using LDAPS, and subsystems that are customized beyond the options described below - require the use of a configuration file with the --f option. -.PP -The interactive option is most useful for those users getting familiar with Certificate Server. The parameters collected are -written to the installation file of the subsystem, which can be found at \fB/etc/sysconfig/pki/tomcat///deployment.cfg.\fP -.PP -The following parameters are queried interactively during the installation process: -.PP -\fBSubsystem Type\fP -.TP -\fISubsystem (CA/KRA/OCSP/TKS):\fP -the type of subsystem to be installed. Prompted when the -s option is not specified. The default value chosen is CA. -.PP -\fBInstance Specific Parameters\fP -.TP -\fIInstance name:\fP -the name of the tomcat instance in which the subsystem is to be installed. The default value is pki-tomcat. -.br -\fBNote:\fP Only one subsystem of a given type (CA, KRA, OCSP, TKS) can exist within a given instance. -.TP -\fIHTTP port:\fP -the HTTP port of the Tomcat instance. The default value is 8080. -.TP -\fISecure HTTP port:\fP -the HTTPS port of the Tomcat instance. The default value is 8443. -.TP -\fIAJP port:\fP -the AJP port of the Tomcat instance. The default value is 8009. -.TP -\fIManagement port:\fP -the management port of the Tomcat instance. The default value is 8005. -.PP -\fBAdministrative User Parameters\f -.TP -\fIUsername:\fP -the username of the administrator of this subsystem. The default value is admin. -.TP -\fIPassword:\fP -password for the administrator user. -.TP -\fIImport certificate:\fP -An optional parameter that can be used to import an already available CA admin certificate into this instance. -.TP -\fIExport certificate:\fP -setup the path where the admin certificate of this should be stored. The default value is /root/.pki/pki-tomcat/_admin.cert. 
-.PP -\fBDirectory Server Parameters\f -.TP -\fIHostname:\fP -Hostname of the directory server instance. The default value is the hostname of the system. -.TP -\fIPort:\fP -Port for the directory server instance. The default value is 389. -.TP -\fIBase DN:\fP -the Base DN to be used for the internal database for this subsystem. The default value is o=pki-tomcat-. -.TP -\fIBind DN:\fP -the bind DN required to connect for the directory server. This user must have sufficient permissions to install the required schema and database. The default value is cn=Directory Manager. -.TP -\fIPassword:\fP -password for the bind DN. -.PP -\fBSecurity Domain Parameters\f -.TP -\fIName:\fP -the name of the security domain. Required only if installing a root CA. Default value: Security Domain. -.TP -\fIHostname:\fP -the hostname for the security domain CA. Required only for non-CA subsystems. The default value is the hostname of this system. -.TP -\fISecure HTTP port:\fP -the https port for the security domain. Required only for non-CA subsystems. The default value is 8443. -.TP -\fIUsername:\fP -the username of the security domain administrator of the CA. Required only for non-CA subsystems. The default value is caadmin. -.TP -\fIPassword:\fP -password for the security domain administrator. Required for all subsystems that are not root CAs. - -.SH EXAMPLES -.SS CA using default configuration -\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR -.PP -where \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -.fi -.PP -Prior to running this command, a Directory Server instance should be created and running. 
This command assumes that the Directory Server instance is using its default configuration: -.IP -* Installed on the local machine -.IP -* Listening on port 389 -.IP -* The user is cn=Directory Manager, with the password specified in pki_ds_password - -This invocation of \fBpkispawn\fP creates a Tomcat instance containing a CA running on the local machine with secure port 8443 and unsecure port 8080. To access this CA, simply point a browser to https://:8443. -.PP -The instance name (defined by pki_instance_name) is pki-tomcat, and it is located at \fI/var/lib/pki/pki-tomcat\fP. Logs for the instance are located at \fI/var/log/pki/pki-tomcat\fP, and an installation log is written to \fI/var/log/pki/pkispawn-pki-tomcat-.log\fP. -.PP -A PKCS #12 file containing the administrator certificate is created in \fI$HOME/.pki/pki-tomcat\fP. This PKCS #12 file uses the password designated by pki_client_pkcs12_password in the configuration file. -.PP -To access the agent pages, first import the CA certificate by accessing the CA End Entity Pages and clicking on the Retrieval Tab. Be sure to trust the CA certificate. Then, import the administrator certificate in the PKCS #12 file. -.SS KRA, OCSP, or TKS using default configuration -\x'-1'\fBpkispawn -s -f myconfig.txt\fR -.PP -where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP -.fi -.PP -The \fBpki_security_domain_password\fP is the admin password of the CA installed in the same default instance. This command should be run after a CA is installed. This installs another subsystem within the same default instance using the certificate generated for the CA administrator for the subsystem's administrator. This allows a user to access both subsystems on the browser with a single administrator certificate. 
To access the new subsystem's functionality, simply point the browser to https://:8443 and click the relevant top-level links. -.SS KRA, OCSP, or TKS connecting to a remote CA -\x'-1'\fBpkispawn -s -f myconfig.txt\fR -.PP -where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP -pki_security_domain_hostname= -pki_security_domain_https_port= -pki_security_domain_user=caadmin -pki_issuing_ca_uri=https://: - -[KRA] -pki_import_admin_cert=False -.fi -.PP -A remote CA is one where the CA resides in another Certificate Server instance, either on the local machine or a remote machine. In this case, \fImyconfig.txt\fP must specify the connection information for the remote CA and the information about the security domain (the trusted collection of subsystems within an instance). -.PP -The subsystem section is [KRA], [OCSP], or [TKS]. This example assumes that the specified CA hosts the security domain. The CA must be running and accessible. -.PP -A new administrator certificate is generated for the new subsystem and stored in a PKCS #12 file in \fI$HOME/.pki/pki-tomcat\fP. 
-.SS Installing a CA clone -\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR -.PP -where \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP -pki_security_domain_hostname= -pki_security_domain_https_port= -pki_security_domain_user=caadmin - -[CA] -pki_clone=True -pki_clone_pkcs12_password=\fIpassword123\fP -pki_clone_pkcs12_path= -pki_clone_replicate_schema=True -pki_clone_uri=https://: -.fi -.PP -A cloned CA is a CA which uses the same signing, OCSP signing, and audit signing certificates as the master CA, but issues certificates within a different serial number range. It has its own internal database -- separate from the master CA database -- but using the same base DN, that keeps in sync with the master CA through replication agreements between the databases. This is very useful for load sharing and disaster recovery. To create a clone, the \fImyconfig.txt\fP uses pki_clone-* parameters in its [CA] section which identify the original CA to use as a master template. Additionally, it connects to the master CA as a remote CA and uses its security domain. -.PP -Before the clone can be generated, the Directory Server must be created that is separate from the master CA's Directory Server. The example assumes that the master CA and cloned CA are on different machines, and that their Directory Servers are on port 389. In addition, the master's system certs and keys have been stored in a PKCS #12 file that is copied over to the clone subsystem in the location specified in . This file is created when the master CA is installed; it can also be generated using \fBPKCS12Export\fP. The file needs to be readable by the user the Certificate Server runs as (by default, pkiuser) and be given the SELinux context pki_tomcat_cert_t. 
-.PP -.SS Installing a KRA, OCSP, or TKS clone -\x'-1'\fBpkispawn -s -f myconfig.txt\fR -.PP -where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP -pki_security_domain_hostname= -pki_security_domain_https_port= -pki_security_domain_user=caadmin - -[KRA] -pki_clone=True -pki_clone_pkcs12_password=\fIpassword123\fP -pki_clone_pkcs12_path= -pki_clone_replicate_schema=True -pki_clone_uri=https://: -pki_issuing_ca=https://: -.fi -.PP -As with a CA clone, a KRA, OCSP, or TKS clone uses the same certificates and basic configuration as the original subsystem. The configuration points to the original subsystem to copy its configuration. This example also assumes that the CA is on a remote machine and specifies the CA and security domain information. -.PP -The subsystem section is [KRA], [OCSP], or [TKS]. -.SS Installing a subordinate CA -\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR -.PP -where \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP -pki_security_domain_hostname= -pki_security_domain_https_port= -pki_security_domain_user=caadmin - -[CA] -pki_subordinate=True -pki_issuing_ca=https://: -pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com -.fi -.PP -A sub-CA derives its certificate configuration -- such as allowed extensions and validity periods -- from a superior or root CA. Otherwise, the configuration of the CA is independent of the root CA, so it is its own instance rather than a clone. A sub-CA is configured using the pki_subordinate parameter and a pointer to the CA which issues the sub-CA's certificates. 
-.PP -\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN. -.SS Installing an externally signed CA -\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR -.PP -This is a two step process. -.PP -In the first step, a certificate signing request (CSR) is generated for the signing certificate and \fImyconfig.txt\fP contains the following text: -.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP - -[CA] -pki_external=True -pki_external_csr_path=/tmp/ca_signing.csr -pki_ca_signing_subject_dn=cn=CA Signing,ou=External,o=example.com -.fi -.PP -The CSR is written to pki_external_csr_path. The pki_ca_signing_subject_dn should be different from the subject DN of the external CA that is signing the request. The pki_ca_signing_subject_dn parameter can be used to specify the signing certificate's subject DN. - -.PP -The CSR is then submitted to the external CA, and the resulting certificate and certificate chain are saved to files on the system. - -.PP -In the second step, the configuration file has been modified to install the issued certificates. In place of the original CSR, the configuration file now points to the issued CA certificate and certificate chain. There is also a flag to indicate that this completes the installation process (pki_external_step_two). 
-.IP -.nf -[DEFAULT] -pki_admin_password=\fIpassword123\fP -pki_client_pkcs12_password=\fIpassword123\fP -pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP - -[CA] -pki_external=True -pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert -pki_external_ca_cert_path=/tmp/ca_signing.cert -pki_external_step_two=True -pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=External,o=example.com -.fi -.PP -Then, the \fBpkispawn\fP command is run again: -.PP -.B pkispawn -s CA -f myconfig.txt - -.SH BUGS -Report bugs to http://bugzilla.redhat.com. - -.SH AUTHORS -Ade Lee . \fBpkispawn\fP was written by the Certificate Server project. - -.SH COPYRIGHT -Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. - -.SH SEE ALSO -.BR pkidestroy(8), -.BR pki_default.cfg(5), -.BR pki(1), -.BR setup-ds.pl(8) diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations deleted file mode 100644 index 50dd4e4fd..000000000 --- a/base/deploy/scripts/operations +++ /dev/null 
@@ -1,1703 +0,0 @@ -#!/bin/bash -X - -# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": -# -# Status Exit Codes -# -# 0 program is running or service is OK -# 1 program is dead and /var/run pid file exists -# 2 program is dead and /var/lock lock file exists -# 3 program is not running -# 4 program or service status is unknown -# 5-99 reserved for future LSB use -# 100-149 reserved for distribution use -# 150-199 reserved for application use -# 200-254 reserved -# -# Non-Status Exit Codes -# -# 0 action was successful -# 1 generic or unspecified error (current practice) -# 2 invalid or excess argument(s) -# 3 unimplemented feature (for example, "reload") -# 4 user had insufficient privilege -# 5 program is not installed -# 6 program is not configured -# 7 program is not running -# 8-99 reserved for future LSB use -# 100-149 reserved for distribution use -# 150-199 reserved for application use -# 200-254 reserved -# - -if [ -f /etc/pki/pki.conf ] ; then - . /etc/pki/pki.conf -fi - -# PKI subsystem-level directory and file values for locks -lockfile="/var/lock/subsys/${SERVICE_NAME}" - -default_error=0 - -case $command in - start|stop|restart|condrestart|force-restart|try-restart) - # 1 generic or unspecified error (current practice) - default_error=1 - ;; - reload) - default_error=3 - ;; - status) - # 4 program or service status is unknown - default_error=4 - ;; - *) - # 2 invalid argument(s) - default_error=2 - ;; -esac - -# Enable nullglob, if set then shell pattern globs which do not match any -# file returns the empty string rather than the unmodified glob pattern. -shopt -s nullglob - -OS=`uname -s` -ARCHITECTURE=`uname -i` - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$PROG_NAME' from non-existent directory!" 
- exit ${default_error} -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -PKI_CA_PATH="/usr/share/pki/ca" -PKI_KRA_PATH="/usr/share/pki/kra" -PKI_OCSP_PATH="/usr/share/pki/ocsp" -PKI_RA_PATH="/usr/share/pki/ra" -PKI_TKS_PATH="/usr/share/pki/tks" -PKI_TPS_PATH="/usr/share/pki/tps" -if [ '${PKI_TYPE}' == "apache" ] ; then - if [ ! -d ${PKI_RA_PATH} ] && - [ ! -d ${PKI_TPS_PATH} ] ; then - echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" - if [ "${command}" != "status" ]; then - # 5 program is not installed - exit 5 - else - exit ${default_error} - fi - fi -elif [ '${PKI_TYPE}' == "tomcat" ] ; then - if [ ! -d ${PKI_CA_PATH} ] && - [ ! -d ${PKI_KRA_PATH} ] && - [ ! -d ${PKI_OCSP_PATH} ] && - [ ! -d ${PKI_TKS_PATH} ] ; then - echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" - if [ "${command}" != "status" ]; then - # 5 program is not installed - exit 5 - else - exit ${default_error} - fi - fi -fi - -# This script must be run as root! -RV=0 -if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$PROG_NAME'!" 
- if [ "${command}" != "status" ]; then - # 4 user had insufficient privilege - exit 4 - else - # 4 program or service status is unknown - exit 4 - fi -fi - -PKI_INSTANCE_TYPES="apache tomcat" -PKI_REGISTRY_ENTRIES="" -PKI_SUBSYSTEMS="" -TOTAL_PKI_REGISTRY_ENTRIES=0 -TOTAL_UNCONFIGURED_PKI_ENTRIES=0 - -# Gather ALL registered instances of this PKI web server type -for INSTANCE in ${PKI_REGISTRY}/*; do - if [ -d "$INSTANCE" ] ; then - for REGISTRY in ${INSTANCE}/*; do - if [ -f "$REGISTRY" ] ; then - PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" - TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` - fi - done - fi -done - -# Execute the specified registered instance of this PKI web server type -if [ -n "${pki_instance_id}" ]; then - for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do - if [ "`basename ${INSTANCE}`" == "${pki_instance_id}" ]; then - PKI_REGISTRY_ENTRIES="${INSTANCE}" - TOTAL_PKI_REGISTRY_ENTRIES=1 - break - fi - done -fi - -usage() -{ - echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" - echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" - echo -n "|status} " - echo -n "[instance-name]" - echo - echo -} - -usage_systemd() -{ - echo -n "Usage: /usr/bin/pkidaemon " - echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" - echo -n "|status} " - echo -n "instance-type " - echo -n "[instance-name]" - echo - echo -} - -list_systemd_instance_types() -{ - echo - for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do - echo " $PKI_INSTANCE_TYPE" - done - echo -} - -list_instances() -{ - echo - for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do - instance_name=`basename $PKI_REGISTRY_ENTRY` - echo " $instance_name" - done - echo -} - -list_systemd_instances() -{ - echo - for INSTANCE in /etc/sysconfig/pki/apache/*; do - if [ -d "${INSTANCE}" ] ; 
then - instance_name=`basename ${INSTANCE}` - echo " $instance_name" - fi - done - for INSTANCE in /etc/sysconfig/pki/tomcat/*; do - if [ -d "${INSTANCE}" ] ; then - instance_name=`basename ${INSTANCE}` - echo " $instance_name" - fi - done - echo -} - -get_subsystems() -{ - # Re-initialize PKI_SUBSYSTEMS for each instance - PKI_SUBSYSTEMS="" - case ${PKI_WEB_SERVER_TYPE} in - tomcat) - for SUBSYSTEM in ca kra ocsp tks; do - if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then - if [ '${PKI_SUBSYSTEMS}' == "" ] ; then - PKI_SUBSYSTEMS="${SUBSYSTEM}" - else - PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" - fi - fi - done - ;; - apache) - for SUBSYSTEM in ra tps; do - if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then - if [ '${PKI_SUBSYSTEMS}' == "" ] ; then - PKI_SUBSYSTEMS="${SUBSYSTEM}" - else - PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" - fi - fi - done - ;; - *) - echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" - exit ${default_error} - ;; - esac -} - -# Check arguments -if [ $SYSTEMD ]; then - if [ $# -lt 2 ] ; then - # [insufficient arguments] - echo "$PROG_NAME: Insufficient arguments!" - echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - exit 3 - elif [ ${default_error} -eq 2 ] ; then - # 2 invalid argument - echo "$PROG_NAME: Invalid arguments!" - echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - exit 2 - elif [ $# -gt 3 ] ; then - echo "$PROG_NAME: Excess arguments!" 
- echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - if [ "${command}" != "status" ]; then - # 2 excess arguments - exit 2 - else - # 4 program or service status is unknown - exit 4 - fi - fi -else - if [ $# -lt 1 ] ; then - # 3 unimplemented feature (for example, "reload") - # [insufficient arguments] - echo "$PROG_NAME: Insufficient arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 3 - elif [ ${default_error} -eq 2 ] ; then - # 2 invalid argument - echo "$PROG_NAME: Invalid arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 2 - elif [ $# -gt 2 ] ; then - echo "$PROG_NAME: Excess arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - if [ "${command}" != "status" ]; then - # 2 excess arguments - exit 2 - else - # 4 program or service status is unknown - exit 4 - fi - fi -fi - -# If an "instance" was supplied, check that it is a "valid" instance -if [ -n "${pki_instance_id}" ]; then - valid=0 - for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do - instance_name=`basename $PKI_REGISTRY_ENTRY` - if [ "${pki_instance_id}" == "${instance_name}" ]; then - valid=1 - break - fi - done - if [ $valid -eq 0 ]; then - if [ "${pki_instance_type}" != "apache" ] && - [ "${pki_instance_type}" != "tomcat" ]; then - echo -n "unknown instance type (${pki_instance_type})" - else - echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" - fi - if [ ! 
$SYSTEMD ]; then - echo_failure - fi - echo - - if [ "${command}" != "status" ]; then - # 5 program is not installed - exit 5 - else - # 4 program or service status is unknown - exit 4 - fi - fi -fi - -check_pki_configuration_status() -{ - rv=0 - - case ${PKI_WEB_SERVER_TYPE} in - tomcat) - for SUBSYSTEM in ca kra ocsp tks; do - if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then - rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` - rv=`expr ${rv} + 0` - fi - done - ;; - apache) - # TBD - ;; - *) - echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" - exit ${default_error} - ;; - esac - - if [ $rv -ne 0 ] ; then - echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" - echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" - if [ "${command}" != "status" ]; then - # 6 program is not configured - rv=6 - else - # 4 program or service status is unknown - rv=4 - fi - TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` - elif [ -f ${RESTART_SERVER} ] ; then - echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " - echo -n "it must still be RESTARTED!" - echo - if [ "${command}" != "status" ]; then - # 1 generic or unspecified error (current practice) - rv=1 - else - # 4 program or service status is unknown - rv=4 - fi - fi - - return $rv -} - -get_pki_status_definitions() -{ - case $PKI_WEB_SERVER_TYPE in - tomcat) - PKI_SERVER_XML_CONF=${PKI_INSTANCE_PATH}/conf/server.xml - get_pki_status_definitions_tomcat - return $? - ;; - ra) - get_pki_status_definitions_ra - return $? - ;; - tps) - get_pki_status_definitions_tps - return $? - ;; - *) - echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" - exit ${default_error} - ;; - esac -} - -get_pki_status_definitions_ra() -{ - # establish well-known strings - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! 
-f ${PKI_HTTPD_CONF} ] ; then - echo "File '${PKI_HTTPD_CONF}' does not exist!" - exit ${default_error} - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f ${PKI_NSS_CONF} ] ; then - echo "File '${PKI_NSS_CONF}' does not exist!" - exit ${default_error} - fi - - # Iterate over Listen statements - for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do - UNSECURE_PORT=$port - if [ $total_ports -eq 0 ]; then - echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" - else - echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" - fi - total_ports=`expr ${total_ports} + 1` - - done - - # Iterate over Listen statements - for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do - UNSECURE_PORT=$port - if [ $total_ports -eq 1 ]; then - CLIENTAUTH_PORT=$port - echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" - fi - if [ $total_ports -eq 2 ]; then - NON_CLIENTAUTH_PORT=$port - echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" - fi - total_ports=`expr ${total_ports} + 1` - - done - - return 0; -} - -get_pki_status_definitions_tps() -{ - # establish well-known strings - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! -f ${PKI_HTTPD_CONF} ] ; then - echo "File '${PKI_HTTPD_CONF}' does not exist!" - exit ${default_error} - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f ${PKI_NSS_CONF} ] ; then - echo "File '${PKI_NSS_CONF}' does not exist!" 
- exit ${default_error} - fi - - # Iterate over Listen statements - for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do - UNSECURE_PORT=$port - if [ $total_ports -eq 0 ]; then - echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - else - echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" - fi - total_ports=`expr ${total_ports} + 1` - - done - - # Iterate over Listen statements - for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do - UNSECURE_PORT=$port - if [ $total_ports -eq 1 ]; then - CLIENTAUTH_PORT=$port - echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" - echo " (ESC Security Officer Workstation)" - echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" - echo " (TPS Roles - Operator/Administrator/Agent)" - fi - if [ $total_ports -eq 2 ]; then - NON_CLIENTAUTH_PORT=$port - echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - fi - total_ports=`expr ${total_ports} + 1` - - done - - return 0; -} - -get_pki_status_definitions_tomcat() -{ - # establish well-known strings - begin_pki_status_comment="" - begin_ca_status_comment="" - begin_kra_status_comment="" - begin_ocsp_status_comment="" - begin_tks_status_comment="" - end_pki_status_comment="" - total_ports=0 - unsecure_port_statement="Unsecure Port" - secure_agent_port_statement="Secure Agent Port" - secure_ee_port_statement="Secure EE Port" - secure_ee_client_auth_port_statement="EE Client 
Auth Port" - secure_admin_port_statement="Secure Admin Port" - pki_console_port_statement="PKI Console Port" - tomcat_port_statement="Tomcat Port" - - # initialize looping variables - pki_status_comment_found=0 - display_pki_ca_status_banner=0 - display_pki_kra_status_banner=0 - display_pki_ocsp_status_banner=0 - display_pki_tks_status_banner=0 - process_pki_ca_status=0 - process_pki_kra_status=0 - process_pki_ocsp_status=0 - process_pki_tks_status=0 - - # first check to see that an instance-specific "server.xml" file exists - if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then - echo "File '${PKI_SERVER_XML_CONF}' does not exist!" - exit ${default_error} - fi - - # identify all PKI subsystems present within this PKI instance - if [ -e ${PKI_INSTANCE_PATH}/ca ]; then - display_pki_ca_status_banner=1 - fi - if [ -e ${PKI_INSTANCE_PATH}/kra ]; then - display_pki_kra_status_banner=1 - fi - if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then - display_pki_ocsp_status_banner=1 - fi - if [ -e ${PKI_INSTANCE_PATH}/tks ]; then - display_pki_tks_status_banner=1 - fi - - # read this instance-specific "server.xml" file line-by-line - # to obtain the current PKI Status Definitions - exec < ${PKI_SERVER_XML_CONF} - while read line; do - # first look for the well-known end PKI Status comment - # (to turn off processing) - if [ "$line" == "$end_pki_status_comment" ] ; then - # always turn off processing TKS status at this point - process_pki_tks_status=0 - pki_status_comment_found=0 - break; - fi - - # then look for the well-known begin PKI Status comment - # (to turn on processing) - if [ "$line" == "$begin_pki_status_comment" ] ; then - pki_status_comment_found=1 - fi - - # once the well-known begin PKI Status comment has been found, - # begin processing to obtain all of the PKI Status Definitions - if [ $pki_status_comment_found -eq 1 ] ; then - head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` - if [ "$line" == "$begin_ca_status_comment" ] ; then - if [ 
$display_pki_ca_status_banner -eq 1 ] ; then - # print CA Status Definition banner - echo - echo " [CA Status Definitions]" - # turn on processing CA status at this point - process_pki_ca_status=1 - fi - elif [ "$line" == "$begin_kra_status_comment" ] ; then - # always turn off processing CA status at this point - process_pki_ca_status=0 - if [ $display_pki_kra_status_banner -eq 1 ] ; then - # print DRM Status Definition banner - echo - echo " [DRM Status Definitions]" - # turn on processing DRM status at this point - process_pki_kra_status=1 - fi - elif [ "$line" == "$begin_ocsp_status_comment" ] ; then - # always turn off processing DRM status at this point - process_pki_kra_status=0 - if [ $display_pki_ocsp_status_banner -eq 1 ] ; then - # print OCSP Status Definition banner - echo - echo " [OCSP Status Definitions]" - # turn on processing OCSP status at this point - process_pki_ocsp_status=1 - fi - elif [ "$line" == "$begin_tks_status_comment" ] ; then - # always turn off processing OCSP status at this point - process_pki_ocsp_status=0 - if [ $display_pki_tks_status_banner -eq 1 ] ; then - # print TKS Status Definition banner - echo - echo " [TKS Status Definitions]" - # turn on processing TKS status at this point - process_pki_tks_status=1 - fi - elif [ $process_pki_ca_status -eq 1 ] || - [ $process_pki_kra_status -eq 1 ] || - [ $process_pki_ocsp_status -eq 1 ] || - [ $process_pki_tks_status -eq 1 ] ; then - # look for a PKI Status Definition and print it - if [ "$head" == "$unsecure_port_statement" ] || - [ "$head" == "$secure_agent_port_statement" ] || - [ "$head" == "$secure_ee_port_statement" ] || - [ "$head" == "$secure_admin_port_statement" ] || - [ "$head" == "$secure_ee_client_auth_port_statement" ] || - [ "$head" == "$pki_console_port_statement" ] || - [ "$head" == "$tomcat_port_statement" ] ; then - echo " $line" - total_ports=`expr ${total_ports} + 1` - fi - fi - fi - done - - return 0; -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI 
Subsystem Type - line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return ${default_error} - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return ${default_error} - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return ${default_error} - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - else - return ${default_error} - fi - fi - - # If ${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - 
pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return ${default_error} - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - else - return ${default_error} - fi - - line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - else - return ${default_error} - fi - - line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` - else - return ${default_error} - fi - - # Compose the "PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ "${pki_security_domain}" 
!= "" ]; then - # Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return ${default_error} - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " [${pki_subsystem} Configuration Definitions]" - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " ${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -display_configuration_information() -{ - result=0 - check_pki_configuration_status - rv=$? - if [ $rv -eq 0 ] ; then - get_pki_status_definitions - rv=$? 
- if [ $rv -ne 0 ] ; then - result=$rv - echo - echo "${PKI_INSTANCE_ID} Status Definitions not found" - else - get_subsystems - for SUBSYSTEM in ${PKI_SUBSYSTEMS}; do - PKI_SUBSYSTEM_CONFIGURATION_FILE="${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg" - get_pki_configuration_definitions - rv=$? - if [ $rv -ne 0 ] ; then - result=$rv - echo - echo "${PKI_INSTANCE_ID} Configuration Definitions not found for ${SUBSYSTEM}" - fi - done - fi - fi - return $result -} - -display_instance_status_systemd() -{ - echo -n "Status for ${PKI_INSTANCE_ID}: " - systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 - rv=$? - - if [ $rv -eq 0 ] ; then - echo "$PKI_INSTANCE_ID is running .." - display_configuration_information - else - echo "$PKI_INSTANCE_ID is stopped" - fi - - return $rv -} - -display_instance_status() -{ - # Verify there is an initscript for this instance - if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then - # 4 program or service status is unknown - return 4 - fi - - # Invoke the initscript for this instance - $PKI_INSTANCE_INITSCRIPT status - rv=$? - - if [ $rv -eq 0 ] ; then - display_configuration_information - fi - - return $rv -} - -make_symlink() -{ - symlink="${1}" - target="${2}" - user="${3}" - group="${4}" - - rv=0 - - echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ." - # Check to make certain that the expected target exists. - # - # NOTE: The symbolic link does NOT exist at this point. - # - if [ -e ${target} ]; then - # Check that the expected target is fully resolvable! - if [ ! `readlink -qe ${target}` ]; then - # Issue an ERROR that the target to which the - # symbolic link is expected to point is NOT fully resolvable! - echo "ERROR: Failed making '${symlink}' -> '${target}'"\ - "since target '${target}' is NOT fully resolvable!" - rv=1 - else - # Attempt to create a symbolic link and 'chown' it. - ln -s ${target} ${symlink} - rv=$? - if [ $rv -eq 0 ]; then - # NOTE: Ignore 'chown' errors. 
- chown -h ${user}:${group} ${symlink} - echo "SUCCESS: Created '${symlink}' -> '${target}'" - else - echo "ERROR: Failed to create '${symlink}' -> '${target}'!" - rv=1 - fi - fi - else - # Issue an ERROR that the target to which the - # symbolic link is expected to point does NOT exist. - echo "ERROR: Failed making '${symlink}' -> '${target}'"\ - "since target '${target}' does NOT exist!" - rv=1 - fi - - return $rv -} - -check_symlinks() -{ - # declare -p symlinks - path="${1}" - user="${2}" - group="${3}" - - rv=0 - - # process key/value pairs (symlink/target) in the associative array - for key in "${!symlinks[@]}" - do - symlink="${path}/${key}" - target=${symlinks[${key}]} - if [ -e ${symlink} ]; then - if [ -h ${symlink} ]; then - current_target=`readlink ${symlink}` - # Verify that the current target to which the - # symlink points is the expected target - if [ ${current_target} == ${target} ]; then - # Check to make certain that the expected target exists. - if [ -e ${target} ]; then - # Check that the expected target is fully resolvable! - if [ ! `readlink -qe ${target}` ]; then - # Issue an ERROR that the target to which the - # symbolic link is expected to point is NOT - # fully resolvable! - echo "WARNING: Symbolic link '${symlink}'"\ - "exists, but is a dangling symlink!"\ - echo "ERROR: Unable to create"\ - "'${symlink}' -> '${target}'"\ - "since target '${target}' is NOT fully"\ - "resolvable!" - rv=1 - else - # ALWAYS run 'chown' on an existing '${symlink}' - # that points to a fully resolvable '${target}' - # - # NOTE: Ignore 'chown' errors. - # - chown -h ${user}:${group} ${symlink} - # echo "SUCCESS: '${symlink}' -> '${target}'" - fi - else - # Issue an ERROR that the target to which the - # symbolic link is expected to point does NOT exist. - echo "WARNING: Symbolic link '${symlink}'"\ - "exists, but is a dangling symlink!"\ - echo "ERROR: Unable to create"\ - "'${symlink}' -> '${target}'"\ - "since target '${target}' does NOT exist!" 
- rv=1 - fi - else - # Attempt to remove this symbolic link and - # issue a WARNING that a new symbolic link is - # being created to point to the expected target - # rather than the current target to which it - # points. - echo "WARNING: Attempting to change symbolic link"\ - "'${symlink}' to point to target '${target}'"\ - "INSTEAD of current target '${current_target}'!" - rm ${symlink} - rv=$? - if [ $rv -ne 0 ]; then - echo "ERROR: Failed to remove"\ - "'${symlink}' -> '${current_target}'!" - rv=1 - else - echo "INFO: Removed"\ - "'${symlink}' -> '${current_target}'!" - # Attempt to create the symbolic link and chown it. - make_symlink ${symlink} ${target} ${user} ${group} - rv=$? - fi - fi - elif [ -f ${symlink} ]; then - # Issue a WARNING that the administrator may have replaced - # the symbolic link with a file for debugging purposes. - echo "WARNING: '${symlink}' exists but is NOT a symbolic link!" - else - # Issue an ERROR that the symbolic link has been replaced - # by something unusable (such as a directory). - echo "ERROR: '${symlink}' exists but is NOT a symbolic link!" - rv=1 - fi - else - # Issue a WARNING that this symbolic link does not exist. - echo "WARNING: Symbolic link '${symlink}' does NOT exist!" - # Attempt to create the symbolic link and chown it. - make_symlink ${symlink} ${target} ${user} ${group} - rv=$? - fi - done - - return $rv -} - -# Detect and correct any missing or incorrect symlinks. 
-# -# Use the following command to locate PKI 'instance' symlinks: -# -# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file -# -verify_symlinks() -{ - # declare associative arrays - declare -A base_symlinks - declare -A root_symlinks - declare -A ca_symlinks - declare -A kra_symlinks - declare -A ocsp_symlinks - declare -A tks_symlinks - declare -A common_jar_symlinks - declare -A ca_jar_symlinks - declare -A kra_jar_symlinks - declare -A ocsp_jar_symlinks - declare -A tks_jar_symlinks - declare -A systemd_symlinks - - # Dogtag 10 Conditional Variables - jni_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - - # Dogtag 10 Symbolic Link Target Variables - java_dir="/usr/share/java" - pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service" - systemd_dir="/lib/systemd/system" - - # Dogtag 10 Symbolic Link Variables - pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib" - pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" - pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" - pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" - pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" - pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" - pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" - pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" - - # '${PKI_INSTANCE_PATH}' symlinks - base_symlinks=( - [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias - [bin]=/usr/share/tomcat/bin - [conf]=/etc/pki/${PKI_INSTANCE_ID} - [logs]=/var/log/pki/${PKI_INSTANCE_ID}) - - # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership) - root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd - - # '${PKI_INSTANCE_PATH}/ca' symlinks - ca_symlinks=( - [alias]=${PKI_INSTANCE_PATH}/alias - [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca - [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca - [registry]=${pki_registry_dir} - [webapps]=${PKI_INSTANCE_PATH}/webapps) - - # '${pki_ca_jar_dir}' symlinks - 
ca_jar_symlinks=( - [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar - [pki-cms.jar]=${java_dir}/pki/pki-cms.jar - [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar - [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar - [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar - [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) - - # '${PKI_INSTANCE_PATH}/kra' symlinks - kra_symlinks=( - [alias]=${PKI_INSTANCE_PATH}/alias - [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra - [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra - [registry]=${pki_registry_dir} - [webapps]=${PKI_INSTANCE_PATH}/webapps) - - # '${pki_kra_jar_dir}' symlinks - kra_jar_symlinks=( - [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar - [pki-cms.jar]=${java_dir}/pki/pki-cms.jar - [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar - [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar - [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar - [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) - - # '${PKI_INSTANCE_PATH}/ocsp' symlinks - ocsp_symlinks=( - [alias]=${PKI_INSTANCE_PATH}/alias - [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp - [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp - [registry]=${pki_registry_dir} - [webapps]=${PKI_INSTANCE_PATH}/webapps) - - # '${pki_ocsp_jar_dir}' symlinks - ocsp_jar_symlinks=( - [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar - [pki-cms.jar]=${java_dir}/pki/pki-cms.jar - [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar - [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar - [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar - [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) - - # '${PKI_INSTANCE_PATH}/tks' symlinks - tks_symlinks=( - [alias]=${PKI_INSTANCE_PATH}/alias - [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks - [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks - [registry]=${pki_registry_dir} - [webapps]=${PKI_INSTANCE_PATH}/webapps) - - # '${pki_tks_jar_dir}' symlinks - 
tks_jar_symlinks=( - [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar - [pki-cms.jar]=${java_dir}/pki/pki-cms.jar - [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar - [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar - [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar - [pki-tks.jar]=${java_dir}/pki/pki-tks.jar) - - # '${pki_common_jar_dir}' symlinks - common_jar_symlinks=( - [apache-commons-codec.jar]=${java_dir}/commons-codec.jar - [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar - [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar - [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar - [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar - [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar - [javassist.jar]=${java_dir}/javassist.jar - [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar - [jettison.jar]=${java_dir}/jettison.jar - [jss4.jar]=${jni_dir}/jss4.jar - [ldapjdk.jar]=${java_dir}/ldapjdk.jar - [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar - [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar - [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar - [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar - [resteasy-jettison-provider.jar]=${RESTEASY_LIB}/resteasy-jettison-provider.jar - [scannotation.jar]=${java_dir}/scannotation.jar - [tomcatjss.jar]=${java_dir}/tomcatjss.jar - [velocity.jar]=${java_dir}/velocity.jar - [xerces-j2.jar]=${java_dir}/xerces-j2.jar - [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar - [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar) - - if [ -e ${PKI_INSTANCE_PATH}/tks ]; then - common_jar_symlinks[symkey.jar]=${jni_dir}/symkey.jar - fi - - # '${pki_systemd_dir}' symlinks - systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service} - - # Detect and correct 'Tomcat' symbolic links - # - # (1) convert the specified associative array into a 
string - # (2) create a new global 'symlinks' associative array from this - # specified string which will be used by the "check_symlinks()" - # subroutine - # (3) call "check_symlinks()" with the appropriate arguments to - # detect and correct this specified associative array; - # "check_symlinks()" returns 0 on success and 1 on failure - # - if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then - # Detect and correct 'base_symlinks' - base_symlinks_string=$(declare -p base_symlinks) - eval "declare -A symlinks=${base_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - - # Detect and correct 'root_symlinks' - root_symlinks_string=$(declare -p root_symlinks) - eval "declare -A symlinks=${root_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH} "root" "root" - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - - if [ -e ${PKI_INSTANCE_PATH}/ca ]; then - # Detect and correct 'ca_symlinks' - ca_symlinks_string=$(declare -p ca_symlinks) - eval "declare -A symlinks=${ca_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - # Detect and correct 'ca_jar_symlinks' - ca_jar_symlinks_string=$(declare -p ca_jar_symlinks) - eval "declare -A symlinks=${ca_jar_symlinks_string#*=}" - check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - fi - - if [ -e ${PKI_INSTANCE_PATH}/kra ]; then - # Detect and correct 'kra_symlinks' - kra_symlinks_string=$(declare -p kra_symlinks) - eval "declare -A symlinks=${kra_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP} - rv=$? 
- if [ $rv -ne 0 ]; then - return $rv - fi - # Detect and correct 'kra_jar_symlinks' - kra_jar_symlinks_string=$(declare -p kra_jar_symlinks) - eval "declare -A symlinks=${kra_jar_symlinks_string#*=}" - check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - fi - - if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then - # Detect and correct 'ocsp_symlinks' - ocsp_symlinks_string=$(declare -p ocsp_symlinks) - eval "declare -A symlinks=${ocsp_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - # Detect and correct 'ocsp_jar_symlinks' - ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks) - eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}" - check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - fi - - if [ -e ${PKI_INSTANCE_PATH}/tks ]; then - # Detect and correct 'tks_symlinks' - tks_symlinks_string=$(declare -p tks_symlinks) - eval "declare -A symlinks=${tks_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - # Detect and correct 'tks_jar_symlinks' - tks_jar_symlinks_string=$(declare -p tks_jar_symlinks) - eval "declare -A symlinks=${tks_jar_symlinks_string#*=}" - check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - fi - - # Detect and correct 'common_jar_symlinks' - common_jar_symlinks_string=$(declare -p common_jar_symlinks) - eval "declare -A symlinks=${common_jar_symlinks_string#*=}" - check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? 
- if [ $rv -ne 0 ]; then - return $rv - fi - - # Detect and correct 'systemd_symlinks' - systemd_symlinks_string=$(declare -p systemd_symlinks) - eval "declare -A symlinks=${systemd_symlinks_string#*=}" - check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - fi - - return 0 -} - -start_instance() -{ - rv=0 - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - # Verify symbolic links (detecting and correcting them if possible) - verify_symlinks - rv=$? - if [ $rv -ne 0 ] ; then - return $rv - fi - - # Invoke the initscript for this instance - case $PKI_WEB_SERVER_TYPE in - tomcat) - - # Generate catalina.policy dynamically. - cat /usr/share/pki/server/conf/catalina.policy \ - /usr/share/tomcat/conf/catalina.policy \ - /usr/share/pki/server/conf/pki.policy \ - /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \ - /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy - - # We must export the service name so that the systemd version - # of the tomcat init script knows which instance specific - # configuration file to source. - export SERVICE_NAME=$PKI_INSTANCE_ID - $PKI_INSTANCE_INITSCRIPT start - rv=$? - ;; - apache) - $PKI_INSTANCE_INITSCRIPT start - rv=$? - ;; - esac - - if [ $rv -ne 0 ] ; then - return $rv - fi - - # On Tomcat subsystems, make certain that the service has started - case $PKI_WEB_SERVER_TYPE in - tomcat) - count=0 - tries=30 - port=${PKI_UNSECURE_PORT} - while [ $count -lt $tries ] - do - netstat -antl | grep ${port} > /dev/null - netrv=$? - if [ $netrv -eq 0 ] ; then - break; - fi - sleep 1 - let count=$count+1; - done - if [ $netrv -ne 0 ] ; then - return 1 - fi - ;; - esac - - if [ $rv -eq 0 ] ; then - # From the PKI point of view a returned error code of 6 implies - # that the program is not "configured". An error code of 1 implies - # that the program was "configured" but must still be restarted. 
- # - # If the return code is 6 return this value unchanged to the - # calling routine so that the total number of configuration errors - # may be counted. Other return codes are ignored. - # - check_pki_configuration_status - rv=$? - if [ $rv -eq 6 ]; then - # 6 program is not configured - return 6 - else - # 0 success - return 0 - fi - fi - return $rv -} - -stop_instance() -{ - rv=0 - - export SERVICE_NAME=$PKI_INSTANCE_ID - # Invoke the initscript for this instance - $PKI_INSTANCE_INITSCRIPT stop - rv=$? - - # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks - # that were previously associated with the Tomcat 'pid' and 'lock' files. - case $PKI_WEB_SERVER_TYPE in - tomcat) - if [ -f ${PKI_PIDFILE} ]; then - rm -f ${PKI_PIDFILE} - fi - ;; - esac - - return $rv -} - -start() -{ - error_rv=0 - rv=0 - config_errors=0 - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - # 5 program is not installed - return 5 - fi - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then - echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:" - fi - - # Start every PKI instance of this type that isn't already running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - start_instance - rv=$? - if [ $rv = 6 ] ; then - # Since at least ONE configuration error exists, then there - # is at least ONE unconfigured instance from the PKI point - # of view. - # - # However, it must still be considered that the - # instance is "running" from the point of view of other - # OS programs such as 'chkconfig'. - # - # Therefore, ignore non-zero return codes resulting - # from configuration errors. 
- # - - config_errors=`expr $config_errors + 1` - rv=0 - elif [ $rv != 0 ] ; then - errors=`expr $errors + 1` - error_rv=$rv - fi - done - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then - touch ${lockfile} - chmod 00600 ${lockfile} - fi - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - # NOTE: "bad" return code(s) OVERRIDE configuration errors! - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances failed to start!" - echo - fi - - if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " - echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances MUST be configured!" - echo - fi - - echo - echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." - fi - - return $rv -} - -stop() -{ - error_rv=0 - rv=0 - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - # 5 program is not installed - return 5 - fi - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" - fi - - # Shutdown every PKI instance of this type that is running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - stop_instance - rv=$? 
- if [ $rv != 0 ] ; then - errors=`expr $errors + 1` - error_rv=$rv - fi - done - - if [ ${errors} -eq 0 ] ; then - rm -f ${lockfile} - fi - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances were " - echo -n "unsuccessfully stopped!" - echo - fi - - echo - echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." - fi - - return $rv -} - -restart() -{ - stop - sleep 2 - start - - return $? -} - -registry_status() -{ - error_rv=0 - rv=0 - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - # 4 program or service status is unknown - return 4 - fi - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" - fi - - # Obtain status of every PKI instance of this type - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - case $PKI_WEB_SERVER_TYPE in - tomcat) - if [ $SYSTEMD ]; then - display_instance_status_systemd - else - display_instance_status - fi - rv=$? - ;; - apache) - display_instance_status - rv=$? 
- ;; - esac - if [ $rv -ne 0 ] ; then - errors=`expr $errors + 1` - error_rv=$rv - fi - done - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "4 - program or service status is unknown" - rv=4 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances reported status failures!" - echo - fi - - if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " - echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances MUST be configured!" - echo - fi - - echo - echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." - fi - - return $rv -} - diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon deleted file mode 100755 index 3e1d27a40..000000000 --- a/base/deploy/scripts/pkidaemon +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# - -PROG_NAME=`basename $0` -SERVICE_NAME="pkidaemon" -SERVICE_PROG="/bin/systemctl" - -command="$1" -pki_instance_type="$2" -pki_instance_id="$3" - -PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}" -PKI_TYPE="${pki_instance_type}" -PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d" -SYSTEMD=1 - -# Source the PKI function library -. /usr/share/pki/scripts/operations - -# See how we were called. -case $command in - status) - registry_status - exit $? - ;; - start) - start - exit $? - ;; - restart) - restart - exit $? - ;; - stop) - echo "An exit status of '143' refers to the 'systemd' method of using"\ - "'SIGTERM' to shutdown a Java process and can safely be ignored." - stop - exit $? - ;; - condrestart|force-restart|try-restart) - [ ! -f ${lockfile} ] || restart - echo "The '${command}' action is TBD." - exit $? - ;; - reload) - echo "The 'reload' action is an unimplemented feature." - exit ${default_error} - ;; - *) - echo "unknown action ($command)" - echo - usage_systemd - echo "where valid instance types include:" - list_instance_types - echo "and where valid instance names include:" - list_systemd_instances - exit ${default_error} - ;; -esac - 
diff --git a/base/deploy/src/engine/pkiconfig.py b/base/deploy/src/engine/pkiconfig.py deleted file mode 100644 index ad6c22251..000000000 --- a/base/deploy/src/engine/pkiconfig.py +++ /dev/null 
@@ -1,185 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# -import re - -# PKI Deployment Constants -PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS = 00755 -PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770 -PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770 -PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660 -PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600 -PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770 -PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777 -PKI_DEPLOYMENT_DEFAULT_UMASK = 00002 - -PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'" -PKI_DEPLOYMENT_DEFAULT_GID = 17 -PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser" -PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin" -PKI_DEPLOYMENT_DEFAULT_UID = 17 -PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" - -PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"] -PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"] -PKI_APACHE_SUBSYSTEMS = ["RA","TPS"] -PKI_TOMCAT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS"] -PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", - "lib", "logs", "ocsp", "temp", "tks", "webapps", - "work"] -PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg", - "rsyslog", "tls"] -PKI_APACHE_REGISTRY_RESERVED_NAMES = ["ra", "tps"] 
-PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks"] - -PKI_INDENTATION_LEVEL_0 = {'indent' : ''} -PKI_INDENTATION_LEVEL_1 = {'indent' : '... '} -PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '} -PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} -PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} - -PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\ - "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" - -PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" -PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" -# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! -PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki" -PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki" -# NOTE: Well-known 'registry root', default 'instance', and default -# 'configuration file' names MUST be created in order to potentially -# obtain an instance-specific configuration file -# (presuming one has not been specified during command-line parsing) -# because command-line parsing happens prior to reading any -# configuration files. Although the 'registry root' MUST remain fixed, -# the default 'instance' name may be overridden by the value specified -# in the configuration file (the value in the default configuration file -# should always match the 'default' instance name specified below). 
-PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache" -PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat" - -DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg" -USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg" - -PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_CONFIGURATION_ROOT + "/" + DEFAULT_DEPLOYMENT_CONFIGURATION -PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_SOURCE_ROOT + "/deployment/config/pkislots.cfg" - -# subtypes of PKI subsystems -PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned" -PKI_DEPLOYMENT_EXTERNAL_CA = "External" -PKI_DEPLOYMENT_SUBORDINATE_CA = "Subordinate" - -# default ports (for defined selinux policy) -PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT = 8080 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009 - -# PKI Deployment Global Variables -pki_install_time = None -pki_timestamp = None -pki_architecture = None -pki_hostname = None - - -# PKI Deployment Command-Line Variables -pki_deployment_executable = None - -# PKI Deployment "Mandatory" Command-Line Variables -pki_subsystem = None -# 'pkispawn' ONLY -default_deployment_cfg = None -user_deployment_cfg = None -# 'pkidestroy' ONLY -pki_deployed_instance_name = None -pki_secdomain_user = None -pki_secdomain_pass = None - -# PKI Deployment "Optional" Command-Line Variables -# 'pkispawn' ONLY -pki_update_flag = False - -# PKI Deployment "Test" Command-Line Variables -pki_root_prefix = None - - -# PKI Deployment Helper Functions -def str2bool(string): - return string.lower() in ("yes", "true", "t", "1") - -# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)' -# and 'wait_to_attach_an_external_java_debugger(master)' functions, -# change 'pki_enable_java_debugger=False' to -# 'pki_enable_java_debugger=True' in the appropriate -# deployment configuration file. 
-def prepare_for_an_external_java_debugger(instance): - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" - print "'%s':" % instance - print - print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" - print " \"address=8000,server=y,suspend\"" - print - raw_input("Enable external java debugger 'JAVA_OPTS' "\ - "and press return to continue . . . ") - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - return - -def wait_to_attach_an_external_java_debugger(): - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - print "Attach the java debugger to this process on the port specified by" - print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and" - print "set any desired breakpoints" - print - raw_input("Please attach an external java debugger "\ - "and press return to continue . . . ") - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - return - - -# PKI Deployment Logger Variables -pki_log = None -pki_log_dir = None -pki_log_name = None -pki_log_level = None -pki_console_log_level = None - - -# PKI Deployment Global Dictionaries -pki_master_dict = {} -pki_slots_dict = None - -# PKI Selinux Constants and parameters -PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" -PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t" -PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" -PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t" -PKI_PORT_SELINUX_CONTEXT = "http_port_t" -pki_selinux_config_ports = [] diff --git a/base/deploy/src/engine/pkihelper.py b/base/deploy/src/engine/pkihelper.py deleted file mode 100644 index df71978ed..000000000 --- a/base/deploy/src/engine/pkihelper.py +++ /dev/null 
@@ -1,3397 +0,0 @@
-#!/usr/bin/python -t
-
-# Authors:
-# Matthew Harmsen
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# System Imports
-import errno
-import sys
-import os
-import fileinput
-import pickle
-import random
-import re
-import requests
-import shutil
-import string
-import subprocess
-import time
-from datetime import datetime
-from grp import getgrgid
-from grp import getgrnam
-from pwd import getpwnam
-from pwd import getpwuid
-import xml.etree.ElementTree as ET
-import zipfile
-import selinux
-if selinux.is_selinux_enabled():
- import seobject
-
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_slots_dict as slots
-from pkiconfig import pki_selinux_config_ports as ports
-import pkimanifest as manifest
-import pkimessages as log
-from pkiparser import PKIConfigParser
-import pki.account
-import pki.client
-import pki.system
-
-# PKI Deployment Helper Functions
-def pki_copytree(src, dst, symlinks=False, ignore=None):
- """Recursively copy a directory tree using copy2().
-
- PATCH: This code was copied from 'shutil.py' and patched to
- allow 'The destination directory to already exist.'
-
- If exception(s) occur, an Error is raised with a list of reasons. 
-
- If the optional symlinks flag is true, symbolic links in the
- source tree result in symbolic links in the destination tree; if
- it is false, the contents of the files pointed to by symbolic
- links are copied.
-
- The optional ignore argument is a callable. If given, it
- is called with the `src` parameter, which is the directory
- being visited by pki_copytree(), and `names` which is the list of
- `src` contents, as returned by os.listdir():
-
- callable(src, names) -> ignored_names
-
- Since pki_copytree() is called recursively, the callable will be
- called once for each directory that is copied. It returns a
- list of names relative to the `src` directory that should
- not be copied.
-
- XXX Consider this example code rather than the ultimate tool.
-
- """
- names = os.listdir(src)
- if ignore is not None:
- ignored_names = ignore(src, names)
- else:
- ignored_names = set()
-
- # PATCH: ONLY execute 'os.makedirs(dst)' if the top-level
- # destination directory does NOT exist!
- if not os.path.exists(dst):
- os.makedirs(dst)
- errors = []
- for name in names:
- if name in ignored_names:
- continue
- srcname = os.path.join(src, name)
- dstname = os.path.join(dst, name)
- try:
- if symlinks and os.path.islink(srcname):
- linkto = os.readlink(srcname)
- os.symlink(linkto, dstname)
- elif os.path.isdir(srcname):
- pki_copytree(srcname, dstname, symlinks, ignore)
- else:
- # Will raise a SpecialFileError for unsupported file types
- shutil.copy2(srcname, dstname)
- # catch the Error from the recursive pki_copytree so that we can
- # continue with other files
- except Error, err:
- errors.extend(err.args[0])
- except EnvironmentError, why:
- errors.append((srcname, dstname, str(why)))
- try:
- shutil.copystat(src, dst)
- except OSError, why:
- if WindowsError is not None and isinstance(why, WindowsError):
- # Copying file access times may fail on Windows
- pass
- else:
- errors.extend((src, dst, str(why)))
- if errors:
- raise Error, errors
-
-# PKI Deployment 
Identity Class
-class identity:
- def __add_gid(self, pki_group):
- pki_gid = None
- try:
- # Does the specified 'pki_group' exist?
- pki_gid = getgrnam(pki_group)[2]
- # Yes, group 'pki_group' exists!
- config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid,
- extra=config.PKI_INDENTATION_LEVEL_2)
- except KeyError as exc:
- # No, group 'pki_group' does not exist!
- config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- try:
- # Is the default well-known GID already defined?
- group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0]
- # Yes, the default well-known GID exists!
- config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2,
- group, config.PKI_DEPLOYMENT_DEFAULT_GID,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Attempt to create 'pki_group' using a random GID.
- command = "/usr/sbin/groupadd" + " " +\
- pki_group + " " +\
- "> /dev/null 2>&1"
- except KeyError as exc:
- # No, the default well-known GID does not exist!
- config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1,
- exc, extra=config.PKI_INDENTATION_LEVEL_2)
- # Is the specified 'pki_group' the default well-known group?
- if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
- # Yes, attempt to create the default well-known group
- # using the default well-known GID.
- command = "/usr/sbin/groupadd" + " " +\
- "-g" + " " +\
- str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\
- "-r" + " " +\
- pki_group + " " +\
- "> /dev/null 2>&1"
- else:
- # No, attempt to create 'pki_group' using a random GID.
- command = "/usr/sbin/groupadd" + " " +\
- pki_group + " " +\
- "> /dev/null 2>&1"
- # Execute this "groupadd" command.
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def __add_uid(self, pki_user, pki_group):
- pki_uid = None
- try:
- # Does the specified 'pki_user' exist? 
- pki_uid = getpwnam(pki_user)[2]
- # Yes, user 'pki_user' exists!
- config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # NOTE: For now, never check validity of specified 'pki_group'!
- except KeyError as exc:
- # No, user 'pki_user' does not exist!
- config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- try:
- # Is the default well-known UID already defined?
- user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0]
- # Yes, the default well-known UID exists!
- config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2,
- user, config.PKI_DEPLOYMENT_DEFAULT_UID,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Attempt to create 'pki_user' using a random UID.
- command = "/usr/sbin/useradd" + " " +\
- "-g" + " " +\
- pki_group + " " +\
- "-d" + " " +\
- config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
- "-s" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
- "-c" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
- pki_user + " " +\
- "> /dev/null 2>&1"
- except KeyError as exc:
- # No, the default well-known UID does not exist!
- config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1,
- exc, extra=config.PKI_INDENTATION_LEVEL_2)
- # Is the specified 'pki_user' the default well-known user?
- if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER:
- # Yes, attempt to create the default well-known user
- # using the default well-known UID.
- command = "/usr/sbin/useradd" + " " +\
- "-g" + " " +\
- pki_group + " " +\
- "-d" + " " +\
- config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
- "-s" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
- "-c" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
- "-u" + " " +\
- str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\
- "-r" + " " +\
- pki_user + " " +\
- "> /dev/null 2>&1"
- else:
- # No, attempt to create 'pki_user' using a random UID. 
- command = "/usr/sbin/useradd" + " " +\
- "-g" + " " +\
- pki_group + " " +\
- "-d" + " " +\
- config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
- "-s" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
- "-c" + " " +\
- config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
- pki_user + " " +\
- "> /dev/null 2>&1"
- # Execute this "useradd" command.
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def add_uid_and_gid(self, pki_user, pki_group):
- self.__add_gid(pki_group)
- self.__add_uid(pki_user, pki_group)
- return
-
- def get_uid(self, critical_failure=True):
- try:
- pki_uid = master['pki_uid']
- except KeyError as exc:
- config.pki_log.error(log.PKI_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return pki_uid
-
- def get_gid(self, critical_failure=True):
- try:
- pki_gid = master['pki_gid']
- except KeyError as exc:
- config.pki_log.error(log.PKI_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return pki_gid
-
- def set_uid(self, name, critical_failure=True):
- try:
- config.pki_log.debug(log.PKIHELPER_USER_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # id -u
- pki_uid = getpwnam(name)[2]
- master['pki_uid']=pki_uid
- config.pki_log.debug(log.PKIHELPER_UID_2, name, pki_uid,
- extra=config.PKI_INDENTATION_LEVEL_3)
- except KeyError as exc:
- config.pki_log.error(log.PKI_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return pki_uid
-
- def set_gid(self, name, critical_failure=True):
- try:
- config.pki_log.debug(log.PKIHELPER_GROUP_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # id -g
- pki_gid = getgrnam(name)[2]
- master['pki_gid']=pki_gid
- config.pki_log.debug(log.PKIHELPER_GID_2, name, pki_gid,
- 
extra=config.PKI_INDENTATION_LEVEL_3)
- except KeyError as exc:
- config.pki_log.error(log.PKI_KEYERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return pki_gid
-
-
-# PKI Deployment Namespace Class
-class namespace:
- # Silently verify that the selected 'pki_instance_name' will
- # NOT produce any namespace collisions
- def collision_detection(self):
- # Run simple checks for pre-existing namespace collisions
- if os.path.exists(master['pki_instance_path']):
- if os.path.exists(master['pki_subsystem_path']):
- # Top-Level PKI base path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- else:
- if os.path.exists(master['pki_target_tomcat_conf_instance_id']):
- # Top-Level "/etc/sysconfig" path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_target_tomcat_conf_instance_id'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(master['pki_cgroup_systemd_service']):
- # Systemd cgroup path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_cgroup_systemd_service_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(master['pki_cgroup_cpu_systemd_service']):
- # Systemd cgroup CPU path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_cgroup_cpu_systemd_service_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(master['pki_instance_log_path']) and\
- os.path.exists(master['pki_subsystem_log_path']):
- # Top-Level PKI log path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_instance_log_path'],
- 
extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(master['pki_instance_configuration_path']) and\
- os.path.exists(master['pki_subsystem_configuration_path']):
- # Top-Level PKI configuration path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_instance_configuration_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(master['pki_instance_registry_path']) and\
- os.path.exists(master['pki_subsystem_registry_path']):
- # Top-Level PKI registry path collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_COLLISION_2,
- master['pki_instance_name'],
- master['pki_instance_registry_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Run simple checks for reserved name namespace collisions
- if master['pki_instance_name'] in config.PKI_BASE_RESERVED_NAMES:
- # Top-Level PKI base path reserved name collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
- master['pki_instance_name'],
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # No need to check for reserved name under Top-Level PKI log path
- if master['pki_instance_name'] in config.PKI_CONFIGURATION_RESERVED_NAMES:
- # Top-Level PKI configuration path reserved name collision
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
- master['pki_instance_name'],
- master['pki_instance_configuration_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- # Top-Level Apache PKI registry path reserved name collision
- if master['pki_instance_name'] in\
- config.PKI_APACHE_REGISTRY_RESERVED_NAMES:
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
- master['pki_instance_name'],
- master['pki_instance_registry_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif master['pki_subsystem'] in 
config.PKI_TOMCAT_SUBSYSTEMS:
- # Top-Level Tomcat PKI registry path reserved name collision
- if master['pki_instance_name'] in\
- config.PKI_TOMCAT_REGISTRY_RESERVED_NAMES:
- config.pki_log.error(
- log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
- master['pki_instance_name'],
- master['pki_instance_registry_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
-
-# PKI Deployment Configuration File Class
-class configuration_file:
- def log_configuration_url(self):
- # NOTE: This is the one and only parameter containing a sensitive
- # parameter that may be stored in a log file.
- config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1,
- master['pki_configuration_url'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1,
- master['pki_registry_initscript_command'],
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- def display_configuration_url(self):
- # NOTE: This is the one and only parameter containing a sensitive
- # parameter that may be displayed to the screen. 
- print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url']
- print
- print log.PKI_CONFIGURATION_RESTART_1 %\
- master['pki_registry_initscript_command']
- print
-
- def verify_sensitive_data(self):
- # Silently verify the existence of 'sensitive' data
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # Verify existence of Directory Server Password (ALWAYS)
- if not master.has_key('pki_ds_password') or\
- not len(master['pki_ds_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Verify existence of Admin Password (except for Clones)
- if not config.str2bool(master['pki_clone']):
- if not master.has_key('pki_admin_password') or\
- not len(master['pki_admin_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_admin_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # If required, verify existence of Backup Password
- if config.str2bool(master['pki_backup_keys']):
- if not master.has_key('pki_backup_password') or\
- not len(master['pki_backup_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_backup_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Verify existence of Client Pin for NSS client security databases
- if not master.has_key('pki_client_database_password') or\
- not len(master['pki_client_database_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
- "pki_client_database_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Verify existence of Client PKCS #12 Password for Admin Cert
- if not master.has_key('pki_client_pkcs12_password') or\
- not len(master['pki_client_pkcs12_password']):
- 
config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_client_pkcs12_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Verify existence of PKCS #12 Password (ONLY for Clones)
- if config.str2bool(master['pki_clone']):
- if not master.has_key('pki_clone_pkcs12_password') or\
- not len(master['pki_clone_pkcs12_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_pkcs12_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Verify existence of Security Domain Password File
- # (ONLY for Clones, KRA, OCSP, TKS, or Subordinate CA)
- if config.str2bool(master['pki_clone']) or\
- not master['pki_subsystem'] == "CA" or\
- config.str2bool(master['pki_subordinate']):
- if not master.has_key('pki_security_domain_password') or\
- not len(master['pki_security_domain_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_security_domain_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # If required, verify existence of Token Password
- if not master['pki_token_name'] == "internal":
- if not master.has_key('pki_token_password') or\
- not len(master['pki_token_password']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_token_password",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def verify_mutually_exclusive_data(self):
- # Silently verify the existence of 'mutually exclusive' data
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_clone']) and\
- config.str2bool(master['pki_external']) and\
- config.str2bool(master['pki_subordinate']):
- config.pki_log.error(
- log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
- 
master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif config.str2bool(master['pki_clone']) and\
- config.str2bool(master['pki_external']):
- config.pki_log.error(
- log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif config.str2bool(master['pki_clone']) and\
- config.str2bool(master['pki_subordinate']):
- config.pki_log.error(
- log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif config.str2bool(master['pki_external']) and\
- config.str2bool(master['pki_subordinate']):
- config.pki_log.error(
- log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- def verify_predefined_configuration_file_data(self):
- # Silently verify the existence of any required 'predefined' data
- #
- # FUTURE: As much as is possible, alter this routine to verify
- # ALL name/value pairs for the requested configuration
- # scenario. This should include checking for the
- # "existence" of ALL required "name" parameters, as well as
- # the "existence", "type" (e. g. - string, boolean, number,
- # etc.), and "correctness" (e. g. - file, directory, boolean
- # 'True' or 'False', etc.) of ALL required "value" parameters.
- #
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.str2bool(master['pki_clone']):
- # Verify existence of clone parameters
- if not master.has_key('pki_ds_base_dn') or\
- not len(master['pki_ds_base_dn']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_base_dn",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_ds_ldap_port') or\
- not len(master['pki_ds_ldap_port']):
- # FUTURE: Check for unused port value
- # (e. g. 
- must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_ldap_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_ds_ldaps_port') or\
- not len(master['pki_ds_ldaps_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ds_ldaps_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # NOTE: Although this will be checked prior to getting to
- # this method, this clone's 'pki_instance_name' MUST
- # be different from the master's 'pki_instance_name'
- # IF AND ONLY IF the master and clone are located on
- # the same host!
- if not master.has_key('pki_ajp_port') or\
- not len(master['pki_ajp_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_ajp_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_http_port') or\
- not len(master['pki_http_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_http_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_https_port') or\
- not len(master['pki_https_port']):
- # FUTURE: Check for unused port value
- # (e. g. 
- must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_https_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_tomcat_server_port') or\
- not len(master['pki_tomcat_server_port']):
- # FUTURE: Check for unused port value
- # (e. g. - must be different from master if the
- # master is located on the same host)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_tomcat_server_port",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_clone_pkcs12_path') or\
- not len(master['pki_clone_pkcs12_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_pkcs12_path",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif not os.path.isfile(master['pki_clone_pkcs12_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- master['pki_clone_pkcs12_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_clone_replication_security') or\
- not len(master['pki_clone_replication_security']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_replication_security",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_clone_uri') or\
- not len(master['pki_clone_uri']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_clone_uri",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif master['pki_subsystem'] == "CA" and\
- config.str2bool(master['pki_external']):
- if not master.has_key('pki_external_step_two') or\
- not len(master['pki_external_step_two']):
- 
config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_step_two",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not config.str2bool(master['pki_external_step_two']):
- # External CA (Step 1)
- if not master.has_key('pki_external_csr_path') or\
- not len(master['pki_external_csr_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_csr_path",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif os.path.exists(master['pki_external_csr_path']) and\
- not os.path.isfile(master['pki_external_csr_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- master['pki_external_csr_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- else:
- # External CA (Step 2)
- if not master.has_key('pki_external_ca_cert_chain_path') or\
- not len(master['pki_external_ca_cert_chain_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_ca_cert_chain_path",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif os.path.exists(
- master['pki_external_ca_cert_chain_path']) and\
- not os.path.isfile(
- master['pki_external_ca_cert_chain_path']):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- master['pki_external_ca_cert_chain_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not master.has_key('pki_external_ca_cert_path') or\
- not len(master['pki_external_ca_cert_path']):
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
- "pki_external_ca_cert_path",
- master['pki_user_deployment_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- elif os.path.exists(master['pki_external_ca_cert_path']) and\
- not os.path.isfile(
- master['pki_external_ca_cert_path']):
- config.pki_log.error(
- 
log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
- master['pki_external_ca_cert_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def populate_non_default_ports(self):
- if master['pki_http_port'] != \
- str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT):
- ports.append(master['pki_http_port'])
- if master['pki_https_port'] != \
- str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT):
- ports.append(master['pki_https_port'])
- if master['pki_tomcat_server_port'] != \
- str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT):
- ports.append(master['pki_tomcat_server_port'])
- if master['pki_ajp_port'] != \
- str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT):
- ports.append(master['pki_ajp_port'])
- return
-
- def verify_selinux_ports(self):
- # Determine which ports still need to be labelled, and if any are
- # incorrectly labelled
- if len(ports) == 0:
- return
-
- if not bool(selinux.is_selinux_enabled()):
- config.pki_log.error(
- log.PKIHELPER_SELINUX_DISABLED,
- extra=config.PKI_INDENTATION_LEVEL_2)
- return
-
- portrecs = seobject.portRecords().get_all()
- portlist = ports[:]
- for port in portlist:
- context = ""
- for i in portrecs:
- if portrecs[i][0] == "unreserved_port_t" or \
- portrecs[i][0] == "reserved_port_t" or \
- i[2] != "tcp":
- continue
- if i[0] <= int(port) and int(port) <= i[1]:
- context = portrecs[i][0]
- break
- if context == "":
- # port has no current context
- # leave it in list of ports to set
- continue
- elif context == config.PKI_PORT_SELINUX_CONTEXT:
- # port is already set correctly
- # remove from list of ports to set
- ports.remove(port)
- else:
- config.pki_log.error(
- log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
- port, context,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def verify_command_matches_configuration_file(self):
- # Silently verify that the command-line parameters match the values
- # that are present in the corresponding configuration file
- if 
master['pki_deployment_executable'] == 'pkidestroy':
- if master['pki_deployed_instance_name'] !=\
- master['pki_instance_name']:
- config.pki_log.error(
- log.PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2,
- master['pki_deployed_instance_name'],
- master['pki_instance_name'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
-
-
-# PKI Deployment XML File Class
-#class xml_file:
-# def remove_filter_section_from_web_xml(self,
-# web_xml_source,
-# web_xml_target):
-# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
-# master['pki_target_subsystem_web_xml'],
-# extra=config.PKI_INDENTATION_LEVEL_2)
-# begin_filters_section = False
-# begin_servlet_section = False
-# FILE = open(web_xml_target, "w")
-# for line in fileinput.FileInput(web_xml_source):
-# if not begin_filters_section:
-# # Read and write lines until first "" tag
-# if line.count("") >= 1:
-# # Mark filters section
-# begin_filters_section = True
-# else:
-# FILE.write(line)
-# elif not begin_servlet_section:
-# # Skip lines until first "" tag
-# if line.count("") >= 1:
-# # Mark servlets section and write out the opening tag
-# begin_servlet_section = True
-# FILE.write(line)
-# else:
-# continue
-# else:
-# # Read and write lines all lines after "" tag
-# FILE.write(line)
-# FILE.close()
-
-
-# PKI Deployment Instance Class
-class instance:
- def apache_instance_subsystems(self):
- rv = 0
- try:
- # count number of PKI subsystems present
- # within the specified Apache instance
- for subsystem in config.PKI_APACHE_SUBSYSTEMS:
- path = master['pki_instance_path'] + "/" + subsystem.lower()
- if os.path.exists(path) and os.path.isdir(path):
- rv = rv + 1
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'],
- rv, extra=config.PKI_INDENTATION_LEVEL_2)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return rv
-
- def apache_instances(self):
- rv = 0
- try:
- # 
Since ALL directories under the top-level PKI 'apache' registry
- # directory SHOULD represent PKI Apache instances, and there
- # shouldn't be any stray files or symbolic links at this level,
- # simply count the number of PKI 'apache' instances (directories)
- # present within the PKI 'apache' registry directory
- for instance in\
- os.listdir(master['pki_instance_type_registry_path']):
- if os.path.isdir(
- os.path.join(master['pki_instance_type_registry_path'],
- instance)) and not\
- os.path.islink(
- os.path.join(master['pki_instance_type_registry_path'],
- instance)):
- rv = rv + 1
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- master['pki_instance_type_registry_path'],
- rv,
- extra=config.PKI_INDENTATION_LEVEL_2)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return rv
-
- def pki_instance_subsystems(self):
- rv = 0
- try:
- # Since ALL directories within the top-level PKI infrastructure
- # SHOULD represent PKI instances, look for all possible
- # PKI instances within the top-level PKI infrastructure
- for instance in os.listdir(master['pki_path']):
- if os.path.isdir(os.path.join(master['pki_path'],instance))\
- and not\
- os.path.islink(os.path.join(master['pki_path'],instance)):
- dir = os.path.join(master['pki_path'],instance)
- # Since ANY directory within this PKI instance COULD
- # be a PKI subsystem, look for all possible
- # PKI subsystems within this PKI instance
- for name in os.listdir(dir):
- if os.path.isdir(os.path.join(dir,name)) and\
- not os.path.islink(os.path.join(dir,name)):
- if name.upper() in config.PKI_SUBSYSTEMS:
- rv = rv + 1
- config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'], rv,
- extra=config.PKI_INDENTATION_LEVEL_2)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return rv
-
- def 
tomcat_instance_subsystems(self): - # Return list of PKI subsystems in the specified tomcat instance - rv = [] - try: - for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - path = master['pki_instance_path'] + "/" + subsystem.lower() - if os.path.exists(path) and os.path.isdir(path): - rv.append(subsystem) - except OSErr as e: - config.pki_log.error(log.PKI_OSERROR_1, str(e), - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def tomcat_instances(self): - rv = 0 - try: - # Since ALL directories under the top-level PKI 'tomcat' registry - # directory SHOULD represent PKI Tomcat instances, and there - # shouldn't be any stray files or symbolic links at this level, - # simply count the number of PKI 'tomcat' instances (directories) - # present within the PKI 'tomcat' registry directory - for instance in\ - os.listdir(master['pki_instance_type_registry_path']): - if os.path.isdir( - os.path.join(master['pki_instance_type_registry_path'], - instance)) and not\ - os.path.islink( - os.path.join(master['pki_instance_type_registry_path'], - instance)): - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv, - extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def verify_subsystem_exists(self): - try: - if not os.path.exists(master['pki_subsystem_path']): - config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def verify_subsystem_does_not_exist(self): - try: - if os.path.exists(master['pki_subsystem_path']): - config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, - master['pki_subsystem'], - master['pki_instance_name'], - 
extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def get_instance_status(self): - self.connection = pki.client.PKIConnection( - protocol='https', - hostname=master['pki_hostname'], - port=master['pki_https_port'], - subsystem=master['pki_subsystem_type'], - accept = 'application/xml') - - try: - client = pki.system.SystemStatusClient(self.connection) - response = client.getStatus() - config.pki_log.debug(response, - extra=config.PKI_INDENTATION_LEVEL_3) - - root = ET.fromstring(response) - status = root.findtext("Status") - return status - except requests.exceptions.ConnectionError: - config.pki_log.debug("No connection", - extra=config.PKI_INDENTATION_LEVEL_3) - return None - - def wait_for_startup(self, timeout): - start_time = datetime.today() - status = None - while status != "running": - status = self.get_instance_status() - time.sleep(1); - stop_time = datetime.today() - if (stop_time - start_time).total_seconds() >= timeout: - break - return status - -# PKI Deployment Directory Class -class directory: - def create(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # mkdir -p - config.pki_log.info(log.PKIHELPER_MKDIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.makedirs(name) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - 
record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - elif not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(name): - if not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each directory whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_DIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # chmod - if not silent: - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - 
extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, name, recursive_flag=True, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isdir(name): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - if recursive_flag == True: - # rm -rf - config.pki_log.info(log.PKIHELPER_RM_RF_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.rmtree(name) - else: - # rmdir - config.pki_log.info(log.PKIHELPER_RMDIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.rmdir(name) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.isdir(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def is_empty(self, name): - try: - if not os.listdir(name): - config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - return True - else: - config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - return False - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def set_mode(self, name, uid=None, gid=None, - dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - symlink_perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, - dir_acls=None, file_acls=None, symlink_acls=None, - 
recursive_flag=True, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - config.pki_log.info( - log.PKIHELPER_SET_MODE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if recursive_flag == True: - for root, dirs, files in os.walk(name): - for name in files: - entity = os.path.join(root, name) - if not os.path.islink(entity): - file = entity - config.pki_log.debug( - log.PKIHELPER_IS_A_FILE_1, file, - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - file_perms, file, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(file, file_perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, file, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(file, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = file_perms - record.acls = file_acls - manifest.database.append(record) - else: - symlink = entity - config.pki_log.debug( - log.PKIHELPER_IS_A_SYMLINK_1, symlink, - extra=config.PKI_INDENTATION_LEVEL_3) - # REMINDER: Due to POSIX compliance, 'lchmod' - # is NEVER implemented on Linux - # systems since 'chmod' CANNOT be - # run directly against symbolic - # links! 
- # chown -h : - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, symlink, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(symlink, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = symlink_perms - record.acls = symlink_acls - manifest.database.append(record) - for name in dirs: - dir = os.path.join(root, name) - config.pki_log.debug( - log.PKIHELPER_IS_A_DIRECTORY_1, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - dir_perms, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(dir, dir_perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(dir, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = dir_perms - record.acls = dir_acls - manifest.database.append(record) - else: - config.pki_log.debug( - log.PKIHELPER_IS_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_3) - name = os.path.join(root, name) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - dir_perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, dir_perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = dir_perms - 
record.acls = dir_acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - - def copy(self, old_name, new_name, uid=None, gid=None, - dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - symlink_perms=config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, - dir_acls=None, file_acls=None, symlink_acls=None, - recursive_flag=True, overwrite_flag=False, critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isdir(old_name): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if recursive_flag == True: - # cp -rp - config.pki_log.info(log.PKIHELPER_CP_RP_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - # Due to a limitation in the 'shutil.copytree()' - # implementation which requires that - # 'The destination directory must not already exist.', - # an OSError exception is always thrown due to the - # implementation's unchecked call to 'os.makedirs(dst)'. - # Consequently, a 'patched' local copy of this routine has - # been included in this file with the appropriate fix. 
- pki_copytree(old_name, new_name) - else: - # cp -p - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.copy2(old_name, new_name) - # set ownerships, permissions, and acls - # of newly created top-level directory - self.modify(new_name, uid, gid, dir_perms, dir_acls, - True, critical_failure) - # set ownerships, permissions, and acls - # of contents of newly created top-level directory - self.set_mode(new_name, uid, gid, - dir_perms, file_perms, symlink_perms, - dir_acls, file_acls, symlink_acls, - recursive_flag, critical_failure) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment File Class (also used for executables) -class file: - def create(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # touch - config.pki_log.info(log.PKIHELPER_TOUCH_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - open(name, "w").close() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - 
manifest.database.append(record) - elif not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(name): - if not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each file whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # chmod - if not silent: - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - 
extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, name, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isfile(name): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # rm -f - config.pki_log.info(log.PKIHELPER_RM_F_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.remove(name) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.isfile(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def copy(self, old_name, new_name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, - overwrite_flag=False, critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isfile(old_name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # cp -p - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.copy2(old_name, new_name) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(new_name, perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(new_name, 
uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = new_name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def apply_slot_substitution( - self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # applying in-place slot substitutions on - config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, - name, - extra=config.PKI_INDENTATION_LEVEL_2) - for line in fileinput.FileInput(name, inplace=1): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - line=line.replace(slots[slot],master[slot]) - sys.stdout.write(line) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = 
manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def copy_with_slot_substitution( - self, old_name, new_name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, overwrite_flag=False, - critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isfile(old_name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # copy to with slot substitutions - config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - FILE = open(new_name, "w") - for line in fileinput.FileInput(old_name): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - line=line.replace(slots[slot],master[slot]) - FILE.write(line) - FILE.close() - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(new_name, perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - 
extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(new_name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = new_name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def generate_noise_file(self, name, bytes, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # generating noise file called and - # filling it with random bytes - config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, - extra=config.PKI_INDENTATION_LEVEL_2) - open(name, "w").close() - FILE = open(name, "w") - noise = ''.join(random.choice(string.ascii_letters +\ - string.digits) for x in range(bytes)) - FILE.write(noise) - FILE.close() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - elif not 
os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment Symbolic Link Class -class symlink: - def create(self, name, link, uid=None, gid=None, - acls=None, allow_dangling_symlink=False, critical_failure=True): - try: - if not os.path.exists(link): - if not os.path.exists(name): - config.pki_log.warning( - log.PKIHELPER_DANGLING_SYMLINK_2, link, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if not allow_dangling_symlink: - sys.exit(1) - # ln -s - config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link, - extra=config.PKI_INDENTATION_LEVEL_2) - os.symlink(name, link) - # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER - # implemented on Linux systems since 'chmod' - # CANNOT be run directly against symbolic links! 
- # chown -h : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, link, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(link, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = link - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions =\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS - record.acls = acls - manifest.database.append(record) - elif not os.path.islink(link): - config.pki_log.error( - log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, link, uid=None, gid=None, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(link): - if not os.path.islink(link): - config.pki_log.error( - log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, - link, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each link whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER - # implemented on Linux systems since 'chmod' - # CANNOT be run directly against symbolic links! 
- # chown -h : - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, link, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(link, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = link - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions =\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, link, critical_failure=True): - try: - if not os.path.exists(link) or not os.path.islink(link): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # rm -f - config.pki_log.info(log.PKIHELPER_RM_F_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - os.remove(link) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.islink(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - -# PKI Deployment War File Class -class war: - def explode(self, name, path, critical_failure=True): - try: - if os.path.exists(name) and os.path.isfile(name): - if not 
zipfile.is_zipfile(name): - config.pki_log.error( - log.PKI_FILE_NOT_A_WAR_FILE_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - if not os.path.exists(path) or not os.path.isdir(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - path, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # jar -xf -C - config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # Open war file - war = zipfile.ZipFile(name, 'r') - # Extract contents of war file to path - war.extractall(path) - else: - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except zipfile.BadZipfile as exc: - config.pki_log.error(log.PKI_BADZIPFILE_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except zipfile.LargeZipFile as exc: - config.pki_log.error(log.PKI_LARGEZIPFILE_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment Password Class -class password: - def create_password_conf(self, path, pin, pin_sans_token=False, - overwrite_flag=False, critical_failure=True): - try: - if os.path.exists(path): - if overwrite_flag: - config.pki_log.info( - log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # overwrite the existing 'password.conf' file - with open(path, "wt") as fd: - if pin_sans_token == True: - fd.write(str(pin)) - elif master['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - fd.write(master['pki_self_signed_token'] +\ - ":" + str(pin)) - else: - fd.write(master['pki_self_signed_token'] +\ - "=" + str(pin)) - fd.closed - else: - 
config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # create a new 'password.conf' file
- with open(path, "wt") as fd:
- if pin_sans_token == True:
- fd.write(str(pin))
- elif master['pki_subsystem'] in\
- config.PKI_APACHE_SUBSYSTEMS:
- fd.write(master['pki_self_signed_token'] +\
- ":" + str(pin))
- else:
- fd.write(master['pki_self_signed_token'] +\
- "=" + str(pin))
- fd.closed
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def create_client_pkcs12_password_conf(self, path, overwrite_flag=False,
- critical_failure=True):
- try:
- if os.path.exists(path):
- if overwrite_flag:
- config.pki_log.info(
- log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # overwrite the existing 'pkcs12_password.conf' file
- with open(path, "wt") as fd:
- fd.write(master['pki_client_pkcs12_password'])
- fd.closed
- else:
- config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # create a new 'pkcs12_password.conf' file
- with open(path, "wt") as fd:
- fd.write(master['pki_client_pkcs12_password'])
- fd.closed
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def get_password(self, path, token_name, critical_failure=True):
- if os.path.exists(path) and os.path.isfile(path) and\
- os.access(path, os.R_OK):
- tokens = PKIConfigParser.read_simple_configuration_file(path)
- hardware_token = "hardware-" + token_name
- if tokens.has_key(hardware_token):
- token_name = hardware_token
- token_pwd = tokens[hardware_token]
- elif tokens.has_key(token_name):
- token_pwd = tokens[token_name]
-
- if token_pwd is None or token_pwd == '':
- # TODO prompt for this password
- config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1,
- token_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
- return token_pwd
-
-
-# PKI Deployment NSS 'certutil' Class
-class certutil:
- def create_security_databases(self, path, pki_cert_database,
- pki_key_database, pki_secmod_database,
- password_file=None, prefix=None,
- critical_failure=True):
- try:
- # Compose this "certutil" command
- command = "certutil" + " " + "-N"
- # Provide a path to the NSS security databases
- if path:
- command = command + " " + "-d" + " " + path
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_PATH,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if password_file != None:
- command = command + " " + "-f" + " " + password_file
- if prefix != None:
- command = command + " " + "-P" + " " + prefix
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(pki_cert_database) or\
- os.path.exists(pki_key_database) or\
- os.path.exists(pki_secmod_database):
- # Simply notify user that the security databases exist
- config.pki_log.info(
- log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Display this "certutil" command
- config.pki_log.info(
- log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
- command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Execute this "certutil" command
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def verify_certificate_exists(self, path, pki_cert_database,
- pki_key_database, pki_secmod_database,
- token, nickname, password_file=None,
- silent=True):
- rv = 0
- try:
- # Compose this "certutil" command
- command = "certutil" + " " + "-L"
- # Provide a path to the NSS security databases
- if path:
- command = command + " " + "-d" + " " + path
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_PATH,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the 'token'
- if token:
- command = command + " " + "-h" + " " + "'" + token + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_TOKEN,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the nickname of this self-signed certificate
- if nickname:
- command = command + " " + "-n" + " " + "'" + nickname + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # OPTIONALLY specify a password file
- if password_file != None:
- command = command + " " + "-f" + " " + password_file
- # By default, execute this command silently
- if silent != False:
- command = command + " > /dev/null 2>&1"
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(pki_cert_database) or\
- not os.path.exists(pki_key_database) or\
- not os.path.exists(pki_secmod_database):
- # NSS security databases MUST exist!
- config.pki_log.error(
- log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Execute this "certutil" command
- subprocess.check_call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- return False
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return True
-
- def generate_self_signed_certificate(self, path, pki_cert_database,
- pki_key_database, pki_secmod_database,
- token, nickname,
- subject, serial_number,
- validity_period, issuer_name,
- trustargs, noise_file,
- password_file=None,
- critical_failure=True):
- try:
- # Compose this "certutil" command
- command = "certutil" + " " + "-S"
- # Provide a path to the NSS security databases
- if path:
- command = command + " " + "-d" + " " + path
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_PATH,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the 'token'
- if token:
- command = command + " " + "-h" + " " + "'" + token + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_TOKEN,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the nickname of this self-signed certificate
- if nickname:
- command = command + " " + "-n" + " " + "'" + nickname + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the subject name (RFC1485)
- if subject:
- command = command + " " + "-s" + " " + "'" + subject + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_SUBJECT,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the serial number
- if serial_number != None:
- command = command + " " + "-m" + " " + str(serial_number)
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the months valid
- if validity_period != None:
- command = command + " " + "-v" + " " + str(validity_period)
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the nickname of the issuer certificate
- if issuer_name:
- command = command + " " + "-c" + " " +\
- "'" + issuer_name + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify the certificate trust attributes
- if trustargs:
- command = command + " " + "-t" + " " + "'" + trustargs + "'"
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Specify a noise file to be used for key generation
- if noise_file:
- command = command + " " + "-z" + " " + noise_file
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # OPTIONALLY specify a password file
- if password_file != None:
- command = command + " " + "-f" + " " + password_file
- # ALWAYS self-sign this certificate
- command = command + " " + "-x"
- # ALWAYS mask the command-line output of this command
- command = command + " " + "> /dev/null 2>&1"
- # Display this "certutil" command
- config.pki_log.info(
- log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(pki_cert_database) or\
- not os.path.exists(pki_key_database) or\
- not os.path.exists(pki_secmod_database):
- # NSS security databases MUST exist!
- config.pki_log.error(
- log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(noise_file):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- noise_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Execute this "certutil" command
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def import_cert(self, nickname, trust, input_file, password_file,
- path=None, token=None, critical_failure=True):
- try:
- command = ["certutil","-A"]
- if path:
- command.extend(["-d", path])
-
- if token:
- command.extend(["-h", token])
-
- if nickname:
- command.extend(["-n", nickname ])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if trust:
- command.extend(["-t", trust])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if input_file:
- command.extend(["-i", input_file])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if password_file:
- command.extend(["-f", password_file])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- config.pki_log.info(command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- subprocess.call(command)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def generate_certificate_request(self, subject, key_size,
- password_file, noise_file,
- output_file = None, path = None,
- ascii_format = None, token = None,
- critical_failure=True):
- try:
- command = ["certutil", "-R"]
- if path:
- command.extend(["-d", path])
- else:
- command.extend(["-d", "."])
-
- if token:
- command.extend(["-h", token])
-
- if subject:
- command.extend(["-s", subject])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_SUBJECT,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if key_size:
- command.extend(["-g", str(key_size)])
-
- if noise_file:
- command.extend(["-z", noise_file])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if password_file:
- command.extend(["-f", password_file])
- else:
- config.pki_log.error(
- log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- if output_file:
- command.extend(["-o", output_file])
-
- # set acsii output
- if ascii_format:
- command.append("-a")
-
- # Display this "certutil" command
- config.pki_log.info(
- log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if not os.path.exists(noise_file):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- noise_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Execute this "certutil" command
- with open(os.devnull, "w") as fnull:
- subprocess.call(command, stdout=fnull, stderr=fnull)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
-# pk12util class
-class pk12util:
- def create_file(self, out_file, nickname, out_pwfile,
- db_pwfile, path=None):
- try:
- command = ["pk12util"]
- if path:
- command.extend(["-d", path])
- if out_file:
- command.extend(["-o", out_file])
- else:
- config.pki_log.error(
- log.PKIHELPER_PK12UTIL_MISSING_OUTFILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if nickname:
- command.extend(["-n", nickname])
- else:
- config.pki_log.error(
- log.PKIHELPER_PK12UTIL_MISSING_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if out_pwfile:
- command.extend(["-w", out_pwfile])
- else:
- config.pki_log.error(
- log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if db_pwfile:
- command.extend(["-k", db_pwfile])
- else:
- config.pki_log.error(
- log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- config.pki_log.info(command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- with open(os.devnull, "w") as fnull:
- subprocess.call(command, stdout=fnull, stderr=fnull)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
-
-# KRA Connector Class
-class kra_connector:
- def deregister(self, critical_failure=False):
- try:
- # this is applicable to KRAs only
- if master['pki_subsystem_type'] != "kra":
- return
-
- config.pki_log.info(
- log.PKIHELPER_KRACONNECTOR_UPDATE_CONTACT,
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- cs_cfg = PKIConfigParser.read_simple_configuration_file(
- master['pki_target_cs_cfg'])
- krahost = cs_cfg.get('service.machineName')
- kraport = cs_cfg.get('pkicreate.secure_port')
- cahost = cs_cfg.get('cloning.ca.hostname')
- caport = cs_cfg.get('cloning.ca.httpsport')
- if cahost is None or\
- caport is None:
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CA_HOST_PORT,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- # retrieve subsystem nickname
- subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname')
- if subsystemnick is None:
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- # retrieve name of token based upon type (hardware/software)
- if ':' in subsystemnick:
- token_name = subsystemnick.split(':')[0]
- else:
- token_name = "internal"
-
- token_pwd = password.get_password(
- master['pki_shared_password_conf'],
- token_name,
- critical_failure)
-
- if token_pwd is None or token_pwd == '':
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1,
- token_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- self.execute_using_sslget(caport, cahost, subsystemnick,
- token_pwd, krahost, kraport)
-
- except subprocess.CalledProcessError as exc:
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2,
- str(krahost),
- str(kraport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- return
-
- def execute_using_pki(self, caport, cahost, subsystemnick,
- token_pwd, krahost, kraport, critical_failure=False):
- command = "/bin/pki -p '{}' -h '{}' -n '{}' -P https -d '{}' -w '{}' "\
- "kraconnector-del {} {}".format(
- caport, cahost, subsystemnick,
- master['pki_database_path'],
- token_pwd, krahost, kraport)
-
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
-
- error = re.findall("ClientResponseFailure:(.*?)", output)
- if error:
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2,
- str(krahost),
- str(kraport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
-
- def execute_using_sslget(self, caport, cahost, subsystemnick,
- token_pwd, krahost, kraport):
- urlheader = "https://{}:{}".format(cahost, caport)
- updateURL = "/ca/rest/admin/kraconnector/remove"
-
- params = "host=" + str(krahost) +\
- "&port=" + str(kraport)
-
- command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\
- "-v -r '{}' {}:{} 2>&1".format(
- subsystemnick, token_pwd,
- master['pki_database_path'],
- params, updateURL,
- cahost, caport)
-
- # update KRA connector
- # Execute this "sslget" command
- # Note that sslget will return non-zero value for HTTP code != 200
- # and this will raise an exception
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
-
-# PKI Deployment Security Domain Class
-class security_domain:
- def deregister(self, install_token, critical_failure=False):
- # process this PKI subsystem instance's 'CS.cfg'
- cs_cfg = PKIConfigParser.read_simple_configuration_file(
- master['pki_target_cs_cfg'])
-
- # assign key name/value pairs
- machinename = cs_cfg.get('service.machineName')
- sport = cs_cfg.get('service.securityDomainPort')
- ncsport = cs_cfg.get('service.non_clientauth_securePort', '')
- sechost = cs_cfg.get('securitydomain.host')
- httpport = cs_cfg.get('securitydomain.httpport')
- seceeport = cs_cfg.get('securitydomain.httpseeport')
- secagentport = cs_cfg.get('securitydomain.httpsagentport')
- secadminport = cs_cfg.get('securitydomain.httpsadminport')
- secname = cs_cfg.get('securitydomain.name', 'unknown')
- secselect = cs_cfg.get('securitydomain.select')
- adminsport = cs_cfg.get('pkicreate.admin_secure_port', '')
- typeval = cs_cfg.get('cs.type', '')
- agentsport = cs_cfg.get('pkicreate.agent_secure_port', '')
-
- # NOTE: Don't check for the existence of 'httpport', as this will
- # be undefined for a Security Domain that has been migrated!
- if sechost is None or\
- seceeport is None or\
- secagentport is None or\
- secadminport is None:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- listval = typeval.lower() + "List"
- urlheader = "https://{}:{}".format(sechost, seceeport)
- urlagentheader = "https://{}:{}".format(sechost, secagentport)
- urladminheader = "https://{}:{}".format(sechost, secadminport)
- updateURL = "/ca/agent/ca/updateDomainXML"
-
- params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\
- "&type=" + str(typeval) +\
- "&list=" + str(listval) +\
- "&host=" + str(machinename) +\
- "&sport=" + str(sport) +\
- "&ncsport=" + str(ncsport) +\
- "&adminsport=" + str(adminsport) +\
- "&agentsport=" + str(agentsport) +\
- "&operation=remove"
-
- if install_token:
- try:
- # first try install token-based servlet
- params += "&sessionID=" + str(install_token)
- adminUpdateURL = "/ca/admin/ca/updateDomainXML"
- command = "/usr/bin/sslget -p 123456 -d '{}' -e '{}' "\
- "-v -r '{}' {}:{} 2>&1".format(
- master['pki_database_path'],
- params, adminUpdateURL,
- sechost, secadminport)
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- output = self.update_domain_using_agent_port(typeval,
- secname, params, updateURL, sechost, secagentport,
- critical_failure)
- else:
- output = self.update_domain_using_agent_port(typeval,
- secname, params, updateURL, sechost, secagentport,
- critical_failure)
-
- if not output:
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1,
- output,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Search the output for Status
- status = re.findall("\(.*?)\<\/Status\>", output)
- if not status:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- elif status[0] != "0":
- error = re.findall("\(.*?)\<\/Error\>", output)
- if not error:
- error = ""
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3,
- typeval,
- secname,
- error,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- config.pki_log.info(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- def update_domain_using_agent_port(self, typeval, secname, params,
- updateURL, sechost, secagentport, critical_failure= False):
- token_pwd = None
- cs_cfg = PKIConfigParser.read_simple_configuration_file(
- master['pki_target_cs_cfg'])
- # retrieve subsystem nickname
- subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname"
- subsystemnick = cs_cfg.get(subsystemnick_param)
- if subsystemnick is None:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- # retrieve name of token based upon type (hardware/software)
- if ':' in subsystemnick:
- token_name = subsystemnick.split(':')[0]
- else:
- token_name = "internal"
-
- token_pwd = password.get_password(
- master['pki_shared_password_conf'],
- token_name,
- critical_failure)
-
- if token_pwd is None or token_pwd == '':
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- return
-
- command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\
- "-v -r '{}' {}:{} 2>&1".format(
- subsystemnick, token_pwd,
- master['pki_database_path'],
- params, updateURL,
- sechost, secagentport)
- try:
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
- return output
- except subprocess.CalledProcessError as exc:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
-
- return None
-
-
- def get_installation_token(self, secuser, secpass, critical_failure=True):
- token = None
-
- if not secuser or not secpass:
- return None
-
- # process this PKI subsystem instance's 'CS.cfg'
- cs_cfg = PKIConfigParser.read_simple_configuration_file(
- master['pki_target_cs_cfg'])
-
- # assign key name/value pairs
- machinename = cs_cfg.get('service.machineName')
- cstype = cs_cfg.get('cs.type', '')
- sechost = cs_cfg.get('securitydomain.host')
- secadminport = cs_cfg.get('securitydomain.httpsadminport')
- secselect = cs_cfg.get('securitydomain.select')
-
- command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\
- "securitydomain-get-install-token --hostname {} "\
- "--subsystem {}".format(
- secadminport, sechost, secuser, secpass,
- machinename, cstype)
- try:
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
-
- token_list = re.findall("Install token: \"(.*)\"", output)
- if not token_list:
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
- str(sechost),
- str(secadminport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- token = token_list[0]
- return token
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
- str(sechost),
- str(secadminport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- return None
-
-# PKI Deployment 'systemd' Execution Management Class
-class systemd:
- def start(self, critical_failure=True):
- try:
- # Compose this "systemd" execution management command
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "start" + " " +\
- "pki-apached" + "@" +\
- master['pki_instance_name'] + "." + "service"
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "start" + " " +\
- "pki-tomcatd" + "@" +\
- master['pki_instance_name'] + "." + "service"
- # Display this "systemd" execution managment command
- config.pki_log.info(
- log.PKIHELPER_SYSTEMD_COMMAND_1, command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def stop(self, critical_failure=True):
- try:
- # Compose this "systemd" execution management command
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "stop" + " " +\
- "pki-apached" + "@" +\
- master['pki_instance_name'] + "." + "service"
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "stop" + " " +\
- "pki-tomcatd" + "@" +\
- master['pki_instance_name'] + "." + "service"
- # Display this "systemd" execution managment command
- config.pki_log.info(
- log.PKIHELPER_SYSTEMD_COMMAND_1, command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
- def restart(self, critical_failure=True):
- try:
- # Compose this "systemd" execution management command
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "restart" + " " +\
- "pki-apached" + "@" +\
- master['pki_instance_name'] + "." + "service"
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- command = "systemctl" + " " +\
- "restart" + " " +\
- "pki-tomcatd" + "@" +\
- master['pki_instance_name'] + "." + "service"
- # Display this "systemd" execution managment command
- config.pki_log.info(
- log.PKIHELPER_SYSTEMD_COMMAND_1, command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
- return
-
-
-class config_client:
-
- def configure_pki_data(self, data):
- config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA,
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- self.connection = pki.client.PKIConnection(
- protocol='https',
- hostname=master['pki_hostname'],
- port=master['pki_https_port'],
- subsystem=master['pki_subsystem_type'])
-
- try:
- client = pki.system.SystemConfigClient(self.connection)
- response = client.configure(data)
-
- config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\
- " " + str(response['status']),
- extra=config.PKI_INDENTATION_LEVEL_2)
- certs = response['systemCerts']
- for cdata in certs:
- if master['pki_subsystem'] == "CA" and\
- config.str2bool(master['pki_external']) and\
- not config.str2bool(master['pki_external_step_two']):
- # External CA Step 1
- if cdata['tag'].lower() == "signing":
- config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\
- " " + cdata['request'],
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- # Save 'External CA Signing Certificate' CSR (Step 1)
- config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\
- " '" + master['pki_external_csr_path'] + "'",
- extra=config.PKI_INDENTATION_LEVEL_2)
- directory.create(
- os.path.dirname(master['pki_external_csr_path']))
- with open(master['pki_external_csr_path'], "w") as f:
- f.write(cdata['request'])
- return
- else:
- config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\
- " " + cdata['tag'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\
- " " + cdata['cert'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\
- " " + cdata['request'],
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- # Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(master['pki_clone']) and \
- not config.str2bool(master['pki_import_admin_cert']):
- admin_cert = response['adminCert']['cert']
- self.process_admin_cert(admin_cert)
- except Exception, e:
- config.pki_log.error(
- log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e),
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- return
-
- def process_admin_cert(self, admin_cert):
- config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\
- " " + admin_cert,
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- # Store the Administration Certificate in a file
- admin_cert_file = master['pki_client_admin_cert']
- admin_cert_bin_file = admin_cert_file + ".der"
- config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\
- " '" + admin_cert_file + "'",
- extra=config.PKI_INDENTATION_LEVEL_2)
- with open(admin_cert_file, "w") as f:
- f.write(admin_cert)
-
- # convert the cert file to binary
- command = ["AtoB", admin_cert_file, admin_cert_bin_file]
- config.pki_log.info(command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- subprocess.call(command)
-
- os.chmod(admin_cert_file,
- config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
-
- os.chmod(admin_cert_bin_file,
- config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
-
- # Import the Administration Certificate
- # into the client NSS security database
- certutil.import_cert(
- re.sub("'", "'", master['pki_admin_nickname']),
- "u,u,u",
- admin_cert_bin_file,
- master['pki_client_password_conf'],
- master['pki_client_database_dir'],
- None,
- True)
-
- # create directory for p12 file if it does not exist
- directory.create(os.path.dirname(
- master['pki_client_admin_cert_p12']))
-
- # Export the Administration Certificate from the
- # client NSS security database into a PKCS #12 file
- pk12util.create_file(
- master['pki_client_admin_cert_p12'],
- re.sub("'","'", master['pki_admin_nickname']),
- master['pki_client_pkcs12_password_conf'],
- master['pki_client_password_conf'],
- master['pki_client_database_dir'])
-
- os.chmod(master['pki_client_admin_cert_p12'],
- config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
-
-
- def construct_pki_configuration_data(self):
- config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA,
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- data = pki.system.ConfigurationRequest()
-
- # Miscellaneous Configuration Information
- data.pin = master['pki_one_time_pin']
- data.subsystemName = master['pki_subsystem_name']
-
- # Cloning parameters
- if master['pki_instance_type'] == "Tomcat":
- if config.str2bool(master['pki_clone']):
- self.set_cloning_parameters(data)
- else:
- data.isClone = "false"
-
- # Hierarchy
- self.set_hierarchy_parameters(data)
-
- # Security Domain
- if master['pki_subsystem'] != "CA" or\
- config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
- # Subordinate CA
- self.set_existing_security_domain(data)
- else:
- # PKI CA or External CA
- self.set_new_security_domain(data)
-
- # database
- if master['pki_subsystem'] != "RA":
- self.set_database_parameters(data)
-
- # backup
- if master['pki_instance_type'] == "Tomcat":
- self.set_backup_parameters(data)
-
- # admin user
- if not config.str2bool(master['pki_clone']):
- self.set_admin_parameters(data)
-
- # Issuing CA Information
- self.set_issuing_ca_parameters(data)
-
- # Create system certs
- self.set_system_certs(data)
-
- return data
-
- def set_system_certs(self, data):
- systemCerts = []
-
- # Create 'CA Signing Certificate'
- if master['pki_subsystem'] == "CA":
- if not config.str2bool(master['pki_clone']):
- cert1 = self.create_system_cert("ca_signing")
- cert1.signingAlgorithm =\
- master['pki_ca_signing_signing_algorithm']
- if config.str2bool(master['pki_external_step_two']):
- # Load the 'External CA Signing Certificate' (Step 2)
- print(
- log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\
- "'" + master['pki_external_ca_cert_path'] + "'")
- with open(master['pki_external_ca_cert_path']) as f:
- external_cert = f.read()
- cert1.cert = external_cert
-
- # Load the 'External CA Signing Certificate Chain' (Step 2)
- print(
- log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\
- "'" + master['pki_external_ca_cert_chain_path'] +\
- "'")
- with open(master['pki_external_ca_cert_chain_path']) as f:
- external_cert_chain = f.read()
-
- cert1.certChain = external_cert_chain
- systemCerts.append(cert1)
-
- # Create 'OCSP Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "CA" or\
- master['pki_subsystem'] == "OCSP":
- # External CA, Subordinate CA, PKI CA, or PKI OCSP
- cert2 = self.create_system_cert("ocsp_signing")
- cert2.signingAlgorithm =\
- master['pki_ocsp_signing_signing_algorithm']
- systemCerts.append(cert2)
-
- # Create 'SSL Server Certificate'
- # all subsystems
-
- # create new sslserver cert only if this is a new instance
- cert3 = None
- system_list = instance.tomcat_instance_subsystems()
- if len(system_list) >= 2:
- data.generateServerCert = "false"
- for subsystem in system_list:
- dst = master['pki_instance_path'] + '/conf/' +\
- subsystem.lower() + '/CS.cfg'
- if subsystem != master['pki_subsystem'] and \
- os.path.exists(dst):
- cert3 = self.retrieve_existing_server_cert(dst)
- break
- else:
- cert3 = self.create_system_cert("ssl_server")
- systemCerts.append(cert3)
-
- # Create 'Subsystem Certificate'
- if not config.str2bool(master['pki_clone']):
- cert4 = self.create_system_cert("subsystem")
- systemCerts.append(cert4)
-
- # Create 'Audit Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] != "RA":
- cert5 = self.create_system_cert("audit_signing")
- cert5.signingAlgorithm =\
- master['pki_audit_signing_signing_algorithm']
- systemCerts.append(cert5)
-
- # Create DRM Transport and storage Certificates
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "KRA":
- cert6 = self.create_system_cert("transport")
- systemCerts.append(cert6)
-
- cert7 = self.create_system_cert("storage")
- systemCerts.append(cert7)
-
- data.systemCerts = systemCerts
-
- def set_cloning_parameters(self, data):
- data.isClone = "true"
- data.cloneUri = master['pki_clone_uri']
- data.p12File = master['pki_clone_pkcs12_path']
- data.p12Password = master['pki_clone_pkcs12_password']
- data.replicateSchema = master['pki_clone_replicate_schema']
- data.replicationSecurity =\
- master['pki_clone_replication_security']
- if master['pki_clone_replication_master_port']:
- data.masterReplicationPort =\
- master['pki_clone_replication_master_port']
- if master['pki_clone_replication_clone_port']:
- data.cloneReplicationPort =\
- master['pki_clone_replication_clone_port']
-
- def set_hierarchy_parameters(self, data):
- if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_clone']):
- # Cloned CA
- data.hierarchy = "root"
- elif config.str2bool(master['pki_external']):
- # External CA
- data.hierarchy = "join"
- elif config.str2bool(master['pki_subordinate']):
- # Subordinate CA
- data.hierarchy = "join"
- else:
- # PKI CA
- data.hierarchy = "root"
-
- def set_existing_security_domain(self, data):
- data.securityDomainType = "existingdomain"
- data.securityDomainUri = master['pki_security_domain_uri']
- data.securityDomainUser = master['pki_security_domain_user']
- data.securityDomainPassword = master['pki_security_domain_password']
-
- def set_new_security_domain(self, data):
- data.securityDomainType = "newdomain"
- data.securityDomainName = master['pki_security_domain_name']
-
- def set_database_parameters(self, data):
- data.dsHost = master['pki_ds_hostname']
-
data.dsPort = master['pki_ds_ldap_port'] - data.baseDN = master['pki_ds_base_dn'] - data.bindDN = master['pki_ds_bind_dn'] - data.database = master['pki_ds_database'] - data.bindpwd = master['pki_ds_password'] - if config.str2bool(master['pki_ds_remove_data']): - data.removeData = "true" - else: - data.removeData = "false" - if config.str2bool(master['pki_ds_secure_connection']): - data.secureConn = "true" - else: - data.secureConn = "false" - - def set_backup_parameters(self, data): - if config.str2bool(master['pki_backup_keys']): - data.backupKeys = "true" - data.backupFile = master['pki_backup_keys_p12'] - data.backupPassword = master['pki_backup_password'] - else: - data.backupKeys = "false" - - def set_admin_parameters(self, data): - data.adminEmail = master['pki_admin_email'] - data.adminName = master['pki_admin_name'] - data.adminPassword = master['pki_admin_password'] - data.adminProfileID = master['pki_admin_profile_id'] - data.adminUID = master['pki_admin_uid'] - data.adminSubjectDN = master['pki_admin_subject_dn'] - if config.str2bool(master['pki_import_admin_cert']): - data.importAdminCert = "true" - # read config from file - with open(master['pki_admin_cert_file']) as f: - b64 = f.read().replace('\n','') - data.adminCert = b64 - else: - data.importAdminCert = "false" - data.adminSubjectDN = master['pki_admin_subject_dn'] - if master['pki_admin_cert_request_type'] == "pkcs10": - data.adminCertRequestType = "pkcs10" - - noise_file = os.path.join( - master['pki_client_database_dir'], "noise") - - output_file = os.path.join( - master['pki_client_database_dir'], "admin_pkcs10.bin") - - file.generate_noise_file( - noise_file, int(master['pki_admin_keysize'])) - - certutil.generate_certificate_request( - master['pki_admin_subject_dn'], - master['pki_admin_keysize'], - master['pki_client_password_conf'], - noise_file, - output_file, - master['pki_client_database_dir'], - None, None, True) - - # convert output to ascii - command = ["BtoA", output_file, 
output_file + ".asc"] - config.pki_log.info(command, - extra=config.PKI_INDENTATION_LEVEL_2) - subprocess.call(command) - - with open(output_file + ".asc") as f: - b64 = f.read().replace('\n','') - - data.adminCertRequest = b64 - else: - print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY" - sys.exit(1) - - def set_issuing_ca_parameters(self, data): - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']) or\ - config.str2bool(master['pki_external']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, - # Subordinate CA, or External CA - data.issuingCA = master['pki_issuing_ca'] - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external_step_two']): - # External CA Step 2 - data.stepTwo = "true"; - - def create_system_cert(self, tag): - cert = pki.system.SystemCertData() - cert.tag = master["pki_%s_tag" % tag] - cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag] - cert.keySize = master["pki_%s_key_size" % tag] - cert.keyType = master["pki_%s_key_type" % tag] - cert.nickname = master["pki_%s_nickname" % tag] - cert.subjectDN = master["pki_%s_subject_dn" % tag] - cert.token = master["pki_%s_token" % tag] - return cert - - def retrieve_existing_server_cert(self, cfg_file): - cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) - cstype = cs_cfg.get('cs.type').lower() - cert = pki.system.SystemCertData() - cert.tag = master["pki_ssl_server_tag"] - cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"] - cert.keySize = master["pki_ssl_server_key_size"] - cert.keyType = master["pki_ssl_server_key_type"] - cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname") - cert.cert = cs_cfg.get(cstype + ".sslserver.cert") - cert.request = cs_cfg.get(cstype + ".sslserver.certreq") - cert.subjectDN = master["pki_ssl_server_subject_dn"] - cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") - return cert - -# PKI Deployment 
Helper Class Instances -identity = identity() -namespace = namespace() -configuration_file = configuration_file() -#xml_file = xml_file() -instance = instance() -directory = directory() -file = file() -symlink = symlink() -war = war() -password = password() -certutil = certutil() -pk12util = pk12util() -security_domain = security_domain() -kra_connector = kra_connector() -systemd = systemd() diff --git a/base/deploy/src/engine/pkilogging.py b/base/deploy/src/engine/pkilogging.py deleted file mode 100644 index 319616145..000000000 --- a/base/deploy/src/engine/pkilogging.py +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import logging -import os -import pprint - -sensitive_parameters = [] - -# Initialize 'pretty print' for objects -pp = pprint.PrettyPrinter(indent=4) - -def format(dict): - new_dict = {} - - # mask sensitive data - for key in dict: - if key in sensitive_parameters: - value = 'XXXXXXXX' - else: - value = dict[key] - new_dict[key] = value - - return pp.pformat(new_dict) - -# PKI Deployment Logging Functions -def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): - if not os.path.isdir(log_dir): - try: - os.makedirs(log_dir) - except OSError: - return OSError - - # Configure logger - logger = logging.getLogger(name) - logger.setLevel(log_level) - - # Configure console handler - console = logging.StreamHandler() - console.setLevel(console_log_level) - console_format = logging.Formatter('%(name)-12s: ' +\ - '%(levelname)-8s ' +\ - '%(indent)s%(message)s') - console.setFormatter(console_format) - logger.addHandler(console) - - # Configure file handler - file = logging.FileHandler(log_dir + "/" + log_name, 'w') - file.setLevel(log_level) - file_format = logging.Formatter('%(asctime)s %(name)-12s: ' +\ - '%(levelname)-8s ' +\ - 
'%(indent)s%(message)s', - '%Y-%m-%d %H:%M:%S') - file.setFormatter(file_format) - logger.addHandler(file) - - return logger diff --git a/base/deploy/src/engine/pkimanifest.py b/base/deploy/src/engine/pkimanifest.py deleted file mode 100644 index 04a638f06..000000000 --- a/base/deploy/src/engine/pkimanifest.py +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -from collections import namedtuple -import csv -import sys - - -# PKI Deployment Imports -import pkiconfig as config -import pkimessages as log - - -# PKI Deployment Manifest Constants -RECORD_TYPE_DIRECTORY = "directory" -RECORD_TYPE_FILE = "file" -RECORD_TYPE_SYMLINK = "symlink" - - -# PKI Deployment Manifest Record Class -class record(object): - __slots__= "name",\ - "type",\ - "user",\ - "group",\ - "uid",\ - "gid",\ - "permissions",\ - "acls", - - def items(self): - "dict style items" - return [ - (field_name, getattr(self, field_name)) - for field_name in self.__slots__] - - def __iter__(self): - "iterate over fields tuple/list style" - for field_name in self.__slots__: - yield getattr(self, field_name) - - def __getitem__(self, index): - "tuple/list style getitem" - return getattr(self, self.__slots__[index]) - - -# PKI Deployment Manifest File Class -class file: - global database - filename = None - - def register(self, name): - self.filename = name - - def write(self): - try: - fd = open(self.filename, "wt") - c = csv.writer(fd) - for record in database: - c.writerow(tuple(record)) - fd.close() - except IOError as exc: - 
config.pki_log.error(log.PKI_IOERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_1) - sys.exit(1) - - def read(self): - try: - fd = open(self.filename, "rt") - cr = csv.reader(fd) - for row in cr: - print tuple(row) - fd.close() - except IOError as exc: - config.pki_log.error(log.PKI_IOERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_1) - sys.exit(1) - - -# PKI Deployment Global Named Tuples -database = [] -file = file() diff --git a/base/deploy/src/engine/pkimessages.py b/base/deploy/src/engine/pkimessages.py deleted file mode 100644 index a6361dc8b..000000000 --- a/base/deploy/src/engine/pkimessages.py +++ /dev/null 
@@ -1,361 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Engine Messages -PKI_DICTIONARY_DEFAULT ="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI DEFAULT DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_MASTER="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_SLOTS="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_SUBSYSTEM="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_WEB_SERVER="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ -"=====================================================" -# NEVER print out 'sensitive' data dictionary!!! 
- - -# PKI Deployment Log Messages -PKI_VERBOSITY=\ -"VERBOSITY FLAGS CONSOLE MESSAGE LEVEL LOG MESSAGE LEVEL\n"\ -"=======================================================================\n"\ -" NONE error|warning error|warning|info\n"\ -" -v error|warning|info error|warning|info\n"\ -" -vv error|warning|info error|warning|info|debug\n"\ -" -vvv error|warning|info|debug error|warning|info|debug\n"\ -" " - -# PKI Deployment Error Messages -PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!" -PKI_CONFIGURATION_RESTART_1 = "After configuration, the server can be "\ - "operated by the command:\n\n%s" -PKI_CONFIGURATION_URL_1 = "Please start the configuration by accessing:\n\n%s" -PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\ - "operated by the command:\n%s" -PKI_CONFIGURATION_WIZARD_URL_1 = "Configuration Wizard listening on\n%s" -PKI_DIRECTORY_ALREADY_EXISTS_1 = "Directory '%s' already exists!" -PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\ - "exists BUT it is NOT a "\ - "directory!" -PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\ - "missing or is NOT a directory!" -PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\ - "to use PKI services!" -PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!" -PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\ - "exists BUT it is NOT a "\ - "file!" -PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\ - "or is NOT a regular file!" -PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!" -PKI_INSTANCE_DOES_NOT_EXIST_1 = "PKI instance '%s' does NOT exist!" -PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\ - "and/or '%s' already exist!" -PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\ - "and/or '%s' do NOT exist!" -PKI_SUBSYSTEM_NOT_INSTALLED_1 = "Package pki-%s is NOT installed!" 
-PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ - "already exists!" -PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ - "does NOT exist!" - -PKI_IOERROR_1 = "IOError: %s!" -PKI_KEYERROR_1 = "KeyError: %s!" -PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!" -PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'" -PKI_OSERROR_1 = "OSError: %s!" -PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!" -PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!" -PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!" -PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\ - "exists BUT it is NOT a "\ - "symlink!" -PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1 = "Symlink '%s' is either missing "\ - "or is NOT a symbolic link!" -PKI_UNABLE_TO_PARSE_1 = "'Could not parse: '%s'" -PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 = "Could not create log directory '%s'!" -PKI_VERBOSITY_LEVELS_MESSAGE = "Only up to 3 levels of verbosity are supported!" - - -# PKI Deployment 'pkispawn' and 'pkidestroy' Messages -PKIDESTROY_BEGIN_MESSAGE_2 = "BEGIN destroying subsystem '%s' of "\ - "instance '%s' . . ." -PKIDESTROY_END_MESSAGE_2 = "END destroying subsystem '%s' of "\ - "instance '%s'" -PKIDESTROY_EPILOG =\ -"REMINDER:\n\n"\ -" The default PKI instance path will be calculated and placed in front\n"\ -" of the mandatory '-i ' parameter, and the values that reside\n"\ -" in deployment configuration file that was most recently used\n"\ -" by this instance's 'pkispawn' (or 'pkispawn -u') command will be\n"\ -" utilized by 'pkidestroy' to remove this instance.\n\n"\ -" Finally, if an optional '-p ' is defined, this value WILL be\n"\ -" prepended to the default PKI instance path which is placed in front\n"\ -" of the specified '-i ' parameter.\n\n" +\ -PKI_VERBOSITY -PKIRESPAWN_BEGIN_MESSAGE_2 = "BEGIN respawning subsystem '%s' of "\ - "instance '%s' . . ." 
-PKIRESPAWN_END_MESSAGE_2 = "END respawning subsystem '%s' of "\ - "instance '%s'" -PKISPAWN_BEGIN_MESSAGE_2 = "BEGIN spawning subsystem '%s' of "\ - "instance '%s' . . ." -PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ - "instance '%s'" -PKISPAWN_EPILOG =\ -"REMINDER:\n\n"\ -" If two or more Apache or Tomcat PKI 'instances' are specified via\n"\ -" separate configuration files, remember that the following parameters\n"\ -" MUST differ between PKI 'instances':\n\n"\ -" Apache: 'pki_instance_name', 'pki_http_port', and 'pki_https_port'\n"\ -" Tomcat: 'pki_instance_name', 'pki_http_port', 'pki_https_port',\n"\ -" 'pki_ajp_port', and 'pki_tomcat_server_port'\n\n"\ -" Finally, if an optional '-p ' is defined, this value WILL NOT\n"\ -" be prepended in front of the mandatory '-f '.\n\n" +\ -PKI_VERBOSITY - - -# PKI Deployment "Helper" Messages -PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "Apache PKI subsystems" -PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\ - "Apache PKI instances" -PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ - "slot substitutions on '%s'" -PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'" -PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\ - "'-i input-file' option!" -PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ - "'-c issuer-name' option!" -PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ - "'-n nickname' option!" -PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ - "'-z noise-file' option!" -PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\ - "'-f password-file' option!" -PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" -PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ - "'-m serial-number' option!" -PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!" -PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!" 
-PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\ - "'-t trustargs' option!" -PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\ - "'-v months-valid' option!" -PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'" -PKIHELPER_CHMOD_2 = "chmod %o %s" -PKIHELPER_CHOWN_3 = "chown %s:%s %s" -PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s" -PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2 = "the command-line parameter "\ - "'%s' DOES NOT match the "\ - "configuration file value '%s'!" -PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\ - "with slot substitution" -PKIHELPER_CP_P_2 = "cp -p %s %s" -PKIHELPER_CP_RP_2 = "cp -rp %s %s" -PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" -PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" -PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ - "is missing the key called '%s'!" -PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" -PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" -PKIHELPER_GID_2 = "GID of '%s' is %s" -PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." -PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." -PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." 
-PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" -PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" -PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ - "context %s" -PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" -PKIHELPER_IS_A_FILE_1 = "'%s' is a file" -PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" -PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" -PKIHELPER_KRACONNECTOR_UPDATE_CONTACT =\ - "contacting the CA to update the KRA connector" -PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA" -PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = "Failed to update KRA connector for %s:%s" -PKIHELPER_LINK_S_2 = "ln -s %s %s" -PKIHELPER_MKDIR_1 = "mkdir -p %s" -PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" -PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" -PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ - "CAs, and subordinate CAs"\ - "MUST ALL be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_NAMESPACE_COLLISION_2 = "PKI instance '%s' would produce a "\ - "namespace collision with '%s'!" -PKIHELPER_NAMESPACE_RESERVED_NAME_2 = "PKI instance '%s' is already a "\ - "reserved name under '%s'!" -PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ - "filling it with '%d' random bytes" -PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" -PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!" -PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\ - "-k db-password-file option!" 
-PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\ - "-n nickname option!" -PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\ - "-o output-file option!" -PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\ - "-w pw-file option!" - -PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "PKI subsystems" -PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" -PKIHELPER_RM_F_1 = "rm -f %s" -PKIHELPER_RM_RF_1 = "rm -rf %s" -PKIHELPER_RMDIR_1 = "rmdir %s" -PKIHELPER_SECURITY_DOMAIN_CONTACT_1 =\ - "contacting the security domain master to update security domain '%s'" -PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 =\ - "Failed to get installation token from security domain '%s:%s'" -PKIHELPER_SECURITY_DOMAIN_UNDEFINED =\ - "No security domain defined.\n"\ - "If this is an unconfigured instance, then that is OK.\n"\ - "Otherwise, manually delete the entry from the security domain master." -PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1 =\ - "security domain '%s' may be offline or unreachable!" -PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2 =\ - "this '%s' entry may not be registered with security domain '%s'!" -PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2 =\ - "this '%s' entry will NOT be deleted from security domain '%s'!" -PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3 =\ - "updateDomainXML FAILED to delete this '%s' entry from "\ - "security domain '%s': '%s'" -PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2 =\ - "updateDomainXML SUCCESSFULLY deleted this '%s' entry from "\ - "security domain '%s'" -PKIHELPER_SELINUX_DISABLED = "Selinux is disabled. 
Not checking port contexts" -PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" -PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" -PKIHELPER_SSLGET_OUTPUT_1 = "\n"\ - "Dump of 'sslget' output:\n"\ - "=====================================================\n"\ - "%s\n"\ - "=====================================================" -PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" -PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "Tomcat PKI subsystems" -PKIHELPER_TOMCAT_INSTANCES_2 = "PKI Tomcat registry '%s' contains '%d' "\ - "Tomcat PKI instances" -PKIHELPER_TOUCH_1 = "touch %s" -PKIHELPER_UID_2 = "UID of '%s' is %s" -PKIHELPER_UNDEFINED_CA_HOST_PORT = "CA Host or Port is undefined" -PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 =\ - "Either a value for '%s' MUST be defined in '%s', or "\ - "the randomly generated client pin MUST be used" -PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 =\ - "A value for '%s' MUST be defined in '%s'" -PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME = "subsystem nickname not defined" -PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 = "Password for token '%s' not defined" -PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." -PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." -PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." -PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" -PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" - -PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" -PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" -PKI_CONFIG_CDATA_TAG = "tag:" -PKI_CONFIG_CDATA_CERT = "cert:" -PKI_CONFIG_CDATA_REQUEST = "request:" -PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data." -PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data." 
-PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\ - "is currently supported" -PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ - "from file:" -PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ - "chain from file:" -PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" -PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\ - "Exception from Java Configuration Servlet:" -PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" -PKI_CONFIG_RESPONSE_STATUS = "status:" -PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED" - -# PKI Deployment "Scriptlet" Messages -ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" -ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'" -ADMIN_DOMAIN_SPAWN_1 = "populating '%s'" -CONFIGURATION_DESTROY_1 = "unconfiguring '%s'" -CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'" -CONFIGURATION_SPAWN_1 = "configuring '%s'" -FINALIZATION_DESTROY_1 = "finalizing '%s'" -FINALIZATION_RESPAWN_1 = "finalizing '%s'" -FINALIZATION_SPAWN_1 = "finalizing '%s'" -INITIALIZATION_DESTROY_1 = "initializing '%s'" -INITIALIZATION_RESPAWN_1 = "initializing '%s'" -INITIALIZATION_SPAWN_1 = "initializing '%s'" -INSTANCE_DESTROY_1 = "depopulating '%s'" -INSTANCE_RESPAWN_1 = "repopulating '%s'" -INSTANCE_SPAWN_1 = "populating '%s'" -RESIDUAL_DESTROY_1 = "depopulating '%s'" -RESIDUAL_RESPAWN_1 = "repopulating '%s'" -RESIDUAL_SPAWN_1 = "populating '%s'" -SECURITY_DATABASES_DESTROY_1 = "removing '%s'" -SECURITY_DATABASES_RESPAWN_1 = "regenerating '%s'" -SECURITY_DATABASES_SPAWN_1 = "generating '%s'" -SELINUX_DESTROY_1 = "depopulating '%s'" -SELINUX_RESPAWN_1 = "repopulating '%s'" -SELINUX_SPAWN_1 = "populating '%s'" -SELINUX_DISABLED_DESTROY_1 = "selinux disabled. skipping unlabelling '%s'" -SELINUX_DISABLED_SPAWN_1 = "selinux disabled. 
skipping labelling '%s'" -SLOT_ASSIGNMENT_DESTROY_1 = "unassigning slots for '%s'" -SLOT_ASSIGNMENT_RESPAWN_1 = "reassigning slots for '%s'" -SLOT_ASSIGNMENT_SPAWN_1 = "assigning slots for '%s'" -SUBSYSTEM_DESTROY_1 = "depopulating '%s'" -SUBSYSTEM_RESPAWN_1 = "repopulating '%s'" -SUBSYSTEM_SPAWN_1 = "populating '%s'" -WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'" -WEBAPP_DEPLOYMENT_RESPAWN_1 = "redeploying '%s'" -WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'" -SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'" -SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'" -SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'" -SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'" -SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'" -SKIP_RESIDUAL_SPAWN_1 = "skip populating '%s'" -SKIP_SECURITY_DATABASES_SPAWN_1 = "skip generating '%s'" -SKIP_SELINUX_SPAWN_1 = "skip populating '%s'" -SKIP_SLOT_ASSIGNMENT_SPAWN_1 = "skip assigning slots for '%s'" -SKIP_SUBSYSTEM_SPAWN_1 = "skip populating '%s'" -SKIP_WEBAPP_DEPLOYMENT_SPAWN_1 = "skip deploying '%s'" diff --git a/base/deploy/src/engine/pkiparser.py b/base/deploy/src/engine/pkiparser.py deleted file mode 100644 index c4bf9b886..000000000 --- a/base/deploy/src/engine/pkiparser.py +++ /dev/null 
@@ -1,1069 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import ConfigParser -import argparse -import getpass -import ldap -import logging -import os -import random -import string -import subprocess -import sys -import time - - -# PKI Deployment Imports -import pkilogging -import pkiconfig as config -import pkimessages as log - -import pki.account -import pki.client -import pki.system - -class PKIConfigParser: - - COMMENT_CHAR = '#' - OPTION_CHAR = '=' - - def __init__(self, description, epilog): - self.pki_config = None - - "Read and process command-line options" - self.arg_parser = argparse.ArgumentParser( - description=description, - add_help=False, - formatter_class=argparse.RawDescriptionHelpFormatter, - epilog=epilog) - - # Establish 'Mandatory' command-line options - self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') - - # Establish 'Optional' command-line options - self.optional = self.arg_parser.add_argument_group('optional arguments') - self.optional.add_argument('-s', - dest='pki_subsystem', action='store', - nargs=1, choices=config.PKI_SUBSYSTEMS, - metavar='', - help='where is ' - 'CA, KRA, OCSP, RA, TKS, or TPS') - self.optional.add_argument('-h', '--help', - 
dest='help', action='help', - help='show this help message and exit') - self.optional.add_argument('-v', - dest='pki_verbosity', action='count', - help='display verbose information (details below)') - - # Establish 'Test' command-line options - test = self.arg_parser.add_argument_group('test arguments') - test.add_argument('-p', - dest='pki_root_prefix', action='store', - nargs=1, metavar='', - help='directory prefix to specify local directory ' - '[TEST ONLY]') - - self.indent = 0 - - # PKI Deployment Helper Functions - def process_command_line_arguments(self, argv): - - # Parse command-line options - args = self.arg_parser.parse_args() - - # Process 'Mandatory' command-line options - - # Process 'Optional' command-line options - # '-v' - if args.pki_verbosity == 1: - config.pki_console_log_level = logging.INFO - config.pki_log_level = logging.INFO - elif args.pki_verbosity == 2: - config.pki_console_log_level = logging.INFO - config.pki_log_level = logging.DEBUG - elif args.pki_verbosity == 3: - config.pki_console_log_level = logging.DEBUG - config.pki_log_level = logging.DEBUG - elif args.pki_verbosity > 3: - print "ERROR: " + log.PKI_VERBOSITY_LEVELS_MESSAGE - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - else: - # Set default log levels - config.pki_console_log_level = logging.WARNING - config.pki_log_level = logging.INFO - - # Process 'Test' command-line options - # '-p' - if args.pki_root_prefix is None: - config.pki_root_prefix = "" - else: - config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']') - - return args - - - def validate(self): - - # Validate command-line options - if len(config.pki_root_prefix) > 0: - if not os.path.exists(config.pki_root_prefix) or\ - not os.path.isdir(config.pki_root_prefix): - print "ERROR: " +\ - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\ - config.pki_root_prefix - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - - # always default that configuration file exists - if not 
os.path.exists(config.default_deployment_cfg) or\ - not os.path.isfile(config.default_deployment_cfg): - print "ERROR: " +\ - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.default_deployment_cfg - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - - if config.user_deployment_cfg: - # verify user configuration file exists - if not os.path.exists(config.user_deployment_cfg) or\ - not os.path.isfile(config.user_deployment_cfg): - print "ERROR: " +\ - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.user_deployment_cfg - print - parser.arg_parser.print_help() - parser.arg_parser.exit(-1); - - - def init_config(self): - - # RESTEasy - resteasy_lib = subprocess.check_output(\ - 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', - shell=True).strip() - - # JNI jar location - jni_jar_dir = subprocess.check_output(\ - 'source /etc/pki/pki.conf && echo $JNI_JAR_DIR', - shell=True).strip() - - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - default_instance_name = 'pki-tomcat' - default_http_port = '8080' - default_https_port = '8443' - else: - default_instance_name = 'pki-apache' - default_http_port = '80' - default_https_port = '443' - - self.pki_config = ConfigParser.SafeConfigParser({ - 'pki_instance_name': default_instance_name, - 'pki_http_port': default_http_port, - 'pki_https_port': default_https_port, - 'pki_dns_domainname': config.pki_dns_domainname, - 'pki_subsystem': config.pki_subsystem, - 'pki_subsystem_type': config.pki_subsystem.lower(), - 'pki_root_prefix' : config.pki_root_prefix, - 'resteasy_lib': resteasy_lib, - 'jni_jar_dir': jni_jar_dir, - 'home_dir': os.path.expanduser("~"), - 'pki_hostname': config.pki_hostname}) - - # Make keys case-sensitive! 
- self.pki_config.optionxform = str - - config.user_config = ConfigParser.SafeConfigParser() - config.user_config.optionxform = str - - with open(config.default_deployment_cfg) as f: - self.pki_config.readfp(f) - - self.flatten_master_dict() - - - # The following code is based heavily upon - # "http://www.decalage.info/en/python/configparser" - @staticmethod - def read_simple_configuration_file(filename): - values = {} - f = open(filename) - for line in f: - # First, remove comments: - if PKIConfigParser.COMMENT_CHAR in line: - # split on comment char, keep only the part before - line, comment = line.split(PKIConfigParser.COMMENT_CHAR, 1) - # Second, find lines with an name=value: - if PKIConfigParser.OPTION_CHAR in line: - # split on name char: - name, value = line.split(PKIConfigParser.OPTION_CHAR, 1) - # strip spaces: - name = name.strip() - value = value.strip() - # store in dictionary: - values[name] = value - f.close() - return values - - - def set_property(self, section, property, value): - if section != "DEFAULT" and not self.pki_config.has_section(section): - self.pki_config.add_section(section) - self.pki_config.set(section, property, value) - self.flatten_master_dict() - - if section != "DEFAULT" and not config.user_config.has_section(section): - config.user_config.add_section(section) - config.user_config.set(section, property, value) - - - def print_text(self, message): - print ' ' * self.indent + message - - def read_text(self, message, - section=None, property=None, default=None, - options=None, sign=':', allowEmpty=True, caseSensitive=True): - - if default is None and property is not None: - default = config.pki_master_dict[property] - if default: - message = message + ' [' + default + ']' - message = ' ' * self.indent + message + sign + ' ' - - done = False - while not done: - value = raw_input(message) - value = value.strip() - - if len(value) == 0: # empty value - if allowEmpty: - value = default - done = True - break - - else: # non-empty value 
- if options is not None: - for v in options: - if caseSensitive: - if v == value: - done = True - break - else: - if v.lower() == value.lower(): - done = True - break - else: - done = True - break - - value = value.replace("%", "%%") - if section: - self.set_property(section, property, value) - - return value - - - def read_password(self, message, section=None, property=None, - verifyMessage=None): - message = ' ' * self.indent + message + ': ' - if verifyMessage is not None: - verifyMessage = ' ' * self.indent + verifyMessage + ': ' - - while True: - password = '' - while len(password) == 0: - password = getpass.getpass(prompt=message) - - if verifyMessage is not None: - verification = '' - while len(verification) == 0: - verification = getpass.getpass(prompt=verifyMessage) - - if password != verification: - self.print_text('Passwords do not match.') - continue - - break - - password = password.replace("%", "%%") - if section: - self.set_property(section, property, password) - - return password - - def read_pki_configuration_file(self): - "Read configuration file sections into dictionaries" - rv = 0 - try: - if config.user_deployment_cfg: - print 'Loading deployment configuration from ' + config.user_deployment_cfg + '.' 
- self.pki_config.read([config.user_deployment_cfg]) - - except ConfigParser.ParsingError, err: - print err - rv = err - return rv - - - def flatten_master_dict(self): - config.pki_master_dict.update(__name__="PKI Master Dictionary") - - default_dict = dict(self.pki_config.items('DEFAULT')) - default_dict[0] = None - config.pki_master_dict.update(default_dict) - - web_server_dict = None - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if self.pki_config.has_section('Tomcat'): - web_server_dict = dict(self.pki_config.items('Tomcat')) - else: - if self.pki_config.has_section('Apache'): - web_server_dict = dict(self.pki_config.items('Apache')) - - if web_server_dict: - web_server_dict[0] = None - config.pki_master_dict.update(web_server_dict) - - if self.pki_config.has_section(config.pki_subsystem): - subsystem_dict = dict(self.pki_config.items(config.pki_subsystem)) - subsystem_dict[0] = None - config.pki_master_dict.update(subsystem_dict) - - - def ds_connect(self): - - hostname = config.pki_master_dict['pki_ds_hostname'] - - if config.str2bool(config.pki_master_dict['pki_ds_secure_connection']): - protocol = 'ldaps' - port = config.pki_master_dict['pki_ds_ldaps_port'] - else: - protocol = 'ldap' - port = config.pki_master_dict['pki_ds_ldap_port'] - - self.ds_connection = ldap.initialize(protocol + '://' + hostname + ':' + port) - self.ds_connection.search_s('', ldap.SCOPE_BASE) - - def ds_bind(self): - self.ds_connection.simple_bind_s( - config.pki_master_dict['pki_ds_bind_dn'], - config.pki_master_dict['pki_ds_password']) - - def ds_base_dn_exists(self): - try: - results = self.ds_connection.search_s( - config.pki_master_dict['pki_ds_base_dn'], - ldap.SCOPE_BASE) - - if results is None or len(results) == 0: - return False - - return True - - except ldap.NO_SUCH_OBJECT as e: - return False - - def ds_close(self): - self.ds_connection.unbind_s() - - def sd_connect(self): - self.sd_connection = pki.client.PKIConnection( - protocol='https', - 
hostname=config.pki_master_dict['pki_security_domain_hostname'], - port=config.pki_master_dict['pki_security_domain_https_port'], - subsystem='ca') - - def sd_get_info(self): - sd = pki.system.SecurityDomainClient(self.sd_connection) - return sd.getSecurityDomainInfo() - - def sd_authenticate(self): - self.sd_connection.authenticate( - config.pki_master_dict['pki_security_domain_user'], - config.pki_master_dict['pki_security_domain_password']) - - account = pki.account.AccountClient(self.sd_connection) - account.login() - account.logout() - - def compose_pki_master_dictionary(self): - "Create a single master PKI dictionary from the sectional dictionaries" - try: - # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs - config.pki_master_dict['pki_deployment_executable'] =\ - config.pki_deployment_executable - config.pki_master_dict['pki_install_time'] = config.pki_install_time - config.pki_master_dict['pki_timestamp'] = config.pki_timestamp - config.pki_master_dict['pki_certificate_timestamp'] =\ - config.pki_certificate_timestamp - config.pki_master_dict['pki_architecture'] = config.pki_architecture - config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg - config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg - config.pki_master_dict['pki_deployed_instance_name'] =\ - config.pki_deployed_instance_name - # Generate random 'pin's for use as security database passwords - # and add these to the "sensitive" key value pairs read in from - # the configuration file - pin_low = 100000000000 - pin_high = 999999999999 - config.pki_master_dict['pki_pin'] =\ - random.randint(pin_low, pin_high) - config.pki_master_dict['pki_client_pin'] =\ - random.randint(pin_low, pin_high) - - self.flatten_master_dict() - - pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split() - - # PKI Target (slot substitution) name/value pairs - config.pki_master_dict['pki_target_cs_cfg'] =\ - os.path.join( - 
config.pki_master_dict['pki_subsystem_configuration_path'], - "CS.cfg") - config.pki_master_dict['pki_target_registry'] =\ - os.path.join(config.pki_master_dict['pki_instance_registry_path'], - config.pki_master_dict['pki_instance_name']) - if config.pki_master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(config.pki_master_dict['pki_external_step_two']): - # Use the 'pki_one_time_pin' established during the setup of - # External CA Step 1 - if os.path.exists(config.pki_master_dict['pki_target_cs_cfg'])\ - and\ - os.path.isfile(config.pki_master_dict['pki_target_cs_cfg']): - cs_cfg = self.read_simple_configuration_file( - config.pki_master_dict['pki_target_cs_cfg']) - config.pki_master_dict['pki_one_time_pin'] =\ - cs_cfg.get('preop.pin') - else: - config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - config.pki_master_dict['pki_target_cs_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - # Generate a one-time pin to be used prior to configuration - # and add this to the "sensitive" key value pairs read in from - # the configuration file - config.pki_master_dict['pki_one_time_pin'] =\ - ''.join(random.choice(string.ascii_letters + string.digits)\ - for x in range(20)) - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_target_catalina_properties'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "catalina.properties") - config.pki_master_dict['pki_target_servercertnick_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "serverCertNick.conf") - config.pki_master_dict['pki_target_server_xml'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "server.xml") - config.pki_master_dict['pki_target_context_xml'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "context.xml") - config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\ - 
config.pki_master_dict['pki_root_prefix'] +\ - "/etc/sysconfig/" +\ - config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['pki_target_tomcat_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "tomcat.conf") - # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_velocity_properties'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "velocity.properties") - config.pki_master_dict['pki_target_subsystem_web_xml'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "web.xml") - config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "web.xml.orig") - # subystem-specific slot substitution name/value pairs - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_target_flatfile_txt'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "flatfile.txt") - config.pki_master_dict['pki_target_proxy_conf'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "proxy.conf") - config.pki_master_dict['pki_target_registry_cfg'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "registry.cfg") - # '*.profile' - config.pki_master_dict['pki_target_admincert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "adminCert.profile") - config.pki_master_dict['pki_target_caauditsigningcert_profile']\ - = os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caAuditSigningCert.profile") - config.pki_master_dict['pki_target_cacert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caCert.profile") - config.pki_master_dict['pki_target_caocspcert_profile'] =\ - 
os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caOCSPCert.profile") - config.pki_master_dict['pki_target_servercert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "serverCert.profile") - config.pki_master_dict['pki_target_subsystemcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "subsystemCert.profile") - # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_profileselect_template'] =\ - os.path.join( - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_path'], - "ee", - config.pki_master_dict['pki_subsystem'].lower(), - "ProfileSelect.template") - elif config.pki_master_dict['pki_subsystem'] == "KRA": - # '*.profile' - config.pki_master_dict['pki_target_servercert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "serverCert.profile") - config.pki_master_dict['pki_target_storagecert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "storageCert.profile") - config.pki_master_dict['pki_target_subsystemcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "subsystemCert.profile") - config.pki_master_dict['pki_target_transportcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "transportCert.profile") - # Slot assignment name/value pairs - # NOTE: Master key == Slots key; Master value ==> Slots value - config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ - config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ - os.path.join(config.pki_master_dict['pki_instance_path'], - config.pki_master_dict['pki_instance_name']) - config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.pki_master_dict['pki_instance_name']) - 
if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None - config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None - config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None - config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None - config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None - config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None - config.pki_master_dict['HTTPD_CONF_SLOT'] = None - config.pki_master_dict['LIB_PREFIX_SLOT'] = None - config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None - config.pki_master_dict['NSS_CONF_SLOT'] = None - config.pki_master_dict['OBJ_EXT_SLOT'] = None - config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ - os.path.join("/var/lock/pki", - "apache") - config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ - os.path.join("/var/run/pki", - "apache") - config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache" - config.pki_master_dict['PORT_SLOT'] = None - config.pki_master_dict['PROCESS_ID_SLOT'] = None - config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None - config.pki_master_dict['SECURE_PORT_SLOT'] = None - config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None - config.pki_master_dict['SERVER_NAME_SLOT'] = None - config.pki_master_dict['SERVER_ROOT_SLOT'] = None - config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None - config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None - config.pki_master_dict['TMP_DIR_SLOT'] = None - config.pki_master_dict['TPS_DIR_SLOT'] = None - elif config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['INSTALL_TIME_SLOT'] =\ - config.pki_master_dict['pki_install_time'] - config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict\ - ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict\ - ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "" - 
config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ - "want" - config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ - config.pki_master_dict['pki_ajp_port'] - config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ - config.pki_master_dict['pki_pin'] - config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ - config.pki_master_dict['pki_target_cs_cfg'] - config.pki_master_dict\ - ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict\ - ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict\ - ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict\ - ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_GROUP_SLOT'] =\ - config.pki_master_dict['pki_group'] - config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ - config.pki_master_dict['pki_instance_path'] - config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ - config.pki_master_dict['pki_path'] - config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ - os.path.join("/var/lock/pki", - "tomcat") - config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ - config.pki_master_dict['pki_hostname'] - config.pki_master_dict\ - ['PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ 
- "-->" - config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] = "" - config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] = "" - config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\ - config.pki_master_dict['pki_security_manager'] - config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ - config.pki_master_dict['pki_target_server_xml'] - config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ - config.pki_master_dict['pki_subsystem'].lower() + "/" - config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ - "pki-tomcatd" + "@" +\ - config.pki_master_dict['pki_instance_name'] + ".service" - config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_http_port'] - config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unsecure" - config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_USER_SLOT'] =\ - config.pki_master_dict['pki_user'] - config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\ - "tomcat" - config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ - "webapps" - config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ - config.pki_master_dict['pki_target_tomcat_conf'] - config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "*.jar") - config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ - config.pki_master_dict['pki_instance_log_path'] - config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ - "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_name'] + ".pid" - config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ - config.pki_master_dict['pki_tomcat_server_port'] - config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ - "-SSL2_RC4_128_WITH_MD5," +\ - "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ - "-SSL2_RC2_128_CBC_WITH_MD5," +\ - 
"-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\ - "-SSL2_DES_64_CBC_WITH_MD5," +\ - "-SSL2_DES_192_EDE3_CBC_WITH_MD5" - config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\ - "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\ - "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\ - "+SSL3_RSA_WITH_RC4_128_SHA," +\ - "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\ - "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+SSL3_RSA_WITH_DES_CBC_SHA," +\ - "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\ - "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\ - "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\ - "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\ - "-SSL3_RSA_WITH_NULL_MD5," +\ - "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\ - "ssl2=true," +\ - "ssl3=true," +\ - "tls=true" - config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\ - "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_RSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" - # Shared Apache/Tomcat NSS security database name/value pairs - config.pki_master_dict['pki_shared_pfile'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - 
"pfile") - config.pki_master_dict['pki_shared_password_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "password.conf") - config.pki_master_dict['pki_cert_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "cert8.db") - config.pki_master_dict['pki_key_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "key3.db") - config.pki_master_dict['pki_secmod_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "secmod.db") - config.pki_master_dict['pki_self_signed_token'] = "internal" - config.pki_master_dict['pki_self_signed_nickname'] =\ - "Server-Cert cert-" + config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['pki_self_signed_subject'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ - "o=" + config.pki_master_dict['pki_certificate_timestamp'] - config.pki_master_dict['pki_self_signed_serial_number'] = 0 - config.pki_master_dict['pki_self_signed_validity_period'] = 12 - config.pki_master_dict['pki_self_signed_issuer_name'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ - "o=" + config.pki_master_dict['pki_certificate_timestamp'] - config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" - config.pki_master_dict['pki_self_signed_noise_file'] =\ - os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], - "noise") - config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024 - # Shared Apache/Tomcat NSS security database convenience symbolic links - config.pki_master_dict\ - ['pki_subsystem_configuration_password_conf_link'] =\ - os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], - "password.conf") - - if not len(config.pki_master_dict['pki_client_database_password']): - # use randomly generated client 'pin' - config.pki_master_dict['pki_client_database_password'] =\ - str(config.pki_master_dict['pki_client_pin']) - - # Configuration scriptlet - # 'Security 
Domain' Configuration name/value pairs - # 'Subsystem Name' Configuration name/value pairs - # 'Token' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_security_domain_type'] - # config.pki_master_dict['pki_security_domain_uri'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_clone_pkcs12_password'] - # config.pki_master_dict['pki_security_domain_password'] - # config.pki_master_dict['pki_token_password'] - # config.pki_master_dict['pki_clone_pkcs12_path'] - # config.pki_master_dict['pki_clone_uri'] - # config.pki_master_dict['pki_security_domain_https_port'] - # config.pki_master_dict['pki_token_name'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_security_domain_user'] - # config.pki_master_dict['pki_issuing_ca'] - # - - # if security domain user is not defined - if not len(config.pki_master_dict['pki_security_domain_user']): - - # use the CA admin uid if it's defined - if self.pki_config.has_option('CA', 'pki_admin_uid') and\ - len(self.pki_config.get('CA', 'pki_admin_uid')) > 0: - config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('CA', 'pki_admin_uid') - - # or use the Default admin uid if it's defined - elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ - len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: - config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('DEFAULT', 'pki_admin_uid') - - # otherwise use the default CA admin uid - else: - config.pki_master_dict['pki_security_domain_user'] = "caadmin" - - if 
config.pki_subsystem != "CA" or\ - config.str2bool(config.pki_master_dict['pki_clone']) or\ - config.str2bool(config.pki_master_dict['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - config.pki_master_dict['pki_security_domain_type'] = "existing" - config.pki_master_dict['pki_security_domain_uri'] =\ - "https" + "://" +\ - config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ - config.pki_master_dict['pki_security_domain_https_port'] - - elif config.str2bool(config.pki_master_dict['pki_external']): - # External CA - config.pki_master_dict['pki_security_domain_type'] = "new" - if not len(config.pki_master_dict['pki_issuing_ca']): - config.pki_master_dict['pki_issuing_ca'] = "External CA" - else: - # PKI CA - config.pki_master_dict['pki_security_domain_type'] = "new" - - # 'External CA' Configuration name/value pairs - # - # Tomcat - [External CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_external_ca_cert_chain_path'] - # config.pki_master_dict['pki_external_ca_cert_path'] - # config.pki_master_dict['pki_external_csr_path'] - # config.pki_master_dict['pki_external_step_two'] - # - - # 'Backup' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_backup_password'] - # config.pki_master_dict['pki_backup_keys'] - # - if config.str2bool(config.pki_master_dict['pki_backup_keys']): - # NOTE: ALWAYS store the PKCS #12 backup keys file - # in with the NSS "server" security databases - config.pki_master_dict['pki_backup_keys_p12'] =\ - config.pki_master_dict['pki_database_path'] + "/" +\ - 
config.pki_master_dict['pki_subsystem'].lower() + "_" +\ - "backup" + "_" + "keys" + "." + "p12" - - config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" - - if not 'pki_import_admin_cert' in config.pki_master_dict: - config.pki_master_dict['pki_import_admin_cert'] = 'false' - - config.pki_master_dict['pki_ca_signing_tag'] = "signing" - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" - elif config.pki_master_dict['pki_subsystem'] == "OCSP": - config.pki_master_dict['pki_ocsp_signing_tag'] = "signing" - config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" - config.pki_master_dict['pki_subsystem_tag'] = "subsystem" - config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing" - config.pki_master_dict['pki_transport_tag'] = "transport" - config.pki_master_dict['pki_storage_tag'] = "storage" - - # Finalization name/value pairs - config.pki_master_dict['pki_default_deployment_cfg_replica'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.DEFAULT_DEPLOYMENT_CONFIGURATION) - config.pki_master_dict['pki_user_deployment_cfg_replica'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.USER_DEPLOYMENT_CONFIGURATION) - config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "spawn" + "_" +\ - config.USER_DEPLOYMENT_CONFIGURATION + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" +\ - config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" +\ - config.USER_DEPLOYMENT_CONFIGURATION + "." 
+\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_manifest'] =\ - config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\ - "manifest" - config.pki_master_dict['pki_manifest_spawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "spawn" + "_" + "manifest" + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_manifest_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" + "manifest" + "." +\ - config.pki_master_dict['pki_timestamp'] - # Construct the configuration URL containing the one-time pin - # and add this to the "sensitive" key value pairs read in from - # the configuration file - # - # NOTE: This is the one and only parameter containing a sensitive - # parameter that may be stored in a log file and displayed - # to the screen. - # - config.pki_master_dict['pki_configuration_url'] =\ - "https://{}:{}/{}/{}?pin={}".format( - config.pki_master_dict['pki_hostname'], - config.pki_master_dict['pki_https_port'], - config.pki_master_dict['pki_subsystem'].lower(), - "admin/console/config/login", - config.pki_master_dict['pki_one_time_pin']) - # Compose this "systemd" execution management command - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['pki_registry_initscript_command'] =\ - "systemctl" + " " +\ - "restart" + " " +\ - "pki-apached" + "@" +\ - config.pki_master_dict['pki_instance_name'] + "." + "service" - elif config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_registry_initscript_command'] =\ - "systemctl" + " " +\ - "restart" + " " +\ - "pki-tomcatd" + "@" +\ - config.pki_master_dict['pki_instance_name'] + "." 
+ "service" - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except KeyError as err: - config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, - err, extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - - def compose_pki_slots_dictionary(self): - """Read the slots configuration file to create - the appropriate PKI slots dictionary""" - rv = 0 - try: - config.pki_slots_dict = dict() - parser = ConfigParser.ConfigParser() - # Make keys case-sensitive! - parser.optionxform = str - parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE) - # Slots configuration file name/value pairs - if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - config.pki_slots_dict = dict(parser._sections['Apache']) - elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_slots_dict = dict(parser._sections['Tomcat']) - except ConfigParser.ParsingError, err: - rv = err - return rv diff --git a/base/deploy/src/engine/pkiscriptlet.py b/base/deploy/src/engine/pkiscriptlet.py deleted file mode 100644 index 767b3c609..000000000 --- a/base/deploy/src/engine/pkiscriptlet.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import abc - - -# PKI Deployment Abstract Base PKI Scriptlet -class AbstractBasePkiScriptlet(object): - __metaclass__ = abc.ABCMeta - - @abc.abstractmethod - def spawn(self): - """Retrieve data from the specified PKI dictionary and - use it to install a new PKI instance.""" - return - - @abc.abstractmethod - def respawn(self): - """Retrieve data from the specified PKI dictionary and - use it to update an existing PKI instance.""" - return - - @abc.abstractmethod - def destroy(self): - """Retrieve data from the specified PKI dictionary and - use it to destroy an existing PKI instance.""" - return diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy deleted file mode 100755 index 4e23445f1..000000000 --- a/base/deploy/src/pkidestroy +++ /dev/null 
@@ -1,264 +0,0 @@ -#!/usr/bin/python -tu -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2011 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import sys -import signal - -if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: - print "Python version %s.%s.%s is too old." % sys.version_info[:3] - print "Please upgrade to at least Python 2.7.0." - sys.exit(1) -try: - import argparse - import logging - import os - import socket - import struct - import subprocess - import time - from time import strftime as date - from pki.deployment import pkiconfig as config - from pki.deployment.pkiparser import PKIConfigParser - from pki.deployment import pkilogging - from pki.deployment import pkimessages as log -except ImportError: - print >> sys.stderr, """\ -There was a problem importing one of the required Python modules. The -error was: - - %s -""" % sys.exc_value - sys.exit(1) - -#Handle the Keyboard Interrupt -def interrupt_handler(signal, frame): - print - print '\nUninstallation canceled.' - sys.exit(1) - -# PKI Deployment Functions -def main(argv): - "main entry point" - - config.pki_deployment_executable = os.path.basename(argv[0]) - - # Only run this program as "root". - if not os.geteuid() == 0: - sys.exit("'%s' must be run as root!" 
% argv[0]) - - # Set the umask - os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) - - # Set installation time - ticks = time.time() - config.pki_install_time = time.asctime(time.localtime(ticks)) - - # Generate a timestamp - config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) - config.pki_certificate_timestamp =\ - date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) - - # Obtain the architecture bit-size - config.pki_architecture = struct.calcsize("P") * 8 - - # Retrieve hostname - config.pki_hostname = socket.getfqdn() - - # Retrieve DNS domainname - config.pki_dns_domainname = None - try: - config.pki_dns_domainname = subprocess.check_output("dnsdomainname", - shell=True) - config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') - if not len(config.pki_dns_domainname): - print log.PKI_DNS_DOMAIN_NOT_SET - sys.exit(1) - except subprocess.CalledProcessError as exc: - print log.PKI_SUBPROCESS_ERROR_1 % exc - sys.exit(1) - - # Read and process command-line arguments. - parser = PKIConfigParser( - 'PKI Instance Removal', - log.PKIDESTROY_EPILOG) - - parser.optional.add_argument('-i', - dest='pki_deployed_instance_name', - action='store', - nargs=1, metavar='', - help='FORMAT: ${pki_instance_name}') - - parser.optional.add_argument('-u', - dest='pki_secdomain_user', - action='store', - nargs=1, metavar='', - help='security domain user') - - parser.optional.add_argument('-W', - dest='pki_secdomain_pass_file', - action='store', - nargs=1, metavar='', - help='security domain password file path') - - - args = parser.process_command_line_arguments(argv) - - interactive = False - - while True: - - # -s - if args.pki_subsystem is None: - interactive = True - config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', - options=['CA', 'KRA', 'OCSP', 'TKS'], - default='CA', caseSensitive=False).upper() - else: - config.pki_subsystem = str(args.pki_subsystem).strip('[\']') - - # -i - if args.pki_deployed_instance_name is None: - interactive = True 
- config.pki_deployed_instance_name = parser.read_text('Instance', default='pki-tomcat') - else: - config.pki_deployed_instance_name = str(args.pki_deployed_instance_name).strip('[\']') - - if interactive: - print - parser.indent = 0 - - begin = parser.read_text('Begin uninstallation (Yes/No/Quit)', - options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], - sign='?', allowEmpty=False, caseSensitive=False).lower() - - print - - if begin == 'q' or begin == 'quit': - print "Uninstallation canceled." - sys.exit(0) - - elif begin == 'y' or begin == 'yes': - break - - else: - break - - # '-u' - if args.pki_secdomain_user: - config.pki_secdomain_user = str(args.pki_secdomain_user).strip('[\']') - - # '-W' password file - if args.pki_secdomain_pass_file: - with open(str(args.pki_secdomain_pass_file).strip('[\']'),'r') as pwd_file: - config.pki_secdomain_pass = pwd_file.readline().strip('\n') - - # verify that previously deployed instance exists - deployed_pki_instance_path = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\ - config.pki_deployed_instance_name - if not os.path.exists(deployed_pki_instance_path): - print "ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\ - deployed_pki_instance_path - print - parser.arg_parser.exit(-1); - - # verify that previously deployed subsystem for this instance exists - deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\ - config.pki_subsystem.lower() - if not os.path.exists(deployed_pki_subsystem_path): - print "ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\ - (config.pki_subsystem, deployed_pki_instance_path) - print - parser.arg_parser.exit(-1); - - config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE - - # establish complete path to previously deployed configuration file - config.user_deployment_cfg =\ - deployed_pki_subsystem_path + "/" +\ - "registry" + "/" +\ - config.pki_subsystem.lower() + "/" +\ - config.USER_DEPLOYMENT_CONFIGURATION - - parser.validate() - 
parser.init_config() - - # Enable 'pkidestroy' logging. - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "destroy" + "." +\ - config.pki_timestamp + "." + "log" - rv = pkilogging.enable_pki_logger(config.pki_log_dir, - config.pki_log_name, - config.pki_log_level, - config.pki_console_log_level, - "pkidestroy") - if rv != OSError: - config.pki_log = rv - else: - print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir - sys.exit(1) - - # Read the specified PKI configuration file. - rv = parser.read_pki_configuration_file() - if rv != 0: - config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, - extra=config.PKI_INDENTATION_LEVEL_0) - sys.exit(1) - - # Combine the various sectional dictionaries into a PKI master dictionary - parser.compose_pki_master_dictionary() - config.pki_master_dict['pki_destroy_log'] = config.pki_log_dir + "/" +\ - config.pki_log_name - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_master_dict), - extra=config.PKI_INDENTATION_LEVEL_0) - - print "Uninstalling " + config.pki_subsystem + " from " + deployed_pki_instance_path + "." - - # Process the various "scriptlets" to remove the specified PKI subsystem. - pki_subsystem_scriptlets = config.pki_master_dict['destroy_scriplets'].split() - rv = 0 - for pki_scriptlet in pki_subsystem_scriptlets: - scriptlet = __import__("pki.deployment." + - pki_scriptlet, - fromlist = [pki_scriptlet]) - instance = scriptlet.PkiScriptlet() - rv = instance.destroy() - if rv != 0: - sys.exit(1) - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_master_dict), - extra=config.PKI_INDENTATION_LEVEL_0) - - print - print "Uninstallation complete." 
- - -# PKI Deployment Entry Point -if __name__ == "__main__": - signal.signal(signal.SIGINT, interrupt_handler) - main(sys.argv) diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn deleted file mode 100755 index 447240ecf..000000000 --- a/base/deploy/src/pkispawn +++ /dev/null 
@@ -1,413 +0,0 @@ -#!/usr/bin/python -tu -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2011 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import sys -import signal - -if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: - print "Python version %s.%s.%s is too old." % sys.version_info[:3] - print "Please upgrade to at least Python 2.7.0." - sys.exit(1) -try: - import argparse - import ldap - import logging - import os - import requests - import socket - import struct - import subprocess - import time - import urllib2 - from time import strftime as date - from pki.deployment import pkiconfig as config - from pki.deployment.pkiparser import PKIConfigParser - from pki.deployment import pkilogging - from pki.deployment import pkimessages as log -except ImportError: - print >> sys.stderr, """\ -There was a problem importing one of the required Python modules. The -error was: - - %s -""" % sys.exc_value - sys.exit(1) - -#Handle the Keyboard Interrupt -def interrupt_handler(signal, frame): - print - print '\nInstallation canceled.' - sys.exit(1) - -# PKI Deployment Functions -def main(argv): - "main entry point" - - config.pki_deployment_executable = os.path.basename(argv[0]) - - # Only run this program as "root". - if not os.geteuid() == 0: - sys.exit("'%s' must be run as root!" 
% argv[0]) - - # Set the umask - os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) - - # Set installation time - ticks = time.time() - config.pki_install_time = time.asctime(time.localtime(ticks)) - - # Generate a timestamp - config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) - config.pki_certificate_timestamp =\ - date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) - - # Obtain the architecture bit-size - config.pki_architecture = struct.calcsize("P") * 8 - - # Retrieve hostname - config.pki_hostname = socket.getfqdn() - - # Retrieve DNS domainname - config.pki_dns_domainname = None - try: - config.pki_dns_domainname = subprocess.check_output("dnsdomainname", - shell=True) - config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') - if not len(config.pki_dns_domainname): - print log.PKI_DNS_DOMAIN_NOT_SET - sys.exit(1) - except subprocess.CalledProcessError as exc: - print log.PKI_SUBPROCESS_ERROR_1 % exc - sys.exit(1) - - # Read and process command-line arguments. - parser = PKIConfigParser( - 'PKI Instance Installation and Configuration', - log.PKISPAWN_EPILOG) - - parser.optional.add_argument('-f', - dest='user_deployment_cfg', action='store', - nargs=1, metavar='', - help='configuration filename ' - '(MUST specify complete path)') - - parser.optional.add_argument('-u', - dest='pki_update_flag', action='store_true', - help='update instance of specified subsystem') - - args = parser.process_command_line_arguments(argv) - - config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE - - # -f - if args.user_deployment_cfg is not None: - config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']') - - # -u - config.pki_update_flag = args.pki_update_flag - - parser.validate() - interactive = False - - while True: - - # -s - if args.pki_subsystem is None: - interactive = True - parser.indent = 0 - - config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', - options=['CA', 'KRA', 'OCSP', 'TKS'], - 
default='CA', caseSensitive=False).upper() - print - else: - config.pki_subsystem = str(args.pki_subsystem).strip('[\']') - - parser.init_config() - - if config.user_deployment_cfg is None: - interactive = True - parser.indent = 2 - - print "Tomcat:" - parser.read_text('Instance', 'DEFAULT', 'pki_instance_name') - parser.read_text('HTTP port', config.pki_subsystem, 'pki_http_port') - parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_https_port') - parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port') - parser.read_text('Management port', config.pki_subsystem, 'pki_tomcat_server_port') - print - - print "Administrator:" - parser.read_text('Username', config.pki_subsystem, 'pki_admin_uid') - - admin_password = parser.read_password( - 'Password', config.pki_subsystem, 'pki_admin_password', - verifyMessage='Verify password') - - parser.set_property(config.pki_subsystem, 'pki_backup_password', admin_password) - parser.set_property(config.pki_subsystem, 'pki_client_database_password', admin_password) - parser.set_property(config.pki_subsystem, 'pki_client_pkcs12_password', admin_password) - - if config.pki_master_dict['pki_import_admin_cert'] == 'True': - import_cert = 'Y' - else: - import_cert = 'N' - - import_cert = parser.read_text('Import certificate (Yes/No)', - default=import_cert, options=['Yes', 'Y', 'No', 'N'], - sign='?', caseSensitive=False).lower() - - if import_cert == 'y' or import_cert == 'yes': - parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'True') - parser.read_text('Import certificate from', config.pki_subsystem, 'pki_admin_cert_file') - else: - parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'False') - - parser.read_text('Export certificate to', config.pki_subsystem, 'pki_client_admin_cert') - print - - print "Directory Server:" - while True: - parser.read_text('Hostname', config.pki_subsystem, 'pki_ds_hostname') - parser.read_text('Port', config.pki_subsystem, 'pki_ds_ldap_port') - - 
try: - parser.ds_connect() - break - - except ldap.LDAPError as e: - parser.print_text('ERROR: ' + e.message['desc']) - - while True: - parser.read_text('Bind DN', config.pki_subsystem, 'pki_ds_bind_dn') - parser.read_password('Password', config.pki_subsystem, 'pki_ds_password') - - try: - parser.ds_bind() - break - - except ldap.LDAPError as e: - parser.print_text('ERROR: ' + e.message['desc']) - - while True: - parser.read_text('Base DN', config.pki_subsystem, 'pki_ds_base_dn') - try: - if not parser.ds_base_dn_exists(): - break - - except ldap.LDAPError as e: - parser.print_text('ERROR: ' + e.message['desc']) - continue - - remove = parser.read_text('Base DN already exists. Overwrite (Yes/No/Quit)', - options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], - sign='?', allowEmpty=False, caseSensitive=False).lower() - - if remove == 'q' or remove == 'quit': - print "Installation canceled." - sys.exit(0) - - if remove == 'y' or remove == 'yes': - break - - parser.ds_close() - - print - - print "Security Domain:" - - if config.pki_subsystem == "CA": - parser.read_text('Name', config.pki_subsystem, 'pki_security_domain_name') - - else: - while True: - parser.read_text('Hostname', config.pki_subsystem, 'pki_security_domain_hostname') - parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_security_domain_https_port') - - try: - parser.sd_connect() - info = parser.sd_get_info() - parser.print_text('Name: ' + info.name) - parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) - break - except requests.exceptions.ConnectionError as e: - parser.print_text('ERROR: ' + str(e)) - - while True: - parser.read_text('Username', config.pki_subsystem, 'pki_security_domain_user') - parser.read_password('Password', config.pki_subsystem, 'pki_security_domain_password') - - try: - parser.sd_authenticate() - break - except requests.exceptions.HTTPError as e: - parser.print_text('ERROR: ' + str(e)) - - print - - if interactive: - parser.indent = 0 - - begin = 
parser.read_text('Begin installation (Yes/No/Quit)', - options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], - sign='?', allowEmpty=False, caseSensitive=False).lower() - print - - if begin == 'q' or begin == 'quit': - print "Installation canceled." - sys.exit(0) - - if begin == 'y' or begin == 'yes': - break - - else: - break - - if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\ - "/" + config.pki_subsystem.lower()): - print "ERROR: " + log.PKI_SUBSYSTEM_NOT_INSTALLED_1 %\ - config.pki_subsystem.lower() - sys.exit(1) - - # Enable 'pkispawn' logging. - rv = 0 - if not config.pki_update_flag: - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "spawn" + "." +\ - config.pki_timestamp + "." + "log" - rv = pkilogging.enable_pki_logger(config.pki_log_dir, - config.pki_log_name, - config.pki_log_level, - config.pki_console_log_level, - "pkispawn") - else: - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "respawn" + "." +\ - config.pki_timestamp + "." + "log" - rv = pkilogging.enable_pki_logger(config.pki_log_dir, - config.pki_log_name, - config.pki_log_level, - config.pki_console_log_level, - "pkirespawn") - if rv != OSError: - config.pki_log = rv - else: - print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir - sys.exit(1) - - # Read the specified PKI configuration file. - rv = parser.read_pki_configuration_file() - if rv != 0: - config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, - extra=config.PKI_INDENTATION_LEVEL_0) - sys.exit(1) - - # Read in the PKI slots configuration file. 
- parser.compose_pki_slots_dictionary() - config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_slots_dict), - extra=config.PKI_INDENTATION_LEVEL_0) - - # Combine the various sectional dictionaries into a PKI master dictionary - parser.compose_pki_master_dictionary() - - if not config.pki_update_flag: - config.pki_master_dict['pki_spawn_log'] = config.pki_log_dir + "/" +\ - config.pki_log_name - else: - config.pki_master_dict['pki_respawn_log'] = config.pki_log_dir + "/" +\ - config.pki_log_name - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_master_dict), - extra=config.PKI_INDENTATION_LEVEL_0) - - if not interactive and\ - not config.str2bool(config.pki_master_dict['pki_skip_configuration']): - try: - parser.ds_connect() - parser.ds_bind() - - if parser.ds_base_dn_exists() and\ - not config.str2bool(config.pki_master_dict['pki_ds_remove_data']): - print 'ERROR: Base DN already exists.' - sys.exit(1) - - parser.ds_close() - - except ldap.LDAPError as e: - print 'ERROR: Unable to access directory server: ' + e.message['desc'] - sys.exit(1) - - if config.pki_subsystem != "CA" or\ - config.str2bool(config.pki_master_dict['pki_clone']) or\ - config.str2bool(config.pki_master_dict['pki_subordinate']): - try: - parser.sd_connect() - info = parser.sd_get_info() - parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) - parser.sd_authenticate() - - except requests.exceptions.ConnectionError as e: - print('ERROR: Unable to access security domain: ' + str(e)) - sys.exit(1) - - except requests.exceptions.HTTPError as e: - print('ERROR: Unable to access security domain: ' + str(e)) - sys.exit(1) - - print "Installing " + config.pki_subsystem + " into " + config.pki_master_dict['pki_instance_path'] + "." 
- - # Process the various "scriptlets" to create the specified PKI subsystem. - pki_subsystem_scriptlets = config.pki_master_dict['spawn_scriplets'].split() - rv = 0 - for pki_scriptlet in pki_subsystem_scriptlets: - scriptlet = __import__("pki.deployment." + - pki_scriptlet, - fromlist = [pki_scriptlet]) - instance = scriptlet.PkiScriptlet() - if not config.pki_update_flag: - rv = instance.spawn() - else: - rv = instance.respawn() - if rv != 0: - sys.exit(1) - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_master_dict), - extra=config.PKI_INDENTATION_LEVEL_0) - - print - print "Installation complete." - - -# PKI Deployment Entry Point -if __name__ == "__main__": - signal.signal(signal.SIGINT, interrupt_handler) - main(sys.argv) diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py deleted file mode 100644 index 7bd1b017a..000000000 --- a/base/deploy/src/scriptlets/configuration.py +++ /dev/null 
@@ -1,150 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet -import json -import pki.system -import pki.encoder - - -# PKI Deployment Configuration Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - if config.str2bool(master['pki_skip_configuration']): - config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - - # Place "slightly" less restrictive permissions on - # the top-level client directory ONLY - util.directory.create(master['pki_client_subsystem_dir'], - uid=0, gid=0, - perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a client password file - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - util.password.create_password_conf( - 
master['pki_client_password_conf'], - master['pki_client_database_password'], pin_sans_token=True) - util.file.modify(master['pki_client_password_conf'], - uid=0, gid=0) - # Similarly, create a simple password file containing the - # PKCS #12 password used when exporting the "Admin Certificate" - # into a PKCS #12 file - util.password.create_client_pkcs12_password_conf( - master['pki_client_pkcs12_password_conf']) - util.file.modify(master['pki_client_pkcs12_password_conf']) - util.directory.create(master['pki_client_database_dir'], - uid=0, gid=0) - util.certutil.create_security_databases( - master['pki_client_database_dir'], - master['pki_client_cert_database'], - master['pki_client_key_database'], - master['pki_client_secmod_database'], - password_file=master['pki_client_password_conf']) - util.symlink.create(master['pki_systemd_service'], - master['pki_systemd_service_link']) - - # Start/Restart this Apache/Tomcat PKI Process - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - apache_instance_subsystems =\ - util.instance.apache_instance_subsystems() - if apache_instance_subsystems == 1: - util.systemd.start() - elif apache_instance_subsystems > 1: - util.systemd.restart() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # Optionally prepare to enable a java debugger - # (e. g. - 'eclipse'): - if config.str2bool(master['pki_enable_java_debugger']): - config.prepare_for_an_external_java_debugger( - master['pki_target_tomcat_conf_instance_id']) - tomcat_instance_subsystems =\ - len(util.instance.tomcat_instance_subsystems()) - if tomcat_instance_subsystems == 1: - util.systemd.start() - elif tomcat_instance_subsystems > 1: - util.systemd.restart() - - # wait for startup - status = util.instance.wait_for_startup(60) - if status == None: - config.pki_log.error("server failed to restart", - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - # Optionally wait for debugger to attach (e. g. 
- 'eclipse'): - if config.str2bool(master['pki_enable_java_debugger']): - config.wait_to_attach_an_external_java_debugger() - - config_client = util.config_client() - # Construct PKI Subsystem Configuration Data - data = None - if master['pki_instance_type'] == "Apache": - if master['pki_subsystem'] == "RA": - config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, - master['pki_subsystem'], - extra=config.PKI_INDENTATION_LEVEL_2) - return rv - elif master['pki_subsystem'] == "TPS": - config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, - master['pki_subsystem'], - extra=config.PKI_INDENTATION_LEVEL_2) - return rv - elif master['pki_instance_type'] == "Tomcat": - # CA, KRA, OCSP, or TKS - data = config_client.construct_pki_configuration_data() - - # Configure the substem - config_client.configure_pki_data( - json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) - - return self.rv - - def respawn(self): - config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - def destroy(self): - config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 1: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) == 1: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) - return self.rv diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py deleted file mode 100644 index 6ddc98d03..000000000 --- a/base/deploy/src/scriptlets/finalization.py +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimanifest as manifest -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Finalization Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external_step_two']): - # must check for 'External CA Step 2' installation PRIOR to - # 'pki_skip_installation' since this value has been set to true - # by the initialization scriptlet - pass - elif config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_FINALIZATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # For debugging/auditing purposes, save a timestamped copy of - # this configuration file in the subsystem archive - util.file.copy(master['pki_user_deployment_cfg_replica'], - master['pki_user_deployment_cfg_spawn_archive']) - # Save a copy of the installation manifest file - 
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'], - extra=config.PKI_INDENTATION_LEVEL_2) - # for record in manifest.database: - # print tuple(record) - manifest.file.register(master['pki_manifest']) - manifest.file.write() - util.file.modify(master['pki_manifest'], silent=True) - - # Also, for debugging/auditing purposes, save a timestamped copy of - # this installation manifest file - util.file.copy(master['pki_manifest'], - master['pki_manifest_spawn_archive']) - # Optionally, programmatically 'restart' the configured PKI instance - if config.str2bool(master['pki_restart_configured_instance']): - util.systemd.restart() - # Optionally, 'purge' the entire temporary client infrastructure - # including the client NSS security databases and password files - # - # WARNING: If the PKCS #12 file containing the Admin Cert was - # placed under this infrastructure, it may accidentally - # be deleted! - # - if config.str2bool(master['pki_client_database_purge']): - if util.directory.exists(master['pki_client_subsystem_dir']): - util.directory.delete(master['pki_client_subsystem_dir']) - # If instance has not been configured, print the - # configuration URL to the log - if config.str2bool(master['pki_skip_configuration']): - util.configuration_file.log_configuration_url() - # Log final process messages - config.pki_log.info(log.PKISPAWN_END_MESSAGE_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) - util.file.modify(master['pki_spawn_log'], silent=True) - # If instance has not been configured, print the - # configuration URL to the screen - if config.str2bool(master['pki_skip_configuration']): - util.configuration_file.display_configuration_url() - return self.rv - - def respawn(self): - config.pki_log.info(log.FINALIZATION_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - def destroy(self): - config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, - 
extra=config.PKI_INDENTATION_LEVEL_1) - util.file.modify(master['pki_destroy_log'], silent=True) - # Start this Apache/Tomcat PKI Process - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() >= 1: - util.systemd.start() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) >= 1: - util.systemd.start() - config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) - return self.rv diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py deleted file mode 100644 index 69a905849..000000000 --- a/base/deploy/src/scriptlets/infrastructure_layout.py +++ /dev/null 
@@ -1,116 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Top-Level Infrastructure Layout Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - if config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_ADMIN_DOMAIN_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # NOTE: It was determined that since the "pkidestroy" command - # relies upon a symbolic link to a replica of the original - # deployment configuration file used by the - # "pkispawn" command of an instance, it is necessary to - # create any required instance and subsystem directories - # in this top-level "infrastructure_layout" scriptlet - # (rather than the "instance_layout" and "subsystem_layout" - # scriptlets) so that a copy of this configuration file can - # be saved, and the required symbolic link can be created. 
- # - # establish the top-level infrastructure, instance, and subsystem - # registry directories for storage of a copy of the original - # deployment configuration file used to spawn this instance, - # and save a copy of this file - util.directory.create(master['pki_registry_path']) - util.directory.create(master['pki_instance_type_registry_path']) - util.directory.create(master['pki_instance_registry_path']) - util.directory.create(master['pki_subsystem_registry_path']) - util.file.copy(master['pki_default_deployment_cfg'], - master['pki_default_deployment_cfg_replica']) - - print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "." - if master['pki_user_deployment_cfg']: - util.file.copy(master['pki_user_deployment_cfg'], - master['pki_user_deployment_cfg_replica']) - else: - with open(master['pki_user_deployment_cfg_replica'], 'w') as f: - config.user_config.write(f) - - # establish top-level infrastructure, instance, and subsystem - # base directories and create the "registry" symbolic link that - # the "pkidestroy" executable relies upon - util.directory.create(master['pki_path']) - util.directory.create(master['pki_instance_path']) - util.directory.create(master['pki_subsystem_path']) - util.symlink.create(master['pki_instance_registry_path'], - master['pki_subsystem_registry_link']) - # - # NOTE: If "infrastructure_layout" scriptlet execution has been - # successfully executed to this point, the "pkidestroy" command - # may always be utilized to remove the entire infrastructure. 
- # - # no need to establish top-level infrastructure logs - # since it now stores 'pkispawn'/'pkidestroy' logs - # and will already exist - # util.directory.create(master['pki_log_path']) - # establish top-level infrastructure configuration - if master['pki_configuration_path'] !=\ - config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: - util.directory.create(master['pki_configuration_path']) - return self.rv - - def respawn(self): - config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - def destroy(self): - config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # remove top-level infrastructure base - if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - util.instance.pki_instance_subsystems() == 0: - # remove top-level infrastructure base - util.directory.delete(master['pki_path']) - # do NOT remove top-level infrastructure logs - # since it now stores 'pkispawn'/'pkidestroy' logs - # util.directory.delete(master['pki_log_path']) - # remove top-level infrastructure configuration - if util.directory.is_empty(master['pki_configuration_path'])\ - and master['pki_configuration_path'] !=\ - config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove top-level infrastructure registry - util.directory.delete(master['pki_registry_path']) - return self.rv diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py deleted file mode 100644 index 3494ebdc7..000000000 --- a/base/deploy/src/scriptlets/initialization.py +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Initialization Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - # begin official logging - config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) - if config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_INITIALIZATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - else: - config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external_step_two']): - # verify that this type of "subsystem" currently EXISTS - # for this "instance" (External CA Step 2) - util.instance.verify_subsystem_exists() - master['pki_skip_installation'] = "True"; - else: - # verify that this type of "subsystem" does NOT yet - # exist for this "instance" - 
util.instance.verify_subsystem_does_not_exist() - # detect and avoid any namespace collisions - util.namespace.collision_detection() - # initialize 'uid' and 'gid' - util.identity.add_uid_and_gid(master['pki_user'], master['pki_group']) - # establish 'uid' and 'gid' - util.identity.set_uid(master['pki_user']) - util.identity.set_gid(master['pki_group']) - # verify existence of SENSITIVE configuration file data - util.configuration_file.verify_sensitive_data() - # verify existence of MUTUALLY EXCLUSIVE configuration file data - util.configuration_file.verify_mutually_exclusive_data() - # verify existence of PREDEFINED configuration file data - util.configuration_file.verify_predefined_configuration_file_data() - # verify selinux context of selected ports - util.configuration_file.populate_non_default_ports() - util.configuration_file.verify_selinux_ports() - return self.rv - - def respawn(self): - # begin official logging - config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # verify that this type of "subsystem" currently EXISTS - # for this "instance" - util.instance.verify_subsystem_exists() - return self.rv - - def destroy(self): - # begin official logging - config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # verify that this type of "subsystem" currently EXISTS - # for this "instance" - util.instance.verify_subsystem_exists() - # verify that the command-line parameters match the values - # that are present in the corresponding configuration file - util.configuration_file.verify_command_matches_configuration_file() - # establish 'uid' and 'gid' - 
util.identity.set_uid(master['pki_user']) - util.identity.set_gid(master['pki_group']) - # get ports to remove selinux context - util.configuration_file.populate_non_default_ports() - - # get deinstallation token - token = util.security_domain.get_installation_token( - config.pki_secdomain_user, config.pki_secdomain_pass) - - # remove kra connector from CA if this is a KRA - util.kra_connector.deregister() - - # de-register instance from its Security Domain - # - # NOTE: Since the security domain of an instance must be up - # and running in order to be de-registered, this step - # must be done PRIOR to instance shutdown because this - # instance's security domain may be a part of a - # tightly-coupled shared instance. - # - util.security_domain.deregister(token) - # ALWAYS Stop this Apache/Tomcat PKI Process - util.systemd.stop() - return self.rv diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py deleted file mode 100644 index 843227a84..000000000 --- a/base/deploy/src/scriptlets/instance_layout.py +++ /dev/null 
@@ -1,190 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import os - - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet -import os - - -# PKI Deployment Instance Layout Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - if config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_INSTANCE_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # establish instance logs - util.directory.create(master['pki_instance_log_path']) - # establish instance configuration - util.directory.create(master['pki_instance_configuration_path']) - # establish Apache/Tomcat specific instance - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # establish Tomcat instance configuration - util.directory.copy(master['pki_source_server_path'], - master['pki_instance_configuration_path'], - overwrite_flag=True) - # establish Tomcat instance base - util.directory.create(master['pki_tomcat_common_path']) - 
util.directory.create(master['pki_tomcat_common_lib_path']) - # establish Tomcat instance library - util.directory.create(master['pki_instance_lib']) - for name in os.listdir(master['pki_tomcat_lib_path']): - util.symlink.create( - os.path.join( - master['pki_tomcat_lib_path'], - name), - os.path.join( - master['pki_instance_lib'], - name)) - util.symlink.create(master['pki_instance_conf_log4j_properties'], - master['pki_instance_lib_log4j_properties']) - util.directory.create(master['pki_tomcat_tmpdir_path']) - util.directory.create(master['pki_tomcat_webapps_path']) - util.directory.create(master['pki_tomcat_work_path']) - util.directory.create(master['pki_tomcat_work_catalina_path']) - util.directory.create(master['pki_tomcat_work_catalina_host_path']) - util.directory.create( - master['pki_tomcat_work_catalina_host_run_path']) - util.directory.create( - master['pki_tomcat_work_catalina_host_subsystem_path']) - # establish Tomcat instance logs - # establish Tomcat instance registry - # establish Tomcat instance convenience symbolic links - util.symlink.create(master['pki_tomcat_bin_path'], - master['pki_tomcat_bin_link']) - util.symlink.create(master['pki_tomcat_systemd'], - master['pki_instance_systemd_link'], - uid=0, gid=0) - # establish Tomcat instance common lib jar symbolic links - util.symlink.create(master['pki_apache_commons_collections_jar'], - master['pki_apache_commons_collections_jar_link']) - util.symlink.create(master['pki_apache_commons_lang_jar'], - master['pki_apache_commons_lang_jar_link']) - util.symlink.create(master['pki_apache_commons_logging_jar'], - master['pki_apache_commons_logging_jar_link']) - util.symlink.create(master['pki_commons_codec_jar'], - master['pki_commons_codec_jar_link']) - util.symlink.create(master['pki_httpclient_jar'], - master['pki_httpclient_jar_link']) - util.symlink.create(master['pki_httpcore_jar'], - master['pki_httpcore_jar_link']) - util.symlink.create(master['pki_javassist_jar'], - 
master['pki_javassist_jar_link']) - util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], - master['pki_resteasy_jaxrs_api_jar_link']) - util.symlink.create(master['pki_jettison_jar'], - master['pki_jettison_jar_link']) - util.symlink.create(master['pki_jss_jar'], - master['pki_jss_jar_link']) - util.symlink.create(master['pki_ldapjdk_jar'], - master['pki_ldapjdk_jar_link']) - util.symlink.create(master['pki_tomcat_jar'], - master['pki_tomcat_jar_link']) - util.symlink.create(master['pki_resteasy_atom_provider_jar'], - master['pki_resteasy_atom_provider_jar_link']) - util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], - master['pki_resteasy_jaxb_provider_jar_link']) - util.symlink.create(master['pki_resteasy_jaxrs_jar'], - master['pki_resteasy_jaxrs_jar_link']) - util.symlink.create(master['pki_resteasy_jettison_provider_jar'], - master['pki_resteasy_jettison_provider_jar_link']) - util.symlink.create(master['pki_scannotation_jar'], - master['pki_scannotation_jar_link']) - if master['pki_subsystem'] == 'TKS': - util.symlink.create(master['pki_symkey_jar'], - master['pki_symkey_jar_link']) - util.symlink.create(master['pki_tomcatjss_jar'], - master['pki_tomcatjss_jar_link']) - util.symlink.create(master['pki_velocity_jar'], - master['pki_velocity_jar_link']) - util.symlink.create(master['pki_xerces_j2_jar'], - master['pki_xerces_j2_jar_link']) - util.symlink.create(master['pki_xml_commons_apis_jar'], - master['pki_xml_commons_apis_jar_link']) - util.symlink.create(master['pki_xml_commons_resolver_jar'], - master['pki_xml_commons_resolver_jar_link']) - # establish shared NSS security databases for this instance - util.directory.create(master['pki_database_path']) - # establish instance convenience symbolic links - util.symlink.create(master['pki_database_path'], - master['pki_instance_database_link']) - util.symlink.create(master['pki_instance_configuration_path'], - master['pki_instance_conf_link']) - 
util.symlink.create(master['pki_instance_log_path'], - master['pki_instance_logs_link']) - return self.rv - - def respawn(self): - config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - def destroy(self): - config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - if master['pki_subsystem'] == 'TKS': - util.symlink.delete(master['pki_symkey_jar_link']) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0: - # remove Apache instance base - util.directory.delete(master['pki_instance_path']) - # remove Apache instance logs - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Apache instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove Apache instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Apache PKI registry (if empty) - if util.instance.apache_instances() == 0: - util.directory.delete( - master['pki_instance_type_registry_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) == 0: - # remove Tomcat instance base - util.directory.delete(master['pki_instance_path']) - # remove Tomcat instance logs - util.directory.delete(master['pki_instance_log_path']) - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Tomcat instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove PKI 'tomcat.conf' instance file - util.file.delete(master['pki_target_tomcat_conf_instance_id']) - # remove Tomcat instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Tomcat PKI registry (if empty) - if util.instance.tomcat_instances() == 0: - 
util.directory.delete( - master['pki_instance_type_registry_path']) - return self.rv diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py deleted file mode 100644 index 9ac4784e5..000000000 --- a/base/deploy/src/scriptlets/security_databases.py +++ /dev/null 
@@ -1,119 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Security Databases Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - if config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - util.password.create_password_conf( - master['pki_shared_password_conf'], - master['pki_pin']) - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a temporary server 'pfile' - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - util.password.create_password_conf( - master['pki_shared_pfile'], - master['pki_pin'], pin_sans_token=True) - util.file.modify(master['pki_shared_password_conf']) - util.certutil.create_security_databases( - master['pki_database_path'], - 
master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - password_file=master['pki_shared_pfile']) - util.file.modify(master['pki_cert_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - util.file.modify(master['pki_key_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - util.file.modify(master['pki_secmod_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - - if len(util.instance.tomcat_instance_subsystems()) < 2: - # only create a self signed cert for a new instance - rv = util.certutil.verify_certificate_exists( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - master['pki_self_signed_token'], - master['pki_self_signed_nickname'], - password_file=master['pki_shared_pfile']) - if not rv: - util.file.generate_noise_file( - master['pki_self_signed_noise_file'], - master['pki_self_signed_noise_bytes']) - util.certutil.generate_self_signed_certificate( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - master['pki_self_signed_token'], - master['pki_self_signed_nickname'], - master['pki_self_signed_subject'], - master['pki_self_signed_serial_number'], - master['pki_self_signed_validity_period'], - master['pki_self_signed_issuer_name'], - master['pki_self_signed_trustargs'], - master['pki_self_signed_noise_file'], - password_file=master['pki_shared_pfile']) - # Delete the temporary 'noise' file - util.file.delete(master['pki_self_signed_noise_file']) - # Delete the temporary 'pfile' - util.file.delete(master['pki_shared_pfile']) - return self.rv - - def respawn(self): - config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - def destroy(self): - config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, - 
extra=config.PKI_INDENTATION_LEVEL_1) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) == 0: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) - return self.rv diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py deleted file mode 100644 index 552ab3f41..000000000 --- a/base/deploy/src/scriptlets/selinux_setup.py +++ /dev/null 
@@ -1,175 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Ade Lee -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -from pkiconfig import pki_selinux_config_ports as ports -import pkihelper as util -import pkimessages as log -import pkiscriptlet -import selinux -if selinux.is_selinux_enabled(): - import seobject - - -# PKI Deployment Selinux Setup Scriptlet -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - suffix = "(/.*)?" 
- - def restore_context(self): - selinux.restorecon(master['pki_instance_path'], True) - selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True) - selinux.restorecon(master['pki_instance_log_path'], True) - selinux.restorecon(master['pki_instance_configuration_path'], True) - - def spawn(self): - if config.str2bool(master['pki_skip_installation']): - config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - if not bool(selinux.is_selinux_enabled()): - config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - - config.pki_log.info(log.SELINUX_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - - # check first if any transactions are required - if len(ports) == 0 and master['pki_instance_name'] == \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - self.restore_context() - return self.rv - - # add SELinux contexts when adding the first subsystem - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 1 or\ - master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) == 1: - - trans = seobject.semanageRecords("targeted") - trans.start() - if master['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - - fcon = seobject.fcontextRecords() - - config.pki_log.info("adding selinux fcontext \"%s\"", - master['pki_instance_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.add(master['pki_instance_path'] + self.suffix, - config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") - - config.pki_log.info("adding selinux fcontext \"%s\"", - master['pki_instance_log_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.add(master['pki_instance_log_path'] + self.suffix, - config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") - - config.pki_log.info("adding selinux fcontext \"%s\"", - 
master['pki_instance_configuration_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.add(master['pki_instance_configuration_path'] + self.suffix, - config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") - - config.pki_log.info("adding selinux fcontext \"%s\"", - master['pki_database_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.add(master['pki_database_path'] + self.suffix, - config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") - - portRecords = seobject.portRecords() - for port in ports: - config.pki_log.info("adding selinux port %s", port, - extra=config.PKI_INDENTATION_LEVEL_2) - portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) - - trans.finish() - - self.restore_context() - return self.rv - - def respawn(self): - config.pki_log.info(log.SELINUX_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - self.restore_context() - return self.rv - - def destroy(self): - if not bool(selinux.is_selinux_enabled()): - config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - return self.rv - config.pki_log.info(log.SELINUX_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - - # check first if any transactions are required - if len(ports) == 0 and master['pki_instance_name'] == \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - return self.rv - - # remove SELinux contexts when removing the last subsystem - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0 or\ - master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - len(util.instance.tomcat_instance_subsystems()) == 0: - - trans = seobject.semanageRecords("targeted") - trans.start() - - if master['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - - fcon = seobject.fcontextRecords() - - config.pki_log.info("deleting selinux fcontext \"%s\"", - master['pki_instance_path'] + self.suffix, - 
extra=config.PKI_INDENTATION_LEVEL_2) - fcon.delete(master['pki_instance_path'] + self.suffix , "") - - config.pki_log.info("deleting selinux fcontext \"%s\"", - master['pki_instance_log_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.delete(master['pki_instance_log_path'] + self.suffix, "") - - config.pki_log.info("deleting selinux fcontext \"%s\"", - master['pki_instance_configuration_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.delete(master['pki_instance_configuration_path'] + \ - self.suffix, "") - - config.pki_log.info("deleting selinux fcontext \"%s\"", - master['pki_database_path'] + self.suffix, - extra=config.PKI_INDENTATION_LEVEL_2) - fcon.delete(master['pki_database_path'] + self.suffix , "") - - portRecords = seobject.portRecords() - for port in ports: - config.pki_log.info("deleting selinux port %s", port, - extra=config.PKI_INDENTATION_LEVEL_2) - portRecords.delete(port, "tcp") - - trans.finish() - - return self.rv diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py deleted file mode 100644 index 205ed49f6..000000000 --- a/base/deploy/src/scriptlets/slot_substitution.py +++ /dev/null 
@@ -1,103 +0,0 @@
-#!/usr/bin/python -t
-# Authors:
-# Matthew Harmsen
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_slots_dict as slots
-import pkihelper as util
-import pkimessages as log
-import pkiscriptlet
-
-
-# PKI Deployment Slot Substitution Scriptlet
-class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- rv = 0
-
- def spawn(self):
- if config.str2bool(master['pki_skip_installation']):
- config.pki_log.info(log.SKIP_SLOT_ASSIGNMENT_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
- config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
- master['pki_target_cs_cfg'])
- util.file.copy_with_slot_substitution(master['pki_source_registry'],
- master['pki_target_registry'],
- uid=0, gid=0, overwrite_flag=True)
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.file.copy_with_slot_substitution(
- master['pki_source_catalina_properties'],
- master['pki_target_catalina_properties'],
- overwrite_flag=True)
- util.file.copy_with_slot_substitution(
- master['pki_source_servercertnick_conf'],
- master['pki_target_servercertnick_conf'],
- overwrite_flag=True)
- util.file.copy_with_slot_substitution(
- master['pki_source_server_xml'],
- master['pki_target_server_xml'],
- overwrite_flag=True)
- util.file.copy_with_slot_substitution(
- master['pki_source_context_xml'],
- master['pki_target_context_xml'],
- overwrite_flag=True)
- util.file.copy_with_slot_substitution(
- master['pki_source_tomcat_conf'],
- master['pki_target_tomcat_conf_instance_id'],
- uid=0, gid=0, overwrite_flag=True)
- util.file.copy_with_slot_substitution(
- master['pki_source_tomcat_conf'],
- master['pki_target_tomcat_conf'],
- overwrite_flag=True)
- util.file.apply_slot_substitution(
- master['pki_target_velocity_properties'])
- util.file.apply_slot_substitution(
- master['pki_target_subsystem_web_xml'])
- # Strip "" section from subsystem "web.xml"
- # This is ONLY necessary because XML comments cannot be "nested"!
- #util.file.copy(master['pki_target_subsystem_web_xml'],
- # master['pki_target_subsystem_web_xml_orig'])
- #util.file.delete(master['pki_target_subsystem_web_xml'])
- #util.xml_file.remove_filter_section_from_web_xml(
- # master['pki_target_subsystem_web_xml_orig'],
- # master['pki_target_subsystem_web_xml'])
- #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
- if master['pki_subsystem'] == "CA":
- util.file.copy_with_slot_substitution(
- master['pki_source_proxy_conf'],
- master['pki_target_proxy_conf'])
- util.file.apply_slot_substitution(
- master['pki_target_profileselect_template'])
- return self.rv
-
- def respawn(self):
- config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
-
- def destroy(self):
- config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED",
- extra=config.PKI_INDENTATION_LEVEL_2)
- return self.rv
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
deleted file mode 100644
index c4c4c2283..000000000
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/python -t
-# Authors:
-# Matthew Harmsen
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-import pkihelper as util
-import pkimessages as log
-import pkiscriptlet
-
-
-# PKI Deployment Subsystem Layout Scriptlet
-class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- rv = 0
-
- def spawn(self):
- if config.str2bool(master['pki_skip_installation']):
- config.pki_log.info(log.SKIP_SUBSYSTEM_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
- config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- # establish instance-based subsystem logs
- util.directory.create(master['pki_subsystem_log_path'])
- util.directory.create(master['pki_subsystem_archive_log_path'])
- if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
- util.directory.create(master['pki_subsystem_signed_audit_log_path'])
- # establish instance-based subsystem configuration
- util.directory.create(master['pki_subsystem_configuration_path'])
- # util.directory.copy(master['pki_source_conf_path'],
- # master['pki_subsystem_configuration_path'])
- # establish instance-based Apache/Tomcat specific subsystems
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # establish instance-based Tomcat PKI subsystem base
- if master['pki_subsystem'] == "CA":
- util.directory.copy(master['pki_source_emails'],
- master['pki_subsystem_emails_path'])
- util.directory.copy(master['pki_source_profiles'],
- master['pki_subsystem_profiles_path'])
- # establish instance-based Tomcat PKI subsystem logs
- # establish instance-based Tomcat PKI subsystem configuration
- if master['pki_subsystem'] == "CA":
- util.file.copy(master['pki_source_flatfile_txt'],
- master['pki_target_flatfile_txt'])
- util.file.copy(master['pki_source_registry_cfg'],
- master['pki_target_registry_cfg'])
- # '*.profile'
- util.file.copy(master['pki_source_admincert_profile'],
- master['pki_target_admincert_profile'])
- util.file.copy(master['pki_source_caauditsigningcert_profile'],
- master['pki_target_caauditsigningcert_profile'])
- util.file.copy(master['pki_source_cacert_profile'],
- master['pki_target_cacert_profile'])
- util.file.copy(master['pki_source_caocspcert_profile'],
- master['pki_target_caocspcert_profile'])
- util.file.copy(master['pki_source_servercert_profile'],
- master['pki_target_servercert_profile'])
- util.file.copy(master['pki_source_subsystemcert_profile'],
- master['pki_target_subsystemcert_profile'])
- elif master['pki_subsystem'] == "KRA":
- # '*.profile'
- util.file.copy(master['pki_source_servercert_profile'],
- master['pki_target_servercert_profile'])
- util.file.copy(master['pki_source_storagecert_profile'],
- master['pki_target_storagecert_profile'])
- util.file.copy(master['pki_source_subsystemcert_profile'],
- master['pki_target_subsystemcert_profile'])
- util.file.copy(master['pki_source_transportcert_profile'],
- master['pki_target_transportcert_profile'])
- # establish instance-based Tomcat PKI subsystem registry
- # establish instance-based Tomcat PKI subsystem convenience
- # symbolic links
- util.symlink.create(master['pki_tomcat_webapps_path'],
- master['pki_subsystem_tomcat_webapps_link'])
- # establish instance-based subsystem convenience symbolic links
- util.symlink.create(master['pki_instance_database_link'],
- master['pki_subsystem_database_link'])
- util.symlink.create(master['pki_subsystem_configuration_path'],
- master['pki_subsystem_conf_link'])
- util.symlink.create(master['pki_subsystem_log_path'],
- master['pki_subsystem_logs_link'])
- util.symlink.create(master['pki_instance_registry_path'],
- master['pki_subsystem_registry_link'])
- return self.rv
-
- def respawn(self):
- config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
-
- def destroy(self):
- config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- # remove instance-based subsystem base
- if master['pki_subsystem'] == "CA":
- util.directory.delete(master['pki_subsystem_emails_path'])
- util.directory.delete(master['pki_subsystem_profiles_path'])
- util.directory.delete(master['pki_subsystem_path'])
- # remove instance-based subsystem logs
- if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
- util.directory.delete(master['pki_subsystem_signed_audit_log_path'])
- util.directory.delete(master['pki_subsystem_archive_log_path'])
- util.directory.delete(master['pki_subsystem_log_path'])
- # remove instance-based subsystem configuration
- util.directory.delete(master['pki_subsystem_configuration_path'])
- # remove instance-based subsystem registry
- util.directory.delete(master['pki_subsystem_registry_path'])
- return self.rv
diff --git a/base/deploy/src/scriptlets/webapp_deployment.py b/base/deploy/src/scriptlets/webapp_deployment.py
deleted file mode 100644
index e72752ee8..000000000
--- a/base/deploy/src/scriptlets/webapp_deployment.py
+++ /dev/null
@@ -1,170 +0,0 @@
-#!/usr/bin/python -t
-# Authors:
-# Matthew Harmsen
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-#
-
-# System Imports
-import os
-
-
-# PKI Deployment Imports
-import pkiconfig as config
-from pkiconfig import pki_master_dict as master
-import pkihelper as util
-import pkimessages as log
-import pkiscriptlet
-
-
-# PKI Web Application Deployment Scriptlet
-class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- rv = 0
-
- def spawn(self):
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.str2bool(master['pki_skip_installation']):
- config.pki_log.info(log.SKIP_WEBAPP_DEPLOYMENT_SPAWN_1,
- __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
- config.pki_log.info(log.WEBAPP_DEPLOYMENT_SPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
-
- # Copy /usr/share/pki/server/webapps/ROOT
- # to /webapps/ROOT
- util.directory.create(master['pki_tomcat_webapps_root_path'])
- util.directory.copy(
- os.path.join(
- config.PKI_DEPLOYMENT_SOURCE_ROOT,
- "server",
- "webapps",
- "ROOT"),
- master['pki_tomcat_webapps_root_path'],
- overwrite_flag=True)
-
- util.directory.create(master['pki_tomcat_webapps_common_path'])
-
- # If desired and available,
- # copy selected server theme
- # to /webapps/pki
- if config.str2bool(master['pki_theme_enable']) and\
- os.path.exists(master['pki_theme_server_dir']):
- util.directory.copy(master['pki_theme_server_dir'],
- master['pki_tomcat_webapps_common_path'],
- overwrite_flag=True)
-
- # Copy /usr/share/pki/server/webapps/pki/js
- # to /webapps/pki/js
- util.directory.copy(
- os.path.join(
- config.PKI_DEPLOYMENT_SOURCE_ROOT,
- "server",
- "webapps",
- "pki",
- "js"),
- os.path.join(
- master['pki_tomcat_webapps_common_path'],
- "js"),
- overwrite_flag=True)
-
- # Copy /usr/share/pki/server/webapps/pki/META-INF
- # to /webapps/pki/META-INF
- util.directory.copy(
- os.path.join(
- config.PKI_DEPLOYMENT_SOURCE_ROOT,
- "server",
- "webapps",
- "pki",
- "META-INF"),
- os.path.join(
- master['pki_tomcat_webapps_common_path'],
- "META-INF"),
- overwrite_flag=True)
-
- # Copy /usr/share/pki/server/webapps/pki/admin
- # to /webapps//admin
- # TODO: common templates should be deployed in common webapp
- util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
- util.directory.copy(
- os.path.join(
- config.PKI_DEPLOYMENT_SOURCE_ROOT,
- "server",
- "webapps",
- "pki",
- "admin"),
- os.path.join(
- master['pki_tomcat_webapps_subsystem_path'],
- "admin"),
- overwrite_flag=True)
-
- # Copy /usr/share/pki//webapps/
- # to /webapps/
- util.directory.copy(
- os.path.join(
- config.PKI_DEPLOYMENT_SOURCE_ROOT,
- master['pki_subsystem'].lower(),
- "webapps",
- master['pki_subsystem'].lower()),
- master['pki_tomcat_webapps_subsystem_path'],
- overwrite_flag=True)
-
- util.directory.create(
- master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
- util.directory.create(
- master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
- # establish Tomcat webapps subsystem WEB-INF lib symbolic links
- util.symlink.create(master['pki_certsrv_jar'],
- master['pki_certsrv_jar_link'])
- util.symlink.create(master['pki_cmsbundle'],
- master['pki_cmsbundle_jar_link'])
- util.symlink.create(master['pki_cmscore'],
- master['pki_cmscore_jar_link'])
- util.symlink.create(master['pki_cms'],
- master['pki_cms_jar_link'])
- util.symlink.create(master['pki_cmsutil'],
- master['pki_cmsutil_jar_link'])
- util.symlink.create(master['pki_nsutil'],
- master['pki_nsutil_jar_link'])
- if master['pki_subsystem'] == "CA":
- util.symlink.create(master['pki_ca_jar'],
- master['pki_ca_jar_link'])
- elif master['pki_subsystem'] == "KRA":
- util.symlink.create(master['pki_kra_jar'],
- master['pki_kra_jar_link'])
- elif master['pki_subsystem'] == "OCSP":
- util.symlink.create(master['pki_ocsp_jar'],
- master['pki_ocsp_jar_link'])
- elif master['pki_subsystem'] == "TKS":
- util.symlink.create(master['pki_tks_jar'],
- master['pki_tks_jar_link'])
- # set ownerships, permissions, and acls
- util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
- return self.rv
-
- def respawn(self):
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_log.info(log.WEBAPP_DEPLOYMENT_RESPAWN_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- return self.rv
-
- def destroy(self):
- if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__,
- extra=config.PKI_INDENTATION_LEVEL_1)
- util.directory.delete(master['pki_tomcat_webapps_subsystem_path'])
- return self.rv
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
new file mode 100644
index 000000000..1f638dc95
--- /dev/null
+++ b/base/server/CMakeLists.txt
@@ -0,0 +1,144 @@
+project(server)
+
+set(PKI_SUBSYSTEMS
+ ca
+ kra
+ ocsp
+ ra
+ tks
+ tps
+)
+
+set(TOMCAT_SUBSYSTEMS
+ ca
+ kra
+ ocsp
+ tks
+)
+
+set(APACHE_SUBSYSTEMS
+ ra
+ tps
+)
+
+install(
+ FILES
+ man/man5/pki_default.cfg.5
+ DESTINATION
+ ${MAN_INSTALL_DIR}/man5
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ man/man8/pkispawn.8
+ man/man8/pkidestroy.8
+ DESTINATION
+ ${MAN_INSTALL_DIR}/man8
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ src/pkispawn
+ src/pkidestroy
+ DESTINATION
+ ${SBIN_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ scripts/pkidaemon
+ DESTINATION
+ ${BIN_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ scripts/operations
+ DESTINATION
+ ${DATA_INSTALL_DIR}/scripts/
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ DIRECTORY
+ config
+ DESTINATION
+ ${DATA_INSTALL_DIR}/deployment
+)
+
+install(
+ DIRECTORY
+ etc/
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/pki
+ PATTERN "pki.conf" EXCLUDE
+)
+
+configure_file(
+ ${CMAKE_CURRENT_SOURCE_DIR}/etc/pki.conf
+ ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf
+)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/pki/
+)
+
+install(
+ FILES
+ src/engine/pkiconfig.py
+ src/engine/pkihelper.py
+ src/engine/pkilogging.py
+ src/engine/pkimanifest.py
+ src/engine/pkimessages.py
+ src/engine/pkiparser.py
+ src/engine/pkiscriptlet.py
+ src/scriptlets/configuration.py
+ src/scriptlets/finalization.py
+ src/scriptlets/infrastructure_layout.py
+ src/scriptlets/initialization.py
+ src/scriptlets/instance_layout.py
+ src/scriptlets/security_databases.py
+ src/scriptlets/selinux_setup.py
+ src/scriptlets/slot_substitution.py
+ src/scriptlets/subsystem_layout.py
+ src/scriptlets/webapp_deployment.py
+ DESTINATION
+ ${PYTHON_SITE_PACKAGES}/pki/deployment
+ PERMISSIONS
+ OWNER_WRITE OWNER_READ
+ GROUP_READ
+ WORLD_READ
+)
+install(
+ CODE
+ "execute_process(
+ COMMAND
+ ${CMAKE_COMMAND} -E touch
+ \"\$ENV{DESTDIR}${PYTHON_SITE_PACKAGES}/pki/deployment/__init__.py\")"
+)
+
+# install empty directories
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
diff --git a/base/server/LICENSE b/base/server/LICENSE
new file mode 100644
index 000000000..e281f4362
--- /dev/null
+++ b/base/server/LICENSE
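Review bot: The two man-page installs (`man/man5/pki_default.cfg.5` and `man/man8/pkispawn.8`/`pkidestroy.8`) are given OWNER_EXECUTE, GROUP_EXECUTE and WORLD_EXECUTE, which a manual page never needs; the PERMISSIONS list appears to have been copied from the executable installs that follow. Dropping the execute bits on those two `install(FILES ...)` calls to `OWNER_WRITE OWNER_READ` / `GROUP_READ` / `WORLD_READ`, as the Python-module install at the end already does, keeps the installed tree at least privilege. Separately, the `etc/` directory install excludes `pki.conf` while the following `configure_file`/`install(FILES ...)` pair still places a generated `pki.conf` under `${SYSCONF_INSTALL_DIR}/pki/`; if the commit's move of pki.conf into the pki-base package is meant to be complete, that second install may be a leftover worth confirming.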
@@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. 
+ + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. 
The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. 
+ + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. 
+ +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. 
However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. 
+You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg new file mode 100644 index 000000000..1cb463bfe --- /dev/null +++ b/base/server/config/pkislots.cfg 
@@ -0,0 +1,92 @@
+[Apache]
+FORTITUDE_APACHE_SLOT=[FORTITUDE_APACHE]
+FORTITUDE_AUTH_MODULES_SLOT=[FORTITUDE_AUTH_MODULES]
+FORTITUDE_DIR_SLOT=[FORTITUDE_DIR]
+FORTITUDE_LIB_DIR_SLOT=[FORTITUDE_LIB_DIR]
+FORTITUDE_MODULE_SLOT=[FORTITUDE_MODULE]
+FORTITUDE_NSS_MODULES_SLOT=[FORTITUDE_NSS_MODULES]
+HTTPD_CONF_SLOT=[HTTPD_CONF]
+LIB_PREFIX_SLOT=[LIB_PREFIX]
+NON_CLIENTAUTH_SECURE_PORT_SLOT=[NON_CLIENTAUTH_SECURE_PORT]
+NSS_CONF_SLOT=[NSS_CONF]
+OBJ_EXT_SLOT=[OBJ_EXT]
+PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
+PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
+PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
+PKI_PIDDIR_SLOT=[PKI_PIDDIR]
+PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
+PORT_SLOT=[PORT]
+PROCESS_ID_SLOT=[PROCESS_ID]
+REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
+SECURE_PORT_SLOT=[SECURE_PORT]
+SECURITY_LIBRARIES_SLOT=[SECURITY_LIBRARIES]
+SERVER_NAME_SLOT=[SERVER_NAME]
+SERVER_ROOT_SLOT=[SERVER_ROOT]
+SYSTEM_LIBRARIES_SLOT=[SYSTEM_LIBRARIES]
+SYSTEM_USER_LIBRARIES_SLOT=[SYSTEM_USER_LIBRARIES]
+TMP_DIR_SLOT=[TMP_DIR]
+TPS_DIR_SLOT=[TPS_DIR]
+[Tomcat]
+INSTALL_TIME_SLOT=[INSTALL_TIME]
+PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
+PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
+PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
+PKI_AGENT_CLIENTAUTH_SLOT=[PKI_AGENT_CLIENTAUTH]
+PKI_AGENT_SECURE_PORT_SLOT=[PKI_AGENT_SECURE_PORT]
+PKI_AJP_PORT_SLOT=[PKI_AJP_PORT]
+PKI_AJP_REDIRECT_PORT_SLOT=[PKI_AJP_REDIRECT_PORT]
+PKI_CERT_DB_PASSWORD_SLOT=[PKI_CERT_DB_PASSWORD]
+PKI_CFG_PATH_NAME_SLOT=[PKI_CFG_PATH_NAME]
+PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT]
+PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT]
+PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
+PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
+PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
+PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
+PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
+PKI_GROUP_SLOT=[PKI_GROUP]
+PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
+PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
+PKI_INSTANCE_PATH_SLOT=[PKI_INSTANCE_PATH]
+PKI_INSTANCE_ROOT_SLOT=[PKI_INSTANCE_ROOT]
+PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
+PKI_MACHINE_NAME_SLOT=[PKI_MACHINE_NAME]
+PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT]
+PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT]
+PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT]
+PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
+PKI_PIDDIR_SLOT=[PKI_PIDDIR]
+PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT]
+PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT]
+PKI_RANDOM_NUMBER_SLOT=[PKI_RANDOM_NUMBER]
+PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_RESTEASY_LIB_SLOT=[PKI_RESTEASY_LIB]
+PKI_SECURE_PORT_SLOT=[PKI_SECURE_PORT]
+PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
+PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
+PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
+PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
+PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
+PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_TMPDIR_SLOT=[PKI_TMPDIR]
+PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
+PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
+PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
+PKI_USER_SLOT=[PKI_USER]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
+PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
+TOMCAT_CFG_SLOT=[TOMCAT_CFG]
+TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
+TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR]
+TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE]
+TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT]
+TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
+TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
+TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
+TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
diff --git a/base/server/config/sample.cfg b/base/server/config/sample.cfg
new file mode 100644
index 000000000..d2334c754
--- /dev/null
+++ b/base/server/config/sample.cfg
@@ -0,0 +1,6 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+##Required for all subsystems that are not root CAs
+#pki_security_domain_password=
diff --git a/base/server/config/sampleCAclone.cfg b/base/server/config/sampleCAclone.cfg
new file mode 100644
index 000000000..0aef7b25a
--- /dev/null
+++ b/base/server/config/sampleCAclone.cfg
@@ -0,0 +1,15 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=
+
+[CA]
+pki_clone=True
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=
+pki_clone_uri=
\ No newline at end of file
diff --git a/base/server/config/sampleExternalSignedCA-step1.cfg b/base/server/config/sampleExternalSignedCA-step1.cfg
new file mode 100644
index 000000000..35b3d2460
--- /dev/null
+++ b/base/server/config/sampleExternalSignedCA-step1.cfg
@@ -0,0 +1,10 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+
+[CA]
+pki_external=True
+pki_external_csr_path=
+pki_ca_signing_subject_dn=
\ No newline at end of file
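Review bot: sample.cfg leaves `pki_admin_password=`, `pki_client_pkcs12_password=` and `pki_ds_password=` as bare cleartext fields with no guidance on how the file should be handled once a user fills them in; a header comment such as `# Once filled in, this file holds cleartext passwords: keep it readable only by the user running pkispawn` would cover that. The same applies to sampleCAclone.cfg and sampleExternalSignedCA-step1.cfg in this hunk group and to sampleExternalSignedCA-step2.cfg, sampleKRA.cfg, sampleKRAclone.cfg and sampleSubordinateCA.cfg that follow. Those six files also end without a trailing newline (`\ No newline at end of file`), unlike sample.cfg; adding one keeps later appends and diffs clean.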
diff --git a/base/server/config/sampleExternalSignedCA-step2.cfg b/base/server/config/sampleExternalSignedCA-step2.cfg
new file mode 100644
index 000000000..c106d63c0
--- /dev/null
+++ b/base/server/config/sampleExternalSignedCA-step2.cfg
@@ -0,0 +1,12 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+
+[CA]
+pki_external=True
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_step_two=True
+pki_ca_signing_subject_dn=
\ No newline at end of file
diff --git a/base/server/config/sampleKRA.cfg b/base/server/config/sampleKRA.cfg
new file mode 100644
index 000000000..8cdfb9fa0
--- /dev/null
+++ b/base/server/config/sampleKRA.cfg
@@ -0,0 +1,12 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=
+pki_issuing_ca_uri=
+
+[KRA]
+pki_import_admin_cert=
\ No newline at end of file
diff --git a/base/server/config/sampleKRAclone.cfg b/base/server/config/sampleKRAclone.cfg
new file mode 100644
index 000000000..96025cf07
--- /dev/null
+++ b/base/server/config/sampleKRAclone.cfg
@@ -0,0 +1,16 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=
+
+[KRA]
+pki_clone=True
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=
+pki_clone_uri=
+pki_issuing_ca=
\ No newline at end of file
diff --git a/base/server/config/sampleSubordinateCA.cfg b/base/server/config/sampleSubordinateCA.cfg
new file mode 100644
index 000000000..8b616163a
--- /dev/null
+++ b/base/server/config/sampleSubordinateCA.cfg
@@ -0,0 +1,13 @@
+[DEFAULT]
+pki_admin_password=
+pki_client_pkcs12_password=
+pki_ds_password=
+pki_security_domain_password=
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=
+
+[CA]
+pki_subordinate=True
+pki_issuing_ca=
+pki_ca_signing_subject_dn=
\ No newline at end of file
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
new file mode 100644
index 000000000..e848363ab
--- /dev/null
+++ b/base/server/etc/default.cfg
@@ -0,0 +1,531 @@ +############################################################################### +## Default Configuration: ## +## ## +## Values in this section are common to more than one PKI subsystem, and ## +## contain required information which MAY be overridden by users as ## +## necessary. ## +## ## +## There are also some meta-parameters that determine how the PKI ## +## configuratiion should work. ## +## ## +############################################################################### +[DEFAULT] + +# The sensitive_parameters contains a list of parameters which may contain +# sensitive information which must not be displayed to the console nor stored +# in log files for security reasons. +sensitive_parameters= + pki_admin_password + pki_backup_password + pki_client_database_password + pki_client_pin + pki_client_pkcs12_password + pki_clone_pkcs12_password + pki_ds_password + pki_one_time_pin + pki_pin + pki_security_domain_password + pki_token_password + +# The spawn_scriplets contains a list of scriplets to be executed by pkispawn. +spawn_scriplets= + initialization + infrastructure_layout + instance_layout + subsystem_layout + selinux_setup + webapp_deployment + slot_substitution + security_databases + configuration + finalization + +# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy. +destroy_scriplets= + initialization + configuration + webapp_deployment + subsystem_layout + security_databases + instance_layout + selinux_setup + infrastructure_layout + finalization + +# By default, the following parameters will be set for Tomcat and Apache instances. +# There is no reason to uncomment these. They are provided for reference in +# case someone wants to override them in their config file. 
+# +# Tomcat instances: +# pki_instance_name=pki-tomcat +# pki_https_port=8443 +# pki_http_port=8080 +# +# Apache instances: +# pki_instance_name=pki-apache +# pki_https_port=443 +# pki_http_port=80 + +pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert +pki_admin_cert_request_type=pkcs10 +pki_admin_dualkey=False +pki_admin_keysize=2048 +pki_admin_password= +pki_audit_group=pkiaudit +pki_audit_signing_key_algorithm=SHA256withRSA +pki_audit_signing_key_size=2048 +pki_audit_signing_key_type=rsa +pki_audit_signing_signing_algorithm=SHA256withRSA +pki_audit_signing_token=Internal Key Storage Token +pki_backup_keys=False +pki_backup_password= +pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 +pki_client_database_password= +pki_client_database_purge=True +pki_client_dir=%(home_dir)s/.pki/%(pki_instance_name)s +pki_client_pkcs12_password= +pki_ds_bind_dn=cn=Directory Manager +pki_ds_ldap_port=389 +pki_ds_ldaps_port=636 +pki_ds_password= +pki_ds_remove_data=True +pki_ds_secure_connection=False +pki_group=pkiuser +pki_issuing_ca_hostname=%(pki_security_domain_hostname)s +pki_issuing_ca_https_port=%(pki_security_domain_https_port)s +pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s +pki_issuing_ca=%(pki_issuing_ca_uri)s +pki_restart_configured_instance=True +pki_security_domain_hostname=%(pki_hostname)s +pki_security_domain_https_port=8443 +pki_security_domain_name=%(pki_dns_domainname)s Security Domain +pki_security_domain_password= +pki_security_domain_user=caadmin +pki_skip_configuration=False +pki_skip_installation=False +pki_ssl_server_key_algorithm=SHA256withRSA +pki_ssl_server_key_size=2048 +pki_ssl_server_key_type=rsa +pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s +pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s +pki_ssl_server_token=Internal Key Storage Token +pki_subsystem_key_algorithm=SHA256withRSA +pki_subsystem_key_size=2048 
+pki_subsystem_key_type=rsa +pki_subsystem_token=Internal Key Storage Token +pki_theme_enable=True +pki_theme_server_dir=/usr/share/pki/common-ui +pki_token_name=internal +pki_token_password= +pki_user=pkiuser + +# Paths: +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. +# +pki_client_database_dir=%(pki_client_subsystem_dir)s/alias +pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s +pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf +pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf +pki_client_cert_database=%(pki_client_database_dir)s/cert8.db +pki_client_key_database=%(pki_client_database_dir)s/key3.db +pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db +pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert +pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf +pki_source_setup_path=/usr/share/pki/setup +pki_source_server_path=/usr/share/pki/server/conf +pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg +pki_source_registry=/usr/share/pki/setup/pkidaemon_registry +pki_path=%(pki_root_prefix)s/var/lib/pki +pki_log_path=%(pki_root_prefix)s/var/log/pki +pki_configuration_path=%(pki_root_prefix)s/etc/pki +pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki +pki_instance_path=%(pki_path)s/%(pki_instance_name)s +pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s +pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s +pki_database_path=%(pki_instance_configuration_path)s/alias +pki_instance_database_link=%(pki_instance_path)s/alias +pki_instance_conf_link=%(pki_instance_path)s/conf +pki_instance_logs_link=%(pki_instance_path)s/logs +pki_subsystem_path=%(pki_instance_path)s/%(pki_subsystem_type)s +pki_subsystem_log_path=%(pki_instance_log_path)s/%(pki_subsystem_type)s +pki_subsystem_archive_log_path=%(pki_subsystem_log_path)s/archive 
+pki_subsystem_configuration_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s +pki_subsystem_database_link=%(pki_subsystem_path)s/alias +pki_subsystem_conf_link=%(pki_subsystem_path)s/conf +pki_subsystem_logs_link=%(pki_subsystem_path)s/logs +pki_subsystem_registry_link=%(pki_subsystem_path)s/registry + + +############################################################################### +## Apache Configuration: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 'Apache' (RA and TPS subsystems), and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[Apache] + +# Paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. +# +pki_systemd_service=/lib/systemd/system/pki-apached@.service +pki_systemd_target=/lib/systemd/system/pki-apached.target +pki_systemd_target_wants=/etc/systemd/system/pki-apached.target.wants +pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-apached@%(pki_instance_name)s.service +pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s +pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s +pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s +pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s +pki_instance_type=Apache +pki_instance_type_registry_path =%(pki_registry_path)s/apache +pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s +pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s + +############################################################################### +## Tomcat Configuration: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 
'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## +## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ## +## required information which MAY be overridden by users as necessary. ## +## ## +## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ## +## or a 'TKS Clone', change the value of 'pki_clone' ## +## from 'False' to 'True'. ## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! ## +############################################################################### +[Tomcat] +pki_ajp_port=8009 +pki_clone=False +pki_clone_pkcs12_password= +pki_clone_pkcs12_path= +pki_clone_replicate_schema=True +pki_clone_replication_master_port= +pki_clone_replication_clone_port= +pki_clone_replication_security=None +pki_clone_uri= +pki_enable_java_debugger=False +pki_enable_proxy=False +pki_proxy_http_port=80 +pki_proxy_https_port=443 +pki_security_manager=true +pki_tomcat_server_port=8005 + +# Paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. 
+# +pki_systemd_service=/lib/systemd/system/pki-tomcatd@.service +pki_systemd_target=/lib/systemd/system/pki-tomcatd.target +pki_systemd_target_wants=/etc/systemd/system/pki-tomcatd.target.wants +pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-tomcatd@%(pki_instance_name)s.service +pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s +pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s +pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s +pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s +pki_tomcat_bin_path=/usr/share/tomcat/bin +pki_tomcat_lib_path=/usr/share/tomcat/lib +pki_tomcat_systemd=/usr/sbin/tomcat-sysd +pki_source_catalina_properties=%(pki_source_server_path)s/catalina.properties +pki_source_servercertnick_conf=%(pki_source_server_path)s/serverCertNick.conf +pki_source_server_xml=%(pki_source_server_path)s/server.xml +pki_source_context_xml=%(pki_source_server_path)s/context.xml +pki_source_tomcat_conf=%(pki_source_server_path)s/tomcat.conf +pki_instance_type=Tomcat +pki_tomcat_common_path=%(pki_instance_path)s/common +pki_tomcat_common_lib_path=%(pki_tomcat_common_path)s/lib +pki_tomcat_tmpdir_path=%(pki_instance_path)s/temp +pki_tomcat_webapps_path=%(pki_instance_path)s/webapps +pki_tomcat_webapps_root_path=%(pki_tomcat_webapps_path)s/ROOT +pki_tomcat_webapps_common_path=%(pki_tomcat_webapps_path)s/pki +pki_tomcat_webapps_root_webinf_path=%(pki_tomcat_webapps_root_path)s/WEB-INF +pki_tomcat_work_path=%(pki_instance_path)s/work +pki_tomcat_work_catalina_path=%(pki_tomcat_work_path)s/Catalina +pki_tomcat_work_catalina_host_path=%(pki_tomcat_work_catalina_path)s/localhost +pki_tomcat_work_catalina_host_run_path=%(pki_tomcat_work_catalina_host_path)s/_ +pki_tomcat_work_catalina_host_subsystem_path=%(pki_tomcat_work_catalina_host_path)s/%(pki_subsystem_type)s 
+pki_instance_conf_log4j_properties=%(pki_instance_configuration_path)s/log4j.properties +pki_instance_type_registry_path=%(pki_registry_path)s/tomcat +pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s +pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s +pki_tomcat_bin_link=%(pki_instance_path)s/bin +pki_instance_lib=%(pki_instance_path)s/lib +pki_instance_lib_log4j_properties=%(pki_instance_lib)s/log4j.properties +pki_instance_systemd_link=%(pki_instance_path)s/%(pki_instance_name)s +pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit +pki_subsystem_tomcat_webapps_link=%(pki_subsystem_path)s/webapps +pki_tomcat_webapps_subsystem_path=%(pki_tomcat_webapps_path)s/%(pki_subsystem_type)s +pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes +pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib +pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar +pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar +pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar +pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar +pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar +pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar + + +# JAR paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files +pki_jss_jar=%(jni_jar_dir)s/jss4.jar +pki_symkey_jar=%(jni_jar_dir)s/symkey.jar +pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar +pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar +pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar +pki_commons_codec_jar=/usr/share/java/commons-codec.jar 
+pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar +pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar +pki_javassist_jar=/usr/share/java/javassist.jar +pki_jettison_jar=/usr/share/java/jettison.jar +pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar +pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar +pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar +pki_cmscore=/usr/share/java/pki/pki-cmscore.jar +pki_cms=/usr/share/java/pki/pki-cms.jar +pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar +pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar +pki_nsutil=/usr/share/java/pki/pki-nsutil.jar +pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar +pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar +pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar +pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar +pki_resteasy_jettison_provider_jar=%(resteasy_lib)s/resteasy-jettison-provider.jar +pki_scannotation_jar=/usr/share/java/scannotation.jar +pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar +pki_velocity_jar=/usr/share/java/velocity.jar +pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar +pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar +pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar +pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar +pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar +pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar +pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar +pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar +pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar +pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar +pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar +pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar 
+pki_resteasy_jaxrs_api_jar_link=%(pki_tomcat_common_lib_path)s/jaxrs-api.jar +pki_jettison_jar_link=%(pki_tomcat_common_lib_path)s/jettison.jar +pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar +pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar +pki_resteasy_atom_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-atom-provider.jar +pki_resteasy_jaxb_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxb-provider.jar +pki_resteasy_jaxrs_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxrs.jar +pki_resteasy_jettison_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jettison-provider.jar +pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar +pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar +pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar +pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar +pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar +pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar +pki_ca_jar=/usr/share/java/pki/pki-ca.jar +pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar +pki_kra_jar=/usr/share/java/pki/pki-kra.jar +pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar +pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar +pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar +pki_tks_jar=/usr/share/java/pki/pki-tks.jar +pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar + + + +############################################################################### +## CA Configuration: ## +## ## +## Values in this section are common to CA subsystems including 'PKI CAs', ## +## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## +## required information which MAY be overridden by users as necessary. 
## +## ## +## EXTERNAL CAs: To specify an 'External CA', change the value ## +## of 'pki_external' from 'False' to 'True'. ## +## ## +## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ## +## of 'pki_subordinate' from 'False' to 'True'. ## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! ## +############################################################################### +[CA] +pki_ca_signing_key_algorithm=SHA256withRSA +pki_ca_signing_key_size=2048 +pki_ca_signing_key_type=rsa +pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA +pki_ca_signing_signing_algorithm=SHA256withRSA +pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s +pki_ca_signing_token=Internal Key Storage Token +pki_external=False +pki_external_ca_cert_chain_path= +pki_external_ca_cert_path= +pki_external_csr_path= +pki_external_step_two=False +pki_import_admin_cert=False +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA +pki_ocsp_signing_signing_algorithm=SHA256withRSA +pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token +pki_subordinate=False +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=caadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA +pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_name)s-CA +pki_ds_database=%(pki_instance_name)s-CA +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s 
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA +pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s + +# Paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. +# +pki_source_emails=/usr/share/pki/ca/emails +pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt +pki_source_profiles=/usr/share/pki/ca/profiles +pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf +pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg +pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile +pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile +pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile +pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile +pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile +pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile +pki_subsystem_emails_path=%(pki_subsystem_path)s/emails +pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles + + + + +############################################################################### +## KRA Configuration: ## +## ## +## Values in this section are common to KRA subsystems ## +## including 'PKI KRAs' and 'Cloned KRAs', and contain ## +## required information which MAY be overridden by users as necessary. 
## +############################################################################### +[KRA] +pki_import_admin_cert=True +pki_storage_key_algorithm=SHA256withRSA +pki_storage_key_size=2048 +pki_storage_key_type=rsa +pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA +pki_storage_signing_algorithm=SHA256withRSA +pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s +pki_storage_token=Internal Key Storage Token +pki_transport_key_algorithm=SHA256withRSA +pki_transport_key_size=2048 +pki_transport_key_type=rsa +pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA +pki_transport_signing_algorithm=SHA256withRSA +pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s +pki_transport_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=kraadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA +pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_name)s-KRA +pki_ds_database=%(pki_instance_name)s-KRA +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA +pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s + +# Paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. 
+# +pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile +pki_source_storagecert_profile=%(pki_source_conf_path)s/storageCert.profile +pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile +pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile + +############################################################################### +## OCSP Configuration: ## +## ## +## Values in this section are common to OCSP subsystems ## +## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[OCSP] +pki_import_admin_cert=True +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP +pki_ocsp_signing_signing_algorithm=SHA256withRSA +pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=ocspadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP +pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_name)s-OCSP +pki_ds_database=%(pki_instance_name)s-OCSP +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP +pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s + +############################################################################### +## 
RA Configuration: ## +## ## +## Values in this section are common to PKI RA subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[RA] + +############################################################################### +## TKS Configuration: ## +## ## +## Values in this section are common to TKS subsystems ## +## including 'PKI TKSs' and 'Cloned TKSs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[TKS] +pki_import_admin_cert=True +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=tksadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS +pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_name)s-TKS +pki_ds_database=%(pki_instance_name)s-TKS +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS +pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s + +############################################################################### +## TPS Configuration: ## +## ## +## Values in this section are common to PKI TPS subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[TPS] + +# Paths +# These are used in the processing of pkispawn and are not supposed +# to be overwritten by user configuration files. 
+#
+pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
+
diff --git a/base/server/etc/pki.conf b/base/server/etc/pki.conf
new file mode 100644
index 000000000..24decec52
--- /dev/null
+++ b/base/server/etc/pki.conf
@@ -0,0 +1,4 @@
+# RESTEasy library
+RESTEASY_LIB=${RESTEASY_LIB}
+# JNI jar file location
+JNI_JAR_DIR=${JNI_JAR_DIR}
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
new file mode 100644
index 000000000..ec2379a9f
--- /dev/null
+++ b/base/server/man/man5/pki_default.cfg.5
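Review bot: The [DEFAULT] section of default.cfg ships `pki_ds_secure_connection=False` alongside `pki_ds_bind_dn=cn=Directory Manager` and `pki_ds_ldap_port=389`, so an unmodified deployment presumably authenticates to the directory server with its most privileged credential over cleartext LDAP, and nothing in the file says so; since this file is documented as not to be edited, a comment above that key such as `# Default is a cleartext LDAP connection; set pki_ds_secure_connection=True (LDAPS on pki_ds_ldaps_port) in the user config for any deployment that is not a local test` would make the trade-off visible at the point of override. Two consistency points in the same hunk: `pki_security_manager=true` in [Tomcat] is the only boolean written in lower case while every other one uses `True`/`False` (harmless if the parser is case-insensitive, which I cannot confirm from here, but `pki_security_manager=True` would match), and the [Apache] line `pki_instance_type_registry_path =%(pki_registry_path)s/apache` carries a stray space before `=` that its [Tomcat] counterpart does not. The opening banner also misspells "configuratiion".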
@@ -0,0 +1,275 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH pki_default.cfg 5 "December 13, 2012" "version 1.0" "PKI Default Instance Configuration" Ade Lee
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+pki_default.cfg \- Certificate Server instance default config file.
+
+.SH LOCATION
+/etc/pki/default.cfg
+
+.SH DESCRIPTION
+This file contains the default settings for a Certificate Server instance created using \fBpkispawn\fP. This file should not be edited, as it can be modified when the Certificate Server packages are updated. Rather, when setting up a Certificate Server instance, a user-provided configuration file can provide overrides to the defaults in /etc/pki/default.cfg. See \fBpkispawn(8)\fR for details.
+
+.SH SECTIONS
+\fIdefault.cfg\fP is divided into subsystem-based sections ([DEFAULT] for general configuration and subsystem-type sections such as [CA] and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP, and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem type section -- [CA], [KRA], [OCSP], and [TKS] -- in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and subsystem-specific upgrades in the other sections.
+.PP
+There are a small number of bootstrap parameters which are passed in the configuration file by \fBpkispawn\fP.
Other parameter's values can be interpolated tokens rather than explicit values. For example:
+.PP
+\fBpki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA\fP
+.PP
+This substitutes the value of pki_instance_name into the parameter value. It is possible to interpolate any parameter within a section or in [DEFAULT]. Any parameter used in interpolation can \fBONLY\fP be overridden within the same section. So, for example, pki_instance_name should only be overridden in [DEFAULT]; otherwise, interpolations can fail.
+
+.SH GENERAL INSTANCE PARAMETERS
+The parameters described below, as well as the parameters located in the following sections, can be customized as part of a deployment. This list is not exhaustive.
+.TP
+.B pki_instance_name
+.IP
+Name of the instance. The instance is located at /var/lib/pki/. For Java subsystems, the default is specified as pki-tomcat.
+.TP
+.B pki_https_port, pki_http_port
+.IP
+Secure and unsecure ports. Defaults to standard Tomcat ports 8443 and 8080, respectively, for Java subsystems, and 443 and 80 for Apache subsystems.
+.TP
+.B pki_ajp_port, pki_tomcat_server_port
+.IP
+Ports for Tomcat subsystems. Defaults to standard Tomcat ports of 8009 and 8005, respectively.
+.TP
+.B pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
+.IP
+Ports for an Apache proxy server. Certificate Server instances can be run behind an Apache proxy server, which will communicate with the Tomcat instance through the AJP port. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for details.
+.TP
+.B pki_user, pki_group, pki_audit_group
+.IP
+Specifies the default administrative user, group, and auditor group identities for PKI instances. The default user and group are both specified as \fBpkiuser\fR, and the default audit group is specified as \fBpkiaudit\fR.
+.TP
+.B pki_token_name, pki_token_password
+.IP
+The token and password where this instance's system certificate and keys are stored. Defaults to the NSS internal software token.
+
+.SS SYSTEM CERTIFICATE PARAMETERS
+\fBpkispawn\fP sets up a number of system certificates for each subsystem. The system certificates which are required differ between subsystems. Each system certificate is denoted by a tag, as noted below. The different system certificates are:
+.IP
+* signing certificate ("signing"). Used to sign other certificates. Required for CA.
+.IP
+* OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP). Used to sign CRLs. Required for OCSP and CA.
+.IP
+* storage certificate ("storage"). Used to encrypt keys for storage in KRA. Required for KRA only.
+.IP
+* transport certificate ("transport"). Used to encrypt keys in transport to the KRA. Required for KRA only.
+.IP
+* subsystem certificate ("subsystem"). Used to communicate between subsystems within the security domain. Issued by the security domain CA. Required for all subsystems.
+.IP
+* server certificate ("sslserver"). Used for communication with the server. One server certificate is required for each Certificate Server instance.
+.IP
+* audit signing certificate ("audit_signing"). Used to sign audit logs. Required for all subsystems except the RA.
+.PP
+Each system certificate can be customized using the parameters below:
+.TP
+.B pki__key_type, pki__keysize, pki__key_algorithm
+.IP
+Characteristics of the private key. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for possible options. The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm.
+.TP
+.B pki__signing_algorithm
+.IP
+For signing certificates, the algorithm used for signing. Defaults to SHA256withRSA.
+.TP
+.B pki__token
+.IP
+Location where the certificate and private key are stored.
Defaults to the internal software NSS token database.
+.TP
+.B pki__nickname
+.IP
+Nickname for the certificate in the token database.
+.TP
+.B pki__subject_dn
+.IP
+Subject DN for the certificate. The subject DN for the SSL Server certificate must include CN=.
+.SS ADMIN USER PARAMETERS
+\fBpkispawn\fP creates a bootstrap administrative user that is a member of all the necessary groups to administer the installed subsystem. On a security domain CA, the CA administrative user is also a member of the groups required to register a new subsystem on the security domain. The certificate and keys for this administrative user are stored in a PKCS #12 file in \fBpki_client_dir\fP, and can be imported into a browser to administer the system.
+.TP
+.B pki_admin_name, pki_admin_uid
+.IP
+Name and UID of this administrative user. Defaults to caadmin for CA, kraadmin for KRA, etc.
+.TP
+.B pki_admin_password
+.IP
+Password for the admin user. This password is used to log into the pki-console (unless client authentication is enabled), as well as log into the security domain CA.
+.TP
+.B pki_admin_email
+.IP
+Email address for the admin user.
+.TP
+.B pki_admin_dualkey, pki_admin_keysize, pki_admin_keytype
+.IP
+Settings for the administrator certificate and keys.
+.TP
+.B pki_admin_subject_dn
+.IP
+Subject DN for the administrator certificate. Defaults to \fBcn=PKI Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s\fP.
+.TP
+.B pki_admin_nickname
+Nickname for the administrator certificate.
+.TP
+.B pki_import_admin_cert
+.IP
+Set to True to import an existing admin certificate for the admin user, rather than generating a new one. A subsystem-specific administrator will still be created within the subsystem's LDAP tree. This is useful to allow multiple subsystems within the same instance to be more easily administered from the same browser by using a single certificate.
+
+By default, this is set to False for CA subsystems and true for KRA, OCSP, and TKS subsystems. In this case, the admin certificate is read from the file ca_admin.cert in \fBpki_client_dir\fP.
+
+Note that cloned subsystems do not create a new administrative user. The administrative user of the master subsystem is used instead, and the details of this master user are replicated during the install.
+.TP
+.B pki_client_admin_cert_p12
+.IP
+Location for the PKCS #12 file containing the administrative user's certificate and keys. For a CA, this defaults to \fIca_admin_cert.p12\fP in the \fBpki_client_dir\fP directory.
+.SS BACKUP PARAMETERS
+.TP
+.B pki_backup_keys, pki_backup_password
+.IP
+Set to True to back up the subsystem certificates and keys to a PKCS #12 file. This file will be located in \fI/var/lib/pki//alias\fP. pki_backup_password is the password of the PKCS#12 file.
+
+.SS CLIENT DIRECTORY PARAMETERS
+.TP
+.B pki_client_dir
+.IP
+This is the location where all client data used during the installation is stored. At the end of the invocation of \fBpkispawn\fP, the administrative user's certificate and keys are stored in a PKCS #12 file in this location.
+.TP
+.B pki_client_database_dir, pki_client_database_password
+.IP
+Location where an NSS token database is created in order to generate a key for the administrative user. Usually, the data in this location is removed at the end of the installation, as the keys and certificates are stored in a PKCS #12 file in \fBpki_client_dir\fP.
+.TP
+.B pki_client_database_purge
+.IP
+Set to True to remove \fBpki_client_database_dir\fP at the end of the installation. Defaults to True.
+.SS INTERNAL DATABASE PARAMETERS
+\x'-1'\fBpki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port\fR
+.IP
+Hostname and ports for the internal database. Defaults to localhost, 389, and 636, respectively.
+.PP
+.B pki_ds_bind_dn, pki_ds_password
+.IP
+Credentials to connect to the database during installation.
Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details.
+.PP
+.B pki_ds_secure_connection
+.IP
+Sets whether to require connections to the Directory Server using LDAPS. This requires SSL to be set up on the Directory Server first. Defaults to false.
+.PP
+.B pki_ds_remove_data
+.IP
+Sets whether to remove any data from the base DN before starting the installation. Defaults to True.
+.PP
+.B pki_ds_base_dn
+.IP
+The base DN for the internal database. It is advised that the Certificate Server have its own base DN for its internal database. If the base DN does not exist, it will be created during the running of \fBpkispawn\fP. For a cloned subsystem, the base DN for the clone subsystem MUST be the same as for the master subsystem.
+.PP
+.B pki_ds_database
+.IP
+Name of the back-end database. It is advised that the Certificate Server have its own base DN for its internal database. If the back-end does not exist, it will be created during the running of \fBpkispawn\fP.
+.SS ISSUING CA PARAMETERS
+\x'-1'\fBpki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri\fR
+.IP
+Hostname and port, or URI of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://:.
+
+.SS MISCELLANEOUS PARAMETERS
+\x'-1'\fBpki_restart_configured_instance\fR
+.IP
+Sets whether to restart the instance after configuration is complete. Defaults to True.
+.PP
+.B pki_skip_configuration
+.IP
+Sets whether to execute the configuration steps when running \fBpkispawn\fP. If this is true, then the process is analogous to running \fBpkicreate\fP, when the configuration was performed separately from the instance creation. A configuration URL will be provided. This URL can be used as a starting point for the browser-based configuration panels. Defaults to False.
+.PP
+.B pki_skip_installation
+.IP
+Sets whether to skip the installation steps. With pki_skip_configuration set to False, this is analogous to running pkisilent. Defaults to False.
+.PP
+.B pki_enable_java_debugger
+.IP
+Sets whether to attach a Java debugger such as Eclipse to the instance for troubleshooting. Defaults to False.
+.PP
+.B pki_security_manager
+.IP
+Enables the Java security manager policies provided by the JDK to be used with the instance. Defaults to True.
+.PP
+.SS SECURITY DOMAIN PARAMETERS
+The security domain is a component that facilitates communication between subsystems. The first CA installed hosts this component and is used to register subsequent subsystems with the security domain. These subsystems can communicate with each other using their subsystem certificate, which is issued by the security domain CA. For more information about the security domain component, see the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/.
+.TP
+.B pki_security_domain_hostname, pki_security_domain_https_port
+.IP
+Location of the security domain. Required for KRA, OCSP, and TKS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance.
+.TP
+.B pki_security_domain_user, pki_security_domain_password
+.IP
+Administrative user of the security domain. Required for KRA, OCSP, and TKS subsystems, and for CA subsystems joining a security domain.
Defaults to the administrative user for the CA subsystem within the same instance (caadmin).
+.TP
+.B pki_security_domain_name
+.IP
+The name of the security domain. This is required for the security domain CA.
+
+.SS CLONE PARAMETERS
+.TP
+.B pki_clone
+.IP
+Installs a clone, rather than original, subsystem.
+.TP
+.B pki_clone_pkcs12_password, pki_clone_pkcs12_path
+.IP
+Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned. This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct selinux context (pki_tomcat_cert_t). This can be achieved by placing the file in \fI/var/lib/pki//alias\fP.
+.TP
+.B pki_clone_replication_master_port, pki_clone_replication_clone_port
+.IP
+Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port.
+.TP
+.B pki_clone_repicate_schema
+.IP
+Replicate schema when the replication agreement is set up and the new instance (consumer) is initialized. Otherwise, the schema must be installed in the clone as a separate step beforehand. This does not usually have to be changed. Defaults to True.
+.TP
+.B pki_clone_replication_security
+.IP
+The type of security used for the replication data. This can be set to SSL (using LDAPS), TLS, or None. Defaults to None. For SSL and TLS, SSL must be set up for the database instances beforehand.
+.TP
+.B pki_clone_uri
+.IP
+A pointer to the subsystem being cloned. The format is https://:.
+
+.SS EXTERNAL CA CERTIFICATE PARAMETERS
+\x'-1'\fBpki_external\fR
+.IP
+Sets whether the new CA will have a signing certificate that will be issued by an external CA. This is a two step process. In the first step, a CSR to be presented to the external CA is generated. In the second step, the issued signing certificate and certificate chain are provided to the \fBpkispawn\fP utility to complete the installation.
Defaults to False.
+.PP
+.B pki_external_csr_path
+.IP
+Required in the first step of the external CA signing process. The CSR will be printed to the screen and stored in this location.
+.PP
+.B pki_external_step_two
+.IP
+Specifies that this is the second step of the external CA process. Defaults to False.
+.PP
+.B pki_external_cert_path, pki_external_cert_chain_path
+.IP
+Required for the second step of the external CA signing process. This is the location of the CA signing cert (as issued by the external CA) and the external CA's certificate chain.
+.SS SUBORDINATE CA CERTIFICATE PARAMETERS
+\x'-1'\fBpki_subordinate\fR
+.IP
+Specifies whether the new CA which will be a subordinate of another CA. The master CA is specified by \fBpki_issuing_ca\fP. Defaults to False.
+
+.SH AUTHORS
+Ade Lee . \fBpkispawn\fP was written by the Dogtag project.
+
+.SH COPYRIGHT
+Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pkispawn(8)
diff --git a/base/server/man/man8/pkidestroy.8 b/base/server/man/man8/pkidestroy.8
new file mode 100644
index 000000000..407a915aa
--- /dev/null
+++ b/base/server/man/man8/pkidestroy.8
@@ -0,0 +1,67 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH pkidestroy 8 "December 13, 2012" "version 1.0" "PKI Instance Removal Utility" Ade Lee
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+pkidestroy \- Removes a subsystem from an instance of Certificate Server.
+
+.SH SYNOPSIS
+pkidestroy -s -i [-u ] [-W ] [-h] [-v] [-p ]
+
+.SH DESCRIPTION
+Removes a subsystem from an instance of Certificate Server. This utility removes any of the Java-based Certificate Server subsystems (CA, KRA, OCSP, and TKS).
+.PP
+.TP
+\fBNote:\fP
+This utility is only used for Java-based subsystems. The Apache-based Certificate Server subsystems (RA and TPS) are removed using \fBpkiremove\fP.
+.PP
+An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. If \fBpkidestroy\fP is invoked on the last subsystem in the instance, then that instance is removed. Typically, as subsystems need to contact the CA to update the security domain, the CA instance should be the last instance to be removed.
+
+.SH OPTIONS
+.TP
+.B -s
+Specifies the subsystem to be removed, where is CA, KRA, OCSP, or TKS. If this option is not specified, \fBpkidestroy\fP
+will prompt for its value.
+.TP
+.B -i
+Specifies the name of the instance from which the subsystem should be removed. The instance is located at /var/log/pki/. If this option is not specified, \fBpkidestroy\fP
+will prompt for its value.
+.TP
+.B -u
+Specifies the username of the security domain of the subsystem. This is an \fBoptional\fP parameter.
+.TP
+.B -W
+Specifies the file containing the password of the security domain of the subsystem. This is an \fBoptional\fP parameter.
+.TP
+.B -h, --help
+Prints additional help information.
+.TP
+.B -v
+Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See
+.B pkidestroy -h
+for details.
+
+
+.SH BUGS
+Report bugs to http://bugzilla.redhat.com.
+
+.SH AUTHORS
+Ade Lee . \fBpkidestroy\fP was written by the Certificate Server project.
+
+.SH COPYRIGHT
+Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pkispawn(8)
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
new file mode 100644
index 000000000..d3e980302
--- /dev/null
+++ b/base/server/man/man8/pkispawn.8
@@ -0,0 +1,374 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH pkispawn 8 "December 13, 2012" "version 1.0" "PKI Instance Creation Utility" Ade Lee
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+pkispawn \- Sets up an instance of Certificate Server.
+
+.SH SYNOPSIS
+pkispawn -s -f [-h] [-u] [-v] [-p ]
+
+.SH DESCRIPTION
+Sets up an instance of Certificate Server. This utility creates any of the Java-based Certificate Server subsystems (CA, KRA, OCSP, and TKS).
+.TP
+\fBNote:\fP
+A 389 Directory Server instance must be configured and running before this script can be run. Certificate Server requires an internal directory database. The default configuration assumes a Directory Server instance running on the same machine on port 389. For more information on creating a Directory Server instance, see
+.B setup-ds.pl(8).
+.TP
+\fBNote:\fP
+This utility creates only Java-based subsystems. The Apache-based Certificate Server subsystems (RA and TPS) are created using \fBpkicreate\fP.
+.PP
+An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. To create an instance with a CA and a KRA, simply run pkispawn twice, with values
+.I -s CA
+and
+.I -s KRA
+respectively.
+.PP
+The instances are created based on values for configuration parameters in the default configuration (/etc/pki/default.cfg) and the user-provided configuration file.
The user-provided configuration file is read after the default configuration file, so any parameters defined in that file will override parameters in the default configuration file. In general, most users will store only those parameters which are different from the default configuration in their user-provided configuration file.
+.PP
+This configuration file contains directives that are divided into sections for different subsystem types (such as [DEFAULT], [CA], and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem-type section ([CA], [KRA], [OCSP], or [TKS]), in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and system-specific upgrades in the [CA], [KRA], and other sections.
+.PP
+At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the
+.B EXAMPLES
+section below. For more information on the default configuration file and the parameters it contains (and can be customized), see
+.B pki_default.cfg(5).
+.PP
+The \fBpkispawn\fP run creates several different installation files that can be referenced later, if need be:
+.IP
+* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file.
+.IP
+* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki-spawn--.log\fP.
+.IP
+* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir.
+.PP
+When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser.
+.PP
+The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See
+\fBpki(1)\fP. For more extensive documentation on how to use Certificate Server features, see the Red Hat Certificate System Documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/.
+.PP
+Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. See
+.BR pkidestroy(8).
+.PP
+\fBpkispawn\fP supersedes and combines the functionality of \fBpkicreate\fP and \fBpkisilent\fP, which were available in earlier releases of Certificate Server. It is now possible to completely create and configure the Certificate Server subsystem in a single step using \fBpkispawn\fP. To use the browser-based configuration panels with \fBpkispawn\fP instead, set the configuration parameter \fBpki_skip_configuration\fP to True.
+
+.SH OPTIONS
+.TP
+.B -s
+Specifies the subsystem to be installed and configured, where is CA, KRA, OCSP, or TKS.
+.TP
+.B -f
+Specifies the path to the user-defined configuration file. This file contains differences between the default configuration and the custom configuration.
+.TP
+.B -h, --help
+Prints additional help information.
+.TP
+.B -u
+Runs this script in upgrade mode, to update an existing instance.
+.TP
+.B -v
+Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See
+.B pkispawn -h
+for details.
+
+.SH INTERACTIVE MODE
+.PP
+If no options are specified, pkispawn will provide an interactive menu to collect the parameters needed to install
+the Certificate Server instance. Note that only the most basic installation options are provided. This includes root CAs,
+KRAs, OCSPs and TKS, connecting to the LDAP port of a directory server.
More complicated setups such as: cloned subsystems, subordinate or externally signed CAs, subsystems that connect to the directory server using LDAPS, and subsystems that are customized beyond the options described below - require the use of a configuration file with the
+-f option.
+.PP
+The interactive option is most useful for those users getting familiar with Certificate Server. The parameters collected are
+written to the installation file of the subsystem, which can be found at \fB/etc/sysconfig/pki/tomcat///deployment.cfg.\fP
+.PP
+The following parameters are queried interactively during the installation process:
+.PP
+\fBSubsystem Type\fP
+.TP
+\fISubsystem (CA/KRA/OCSP/TKS):\fP
+the type of subsystem to be installed. Prompted when the -s option is not specified. The default value chosen is CA.
+.PP
+\fBInstance Specific Parameters\fP
+.TP
+\fIInstance name:\fP
+the name of the tomcat instance in which the subsystem is to be installed. The default value is pki-tomcat.
+.br
+\fBNote:\fP Only one subsystem of a given type (CA, KRA, OCSP, TKS) can exist within a given instance.
+.TP
+\fIHTTP port:\fP
+the HTTP port of the Tomcat instance. The default value is 8080.
+.TP
+\fISecure HTTP port:\fP
+the HTTPS port of the Tomcat instance. The default value is 8443.
+.TP
+\fIAJP port:\fP
+the AJP port of the Tomcat instance. The default value is 8009.
+.TP
+\fIManagement port:\fP
+the management port of the Tomcat instance. The default value is 8005.
+.PP
+\fBAdministrative User Parameters\f
+.TP
+\fIUsername:\fP
+the username of the administrator of this subsystem. The default value is admin.
+.TP
+\fIPassword:\fP
+password for the administrator user.
+.TP
+\fIImport certificate:\fP
+An optional parameter that can be used to import an already available CA admin certificate into this instance.
+.TP
+\fIExport certificate:\fP
+setup the path where the admin certificate of this should be stored. The default value is /root/.pki/pki-tomcat/_admin.cert.
+.PP
+\fBDirectory Server Parameters\f
+.TP
+\fIHostname:\fP
+Hostname of the directory server instance. The default value is the hostname of the system.
+.TP
+\fIPort:\fP
+Port for the directory server instance. The default value is 389.
+.TP
+\fIBase DN:\fP
+the Base DN to be used for the internal database for this subsystem. The default value is o=pki-tomcat-.
+.TP
+\fIBind DN:\fP
+the bind DN required to connect for the directory server. This user must have sufficient permissions to install the required schema and database. The default value is cn=Directory Manager.
+.TP
+\fIPassword:\fP
+password for the bind DN.
+.PP
+\fBSecurity Domain Parameters\f
+.TP
+\fIName:\fP
+the name of the security domain. Required only if installing a root CA. Default value: Security Domain.
+.TP
+\fIHostname:\fP
+the hostname for the security domain CA. Required only for non-CA subsystems. The default value is the hostname of this system.
+.TP
+\fISecure HTTP port:\fP
+the https port for the security domain. Required only for non-CA subsystems. The default value is 8443.
+.TP
+\fIUsername:\fP
+the username of the security domain administrator of the CA. Required only for non-CA subsystems. The default value is caadmin.
+.TP
+\fIPassword:\fP
+password for the security domain administrator. Required for all subsystems that are not root CAs.
+
+.SH EXAMPLES
+.SS CA using default configuration
+\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+.fi
+.PP
+Prior to running this command, a Directory Server instance should be created and running.
This command assumes that the Directory Server instance is using its default configuration:
+.IP
+* Installed on the local machine
+.IP
+* Listening on port 389
+.IP
+* The user is cn=Directory Manager, with the password specified in pki_ds_password
+
+This invocation of \fBpkispawn\fP creates a Tomcat instance containing a CA running on the local machine with secure port 8443 and unsecure port 8080. To access this CA, simply point a browser to https://:8443.
+.PP
+The instance name (defined by pki_instance_name) is pki-tomcat, and it is located at \fI/var/lib/pki/pki-tomcat\fP. Logs for the instance are located at \fI/var/log/pki/pki-tomcat\fP, and an installation log is written to \fI/var/log/pki/pkispawn-pki-tomcat-.log\fP.
+.PP
+A PKCS #12 file containing the administrator certificate is created in \fI$HOME/.pki/pki-tomcat\fP. This PKCS #12 file uses the password designated by pki_client_pkcs12_password in the configuration file.
+.PP
+To access the agent pages, first import the CA certificate by accessing the CA End Entity Pages and clicking on the Retrieval Tab. Be sure to trust the CA certificate. Then, import the administrator certificate in the PKCS #12 file.
+.SS KRA, OCSP, or TKS using default configuration
+\x'-1'\fBpkispawn -s -f myconfig.txt\fR
+.PP
+where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+.fi
+.PP
+The \fBpki_security_domain_password\fP is the admin password of the CA installed in the same default instance. This command should be run after a CA is installed. This installs another subsystem within the same default instance using the certificate generated for the CA administrator for the subsystem's administrator. This allows a user to access both subsystems on the browser with a single administrator certificate.
To access the new subsystem's functionality, simply point the browser to https://:8443 and click the relevant top-level links.
+.SS KRA, OCSP, or TKS connecting to a remote CA
+\x'-1'\fBpkispawn -s -f myconfig.txt\fR
+.PP
+where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=caadmin
+pki_issuing_ca_uri=https://:
+
+[KRA]
+pki_import_admin_cert=False
+.fi
+.PP
+A remote CA is one where the CA resides in another Certificate Server instance, either on the local machine or a remote machine. In this case, \fImyconfig.txt\fP must specify the connection information for the remote CA and the information about the security domain (the trusted collection of subsystems within an instance).
+.PP
+The subsystem section is [KRA], [OCSP], or [TKS]. This example assumes that the specified CA hosts the security domain. The CA must be running and accessible.
+.PP
+A new administrator certificate is generated for the new subsystem and stored in a PKCS #12 file in \fI$HOME/.pki/pki-tomcat\fP.
+.SS Installing a CA clone
+\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=caadmin
+
+[CA]
+pki_clone=True
+pki_clone_pkcs12_password=\fIpassword123\fP
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_uri=https://:
+.fi
+.PP
+A cloned CA is a CA which uses the same signing, OCSP signing, and audit signing certificates as the master CA, but issues certificates within a different serial number range. It has its own internal database -- separate from the master CA database -- but using the same base DN, that keeps in sync with the master CA through replication agreements between the databases. This is very useful for load sharing and disaster recovery. To create a clone, the \fImyconfig.txt\fP uses pki_clone-* parameters in its [CA] section which identify the original CA to use as a master template. Additionally, it connects to the master CA as a remote CA and uses its security domain.
+.PP
+Before the clone can be generated, the Directory Server must be created that is separate from the master CA's Directory Server. The example assumes that the master CA and cloned CA are on different machines, and that their Directory Servers are on port 389. In addition, the master's system certs and keys have been stored in a PKCS #12 file that is copied over to the clone subsystem in the location specified in . This file is created when the master CA is installed; it can also be generated using \fBPKCS12Export\fP. The file needs to be readable by the user the Certificate Server runs as (by default, pkiuser) and be given the SELinux context pki_tomcat_cert_t.
+.PP
+.SS Installing a KRA, OCSP, or TKS clone
+\x'-1'\fBpkispawn -s -f myconfig.txt\fR
+.PP
+where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=caadmin
+
+[KRA]
+pki_clone=True
+pki_clone_pkcs12_password=\fIpassword123\fP
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_uri=https://:
+pki_issuing_ca=https://:
+.fi
+.PP
+As with a CA clone, a KRA, OCSP, or TKS clone uses the same certificates and basic configuration as the original subsystem. The configuration points to the original subsystem to copy its configuration. This example also assumes that the CA is on a remote machine and specifies the CA and security domain information.
+.PP
+The subsystem section is [KRA], [OCSP], or [TKS].
+.SS Installing a subordinate CA
+\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+pki_security_domain_hostname=
+pki_security_domain_https_port=
+pki_security_domain_user=caadmin
+
+[CA]
+pki_subordinate=True
+pki_issuing_ca=https://:
+pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com
+.fi
+.PP
+A sub-CA derives its certificate configuration -- such as allowed extensions and validity periods -- from a superior or root CA. Otherwise, the configuration of the CA is independent of the root CA, so it is its own instance rather than a clone. A sub-CA is configured using the pki_subordinate parameter and a pointer to the CA which issues the sub-CA's certificates.
+.PP
+\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN.
+.SS Installing an externally signed CA
+\x'-1'\fBpkispawn -s CA -f myconfig.txt\fR
+.PP
+This is a two step process.
+.PP
+In the first step, a certificate signing request (CSR) is generated for the signing certificate and \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+
+[CA]
+pki_external=True
+pki_external_csr_path=/tmp/ca_signing.csr
+pki_ca_signing_subject_dn=cn=CA Signing,ou=External,o=example.com
+.fi
+.PP
+The CSR is written to pki_external_csr_path. The pki_ca_signing_subject_dn should be different from the subject DN of the external CA that is signing the request. The pki_ca_signing_subject_dn parameter can be used to specify the signing certificate's subject DN.
+
+.PP
+The CSR is then submitted to the external CA, and the resulting certificate and certificate chain are saved to files on the system.
+
+.PP
+In the second step, the configuration file has been modified to install the issued certificates. In place of the original CSR, the configuration file now points to the issued CA certificate and certificate chain. There is also a flag to indicate that this completes the installation process (pki_external_step_two).
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+
+[CA]
+pki_external=True
+pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert
+pki_external_ca_cert_path=/tmp/ca_signing.cert
+pki_external_step_two=True
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=External,o=example.com
+.fi
+.PP
+Then, the \fBpkispawn\fP command is run again:
+.PP
+.B pkispawn -s CA -f myconfig.txt
+
+.SH BUGS
+Report bugs to http://bugzilla.redhat.com.
+
+.SH AUTHORS
+Ade Lee . \fBpkispawn\fP was written by the Certificate Server project.
+
+.SH COPYRIGHT
+Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pkidestroy(8),
+.BR pki_default.cfg(5),
+.BR pki(1),
+.BR setup-ds.pl(8)
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
new file mode 100644
index 000000000..50dd4e4fd
--- /dev/null
+++ b/base/server/scripts/operations
@@ -0,0 +1,1703 @@
+#!/bin/bash -X
+
+# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+#
+# Status Exit Codes
+#
+# 0 program is running or service is OK
+# 1 program is dead and /var/run pid file exists
+# 2 program is dead and /var/lock lock file exists
+# 3 program is not running
+# 4 program or service status is unknown
+# 5-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+# Non-Status Exit Codes
+#
+# 0 action was successful
+# 1 generic or unspecified error (current practice)
+# 2 invalid or excess argument(s)
+# 3 unimplemented feature (for example, "reload")
+# 4 user had insufficient privilege
+# 5 program is not installed
+# 6 program is not configured
+# 7 program is not running
+# 8-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+
+if [ -f /etc/pki/pki.conf ] ; then
+ . /etc/pki/pki.conf
+fi
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/${SERVICE_NAME}"
+
+default_error=0
+
+case $command in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Enable nullglob, if set then shell pattern globs which do not match any
+# file returns the empty string rather than the unmodified glob pattern.
+shopt -s nullglob
+
+OS=`uname -s`
+ARCHITECTURE=`uname -i`
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$PROG_NAME' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+PKI_CA_PATH="/usr/share/pki/ca"
+PKI_KRA_PATH="/usr/share/pki/kra"
+PKI_OCSP_PATH="/usr/share/pki/ocsp"
+PKI_RA_PATH="/usr/share/pki/ra"
+PKI_TKS_PATH="/usr/share/pki/tks"
+PKI_TPS_PATH="/usr/share/pki/tps"
+if [ '${PKI_TYPE}' == "apache" ] ; then
+ if [ ! -d ${PKI_RA_PATH} ] &&
+ [ ! -d ${PKI_TPS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+elif [ '${PKI_TYPE}' == "tomcat" ] ; then
+ if [ ! -d ${PKI_CA_PATH} ] &&
+ [ ! -d ${PKI_KRA_PATH} ] &&
+ [ ! -d ${PKI_OCSP_PATH} ] &&
+ [ ! -d ${PKI_TKS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+fi
+
+# This script must be run as root!
+RV=0
+if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$PROG_NAME'!"
+ if [ "${command}" != "status" ]; then + # 4 user had insufficient privilege + exit 4 + else + # 4 program or service status is unknown + exit 4 + fi +fi + +PKI_INSTANCE_TYPES="apache tomcat" +PKI_REGISTRY_ENTRIES="" +PKI_SUBSYSTEMS="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI web server type +for INSTANCE in ${PKI_REGISTRY}/*; do + if [ -d "$INSTANCE" ] ; then + for REGISTRY in ${INSTANCE}/*; do + if [ -f "$REGISTRY" ] ; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi + done + fi +done + +# Execute the specified registered instance of this PKI web server type +if [ -n "${pki_instance_id}" ]; then + for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do + if [ "`basename ${INSTANCE}`" == "${pki_instance_id}" ]; then + PKI_REGISTRY_ENTRIES="${INSTANCE}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +usage_systemd() +{ + echo -n "Usage: /usr/bin/pkidaemon " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "instance-type " + echo -n "[instance-name]" + echo + echo +} + +list_systemd_instance_types() +{ + echo + for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do + echo " $PKI_INSTANCE_TYPE" + done + echo +} + +list_instances() +{ + echo + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + echo " $instance_name" + done + echo +} + +list_systemd_instances() +{ + echo + for INSTANCE in /etc/sysconfig/pki/apache/*; do + if [ -d "${INSTANCE}" ] ; 
then + instance_name=`basename ${INSTANCE}` + echo " $instance_name" + fi + done + for INSTANCE in /etc/sysconfig/pki/tomcat/*; do + if [ -d "${INSTANCE}" ] ; then + instance_name=`basename ${INSTANCE}` + echo " $instance_name" + fi + done + echo +} + +get_subsystems() +{ + # Re-initialize PKI_SUBSYSTEMS for each instance + PKI_SUBSYSTEMS="" + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + if [ '${PKI_SUBSYSTEMS}' == "" ] ; then + PKI_SUBSYSTEMS="${SUBSYSTEM}" + else + PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" + fi + fi + done + ;; + apache) + for SUBSYSTEM in ra tps; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + if [ '${PKI_SUBSYSTEMS}' == "" ] ; then + PKI_SUBSYSTEMS="${SUBSYSTEM}" + else + PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" + fi + fi + done + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +# Check arguments +if [ $SYSTEMD ]; then + if [ $# -lt 2 ] ; then + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + exit 2 + elif [ $# -gt 3 ] ; then + echo "$PROG_NAME: Excess arguments!" 
+ echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +else + if [ $# -lt 1 ] ; then + # 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 2 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance_id}" ]; then + valid=0 + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + if [ "${pki_instance_id}" == "${instance_name}" ]; then + valid=1 + break + fi + done + if [ $valid -eq 0 ]; then + if [ "${pki_instance_type}" != "apache" ] && + [ "${pki_instance_type}" != "tomcat" ]; then + echo -n "unknown instance type (${pki_instance_type})" + else + echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" + fi + if [ ! 
$SYSTEMD ]; then + echo_failure + fi + echo + + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +check_pki_configuration_status() +{ + rv=0 + + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` + rv=`expr ${rv} + 0` + fi + done + ;; + apache) + # TBD + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac + + if [ $rv -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # 6 program is not configured + rv=6 + else + # 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" + echo + if [ "${command}" != "status" ]; then + # 1 generic or unspecified error (current practice) + rv=1 + else + # 4 program or service status is unknown + rv=4 + fi + fi + + return $rv +} + +get_pki_status_definitions() +{ + case $PKI_WEB_SERVER_TYPE in + tomcat) + PKI_SERVER_XML_CONF=${PKI_INSTANCE_PATH}/conf/server.xml + get_pki_status_definitions_tomcat + return $? + ;; + ra) + get_pki_status_definitions_ra + return $? + ;; + tps) + get_pki_status_definitions_tps + return $? + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +get_pki_status_definitions_ra() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! 
-f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tps() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" 
+ exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" + echo " (ESC Security Officer Workstation)" + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" + echo " (TPS Roles - Operator/Administrator/Agent)" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tomcat() +{ + # establish well-known strings + begin_pki_status_comment="" + begin_ca_status_comment="" + begin_kra_status_comment="" + begin_ocsp_status_comment="" + begin_tks_status_comment="" + end_pki_status_comment="" + total_ports=0 + unsecure_port_statement="Unsecure Port" + secure_agent_port_statement="Secure Agent Port" + secure_ee_port_statement="Secure EE Port" + secure_ee_client_auth_port_statement="EE Client 
Auth Port" + secure_admin_port_statement="Secure Admin Port" + pki_console_port_statement="PKI Console Port" + tomcat_port_statement="Tomcat Port" + + # initialize looping variables + pki_status_comment_found=0 + display_pki_ca_status_banner=0 + display_pki_kra_status_banner=0 + display_pki_ocsp_status_banner=0 + display_pki_tks_status_banner=0 + process_pki_ca_status=0 + process_pki_kra_status=0 + process_pki_ocsp_status=0 + process_pki_tks_status=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then + echo "File '${PKI_SERVER_XML_CONF}' does not exist!" + exit ${default_error} + fi + + # identify all PKI subsystems present within this PKI instance + if [ -e ${PKI_INSTANCE_PATH}/ca ]; then + display_pki_ca_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/kra ]; then + display_pki_kra_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then + display_pki_ocsp_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/tks ]; then + display_pki_tks_status_banner=1 + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current PKI Status Definitions + exec < ${PKI_SERVER_XML_CONF} + while read line; do + # first look for the well-known end PKI Status comment + # (to turn off processing) + if [ "$line" == "$end_pki_status_comment" ] ; then + # always turn off processing TKS status at this point + process_pki_tks_status=0 + pki_status_comment_found=0 + break; + fi + + # then look for the well-known begin PKI Status comment + # (to turn on processing) + if [ "$line" == "$begin_pki_status_comment" ] ; then + pki_status_comment_found=1 + fi + + # once the well-known begin PKI Status comment has been found, + # begin processing to obtain all of the PKI Status Definitions + if [ $pki_status_comment_found -eq 1 ] ; then + head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` + if [ "$line" == "$begin_ca_status_comment" ] ; then + if [ 
$display_pki_ca_status_banner -eq 1 ] ; then + # print CA Status Definition banner + echo + echo " [CA Status Definitions]" + # turn on processing CA status at this point + process_pki_ca_status=1 + fi + elif [ "$line" == "$begin_kra_status_comment" ] ; then + # always turn off processing CA status at this point + process_pki_ca_status=0 + if [ $display_pki_kra_status_banner -eq 1 ] ; then + # print DRM Status Definition banner + echo + echo " [DRM Status Definitions]" + # turn on processing DRM status at this point + process_pki_kra_status=1 + fi + elif [ "$line" == "$begin_ocsp_status_comment" ] ; then + # always turn off processing DRM status at this point + process_pki_kra_status=0 + if [ $display_pki_ocsp_status_banner -eq 1 ] ; then + # print OCSP Status Definition banner + echo + echo " [OCSP Status Definitions]" + # turn on processing OCSP status at this point + process_pki_ocsp_status=1 + fi + elif [ "$line" == "$begin_tks_status_comment" ] ; then + # always turn off processing OCSP status at this point + process_pki_ocsp_status=0 + if [ $display_pki_tks_status_banner -eq 1 ] ; then + # print TKS Status Definition banner + echo + echo " [TKS Status Definitions]" + # turn on processing TKS status at this point + process_pki_tks_status=1 + fi + elif [ $process_pki_ca_status -eq 1 ] || + [ $process_pki_kra_status -eq 1 ] || + [ $process_pki_ocsp_status -eq 1 ] || + [ $process_pki_tks_status -eq 1 ] ; then + # look for a PKI Status Definition and print it + if [ "$head" == "$unsecure_port_statement" ] || + [ "$head" == "$secure_agent_port_statement" ] || + [ "$head" == "$secure_ee_port_statement" ] || + [ "$head" == "$secure_admin_port_statement" ] || + [ "$head" == "$secure_ee_client_auth_port_statement" ] || + [ "$head" == "$pki_console_port_statement" ] || + [ "$head" == "$tomcat_port_statement" ] ; then + echo " $line" + total_ports=`expr ${total_ports} + 1` + fi + fi + fi + done + + return 0; +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI 
Subsystem Type + line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + 
pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" 
!= "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " [${pki_subsystem} Configuration Definitions]" + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +display_configuration_information() +{ + result=0 + check_pki_configuration_status + rv=$? + if [ $rv -eq 0 ] ; then + get_pki_status_definitions + rv=$? 
+ if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_subsystems + for SUBSYSTEM in ${PKI_SUBSYSTEMS}; do + PKI_SUBSYSTEM_CONFIGURATION_FILE="${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg" + get_pki_configuration_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found for ${SUBSYSTEM}" + fi + done + fi + fi + return $result +} + +display_instance_status_systemd() +{ + echo -n "Status for ${PKI_INSTANCE_ID}: " + systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 + rv=$? + + if [ $rv -eq 0 ] ; then + echo "$PKI_INSTANCE_ID is running .." + display_configuration_information + else + echo "$PKI_INSTANCE_ID is stopped" + fi + + return $rv +} + +display_instance_status() +{ + # Verify there is an initscript for this instance + if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then + # 4 program or service status is unknown + return 4 + fi + + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT status + rv=$? + + if [ $rv -eq 0 ] ; then + display_configuration_information + fi + + return $rv +} + +make_symlink() +{ + symlink="${1}" + target="${2}" + user="${3}" + group="${4}" + + rv=0 + + echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ." + # Check to make certain that the expected target exists. + # + # NOTE: The symbolic link does NOT exist at this point. + # + if [ -e ${target} ]; then + # Check that the expected target is fully resolvable! + if [ ! `readlink -qe ${target}` ]; then + # Issue an ERROR that the target to which the + # symbolic link is expected to point is NOT fully resolvable! + echo "ERROR: Failed making '${symlink}' -> '${target}'"\ + "since target '${target}' is NOT fully resolvable!" + rv=1 + else + # Attempt to create a symbolic link and 'chown' it. + ln -s ${target} ${symlink} + rv=$? + if [ $rv -eq 0 ]; then + # NOTE: Ignore 'chown' errors. 
+ chown -h ${user}:${group} ${symlink} + echo "SUCCESS: Created '${symlink}' -> '${target}'" + else + echo "ERROR: Failed to create '${symlink}' -> '${target}'!" + rv=1 + fi + fi + else + # Issue an ERROR that the target to which the + # symbolic link is expected to point does NOT exist. + echo "ERROR: Failed making '${symlink}' -> '${target}'"\ + "since target '${target}' does NOT exist!" + rv=1 + fi + + return $rv +} + +check_symlinks() +{ + # declare -p symlinks + path="${1}" + user="${2}" + group="${3}" + + rv=0 + + # process key/value pairs (symlink/target) in the associative array + for key in "${!symlinks[@]}" + do + symlink="${path}/${key}" + target=${symlinks[${key}]} + if [ -e ${symlink} ]; then + if [ -h ${symlink} ]; then + current_target=`readlink ${symlink}` + # Verify that the current target to which the + # symlink points is the expected target + if [ ${current_target} == ${target} ]; then + # Check to make certain that the expected target exists. + if [ -e ${target} ]; then + # Check that the expected target is fully resolvable! + if [ ! `readlink -qe ${target}` ]; then + # Issue an ERROR that the target to which the + # symbolic link is expected to point is NOT + # fully resolvable! + echo "WARNING: Symbolic link '${symlink}'"\ + "exists, but is a dangling symlink!"\ + echo "ERROR: Unable to create"\ + "'${symlink}' -> '${target}'"\ + "since target '${target}' is NOT fully"\ + "resolvable!" + rv=1 + else + # ALWAYS run 'chown' on an existing '${symlink}' + # that points to a fully resolvable '${target}' + # + # NOTE: Ignore 'chown' errors. + # + chown -h ${user}:${group} ${symlink} + # echo "SUCCESS: '${symlink}' -> '${target}'" + fi + else + # Issue an ERROR that the target to which the + # symbolic link is expected to point does NOT exist. + echo "WARNING: Symbolic link '${symlink}'"\ + "exists, but is a dangling symlink!"\ + echo "ERROR: Unable to create"\ + "'${symlink}' -> '${target}'"\ + "since target '${target}' does NOT exist!" 
+ rv=1 + fi + else + # Attempt to remove this symbolic link and + # issue a WARNING that a new symbolic link is + # being created to point to the expected target + # rather than the current target to which it + # points. + echo "WARNING: Attempting to change symbolic link"\ + "'${symlink}' to point to target '${target}'"\ + "INSTEAD of current target '${current_target}'!" + rm ${symlink} + rv=$? + if [ $rv -ne 0 ]; then + echo "ERROR: Failed to remove"\ + "'${symlink}' -> '${current_target}'!" + rv=1 + else + echo "INFO: Removed"\ + "'${symlink}' -> '${current_target}'!" + # Attempt to create the symbolic link and chown it. + make_symlink ${symlink} ${target} ${user} ${group} + rv=$? + fi + fi + elif [ -f ${symlink} ]; then + # Issue a WARNING that the administrator may have replaced + # the symbolic link with a file for debugging purposes. + echo "WARNING: '${symlink}' exists but is NOT a symbolic link!" + else + # Issue an ERROR that the symbolic link has been replaced + # by something unusable (such as a directory). + echo "ERROR: '${symlink}' exists but is NOT a symbolic link!" + rv=1 + fi + else + # Issue a WARNING that this symbolic link does not exist. + echo "WARNING: Symbolic link '${symlink}' does NOT exist!" + # Attempt to create the symbolic link and chown it. + make_symlink ${symlink} ${target} ${user} ${group} + rv=$? + fi + done + + return $rv +} + +# Detect and correct any missing or incorrect symlinks. 
+# +# Use the following command to locate PKI 'instance' symlinks: +# +# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file +# +verify_symlinks() +{ + # declare associative arrays + declare -A base_symlinks + declare -A root_symlinks + declare -A ca_symlinks + declare -A kra_symlinks + declare -A ocsp_symlinks + declare -A tks_symlinks + declare -A common_jar_symlinks + declare -A ca_jar_symlinks + declare -A kra_jar_symlinks + declare -A ocsp_jar_symlinks + declare -A tks_jar_symlinks + declare -A systemd_symlinks + + # Dogtag 10 Conditional Variables + jni_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` + + # Dogtag 10 Symbolic Link Target Variables + java_dir="/usr/share/java" + pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service" + systemd_dir="/lib/systemd/system" + + # Dogtag 10 Symbolic Link Variables + pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib" + pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" + pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" + pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" + pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" + pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" + pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" + pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" + + # '${PKI_INSTANCE_PATH}' symlinks + base_symlinks=( + [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias + [bin]=/usr/share/tomcat/bin + [conf]=/etc/pki/${PKI_INSTANCE_ID} + [logs]=/var/log/pki/${PKI_INSTANCE_ID}) + + # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership) + root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd + + # '${PKI_INSTANCE_PATH}/ca' symlinks + ca_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_ca_jar_dir}' symlinks + 
ca_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) + + # '${PKI_INSTANCE_PATH}/kra' symlinks + kra_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_kra_jar_dir}' symlinks + kra_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) + + # '${PKI_INSTANCE_PATH}/ocsp' symlinks + ocsp_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_ocsp_jar_dir}' symlinks + ocsp_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) + + # '${PKI_INSTANCE_PATH}/tks' symlinks + tks_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_tks_jar_dir}' symlinks + 
tks_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-tks.jar]=${java_dir}/pki/pki-tks.jar) + + # '${pki_common_jar_dir}' symlinks + common_jar_symlinks=( + [apache-commons-codec.jar]=${java_dir}/commons-codec.jar + [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar + [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar + [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar + [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar + [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar + [javassist.jar]=${java_dir}/javassist.jar + [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar + [jettison.jar]=${java_dir}/jettison.jar + [jss4.jar]=${jni_dir}/jss4.jar + [ldapjdk.jar]=${java_dir}/ldapjdk.jar + [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar + [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar + [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar + [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar + [resteasy-jettison-provider.jar]=${RESTEASY_LIB}/resteasy-jettison-provider.jar + [scannotation.jar]=${java_dir}/scannotation.jar + [tomcatjss.jar]=${java_dir}/tomcatjss.jar + [velocity.jar]=${java_dir}/velocity.jar + [xerces-j2.jar]=${java_dir}/xerces-j2.jar + [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar + [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar) + + if [ -e ${PKI_INSTANCE_PATH}/tks ]; then + common_jar_symlinks[symkey.jar]=${jni_dir}/symkey.jar + fi + + # '${pki_systemd_dir}' symlinks + systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service} + + # Detect and correct 'Tomcat' symbolic links + # + # (1) convert the specified associative array into a 
string + # (2) create a new global 'symlinks' associative array from this + # specified string which will be used by the "check_symlinks()" + # subroutine + # (3) call "check_symlinks()" with the appropriate arguments to + # detect and correct this specified associative array; + # "check_symlinks()" returns 0 on success and 1 on failure + # + if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then + # Detect and correct 'base_symlinks' + base_symlinks_string=$(declare -p base_symlinks) + eval "declare -A symlinks=${base_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + + # Detect and correct 'root_symlinks' + root_symlinks_string=$(declare -p root_symlinks) + eval "declare -A symlinks=${root_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH} "root" "root" + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + + if [ -e ${PKI_INSTANCE_PATH}/ca ]; then + # Detect and correct 'ca_symlinks' + ca_symlinks_string=$(declare -p ca_symlinks) + eval "declare -A symlinks=${ca_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + # Detect and correct 'ca_jar_symlinks' + ca_jar_symlinks_string=$(declare -p ca_jar_symlinks) + eval "declare -A symlinks=${ca_jar_symlinks_string#*=}" + check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + fi + + if [ -e ${PKI_INSTANCE_PATH}/kra ]; then + # Detect and correct 'kra_symlinks' + kra_symlinks_string=$(declare -p kra_symlinks) + eval "declare -A symlinks=${kra_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP} + rv=$? 
+ if [ $rv -ne 0 ]; then + return $rv + fi + # Detect and correct 'kra_jar_symlinks' + kra_jar_symlinks_string=$(declare -p kra_jar_symlinks) + eval "declare -A symlinks=${kra_jar_symlinks_string#*=}" + check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + fi + + if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then + # Detect and correct 'ocsp_symlinks' + ocsp_symlinks_string=$(declare -p ocsp_symlinks) + eval "declare -A symlinks=${ocsp_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + # Detect and correct 'ocsp_jar_symlinks' + ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks) + eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}" + check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + fi + + if [ -e ${PKI_INSTANCE_PATH}/tks ]; then + # Detect and correct 'tks_symlinks' + tks_symlinks_string=$(declare -p tks_symlinks) + eval "declare -A symlinks=${tks_symlinks_string#*=}" + check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + # Detect and correct 'tks_jar_symlinks' + tks_jar_symlinks_string=$(declare -p tks_jar_symlinks) + eval "declare -A symlinks=${tks_jar_symlinks_string#*=}" + check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + fi + + # Detect and correct 'common_jar_symlinks' + common_jar_symlinks_string=$(declare -p common_jar_symlinks) + eval "declare -A symlinks=${common_jar_symlinks_string#*=}" + check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? 
+ if [ $rv -ne 0 ]; then + return $rv + fi + + # Detect and correct 'systemd_symlinks' + systemd_symlinks_string=$(declare -p systemd_symlinks) + eval "declare -A symlinks=${systemd_symlinks_string#*=}" + check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP} + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + fi + + return 0 +} + +start_instance() +{ + rv=0 + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + # Verify symbolic links (detecting and correcting them if possible) + verify_symlinks + rv=$? + if [ $rv -ne 0 ] ; then + return $rv + fi + + # Invoke the initscript for this instance + case $PKI_WEB_SERVER_TYPE in + tomcat) + + # Generate catalina.policy dynamically. + cat /usr/share/pki/server/conf/catalina.policy \ + /usr/share/tomcat/conf/catalina.policy \ + /usr/share/pki/server/conf/pki.policy \ + /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \ + /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy + + # We must export the service name so that the systemd version + # of the tomcat init script knows which instance specific + # configuration file to source. + export SERVICE_NAME=$PKI_INSTANCE_ID + $PKI_INSTANCE_INITSCRIPT start + rv=$? + ;; + apache) + $PKI_INSTANCE_INITSCRIPT start + rv=$? + ;; + esac + + if [ $rv -ne 0 ] ; then + return $rv + fi + + # On Tomcat subsystems, make certain that the service has started + case $PKI_WEB_SERVER_TYPE in + tomcat) + count=0 + tries=30 + port=${PKI_UNSECURE_PORT} + while [ $count -lt $tries ] + do + netstat -antl | grep ${port} > /dev/null + netrv=$? + if [ $netrv -eq 0 ] ; then + break; + fi + sleep 1 + let count=$count+1; + done + if [ $netrv -ne 0 ] ; then + return 1 + fi + ;; + esac + + if [ $rv -eq 0 ] ; then + # From the PKI point of view a returned error code of 6 implies + # that the program is not "configured". An error code of 1 implies + # that the program was "configured" but must still be restarted. 
+ # + # If the return code is 6 return this value unchanged to the + # calling routine so that the total number of configuration errors + # may be counted. Other return codes are ignored. + # + check_pki_configuration_status + rv=$? + if [ $rv -eq 6 ]; then + # 6 program is not configured + return 6 + else + # 0 success + return 0 + fi + fi + return $rv +} + +stop_instance() +{ + rv=0 + + export SERVICE_NAME=$PKI_INSTANCE_ID + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT stop + rv=$? + + # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks + # that were previously associated with the Tomcat 'pid' and 'lock' files. + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ -f ${PKI_PIDFILE} ]; then + rm -f ${PKI_PIDFILE} + fi + ;; + esac + + return $rv +} + +start() +{ + error_rv=0 + rv=0 + config_errors=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then + echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:" + fi + + # Start every PKI instance of this type that isn't already running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + start_instance + rv=$? + if [ $rv = 6 ] ; then + # Since at least ONE configuration error exists, then there + # is at least ONE unconfigured instance from the PKI point + # of view. + # + # However, it must still be considered that the + # instance is "running" from the point of view of other + # OS programs such as 'chkconfig'. + # + # Therefore, ignore non-zero return codes resulting + # from configuration errors. 
+ # + + config_errors=`expr $config_errors + 1` + rv=0 + elif [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then + touch ${lockfile} + chmod 00600 ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + # NOTE: "bad" return code(s) OVERRIDE configuration errors! + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances failed to start!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +stop() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" + fi + + # Shutdown every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + stop_instance + rv=$? 
+ if [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${errors} -eq 0 ] ; then + rm -f ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully stopped!" + echo + fi + + echo + echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +restart() +{ + stop + sleep 2 + start + + return $? +} + +registry_status() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 4 program or service status is unknown + return 4 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" + fi + + # Obtain status of every PKI instance of this type + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ $SYSTEMD ]; then + display_instance_status_systemd + else + display_instance_status + fi + rv=$? + ;; + apache) + display_instance_status + rv=$? 
+ ;; + esac + if [ $rv -ne 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "4 - program or service status is unknown" + rv=4 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances reported status failures!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + diff --git a/base/server/scripts/pkidaemon b/base/server/scripts/pkidaemon new file mode 100755 index 000000000..3e1d27a40 --- /dev/null +++ b/base/server/scripts/pkidaemon 
@@ -0,0 +1,78 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# + +PROG_NAME=`basename $0` +SERVICE_NAME="pkidaemon" +SERVICE_PROG="/bin/systemctl" + +command="$1" +pki_instance_type="$2" +pki_instance_id="$3" + +PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}" +PKI_TYPE="${pki_instance_type}" +PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d" +SYSTEMD=1 + +# Source the PKI function library +. /usr/share/pki/scripts/operations + +# See how we were called. +case $command in + status) + registry_status + exit $? + ;; + start) + start + exit $? + ;; + restart) + restart + exit $? + ;; + stop) + echo "An exit status of '143' refers to the 'systemd' method of using"\ + "'SIGTERM' to shutdown a Java process and can safely be ignored." + stop + exit $? + ;; + condrestart|force-restart|try-restart) + [ ! -f ${lockfile} ] || restart + echo "The '${command}' action is TBD." + exit $? + ;; + reload) + echo "The 'reload' action is an unimplemented feature." + exit ${default_error} + ;; + *) + echo "unknown action ($command)" + echo + usage_systemd + echo "where valid instance types include:" + list_instance_types + echo "and where valid instance names include:" + list_systemd_instances + exit ${default_error} + ;; +esac + 
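Review bot: In the `condrestart|force-restart|try-restart` branch the final `exit $?` reports the status of the preceding `echo`, not of `restart`, so a failed conditional restart always exits 0 to systemd; capture the status first with `[ ! -f "${lockfile}" ] || restart; rv=$?` and end the branch with `exit $rv`. `pki_instance_type="$2"` is also interpolated unvalidated into `PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}"` and `PKI_SYSTEMD_TARGET` before `/usr/share/pki/scripts/operations` is sourced, and that library's `start`/`stop`/`registry_status` loops then source whatever registry entries they derive from that path (`. ${PKI_REGISTRY_ENTRY}`); a `case` whitelist accepting only `tomcat|apache` and exiting with `${default_error}` otherwise would bound what this script, which evidently runs as root given the `chown` and systemd-unit symlink work in `operations`, can source. `pki_instance_id="$3"` is assigned but never referenced in this file, so it is either consumed by the sourced library or dead. `lockfile` and `default_error` are likewise undefined here and presumably come from `operations`, which deserves a one-line comment so a reader does not take them for unset variables.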
diff --git a/base/server/src/engine/pkiconfig.py b/base/server/src/engine/pkiconfig.py
new file mode 100644
index 000000000..ad6c22251
--- /dev/null
+++ b/base/server/src/engine/pkiconfig.py
@@ -0,0 +1,185 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+import re
+
+# PKI Deployment Constants
+PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS = 00755
+PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770
+PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770
+PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660
+PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600
+PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
+PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
+PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
+
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
+PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
+PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
+PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
+PKI_TOMCAT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS"]
+PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra",
+ "lib", "logs", "ocsp", "temp", "tks", "webapps",
+ "work"]
+PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg",
+ "rsyslog", "tls"]
+PKI_APACHE_REGISTRY_RESERVED_NAMES = ["ra", "tps"]
+PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks"] + +PKI_INDENTATION_LEVEL_0 = {'indent' : ''} +PKI_INDENTATION_LEVEL_1 = {'indent' : '... '} +PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '} +PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} +PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} + +PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\ + "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" + +PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" +PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" +# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! +PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki" +PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki" +# NOTE: Well-known 'registry root', default 'instance', and default +# 'configuration file' names MUST be created in order to potentially +# obtain an instance-specific configuration file +# (presuming one has not been specified during command-line parsing) +# because command-line parsing happens prior to reading any +# configuration files. Although the 'registry root' MUST remain fixed, +# the default 'instance' name may be overridden by the value specified +# in the configuration file (the value in the default configuration file +# should always match the 'default' instance name specified below). 
+PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache" +PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat" + +DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg" +USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg" + +PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\ + PKI_DEPLOYMENT_CONFIGURATION_ROOT + "/" + DEFAULT_DEPLOYMENT_CONFIGURATION +PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ + PKI_DEPLOYMENT_SOURCE_ROOT + "/deployment/config/pkislots.cfg" + +# subtypes of PKI subsystems +PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned" +PKI_DEPLOYMENT_EXTERNAL_CA = "External" +PKI_DEPLOYMENT_SUBORDINATE_CA = "Subordinate" + +# default ports (for defined selinux policy) +PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT = 8080 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009 + +# PKI Deployment Global Variables +pki_install_time = None +pki_timestamp = None +pki_architecture = None +pki_hostname = None + + +# PKI Deployment Command-Line Variables +pki_deployment_executable = None + +# PKI Deployment "Mandatory" Command-Line Variables +pki_subsystem = None +# 'pkispawn' ONLY +default_deployment_cfg = None +user_deployment_cfg = None +# 'pkidestroy' ONLY +pki_deployed_instance_name = None +pki_secdomain_user = None +pki_secdomain_pass = None + +# PKI Deployment "Optional" Command-Line Variables +# 'pkispawn' ONLY +pki_update_flag = False + +# PKI Deployment "Test" Command-Line Variables +pki_root_prefix = None + + +# PKI Deployment Helper Functions +def str2bool(string): + return string.lower() in ("yes", "true", "t", "1") + +# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)' +# and 'wait_to_attach_an_external_java_debugger(master)' functions, +# change 'pki_enable_java_debugger=False' to +# 'pki_enable_java_debugger=True' in the appropriate +# deployment configuration file. 
+def prepare_for_an_external_java_debugger(instance): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" + print "'%s':" % instance + print + print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" + print " \"address=8000,server=y,suspend\"" + print + raw_input("Enable external java debugger 'JAVA_OPTS' "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + +def wait_to_attach_an_external_java_debugger(): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "Attach the java debugger to this process on the port specified by" + print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and" + print "set any desired breakpoints" + print + raw_input("Please attach an external java debugger "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + + +# PKI Deployment Logger Variables +pki_log = None +pki_log_dir = None +pki_log_name = None +pki_log_level = None +pki_console_log_level = None + + +# PKI Deployment Global Dictionaries +pki_master_dict = {} +pki_slots_dict = None + +# PKI Selinux Constants and parameters +PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" +PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t" +PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" +PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t" +PKI_PORT_SELINUX_CONTEXT = "http_port_t" +pki_selinux_config_ports = [] diff --git a/base/server/src/engine/pkihelper.py b/base/server/src/engine/pkihelper.py new file mode 100644 index 000000000..df71978ed --- /dev/null +++ b/base/server/src/engine/pkihelper.py 
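Review bot: The `JAVA_OPTS` hint printed by `prepare_for_an_external_java_debugger` (`address=8000,server=y,suspend`) instructs the administrator to open an unauthenticated JDWP listener that, on the JDKs of this era, binds to every interface of the Tomcat subsystem JVM, and JDWP hands anyone who can reach that port arbitrary code execution in the CA/KRA process; the printed lines should bind to loopback and the NOTE above the function should say the option must be removed again before the instance returns to service, e.g. `print "  JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""` followed by `print "            \"address=localhost:8000,server=y,suspend=y\""`. The bare `suspend` in the current text also appears to be missing its `=y`/`=n` value, so the option as printed is likely rejected by the JVM. `pki_secdomain_pass` is a plaintext credential held in a module-level global for the life of the process; a `# NOTE: plaintext security-domain password -- never log or dump this module's globals` comment beside it would warn maintainers. `PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE` still resolves to `/usr/share/pki/deployment/config/pkislots.cfg` while this commit relocates the tree under `base/server` (the `operations` hunk already reads from `/usr/share/pki/server/conf/`), so the installed location is worth confirming.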
@@ -0,0 +1,3397 @@
+#!/usr/bin/python -t
+
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import errno
+import sys
+import os
+import fileinput
+import pickle
+import random
+import re
+import requests
+import shutil
+import string
+import subprocess
+import time
+from datetime import datetime
+from grp import getgrgid
+from grp import getgrnam
+from pwd import getpwnam
+from pwd import getpwuid
+import xml.etree.ElementTree as ET
+import zipfile
+import selinux
+if selinux.is_selinux_enabled():
+ import seobject
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_slots_dict as slots
+from pkiconfig import pki_selinux_config_ports as ports
+import pkimanifest as manifest
+import pkimessages as log
+from pkiparser import PKIConfigParser
+import pki.account
+import pki.client
+import pki.system
+
+# PKI Deployment Helper Functions
+def pki_copytree(src, dst, symlinks=False, ignore=None):
+ """Recursively copy a directory tree using copy2().
+
+ PATCH: This code was copied from 'shutil.py' and patched to
+ allow 'The destination directory to already exist.'
+
+ If exception(s) occur, an Error is raised with a list of reasons.
+
+ If the optional symlinks flag is true, symbolic links in the
+ source tree result in symbolic links in the destination tree; if
+ it is false, the contents of the files pointed to by symbolic
+ links are copied.
+
+ The optional ignore argument is a callable. If given, it
+ is called with the `src` parameter, which is the directory
+ being visited by pki_copytree(), and `names` which is the list of
+ `src` contents, as returned by os.listdir():
+
+ callable(src, names) -> ignored_names
+
+ Since pki_copytree() is called recursively, the callable will be
+ called once for each directory that is copied. It returns a
+ list of names relative to the `src` directory that should
+ not be copied.
+
+ XXX Consider this example code rather than the ultimate tool.
+
+ """
+ names = os.listdir(src)
+ if ignore is not None:
+ ignored_names = ignore(src, names)
+ else:
+ ignored_names = set()
+
+ # PATCH: ONLY execute 'os.makedirs(dst)' if the top-level
+ # destination directory does NOT exist!
+ if not os.path.exists(dst):
+ os.makedirs(dst)
+ errors = []
+ for name in names:
+ if name in ignored_names:
+ continue
+ srcname = os.path.join(src, name)
+ dstname = os.path.join(dst, name)
+ try:
+ if symlinks and os.path.islink(srcname):
+ linkto = os.readlink(srcname)
+ os.symlink(linkto, dstname)
+ elif os.path.isdir(srcname):
+ pki_copytree(srcname, dstname, symlinks, ignore)
+ else:
+ # Will raise a SpecialFileError for unsupported file types
+ shutil.copy2(srcname, dstname)
+ # catch the Error from the recursive pki_copytree so that we can
+ # continue with other files
+ except Error, err:
+ errors.extend(err.args[0])
+ except EnvironmentError, why:
+ errors.append((srcname, dstname, str(why)))
+ try:
+ shutil.copystat(src, dst)
+ except OSError, why:
+ if WindowsError is not None and isinstance(why, WindowsError):
+ # Copying file access times may fail on Windows
+ pass
+ else:
+ errors.extend((src, dst, str(why)))
+ if errors:
+ raise Error, errors
+
+# PKI Deployment 
Identity Class +class identity: + def __add_gid(self, pki_group): + pki_gid = None + try: + # Does the specified 'pki_group' exist? + pki_gid = getgrnam(pki_group)[2] + # Yes, group 'pki_group' exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid, + extra=config.PKI_INDENTATION_LEVEL_2) + except KeyError as exc: + # No, group 'pki_group' does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known GID already defined? + group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0] + # Yes, the default well-known GID exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2, + group, config.PKI_DEPLOYMENT_DEFAULT_GID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known GID does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_group' the default well-known group? + if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP: + # Yes, attempt to create the default well-known group + # using the default well-known GID. + command = "/usr/sbin/groupadd" + " " +\ + "-g" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\ + "-r" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + # Execute this "groupadd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def __add_uid(self, pki_user, pki_group): + pki_uid = None + try: + # Does the specified 'pki_user' exist? 
+ pki_uid = getpwnam(pki_user)[2] + # Yes, user 'pki_user' exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_2) + # NOTE: For now, never check validity of specified 'pki_group'! + except KeyError as exc: + # No, user 'pki_user' does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known UID already defined? + user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0] + # Yes, the default well-known UID exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2, + user, config.PKI_DEPLOYMENT_DEFAULT_UID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known UID does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_user' the default well-known user? + if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER: + # Yes, attempt to create the default well-known user + # using the default well-known UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + "-u" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\ + "-r" + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_user' using a random UID. 
+ command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + # Execute this "useradd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def add_uid_and_gid(self, pki_user, pki_group): + self.__add_gid(pki_group) + self.__add_uid(pki_user, pki_group) + return + + def get_uid(self, critical_failure=True): + try: + pki_uid = master['pki_uid'] + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_uid + + def get_gid(self, critical_failure=True): + try: + pki_gid = master['pki_gid'] + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_gid + + def set_uid(self, name, critical_failure=True): + try: + config.pki_log.debug(log.PKIHELPER_USER_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # id -u + pki_uid = getpwnam(name)[2] + master['pki_uid']=pki_uid + config.pki_log.debug(log.PKIHELPER_UID_2, name, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_3) + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_uid + + def set_gid(self, name, critical_failure=True): + try: + config.pki_log.debug(log.PKIHELPER_GROUP_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # id -g + pki_gid = getgrnam(name)[2] + master['pki_gid']=pki_gid + config.pki_log.debug(log.PKIHELPER_GID_2, name, pki_gid, + 
extra=config.PKI_INDENTATION_LEVEL_3)
+ except KeyError as exc:
+ config.pki_log.error(log.PKI_KEYERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return pki_gid
+
+
+# PKI Deployment Namespace Class
+class namespace:
+ # Silently verify that the selected 'pki_instance_name' will
+ # NOT produce any namespace collisions
+ def collision_detection(self):
+ # Run simple checks for pre-existing namespace collisions
+ if os.path.exists(master['pki_instance_path']):
+ if os.path.exists(master['pki_subsystem_path']):
+ # Top-Level PKI base path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_instance_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ else:
+ if os.path.exists(master['pki_target_tomcat_conf_instance_id']):
+ # Top-Level "/etc/sysconfig" path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_target_tomcat_conf_instance_id'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_cgroup_systemd_service']):
+ # Systemd cgroup path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_cgroup_systemd_service_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_cgroup_cpu_systemd_service']):
+ # Systemd cgroup CPU path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_cgroup_cpu_systemd_service_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_log_path']) and\
+ os.path.exists(master['pki_subsystem_log_path']):
+ # Top-Level PKI log path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_instance_log_path'],
+
extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_configuration_path']) and\
+ os.path.exists(master['pki_subsystem_configuration_path']):
+ # Top-Level PKI configuration path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_instance_configuration_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_registry_path']) and\
+ os.path.exists(master['pki_subsystem_registry_path']):
+ # Top-Level PKI registry path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_name'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Run simple checks for reserved name namespace collisions
+ if master['pki_instance_name'] in config.PKI_BASE_RESERVED_NAMES:
+ # Top-Level PKI base path reserved name collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_name'],
+ master['pki_instance_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # No need to check for reserved name under Top-Level PKI log path
+ if master['pki_instance_name'] in config.PKI_CONFIGURATION_RESERVED_NAMES:
+ # Top-Level PKI configuration path reserved name collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_name'],
+ master['pki_instance_configuration_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ # Top-Level Apache PKI registry path reserved name collision
+ if master['pki_instance_name'] in\
+ config.PKI_APACHE_REGISTRY_RESERVED_NAMES:
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_name'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif master['pki_subsystem'] in 
config.PKI_TOMCAT_SUBSYSTEMS:
+ # Top-Level Tomcat PKI registry path reserved name collision
+ if master['pki_instance_name'] in\
+ config.PKI_TOMCAT_REGISTRY_RESERVED_NAMES:
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_name'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+
+# PKI Deployment Configuration File Class
+class configuration_file:
+ def log_configuration_url(self):
+ # NOTE: This is the one and only parameter containing a sensitive
+ # parameter that may be stored in a log file.
+ config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1,
+ master['pki_configuration_url'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1,
+ master['pki_registry_initscript_command'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ def display_configuration_url(self):
+ # NOTE: This is the one and only parameter containing a sensitive
+ # parameter that may be displayed to the screen.
+ print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url']
+ print
+ print log.PKI_CONFIGURATION_RESTART_1 %\
+ master['pki_registry_initscript_command']
+ print
+
+ def verify_sensitive_data(self):
+ # Silently verify the existence of 'sensitive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Verify existence of Directory Server Password (ALWAYS)
+ if not master.has_key('pki_ds_password') or\
+ not len(master['pki_ds_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_ds_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Admin Password (except for Clones)
+ if not config.str2bool(master['pki_clone']):
+ if not master.has_key('pki_admin_password') or\
+ not len(master['pki_admin_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_admin_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # If required, verify existence of Backup Password
+ if config.str2bool(master['pki_backup_keys']):
+ if not master.has_key('pki_backup_password') or\
+ not len(master['pki_backup_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_backup_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Client Pin for NSS client security databases
+ if not master.has_key('pki_client_database_password') or\
+ not len(master['pki_client_database_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
+ "pki_client_database_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Client PKCS #12 Password for Admin Cert
+ if not master.has_key('pki_client_pkcs12_password') or\
+ not len(master['pki_client_pkcs12_password']):
+
config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_client_pkcs12_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of PKCS #12 Password (ONLY for Clones)
+ if config.str2bool(master['pki_clone']):
+ if not master.has_key('pki_clone_pkcs12_password') or\
+ not len(master['pki_clone_pkcs12_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_clone_pkcs12_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Security Domain Password File
+ # (ONLY for Clones, KRA, OCSP, TKS, or Subordinate CA)
+ if config.str2bool(master['pki_clone']) or\
+ not master['pki_subsystem'] == "CA" or\
+ config.str2bool(master['pki_subordinate']):
+ if not master.has_key('pki_security_domain_password') or\
+ not len(master['pki_security_domain_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_security_domain_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # If required, verify existence of Token Password
+ if not master['pki_token_name'] == "internal":
+ if not master.has_key('pki_token_password') or\
+ not len(master['pki_token_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_token_password",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def verify_mutually_exclusive_data(self):
+ # Silently verify the existence of 'mutually exclusive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
+
master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ def verify_predefined_configuration_file_data(self):
+ # Silently verify the existence of any required 'predefined' data
+ #
+ # FUTURE: As much as is possible, alter this routine to verify
+ # ALL name/value pairs for the requested configuration
+ # scenario. This should include checking for the
+ # "existence" of ALL required "name" parameters, as well as
+ # the "existence", "type" (e. g. - string, boolean, number,
+ # etc.), and "correctness" (e. g. - file, directory, boolean
+ # 'True' or 'False', etc.) of ALL required "value" parameters.
+ #
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ if config.str2bool(master['pki_clone']):
+ # Verify existence of clone parameters
+ if not master.has_key('pki_ds_base_dn') or\
+ not len(master['pki_ds_base_dn']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_ds_base_dn",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_ds_ldap_port') or\
+ not len(master['pki_ds_ldap_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. 
- must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_ds_ldap_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_ds_ldaps_port') or\
+ not len(master['pki_ds_ldaps_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. - must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_ds_ldaps_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # NOTE: Although this will be checked prior to getting to
+ # this method, this clone's 'pki_instance_name' MUST
+ # be different from the master's 'pki_instance_name'
+ # IF AND ONLY IF the master and clone are located on
+ # the same host!
+ if not master.has_key('pki_ajp_port') or\
+ not len(master['pki_ajp_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. - must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_ajp_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_http_port') or\
+ not len(master['pki_http_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. - must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_http_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_https_port') or\
+ not len(master['pki_https_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. 
- must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_https_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_tomcat_server_port') or\
+ not len(master['pki_tomcat_server_port']):
+ # FUTURE: Check for unused port value
+ # (e. g. - must be different from master if the
+ # master is located on the same host)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_tomcat_server_port",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_clone_pkcs12_path') or\
+ not len(master['pki_clone_pkcs12_path']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_clone_pkcs12_path",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif not os.path.isfile(master['pki_clone_pkcs12_path']):
+ config.pki_log.error(
+ log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
+ master['pki_clone_pkcs12_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_clone_replication_security') or\
+ not len(master['pki_clone_replication_security']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_clone_replication_security",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_clone_uri') or\
+ not len(master['pki_clone_uri']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_clone_uri",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external']):
+ if not master.has_key('pki_external_step_two') or\
+ not len(master['pki_external_step_two']):
+
config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_external_step_two",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not config.str2bool(master['pki_external_step_two']):
+ # External CA (Step 1)
+ if not master.has_key('pki_external_csr_path') or\
+ not len(master['pki_external_csr_path']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_external_csr_path",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif os.path.exists(master['pki_external_csr_path']) and\
+ not os.path.isfile(master['pki_external_csr_path']):
+ config.pki_log.error(
+ log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
+ master['pki_external_csr_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ else:
+ # External CA (Step 2)
+ if not master.has_key('pki_external_ca_cert_chain_path') or\
+ not len(master['pki_external_ca_cert_chain_path']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_external_ca_cert_chain_path",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif os.path.exists(
+ master['pki_external_ca_cert_chain_path']) and\
+ not os.path.isfile(
+ master['pki_external_ca_cert_chain_path']):
+ config.pki_log.error(
+ log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
+ master['pki_external_ca_cert_chain_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not master.has_key('pki_external_ca_cert_path') or\
+ not len(master['pki_external_ca_cert_path']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
+ "pki_external_ca_cert_path",
+ master['pki_user_deployment_cfg'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif os.path.exists(master['pki_external_ca_cert_path']) and\
+ not os.path.isfile(
+ master['pki_external_ca_cert_path']):
+ config.pki_log.error(
+
log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1,
+ master['pki_external_ca_cert_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def populate_non_default_ports(self):
+ if master['pki_http_port'] != \
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT):
+ ports.append(master['pki_http_port'])
+ if master['pki_https_port'] != \
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT):
+ ports.append(master['pki_https_port'])
+ if master['pki_tomcat_server_port'] != \
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT):
+ ports.append(master['pki_tomcat_server_port'])
+ if master['pki_ajp_port'] != \
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT):
+ ports.append(master['pki_ajp_port'])
+ return
+
+ def verify_selinux_ports(self):
+ # Determine which ports still need to be labelled, and if any are
+ # incorrectly labelled
+ if len(ports) == 0:
+ return
+
+ if not bool(selinux.is_selinux_enabled()):
+ config.pki_log.error(
+ log.PKIHELPER_SELINUX_DISABLED,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return
+
+ portrecs = seobject.portRecords().get_all()
+ portlist = ports[:]
+ for port in portlist:
+ context = ""
+ for i in portrecs:
+ if portrecs[i][0] == "unreserved_port_t" or \
+ portrecs[i][0] == "reserved_port_t" or \
+ i[2] != "tcp":
+ continue
+ if i[0] <= int(port) and int(port) <= i[1]:
+ context = portrecs[i][0]
+ break
+ if context == "":
+ # port has no current context
+ # leave it in list of ports to set
+ continue
+ elif context == config.PKI_PORT_SELINUX_CONTEXT:
+ # port is already set correctly
+ # remove from list of ports to set
+ ports.remove(port)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
+ port, context,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def verify_command_matches_configuration_file(self):
+ # Silently verify that the command-line parameters match the values
+ # that are present in the corresponding configuration file
+ if 
master['pki_deployment_executable'] == 'pkidestroy': + if master['pki_deployed_instance_name'] !=\ + master['pki_instance_name']: + config.pki_log.error( + log.PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2, + master['pki_deployed_instance_name'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + + +# PKI Deployment XML File Class +#class xml_file: +# def remove_filter_section_from_web_xml(self, +# web_xml_source, +# web_xml_target): +# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, +# master['pki_target_subsystem_web_xml'], +# extra=config.PKI_INDENTATION_LEVEL_2) +# begin_filters_section = False +# begin_servlet_section = False +# FILE = open(web_xml_target, "w") +# for line in fileinput.FileInput(web_xml_source): +# if not begin_filters_section: +# # Read and write lines until first "" tag +# if line.count("") >= 1: +# # Mark filters section +# begin_filters_section = True +# else: +# FILE.write(line) +# elif not begin_servlet_section: +# # Skip lines until first "" tag +# if line.count("") >= 1: +# # Mark servlets section and write out the opening tag +# begin_servlet_section = True +# FILE.write(line) +# else: +# continue +# else: +# # Read and write lines all lines after "" tag +# FILE.write(line) +# FILE.close() + + +# PKI Deployment Instance Class +class instance: + def apache_instance_subsystems(self): + rv = 0 + try: + # count number of PKI subsystems present + # within the specified Apache instance + for subsystem in config.PKI_APACHE_SUBSYSTEMS: + path = master['pki_instance_path'] + "/" + subsystem.lower() + if os.path.exists(path) and os.path.isdir(path): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], + rv, extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def apache_instances(self): + rv = 0 + try: + # 
Since ALL directories under the top-level PKI 'apache' registry + # directory SHOULD represent PKI Apache instances, and there + # shouldn't be any stray files or symbolic links at this level, + # simply count the number of PKI 'apache' instances (directories) + # present within the PKI 'apache' registry directory + for instance in\ + os.listdir(master['pki_instance_type_registry_path']): + if os.path.isdir( + os.path.join(master['pki_instance_type_registry_path'], + instance)) and not\ + os.path.islink( + os.path.join(master['pki_instance_type_registry_path'], + instance)): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def pki_instance_subsystems(self): + rv = 0 + try: + # Since ALL directories within the top-level PKI infrastructure + # SHOULD represent PKI instances, look for all possible + # PKI instances within the top-level PKI infrastructure + for instance in os.listdir(master['pki_path']): + if os.path.isdir(os.path.join(master['pki_path'],instance))\ + and not\ + os.path.islink(os.path.join(master['pki_path'],instance)): + dir = os.path.join(master['pki_path'],instance) + # Since ANY directory within this PKI instance COULD + # be a PKI subsystem, look for all possible + # PKI subsystems within this PKI instance + for name in os.listdir(dir): + if os.path.isdir(os.path.join(dir,name)) and\ + not os.path.islink(os.path.join(dir,name)): + if name.upper() in config.PKI_SUBSYSTEMS: + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def 
tomcat_instance_subsystems(self): + # Return list of PKI subsystems in the specified tomcat instance + rv = [] + try: + for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + path = master['pki_instance_path'] + "/" + subsystem.lower() + if os.path.exists(path) and os.path.isdir(path): + rv.append(subsystem) + except OSErr as e: + config.pki_log.error(log.PKI_OSERROR_1, str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def tomcat_instances(self): + rv = 0 + try: + # Since ALL directories under the top-level PKI 'tomcat' registry + # directory SHOULD represent PKI Tomcat instances, and there + # shouldn't be any stray files or symbolic links at this level, + # simply count the number of PKI 'tomcat' instances (directories) + # present within the PKI 'tomcat' registry directory + for instance in\ + os.listdir(master['pki_instance_type_registry_path']): + if os.path.isdir( + os.path.join(master['pki_instance_type_registry_path'], + instance)) and not\ + os.path.islink( + os.path.join(master['pki_instance_type_registry_path'], + instance)): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def verify_subsystem_exists(self): + try: + if not os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def verify_subsystem_does_not_exist(self): + try: + if os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, + master['pki_subsystem'], + master['pki_instance_name'], + 
extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def get_instance_status(self): + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type'], + accept = 'application/xml') + + try: + client = pki.system.SystemStatusClient(self.connection) + response = client.getStatus() + config.pki_log.debug(response, + extra=config.PKI_INDENTATION_LEVEL_3) + + root = ET.fromstring(response) + status = root.findtext("Status") + return status + except requests.exceptions.ConnectionError: + config.pki_log.debug("No connection", + extra=config.PKI_INDENTATION_LEVEL_3) + return None + + def wait_for_startup(self, timeout): + start_time = datetime.today() + status = None + while status != "running": + status = self.get_instance_status() + time.sleep(1); + stop_time = datetime.today() + if (stop_time - start_time).total_seconds() >= timeout: + break + return status + +# PKI Deployment Directory Class +class directory: + def create(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # mkdir -p + config.pki_log.info(log.PKIHELPER_MKDIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.makedirs(name) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + 
record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(name): + if not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each directory whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_DIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # chmod + if not silent: + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + 
extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, name, recursive_flag=True, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isdir(name): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + if recursive_flag == True: + # rm -rf + config.pki_log.info(log.PKIHELPER_RM_RF_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.rmtree(name) + else: + # rmdir + config.pki_log.info(log.PKIHELPER_RMDIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.rmdir(name) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.isdir(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def is_empty(self, name): + try: + if not os.listdir(name): + config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + return True + else: + config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + return False + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def set_mode(self, name, uid=None, gid=None, + dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + symlink_perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, + dir_acls=None, file_acls=None, symlink_acls=None, + 
recursive_flag=True, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + config.pki_log.info( + log.PKIHELPER_SET_MODE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if recursive_flag == True: + for root, dirs, files in os.walk(name): + for name in files: + entity = os.path.join(root, name) + if not os.path.islink(entity): + file = entity + config.pki_log.debug( + log.PKIHELPER_IS_A_FILE_1, file, + extra=config.PKI_INDENTATION_LEVEL_3) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + file_perms, file, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(file, file_perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, file, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(file, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = file_perms + record.acls = file_acls + manifest.database.append(record) + else: + symlink = entity + config.pki_log.debug( + log.PKIHELPER_IS_A_SYMLINK_1, symlink, + extra=config.PKI_INDENTATION_LEVEL_3) + # REMINDER: Due to POSIX compliance, 'lchmod' + # is NEVER implemented on Linux + # systems since 'chmod' CANNOT be + # run directly against symbolic + # links! 
+ # chown -h : + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, symlink, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(symlink, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = symlink_perms + record.acls = symlink_acls + manifest.database.append(record) + for name in dirs: + dir = os.path.join(root, name) + config.pki_log.debug( + log.PKIHELPER_IS_A_DIRECTORY_1, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + dir_perms, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(dir, dir_perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(dir, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = dir_perms + record.acls = dir_acls + manifest.database.append(record) + else: + config.pki_log.debug( + log.PKIHELPER_IS_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_3) + name = os.path.join(root, name) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + dir_perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, dir_perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = dir_perms + 
record.acls = dir_acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + + def copy(self, old_name, new_name, uid=None, gid=None, + dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + symlink_perms=config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, + dir_acls=None, file_acls=None, symlink_acls=None, + recursive_flag=True, overwrite_flag=False, critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isdir(old_name): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if recursive_flag == True: + # cp -rp + config.pki_log.info(log.PKIHELPER_CP_RP_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + # Due to a limitation in the 'shutil.copytree()' + # implementation which requires that + # 'The destination directory must not already exist.', + # an OSError exception is always thrown due to the + # implementation's unchecked call to 'os.makedirs(dst)'. + # Consequently, a 'patched' local copy of this routine has + # been included in this file with the appropriate fix. 
+ pki_copytree(old_name, new_name) + else: + # cp -p + config.pki_log.info(log.PKIHELPER_CP_P_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.copy2(old_name, new_name) + # set ownerships, permissions, and acls + # of newly created top-level directory + self.modify(new_name, uid, gid, dir_perms, dir_acls, + True, critical_failure) + # set ownerships, permissions, and acls + # of contents of newly created top-level directory + self.set_mode(new_name, uid, gid, + dir_perms, file_perms, symlink_perms, + dir_acls, file_acls, symlink_acls, + recursive_flag, critical_failure) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment File Class (also used for executables) +class file: + def create(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # touch + config.pki_log.info(log.PKIHELPER_TOUCH_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + open(name, "w").close() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + 
manifest.database.append(record) + elif not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(name): + if not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each file whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # chmod + if not silent: + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + 
extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, name, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isfile(name): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + # rm -f + config.pki_log.info(log.PKIHELPER_RM_F_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.remove(name) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.isfile(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def copy(self, old_name, new_name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, + overwrite_flag=False, critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isfile(old_name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # cp -p + config.pki_log.info(log.PKIHELPER_CP_P_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.copy2(old_name, new_name) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(new_name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(new_name, 
uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = new_name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def apply_slot_substitution( + self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # applying in-place slot substitutions on + config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, + name, + extra=config.PKI_INDENTATION_LEVEL_2) + for line in fileinput.FileInput(name, inplace=1): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + sys.stdout.write(line) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = 
manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def copy_with_slot_substitution( + self, old_name, new_name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, overwrite_flag=False, + critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isfile(old_name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # copy to with slot substitutions + config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + FILE = open(new_name, "w") + for line in fileinput.FileInput(old_name): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + FILE.write(line) + FILE.close() + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(new_name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + 
extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(new_name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = new_name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def generate_noise_file(self, name, bytes, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # generating noise file called and + # filling it with random bytes + config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, + extra=config.PKI_INDENTATION_LEVEL_2) + open(name, "w").close() + FILE = open(name, "w") + noise = ''.join(random.choice(string.ascii_letters +\ + string.digits) for x in range(bytes)) + FILE.write(noise) + FILE.close() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not 
os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment Symbolic Link Class +class symlink: + def create(self, name, link, uid=None, gid=None, + acls=None, allow_dangling_symlink=False, critical_failure=True): + try: + if not os.path.exists(link): + if not os.path.exists(name): + config.pki_log.warning( + log.PKIHELPER_DANGLING_SYMLINK_2, link, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if not allow_dangling_symlink: + sys.exit(1) + # ln -s + config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link, + extra=config.PKI_INDENTATION_LEVEL_2) + os.symlink(name, link) + # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER + # implemented on Linux systems since 'chmod' + # CANNOT be run directly against symbolic links! 
+ # chown -h : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, link, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(link, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = link + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions =\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS + record.acls = acls + manifest.database.append(record) + elif not os.path.islink(link): + config.pki_log.error( + log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, link, uid=None, gid=None, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(link): + if not os.path.islink(link): + config.pki_log.error( + log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, + link, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each link whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER + # implemented on Linux systems since 'chmod' + # CANNOT be run directly against symbolic links! 
+ # chown -h : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, link, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(link, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = link + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions =\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, link, critical_failure=True): + try: + if not os.path.exists(link) or not os.path.islink(link): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + # rm -f + config.pki_log.info(log.PKIHELPER_RM_F_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + os.remove(link) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.islink(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + +# PKI Deployment War File Class +class war: + def explode(self, name, path, critical_failure=True): + try: + if os.path.exists(name) and os.path.isfile(name): + if not 
zipfile.is_zipfile(name): + config.pki_log.error( + log.PKI_FILE_NOT_A_WAR_FILE_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + if not os.path.exists(path) or not os.path.isdir(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + path, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # jar -xf -C + config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # Open war file + war = zipfile.ZipFile(name, 'r') + # Extract contents of war file to path + war.extractall(path) + else: + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except zipfile.BadZipfile as exc: + config.pki_log.error(log.PKI_BADZIPFILE_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except zipfile.LargeZipFile as exc: + config.pki_log.error(log.PKI_LARGEZIPFILE_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment Password Class +class password: + def create_password_conf(self, path, pin, pin_sans_token=False, + overwrite_flag=False, critical_failure=True): + try: + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'password.conf' file + with open(path, "wt") as fd: + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) + else: + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) + fd.closed + else: + 
config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'password.conf' file + with open(path, "wt") as fd: + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) + else: + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) + fd.closed + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def create_client_pkcs12_password_conf(self, path, overwrite_flag=False, + critical_failure=True): + try: + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'pkcs12_password.conf' file + with open(path, "wt") as fd: + fd.write(master['pki_client_pkcs12_password']) + fd.closed + else: + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'pkcs12_password.conf' file + with open(path, "wt") as fd: + fd.write(master['pki_client_pkcs12_password']) + fd.closed + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def get_password(self, path, token_name, critical_failure=True): + if os.path.exists(path) and os.path.isfile(path) and\ + os.access(path, os.R_OK): + tokens = PKIConfigParser.read_simple_configuration_file(path) + hardware_token = "hardware-" + token_name + if tokens.has_key(hardware_token): + token_name = hardware_token + token_pwd = tokens[hardware_token] + elif tokens.has_key(token_name): + token_pwd = tokens[token_name] + + if token_pwd is None or token_pwd == '': + # TODO prompt for this password + config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, + token_name, 
+ extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + return token_pwd + + +# PKI Deployment NSS 'certutil' Class +class certutil: + def create_security_databases(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + password_file=None, prefix=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-N" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + command = command + " " + "-f" + " " + password_file + if prefix != None: + command = command + " " + "-P" + " " + prefix + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(pki_cert_database) or\ + os.path.exists(pki_key_database) or\ + os.path.exists(pki_secmod_database): + # Simply notify user that the security databases exist + config.pki_log.info( + log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CREATE_SECURITY_DATABASES_1, + command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "certutil" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + 
except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def verify_certificate_exists(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, password_file=None, + silent=True): + rv = 0 + try: + # Compose this "certutil" command + command = "certutil" + " " + "-L" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # By default, execute this command silently + if silent != False: + command = command + " > /dev/null 2>&1" + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! 
+ config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + subprocess.check_call(command, shell=True) + except subprocess.CalledProcessError as exc: + return False + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return True + + def generate_self_signed_certificate(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, + subject, serial_number, + validity_period, issuer_name, + trustargs, noise_file, + password_file=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-S" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the subject name (RFC1485) + if subject: + command = command + " " + "-s" + " " + "'" + subject + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + 
extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the serial number + if serial_number != None: + command = command + " " + "-m" + " " + str(serial_number) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the months valid + if validity_period != None: + command = command + " " + "-v" + " " + str(validity_period) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of the issuer certificate + if issuer_name: + command = command + " " + "-c" + " " +\ + "'" + issuer_name + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the certificate trust attributes + if trustargs: + command = command + " " + "-t" + " " + "'" + trustargs + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify a noise file to be used for key generation + if noise_file: + command = command + " " + "-z" + " " + noise_file + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # ALWAYS self-sign this certificate + command = command + " " + "-x" + # ALWAYS mask the command-line output of this command + command = command + " " + "> /dev/null 2>&1" + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not 
os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! + config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def import_cert(self, nickname, trust, input_file, password_file, + path=None, token=None, critical_failure=True): + try: + command = ["certutil","-A"] + if path: + command.extend(["-d", path]) + + if token: + command.extend(["-h", token]) + + if nickname: + command.extend(["-n", nickname ]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if trust: + command.extend(["-t", trust]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if input_file: + command.extend(["-i", input_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if 
password_file:
+ command.extend(["-f", password_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ subprocess.call(command)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def generate_certificate_request(self, subject, key_size,
+ password_file, noise_file,
+ output_file = None, path = None,
+ ascii_format = None, token = None,
+ critical_failure=True):
+ try:
+ command = ["certutil", "-R"]
+ if path:
+ command.extend(["-d", path])
+ else:
+ command.extend(["-d", "."])
+
+ if token:
+ command.extend(["-h", token])
+
+ if subject:
+ command.extend(["-s", subject])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_SUBJECT,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if key_size:
+ command.extend(["-g", str(key_size)])
+
+ if noise_file:
+ command.extend(["-z", noise_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if password_file:
+ command.extend(["-f", password_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ if output_file:
+ command.extend(["-o", output_file])
+
+ # set acsii output
+ if ascii_format:
+ command.append("-a")
+
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not os.path.exists(noise_file):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ noise_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Execute this "certutil" command
+ with open(os.devnull, "w") as fnull:
+ subprocess.call(command, stdout=fnull, stderr=fnull)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+# pk12util class
+ class pk12util:
+ def create_file(self, out_file, nickname, out_pwfile,
+ db_pwfile, path=None):
+ try:
+ command = ["pk12util"]
+ if path:
+ command.extend(["-d", path])
+ if out_file:
+ command.extend(["-o", out_file])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_OUTFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if nickname:
+ command.extend(["-n", nickname])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if out_pwfile:
+ command.extend(["-w", out_pwfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if db_pwfile:
+ command.extend(["-k", db_pwfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ config.pki_log.info(command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(os.devnull, "w") as fnull:
+ subprocess.call(command, stdout=fnull, stderr=fnull)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if
critical_failure == True:
+ sys.exit(1)
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
+# KRA Connector Class
+ class kra_connector:
+ def deregister(self, critical_failure=False):
+ try:
+ # this is applicable to KRAs only
+ if master['pki_subsystem_type'] != "kra":
+ return
+
+ config.pki_log.info(
+ log.PKIHELPER_KRACONNECTOR_UPDATE_CONTACT,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ cs_cfg = PKIConfigParser.read_simple_configuration_file(
+ master['pki_target_cs_cfg'])
+ krahost = cs_cfg.get('service.machineName')
+ kraport = cs_cfg.get('pkicreate.secure_port')
+ cahost = cs_cfg.get('cloning.ca.hostname')
+ caport = cs_cfg.get('cloning.ca.httpsport')
+ if cahost is None or\
+ caport is None:
+ config.pki_log.warning(
+ log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_CA_HOST_PORT,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+ else:
+ return
+
+ # retrieve subsystem nickname
+ subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname')
+ if subsystemnick is None:
+ config.pki_log.warning(
+ log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+ else:
+ return
+
+ # retrieve name of token based upon type (hardware/software)
+ if ':' in subsystemnick:
+ token_name = subsystemnick.split(':')[0]
+ else:
+ token_name = "internal"
+
+ token_pwd = password.get_password(
+ master['pki_shared_password_conf'],
+ token_name,
+ critical_failure)
+
+ if token_pwd is None or token_pwd == '':
+ config.pki_log.warning(
+ log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(
+
log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1, + token_name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + self.execute_using_sslget(caport, cahost, subsystemnick, + token_pwd, krahost, kraport) + + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, + str(krahost), + str(kraport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + return + + def execute_using_pki(self, caport, cahost, subsystemnick, + token_pwd, krahost, kraport, critical_failure=False): + command = "/bin/pki -p '{}' -h '{}' -n '{}' -P https -d '{}' -w '{}' "\ + "kraconnector-del {} {}".format( + caport, cahost, subsystemnick, + master['pki_database_path'], + token_pwd, krahost, kraport) + + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + + error = re.findall("ClientResponseFailure:(.*?)", output) + if error: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, + str(krahost), + str(kraport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + + def execute_using_sslget(self, caport, cahost, subsystemnick, + token_pwd, krahost, kraport): + urlheader = "https://{}:{}".format(cahost, caport) + updateURL = "/ca/rest/admin/kraconnector/remove" + + params = "host=" + str(krahost) +\ + "&port=" + str(kraport) + + command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + subsystemnick, token_pwd, + master['pki_database_path'], + params, updateURL, + cahost, caport) + + # update KRA connector + # Execute this "sslget" command + # Note that sslget will return non-zero value for HTTP code != 200 + # and this will raise an 
exception
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True)
+
+# PKI Deployment Security Domain Class
+ class security_domain:
+ def deregister(self, install_token, critical_failure=False):
+ # process this PKI subsystem instance's 'CS.cfg'
+ cs_cfg = PKIConfigParser.read_simple_configuration_file(
+ master['pki_target_cs_cfg'])
+
+ # assign key name/value pairs
+ machinename = cs_cfg.get('service.machineName')
+ sport = cs_cfg.get('service.securityDomainPort')
+ ncsport = cs_cfg.get('service.non_clientauth_securePort', '')
+ sechost = cs_cfg.get('securitydomain.host')
+ httpport = cs_cfg.get('securitydomain.httpport')
+ seceeport = cs_cfg.get('securitydomain.httpseeport')
+ secagentport = cs_cfg.get('securitydomain.httpsagentport')
+ secadminport = cs_cfg.get('securitydomain.httpsadminport')
+ secname = cs_cfg.get('securitydomain.name', 'unknown')
+ secselect = cs_cfg.get('securitydomain.select')
+ adminsport = cs_cfg.get('pkicreate.admin_secure_port', '')
+ typeval = cs_cfg.get('cs.type', '')
+ agentsport = cs_cfg.get('pkicreate.agent_secure_port', '')
+
+ # NOTE: Don't check for the existence of 'httpport', as this will
+ # be undefined for a Security Domain that has been migrated!
+ if sechost is None or\ + seceeport is None or\ + secagentport is None or\ + secadminport is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + listval = typeval.lower() + "List" + urlheader = "https://{}:{}".format(sechost, seceeport) + urlagentheader = "https://{}:{}".format(sechost, secagentport) + urladminheader = "https://{}:{}".format(sechost, secadminport) + updateURL = "/ca/agent/ca/updateDomainXML" + + params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\ + "&type=" + str(typeval) +\ + "&list=" + str(listval) +\ + "&host=" + str(machinename) +\ + "&sport=" + str(sport) +\ + "&ncsport=" + str(ncsport) +\ + "&adminsport=" + str(adminsport) +\ + "&agentsport=" + str(agentsport) +\ + "&operation=remove" + + if install_token: + try: + # first try install token-based servlet + params += "&sessionID=" + str(install_token) + adminUpdateURL = "/ca/admin/ca/updateDomainXML" + command = "/usr/bin/sslget -p 123456 -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + master['pki_database_path'], + params, adminUpdateURL, + sechost, secadminport) + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) + else: + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) + + if not output: + if 
critical_failure == True: + sys.exit(-1) + else: + return + + config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, + output, + extra=config.PKI_INDENTATION_LEVEL_2) + # Search the output for Status + status = re.findall("\(.*?)\<\/Status\>", output) + if not status: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + elif status[0] != "0": + error = re.findall("\(.*?)\<\/Error\>", output) + if not error: + error = "" + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, + typeval, + secname, + error, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + config.pki_log.info( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + + def update_domain_using_agent_port(self, typeval, secname, params, + updateURL, sechost, secagentport, critical_failure= False): + token_pwd = None + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + # retrieve subsystem nickname + subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname" + subsystemnick = cs_cfg.get(subsystemnick_param) + if subsystemnick is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + # retrieve name of token based upon type (hardware/software) + if ':' in subsystemnick: + token_name = subsystemnick.split(':')[0] + else: + token_name = "internal" + + token_pwd = password.get_password( + master['pki_shared_password_conf'], + 
token_name,
+ critical_failure)
+
+ if token_pwd is None or token_pwd == '':
+ config.pki_log.warning(
+ log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
+ typeval,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+ else:
+ return
+
+ command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\
+ "-v -r '{}' {}:{} 2>&1".format(
+ subsystemnick, token_pwd,
+ master['pki_database_path'],
+ params, updateURL,
+ sechost, secagentport)
+ try:
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ return output
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.warning(
+ log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
+ typeval,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.warning(
+ log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+
+ return None
+
+
+ def get_installation_token(self, secuser, secpass, critical_failure=True):
+ token = None
+
+ if not secuser or not secpass:
+ return None
+
+ # process this PKI subsystem instance's 'CS.cfg'
+ cs_cfg = PKIConfigParser.read_simple_configuration_file(
+ master['pki_target_cs_cfg'])
+
+ # assign key name/value pairs
+ machinename = cs_cfg.get('service.machineName')
+ cstype = cs_cfg.get('cs.type', '')
+ sechost = cs_cfg.get('securitydomain.host')
+ secadminport = cs_cfg.get('securitydomain.httpsadminport')
+ secselect = cs_cfg.get('securitydomain.select')
+
+ command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\
+ "securitydomain-get-install-token --hostname {} "\
+ "--subsystem {}".format(
+ secadminport, sechost, secuser, secpass,
+ machinename, cstype)
+ try:
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True)
+
+ token_list = re.findall("Install token: \"(.*)\"", output)
+ if
not token_list: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + token = token_list[0] + return token + except subprocess.CalledProcessError as exc: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + return None + +# PKI Deployment 'systemd' Execution Management Class +class systemd: + def start(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." 
+ "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def stop(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def restart(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." 
+ "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +class config_client: + + def configure_pki_data(self, data): + config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type']) + + try: + client = pki.system.SystemConfigClient(self.connection) + response = client.configure(data) + + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\ + " " + str(response['status']), + extra=config.PKI_INDENTATION_LEVEL_2) + certs = response['systemCerts'] + for cdata in certs: + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external']) and\ + not config.str2bool(master['pki_external_step_two']): + # External CA Step 1 + if cdata['tag'].lower() == "signing": + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Save 'External CA Signing Certificate' CSR (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\ + " '" + master['pki_external_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + directory.create( + os.path.dirname(master['pki_external_csr_path'])) + with open(master['pki_external_csr_path'], "w") as f: + f.write(cdata['request']) + return + else: + config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\ + " " + cdata['tag'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\ + " " + cdata['cert'], + 
extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Cloned PKI subsystems do not return an Admin Certificate + if not config.str2bool(master['pki_clone']) and \ + not config.str2bool(master['pki_import_admin_cert']): + admin_cert = response['adminCert']['cert'] + self.process_admin_cert(admin_cert) + except Exception, e: + config.pki_log.error( + log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def process_admin_cert(self, admin_cert): + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\ + " " + admin_cert, + extra=config.PKI_INDENTATION_LEVEL_2) + + # Store the Administration Certificate in a file + admin_cert_file = master['pki_client_admin_cert'] + admin_cert_bin_file = admin_cert_file + ".der" + config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\ + " '" + admin_cert_file + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(admin_cert_file, "w") as f: + f.write(admin_cert) + + # convert the cert file to binary + command = ["AtoB", admin_cert_file, admin_cert_bin_file] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + os.chmod(admin_cert_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + os.chmod(admin_cert_bin_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + # Import the Administration Certificate + # into the client NSS security database + certutil.import_cert( + re.sub("'", "'", master['pki_admin_nickname']), + "u,u,u", + admin_cert_bin_file, + master['pki_client_password_conf'], + master['pki_client_database_dir'], + None, + True) + + # create directory for p12 file if it does not exist + directory.create(os.path.dirname( + master['pki_client_admin_cert_p12'])) + + # Export the Administration Certificate from the + # client NSS security database into a PKCS #12 file + 
pk12util.create_file(
+ master['pki_client_admin_cert_p12'],
+ re.sub("'","'", master['pki_admin_nickname']),
+ master['pki_client_pkcs12_password_conf'],
+ master['pki_client_password_conf'],
+ master['pki_client_database_dir'])
+
+ os.chmod(master['pki_client_admin_cert_p12'],
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+
+
+ def construct_pki_configuration_data(self):
+ config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
+ data = pki.system.ConfigurationRequest()
+
+ # Miscellaneous Configuration Information
+ data.pin = master['pki_one_time_pin']
+ data.subsystemName = master['pki_subsystem_name']
+
+ # Cloning parameters
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_clone']):
+ self.set_cloning_parameters(data)
+ else:
+ data.isClone = "false"
+
+ # Hierarchy
+ self.set_hierarchy_parameters(data)
+
+ # Security Domain
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
+ self.set_existing_security_domain(data)
+ else:
+ # PKI CA or External CA
+ self.set_new_security_domain(data)
+
+ # database
+ if master['pki_subsystem'] != "RA":
+ self.set_database_parameters(data)
+
+ # backup
+ if master['pki_instance_type'] == "Tomcat":
+ self.set_backup_parameters(data)
+
+ # admin user
+ if not config.str2bool(master['pki_clone']):
+ self.set_admin_parameters(data)
+
+ # Issuing CA Information
+ self.set_issuing_ca_parameters(data)
+
+ # Create system certs
+ self.set_system_certs(data)
+
+ return data
+
+ def set_system_certs(self, data):
+ systemCerts = []
+
+ # Create 'CA Signing Certificate'
+ if master['pki_subsystem'] == "CA":
+ if not config.str2bool(master['pki_clone']):
+ cert1 = self.create_system_cert("ca_signing")
+ cert1.signingAlgorithm =\
+
master['pki_ca_signing_signing_algorithm'] + if config.str2bool(master['pki_external_step_two']): + # Load the 'External CA Signing Certificate' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\ + "'" + master['pki_external_ca_cert_path'] + "'") + with open(master['pki_external_ca_cert_path']) as f: + external_cert = f.read() + cert1.cert = external_cert + + # Load the 'External CA Signing Certificate Chain' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\ + "'" + master['pki_external_ca_cert_chain_path'] +\ + "'") + with open(master['pki_external_ca_cert_chain_path']) as f: + external_cert_chain = f.read() + + cert1.certChain = external_cert_chain + systemCerts.append(cert1) + + # Create 'OCSP Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.signingAlgorithm =\ + master['pki_ocsp_signing_signing_algorithm'] + systemCerts.append(cert2) + + # Create 'SSL Server Certificate' + # all subsystems + + # create new sslserver cert only if this is a new instance + cert3 = None + system_list = instance.tomcat_instance_subsystems() + if len(system_list) >= 2: + data.generateServerCert = "false" + for subsystem in system_list: + dst = master['pki_instance_path'] + '/conf/' +\ + subsystem.lower() + '/CS.cfg' + if subsystem != master['pki_subsystem'] and \ + os.path.exists(dst): + cert3 = self.retrieve_existing_server_cert(dst) + break + else: + cert3 = self.create_system_cert("ssl_server") + systemCerts.append(cert3) + + # Create 'Subsystem Certificate' + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") + systemCerts.append(cert4) + + # Create 'Audit Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] != "RA": + cert5 = 
self.create_system_cert("audit_signing") + cert5.signingAlgorithm =\ + master['pki_audit_signing_signing_algorithm'] + systemCerts.append(cert5) + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.append(cert6) + + cert7 = self.create_system_cert("storage") + systemCerts.append(cert7) + + data.systemCerts = systemCerts + + def set_cloning_parameters(self, data): + data.isClone = "true" + data.cloneUri = master['pki_clone_uri'] + data.p12File = master['pki_clone_pkcs12_path'] + data.p12Password = master['pki_clone_pkcs12_password'] + data.replicateSchema = master['pki_clone_replicate_schema'] + data.replicationSecurity =\ + master['pki_clone_replication_security'] + if master['pki_clone_replication_master_port']: + data.masterReplicationPort =\ + master['pki_clone_replication_master_port'] + if master['pki_clone_replication_clone_port']: + data.cloneReplicationPort =\ + master['pki_clone_replication_clone_port'] + + def set_hierarchy_parameters(self, data): + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + # Cloned CA + data.hierarchy = "root" + elif config.str2bool(master['pki_external']): + # External CA + data.hierarchy = "join" + elif config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.hierarchy = "join" + else: + # PKI CA + data.hierarchy = "root" + + def set_existing_security_domain(self, data): + data.securityDomainType = "existingdomain" + data.securityDomainUri = master['pki_security_domain_uri'] + data.securityDomainUser = master['pki_security_domain_user'] + data.securityDomainPassword = master['pki_security_domain_password'] + + def set_new_security_domain(self, data): + data.securityDomainType = "newdomain" + data.securityDomainName = master['pki_security_domain_name'] + + def set_database_parameters(self, data): + data.dsHost = master['pki_ds_hostname'] + 
data.dsPort = master['pki_ds_ldap_port'] + data.baseDN = master['pki_ds_base_dn'] + data.bindDN = master['pki_ds_bind_dn'] + data.database = master['pki_ds_database'] + data.bindpwd = master['pki_ds_password'] + if config.str2bool(master['pki_ds_remove_data']): + data.removeData = "true" + else: + data.removeData = "false" + if config.str2bool(master['pki_ds_secure_connection']): + data.secureConn = "true" + else: + data.secureConn = "false" + + def set_backup_parameters(self, data): + if config.str2bool(master['pki_backup_keys']): + data.backupKeys = "true" + data.backupFile = master['pki_backup_keys_p12'] + data.backupPassword = master['pki_backup_password'] + else: + data.backupKeys = "false" + + def set_admin_parameters(self, data): + data.adminEmail = master['pki_admin_email'] + data.adminName = master['pki_admin_name'] + data.adminPassword = master['pki_admin_password'] + data.adminProfileID = master['pki_admin_profile_id'] + data.adminUID = master['pki_admin_uid'] + data.adminSubjectDN = master['pki_admin_subject_dn'] + if config.str2bool(master['pki_import_admin_cert']): + data.importAdminCert = "true" + # read config from file + with open(master['pki_admin_cert_file']) as f: + b64 = f.read().replace('\n','') + data.adminCert = b64 + else: + data.importAdminCert = "false" + data.adminSubjectDN = master['pki_admin_subject_dn'] + if master['pki_admin_cert_request_type'] == "pkcs10": + data.adminCertRequestType = "pkcs10" + + noise_file = os.path.join( + master['pki_client_database_dir'], "noise") + + output_file = os.path.join( + master['pki_client_database_dir'], "admin_pkcs10.bin") + + file.generate_noise_file( + noise_file, int(master['pki_admin_keysize'])) + + certutil.generate_certificate_request( + master['pki_admin_subject_dn'], + master['pki_admin_keysize'], + master['pki_client_password_conf'], + noise_file, + output_file, + master['pki_client_database_dir'], + None, None, True) + + # convert output to ascii + command = ["BtoA", output_file, 
output_file + ".asc"] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + with open(output_file + ".asc") as f: + b64 = f.read().replace('\n','') + + data.adminCertRequest = b64 + else: + print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY" + sys.exit(1) + + def set_issuing_ca_parameters(self, data): + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + config.str2bool(master['pki_external']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, + # Subordinate CA, or External CA + data.issuingCA = master['pki_issuing_ca'] + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # External CA Step 2 + data.stepTwo = "true"; + + def create_system_cert(self, tag): + cert = pki.system.SystemCertData() + cert.tag = master["pki_%s_tag" % tag] + cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag] + cert.keySize = master["pki_%s_key_size" % tag] + cert.keyType = master["pki_%s_key_type" % tag] + cert.nickname = master["pki_%s_nickname" % tag] + cert.subjectDN = master["pki_%s_subject_dn" % tag] + cert.token = master["pki_%s_token" % tag] + return cert + + def retrieve_existing_server_cert(self, cfg_file): + cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) + cstype = cs_cfg.get('cs.type').lower() + cert = pki.system.SystemCertData() + cert.tag = master["pki_ssl_server_tag"] + cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"] + cert.keySize = master["pki_ssl_server_key_size"] + cert.keyType = master["pki_ssl_server_key_type"] + cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname") + cert.cert = cs_cfg.get(cstype + ".sslserver.cert") + cert.request = cs_cfg.get(cstype + ".sslserver.certreq") + cert.subjectDN = master["pki_ssl_server_subject_dn"] + cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") + return cert + +# PKI Deployment 
Helper Class Instances
+identity = identity()
+namespace = namespace()
+configuration_file = configuration_file()
+#xml_file = xml_file()
+instance = instance()
+directory = directory()
+file = file()
+symlink = symlink()
+war = war()
+password = password()
+certutil = certutil()
+pk12util = pk12util()
+security_domain = security_domain()
+kra_connector = kra_connector()
+systemd = systemd()
diff --git a/base/server/src/engine/pkilogging.py b/base/server/src/engine/pkilogging.py
new file mode 100644
index 000000000..319616145
--- /dev/null
+++ b/base/server/src/engine/pkilogging.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import logging
+import os
+import pprint
+
+sensitive_parameters = []
+
+# Initialize 'pretty print' for objects
+pp = pprint.PrettyPrinter(indent=4)
+
+def format(dict):
+ new_dict = {}
+
+ # mask sensitive data
+ for key in dict:
+ if key in sensitive_parameters:
+ value = 'XXXXXXXX'
+ else:
+ value = dict[key]
+ new_dict[key] = value
+
+ return pp.pformat(new_dict)
+
+# PKI Deployment Logging Functions
+def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name):
+ if not os.path.isdir(log_dir):
+ try:
+ os.makedirs(log_dir)
+ except OSError:
+ return OSError
+
+ # Configure logger
+ logger = logging.getLogger(name)
+ logger.setLevel(log_level)
+
+ # Configure console handler
+ console = logging.StreamHandler()
+ console.setLevel(console_log_level)
+ console_format = logging.Formatter('%(name)-12s: ' +\
+ '%(levelname)-8s ' +\
+ '%(indent)s%(message)s')
+ console.setFormatter(console_format)
+ logger.addHandler(console)
+
+ # Configure file handler
+ file = logging.FileHandler(log_dir + "/" + log_name, 'w')
+ file.setLevel(log_level)
+ file_format = logging.Formatter('%(asctime)s %(name)-12s: ' +\
+ '%(levelname)-8s ' +\
+ '%(indent)s%(message)s',
+ '%Y-%m-%d %H:%M:%S')
+ file.setFormatter(file_format)
+ logger.addHandler(file)
+
+ return logger
diff --git a/base/server/src/engine/pkimanifest.py b/base/server/src/engine/pkimanifest.py
new file mode 100644
index 000000000..04a638f06
--- /dev/null
+++ b/base/server/src/engine/pkimanifest.py
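Review bot: `enable_pki_logger` returns the `OSError` class itself when `os.makedirs(log_dir)` fails, so a caller expecting a logger receives a type object and the failure is carried forward silently; use `except OSError as exc:` followed by `raise` (or simply drop the try and let the exception propagate) so the caller can report the unusable log directory. The file handler is opened with mode `'w'`, which truncates any earlier log of the same name on every run; if previous deployment logs are meant to survive, `'a'` is the safer choice. `format` masks only the keys listed in the module-level `sensitive_parameters`, which is empty here, so that list presumably has to be populated by the caller before any dictionary is logged — worth a comment on the definition, e.g. `# keys whose values are replaced by 'XXXXXXXX' in format(); filled in by the deployment parser`. Both `format(dict)` and the local `file` shadow builtins; `format_dict(params)` and `file_handler` would avoid the confusion without changing behavior.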
@@ -0,0 +1,101 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+from collections import namedtuple
+import csv
+import sys
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+import pkimessages as log
+
+
+# PKI Deployment Manifest Constants
+RECORD_TYPE_DIRECTORY = "directory"
+RECORD_TYPE_FILE = "file"
+RECORD_TYPE_SYMLINK = "symlink"
+
+
+# PKI Deployment Manifest Record Class
+class record(object):
+ __slots__= "name",\
+ "type",\
+ "user",\
+ "group",\
+ "uid",\
+ "gid",\
+ "permissions",\
+ "acls",
+
+ def items(self):
+ "dict style items"
+ return [
+ (field_name, getattr(self, field_name))
+ for field_name in self.__slots__]
+
+ def __iter__(self):
+ "iterate over fields tuple/list style"
+ for field_name in self.__slots__:
+ yield getattr(self, field_name)
+
+ def __getitem__(self, index):
+ "tuple/list style getitem"
+ return getattr(self, self.__slots__[index])
+
+
+# PKI Deployment Manifest File Class
+class file:
+ global database
+ filename = None
+
+ def register(self, name):
+ self.filename = name
+
+ def write(self):
+ try:
+ fd = open(self.filename, "wt")
+ c = csv.writer(fd)
+ for record in database:
+ c.writerow(tuple(record))
+ fd.close()
+ except IOError as exc:
+ config.pki_log.error(log.PKI_IOERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ sys.exit(1)
+
+ def read(self):
+ try:
+ fd = open(self.filename, "rt")
+ cr = csv.reader(fd)
+ for row in cr:
+ print tuple(row)
+ fd.close()
+ except IOError as exc:
+ config.pki_log.error(log.PKI_IOERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ sys.exit(1)
+
+
+# PKI Deployment Global Named Tuples
+database = []
+file = file()
diff --git a/base/server/src/engine/pkimessages.py b/base/server/src/engine/pkimessages.py
new file mode 100644
index 000000000..a6361dc8b
--- /dev/null
+++ b/base/server/src/engine/pkimessages.py
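Review bot: In `file.write` and `file.read` the `fd.close()` call sits inside the `try`, so if `csv.writer`/`csv.reader` or the row loop raises anything other than `IOError` the descriptor is leaked and the manifest can be left partially written; `with open(self.filename, "wt") as fd:` (and `"rt"` in `read`) closes it on every path and matches the `with open(...)` idiom pkihelper.py already uses in this commit. The `except IOError` handlers terminate the process with `sys.exit(1)`, which is acceptable for a deployment tool but means a caller of `read()` never gets a chance to handle the error. `global database` in the class body does not affect the methods, which resolve `database` at module scope when called anyway, so it can be dropped. Rebinding `file = file()` at the end hides both the builtin and the class behind the instance; a distinct name such as `manifest_file` would be clearer, and the `namedtuple` import is unused as far as this hunk shows.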
@@ -0,0 +1,361 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Engine Messages +PKI_DICTIONARY_DEFAULT ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI DEFAULT DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_MASTER="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_SLOTS="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_SUBSYSTEM="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_WEB_SERVER="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ +"=====================================================" +# NEVER print out 'sensitive' data dictionary!!! 
+ + +# PKI Deployment Log Messages +PKI_VERBOSITY=\ +"VERBOSITY FLAGS CONSOLE MESSAGE LEVEL LOG MESSAGE LEVEL\n"\ +"=======================================================================\n"\ +" NONE error|warning error|warning|info\n"\ +" -v error|warning|info error|warning|info\n"\ +" -vv error|warning|info error|warning|info|debug\n"\ +" -vvv error|warning|info|debug error|warning|info|debug\n"\ +" " + +# PKI Deployment Error Messages +PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!" +PKI_CONFIGURATION_RESTART_1 = "After configuration, the server can be "\ + "operated by the command:\n\n%s" +PKI_CONFIGURATION_URL_1 = "Please start the configuration by accessing:\n\n%s" +PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\ + "operated by the command:\n%s" +PKI_CONFIGURATION_WIZARD_URL_1 = "Configuration Wizard listening on\n%s" +PKI_DIRECTORY_ALREADY_EXISTS_1 = "Directory '%s' already exists!" +PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\ + "exists BUT it is NOT a "\ + "directory!" +PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\ + "missing or is NOT a directory!" +PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\ + "to use PKI services!" +PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!" +PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\ + "exists BUT it is NOT a "\ + "file!" +PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\ + "or is NOT a regular file!" +PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!" +PKI_INSTANCE_DOES_NOT_EXIST_1 = "PKI instance '%s' does NOT exist!" +PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' already exist!" +PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' do NOT exist!" +PKI_SUBSYSTEM_NOT_INSTALLED_1 = "Package pki-%s is NOT installed!" 
+PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ + "already exists!" +PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ + "does NOT exist!" + +PKI_IOERROR_1 = "IOError: %s!" +PKI_KEYERROR_1 = "KeyError: %s!" +PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!" +PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'" +PKI_OSERROR_1 = "OSError: %s!" +PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!" +PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!" +PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!" +PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\ + "exists BUT it is NOT a "\ + "symlink!" +PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1 = "Symlink '%s' is either missing "\ + "or is NOT a symbolic link!" +PKI_UNABLE_TO_PARSE_1 = "'Could not parse: '%s'" +PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 = "Could not create log directory '%s'!" +PKI_VERBOSITY_LEVELS_MESSAGE = "Only up to 3 levels of verbosity are supported!" + + +# PKI Deployment 'pkispawn' and 'pkidestroy' Messages +PKIDESTROY_BEGIN_MESSAGE_2 = "BEGIN destroying subsystem '%s' of "\ + "instance '%s' . . ." +PKIDESTROY_END_MESSAGE_2 = "END destroying subsystem '%s' of "\ + "instance '%s'" +PKIDESTROY_EPILOG =\ +"REMINDER:\n\n"\ +" The default PKI instance path will be calculated and placed in front\n"\ +" of the mandatory '-i ' parameter, and the values that reside\n"\ +" in deployment configuration file that was most recently used\n"\ +" by this instance's 'pkispawn' (or 'pkispawn -u') command will be\n"\ +" utilized by 'pkidestroy' to remove this instance.\n\n"\ +" Finally, if an optional '-p ' is defined, this value WILL be\n"\ +" prepended to the default PKI instance path which is placed in front\n"\ +" of the specified '-i ' parameter.\n\n" +\ +PKI_VERBOSITY +PKIRESPAWN_BEGIN_MESSAGE_2 = "BEGIN respawning subsystem '%s' of "\ + "instance '%s' . . ." 
+PKIRESPAWN_END_MESSAGE_2 = "END respawning subsystem '%s' of "\ + "instance '%s'" +PKISPAWN_BEGIN_MESSAGE_2 = "BEGIN spawning subsystem '%s' of "\ + "instance '%s' . . ." +PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ + "instance '%s'" +PKISPAWN_EPILOG =\ +"REMINDER:\n\n"\ +" If two or more Apache or Tomcat PKI 'instances' are specified via\n"\ +" separate configuration files, remember that the following parameters\n"\ +" MUST differ between PKI 'instances':\n\n"\ +" Apache: 'pki_instance_name', 'pki_http_port', and 'pki_https_port'\n"\ +" Tomcat: 'pki_instance_name', 'pki_http_port', 'pki_https_port',\n"\ +" 'pki_ajp_port', and 'pki_tomcat_server_port'\n\n"\ +" Finally, if an optional '-p ' is defined, this value WILL NOT\n"\ +" be prepended in front of the mandatory '-f '.\n\n" +\ +PKI_VERBOSITY + + +# PKI Deployment "Helper" Messages +PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "Apache PKI subsystems" +PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\ + "Apache PKI instances" +PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ + "slot substitutions on '%s'" +PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'" +PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\ + "'-i input-file' option!" +PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ + "'-c issuer-name' option!" +PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ + "'-n nickname' option!" +PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ + "'-z noise-file' option!" +PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\ + "'-f password-file' option!" +PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" +PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ + "'-m serial-number' option!" +PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!" +PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!" 
+PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\ + "'-t trustargs' option!" +PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\ + "'-v months-valid' option!" +PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'" +PKIHELPER_CHMOD_2 = "chmod %o %s" +PKIHELPER_CHOWN_3 = "chown %s:%s %s" +PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s" +PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2 = "the command-line parameter "\ + "'%s' DOES NOT match the "\ + "configuration file value '%s'!" +PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\ + "with slot substitution" +PKIHELPER_CP_P_2 = "cp -p %s %s" +PKIHELPER_CP_RP_2 = "cp -rp %s %s" +PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" +PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" +PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ + "is missing the key called '%s'!" +PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" +PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" +PKIHELPER_GID_2 = "GID of '%s' is %s" +PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." +PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." 
+PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" +PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" +PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ + "context %s" +PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" +PKIHELPER_IS_A_FILE_1 = "'%s' is a file" +PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" +PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" +PKIHELPER_KRACONNECTOR_UPDATE_CONTACT =\ + "contacting the CA to update the KRA connector" +PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA" +PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = "Failed to update KRA connector for %s:%s" +PKIHELPER_LINK_S_2 = "ln -s %s %s" +PKIHELPER_MKDIR_1 = "mkdir -p %s" +PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" +PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" +PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ + "CAs, and subordinate CAs"\ + "MUST ALL be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_NAMESPACE_COLLISION_2 = "PKI instance '%s' would produce a "\ + "namespace collision with '%s'!" +PKIHELPER_NAMESPACE_RESERVED_NAME_2 = "PKI instance '%s' is already a "\ + "reserved name under '%s'!" +PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ + "filling it with '%d' random bytes" +PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" +PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!" +PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\ + "-k db-password-file option!" 
+PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\ + "-n nickname option!" +PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\ + "-o output-file option!" +PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\ + "-w pw-file option!" + +PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "PKI subsystems" +PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" +PKIHELPER_RM_F_1 = "rm -f %s" +PKIHELPER_RM_RF_1 = "rm -rf %s" +PKIHELPER_RMDIR_1 = "rmdir %s" +PKIHELPER_SECURITY_DOMAIN_CONTACT_1 =\ + "contacting the security domain master to update security domain '%s'" +PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 =\ + "Failed to get installation token from security domain '%s:%s'" +PKIHELPER_SECURITY_DOMAIN_UNDEFINED =\ + "No security domain defined.\n"\ + "If this is an unconfigured instance, then that is OK.\n"\ + "Otherwise, manually delete the entry from the security domain master." +PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1 =\ + "security domain '%s' may be offline or unreachable!" +PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2 =\ + "this '%s' entry may not be registered with security domain '%s'!" +PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2 =\ + "this '%s' entry will NOT be deleted from security domain '%s'!" +PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3 =\ + "updateDomainXML FAILED to delete this '%s' entry from "\ + "security domain '%s': '%s'" +PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2 =\ + "updateDomainXML SUCCESSFULLY deleted this '%s' entry from "\ + "security domain '%s'" +PKIHELPER_SELINUX_DISABLED = "Selinux is disabled. 
Not checking port contexts" +PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" +PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" +PKIHELPER_SSLGET_OUTPUT_1 = "\n"\ + "Dump of 'sslget' output:\n"\ + "=====================================================\n"\ + "%s\n"\ + "=====================================================" +PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" +PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "Tomcat PKI subsystems" +PKIHELPER_TOMCAT_INSTANCES_2 = "PKI Tomcat registry '%s' contains '%d' "\ + "Tomcat PKI instances" +PKIHELPER_TOUCH_1 = "touch %s" +PKIHELPER_UID_2 = "UID of '%s' is %s" +PKIHELPER_UNDEFINED_CA_HOST_PORT = "CA Host or Port is undefined" +PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 =\ + "Either a value for '%s' MUST be defined in '%s', or "\ + "the randomly generated client pin MUST be used" +PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 =\ + "A value for '%s' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME = "subsystem nickname not defined" +PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 = "Password for token '%s' not defined" +PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." +PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" +PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" + +PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" +PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" +PKI_CONFIG_CDATA_TAG = "tag:" +PKI_CONFIG_CDATA_CERT = "cert:" +PKI_CONFIG_CDATA_REQUEST = "request:" +PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data." +PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data." 
+PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\ + "is currently supported" +PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ + "from file:" +PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ + "chain from file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" +PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\ + "Exception from Java Configuration Servlet:" +PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" +PKI_CONFIG_RESPONSE_STATUS = "status:" +PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED" + +# PKI Deployment "Scriptlet" Messages +ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" +ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'" +ADMIN_DOMAIN_SPAWN_1 = "populating '%s'" +CONFIGURATION_DESTROY_1 = "unconfiguring '%s'" +CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'" +CONFIGURATION_SPAWN_1 = "configuring '%s'" +FINALIZATION_DESTROY_1 = "finalizing '%s'" +FINALIZATION_RESPAWN_1 = "finalizing '%s'" +FINALIZATION_SPAWN_1 = "finalizing '%s'" +INITIALIZATION_DESTROY_1 = "initializing '%s'" +INITIALIZATION_RESPAWN_1 = "initializing '%s'" +INITIALIZATION_SPAWN_1 = "initializing '%s'" +INSTANCE_DESTROY_1 = "depopulating '%s'" +INSTANCE_RESPAWN_1 = "repopulating '%s'" +INSTANCE_SPAWN_1 = "populating '%s'" +RESIDUAL_DESTROY_1 = "depopulating '%s'" +RESIDUAL_RESPAWN_1 = "repopulating '%s'" +RESIDUAL_SPAWN_1 = "populating '%s'" +SECURITY_DATABASES_DESTROY_1 = "removing '%s'" +SECURITY_DATABASES_RESPAWN_1 = "regenerating '%s'" +SECURITY_DATABASES_SPAWN_1 = "generating '%s'" +SELINUX_DESTROY_1 = "depopulating '%s'" +SELINUX_RESPAWN_1 = "repopulating '%s'" +SELINUX_SPAWN_1 = "populating '%s'" +SELINUX_DISABLED_DESTROY_1 = "selinux disabled. skipping unlabelling '%s'" +SELINUX_DISABLED_SPAWN_1 = "selinux disabled. 
skipping labelling '%s'" +SLOT_ASSIGNMENT_DESTROY_1 = "unassigning slots for '%s'" +SLOT_ASSIGNMENT_RESPAWN_1 = "reassigning slots for '%s'" +SLOT_ASSIGNMENT_SPAWN_1 = "assigning slots for '%s'" +SUBSYSTEM_DESTROY_1 = "depopulating '%s'" +SUBSYSTEM_RESPAWN_1 = "repopulating '%s'" +SUBSYSTEM_SPAWN_1 = "populating '%s'" +WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'" +WEBAPP_DEPLOYMENT_RESPAWN_1 = "redeploying '%s'" +WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'" +SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'" +SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'" +SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'" +SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'" +SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'" +SKIP_RESIDUAL_SPAWN_1 = "skip populating '%s'" +SKIP_SECURITY_DATABASES_SPAWN_1 = "skip generating '%s'" +SKIP_SELINUX_SPAWN_1 = "skip populating '%s'" +SKIP_SLOT_ASSIGNMENT_SPAWN_1 = "skip assigning slots for '%s'" +SKIP_SUBSYSTEM_SPAWN_1 = "skip populating '%s'" +SKIP_WEBAPP_DEPLOYMENT_SPAWN_1 = "skip deploying '%s'" diff --git a/base/server/src/engine/pkiparser.py b/base/server/src/engine/pkiparser.py new file mode 100644 index 000000000..c4bf9b886 --- /dev/null +++ b/base/server/src/engine/pkiparser.py 
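Review bot: `PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA` is missing a separator between its second and third fragments, so the rendered message reads `...subordinate CAsMUST ALL be MUTUALLY EXCLUSIVE...`; change the second fragment to `"CAs, and subordinate CAs "\`. `PKI_UNABLE_TO_PARSE_1 = "'Could not parse: '%s'"` carries a stray leading apostrophe and should read `"Could not parse: '%s'"`. The only visible use of `PKI_CONFIG_PKCS10_SUPPORT_ONLY`, in `set_admin_parameters` of pkihelper.py earlier in this diff, prints the quoted name `"log.PKI_CONFIG_PKCS10_SUPPORT_ONLY"` rather than the constant, so the message defined here is never actually emitted.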
@@ -0,0 +1,1069 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import ConfigParser +import argparse +import getpass +import ldap +import logging +import os +import random +import string +import subprocess +import sys +import time + + +# PKI Deployment Imports +import pkilogging +import pkiconfig as config +import pkimessages as log + +import pki.account +import pki.client +import pki.system + +class PKIConfigParser: + + COMMENT_CHAR = '#' + OPTION_CHAR = '=' + + def __init__(self, description, epilog): + self.pki_config = None + + "Read and process command-line options" + self.arg_parser = argparse.ArgumentParser( + description=description, + add_help=False, + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=epilog) + + # Establish 'Mandatory' command-line options + self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') + + # Establish 'Optional' command-line options + self.optional = self.arg_parser.add_argument_group('optional arguments') + self.optional.add_argument('-s', + dest='pki_subsystem', action='store', + nargs=1, choices=config.PKI_SUBSYSTEMS, + metavar='', + help='where is ' + 'CA, KRA, OCSP, RA, TKS, or TPS') + self.optional.add_argument('-h', '--help', + 
dest='help', action='help', + help='show this help message and exit') + self.optional.add_argument('-v', + dest='pki_verbosity', action='count', + help='display verbose information (details below)') + + # Establish 'Test' command-line options + test = self.arg_parser.add_argument_group('test arguments') + test.add_argument('-p', + dest='pki_root_prefix', action='store', + nargs=1, metavar='', + help='directory prefix to specify local directory ' + '[TEST ONLY]') + + self.indent = 0 + + # PKI Deployment Helper Functions + def process_command_line_arguments(self, argv): + + # Parse command-line options + args = self.arg_parser.parse_args() + + # Process 'Mandatory' command-line options + + # Process 'Optional' command-line options + # '-v' + if args.pki_verbosity == 1: + config.pki_console_log_level = logging.INFO + config.pki_log_level = logging.INFO + elif args.pki_verbosity == 2: + config.pki_console_log_level = logging.INFO + config.pki_log_level = logging.DEBUG + elif args.pki_verbosity == 3: + config.pki_console_log_level = logging.DEBUG + config.pki_log_level = logging.DEBUG + elif args.pki_verbosity > 3: + print "ERROR: " + log.PKI_VERBOSITY_LEVELS_MESSAGE + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + else: + # Set default log levels + config.pki_console_log_level = logging.WARNING + config.pki_log_level = logging.INFO + + # Process 'Test' command-line options + # '-p' + if args.pki_root_prefix is None: + config.pki_root_prefix = "" + else: + config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']') + + return args + + + def validate(self): + + # Validate command-line options + if len(config.pki_root_prefix) > 0: + if not os.path.exists(config.pki_root_prefix) or\ + not os.path.isdir(config.pki_root_prefix): + print "ERROR: " +\ + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\ + config.pki_root_prefix + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + # always default that configuration file exists + if not 
os.path.exists(config.default_deployment_cfg) or\ + not os.path.isfile(config.default_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ + config.default_deployment_cfg + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + if config.user_deployment_cfg: + # verify user configuration file exists + if not os.path.exists(config.user_deployment_cfg) or\ + not os.path.isfile(config.user_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ + config.user_deployment_cfg + print + parser.arg_parser.print_help() + parser.arg_parser.exit(-1); + + + def init_config(self): + + # RESTEasy + resteasy_lib = subprocess.check_output(\ + 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', + shell=True).strip() + + # JNI jar location + jni_jar_dir = subprocess.check_output(\ + 'source /etc/pki/pki.conf && echo $JNI_JAR_DIR', + shell=True).strip() + + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + default_instance_name = 'pki-tomcat' + default_http_port = '8080' + default_https_port = '8443' + else: + default_instance_name = 'pki-apache' + default_http_port = '80' + default_https_port = '443' + + self.pki_config = ConfigParser.SafeConfigParser({ + 'pki_instance_name': default_instance_name, + 'pki_http_port': default_http_port, + 'pki_https_port': default_https_port, + 'pki_dns_domainname': config.pki_dns_domainname, + 'pki_subsystem': config.pki_subsystem, + 'pki_subsystem_type': config.pki_subsystem.lower(), + 'pki_root_prefix' : config.pki_root_prefix, + 'resteasy_lib': resteasy_lib, + 'jni_jar_dir': jni_jar_dir, + 'home_dir': os.path.expanduser("~"), + 'pki_hostname': config.pki_hostname}) + + # Make keys case-sensitive! 
+ self.pki_config.optionxform = str + + config.user_config = ConfigParser.SafeConfigParser() + config.user_config.optionxform = str + + with open(config.default_deployment_cfg) as f: + self.pki_config.readfp(f) + + self.flatten_master_dict() + + + # The following code is based heavily upon + # "http://www.decalage.info/en/python/configparser" + @staticmethod + def read_simple_configuration_file(filename): + values = {} + f = open(filename) + for line in f: + # First, remove comments: + if PKIConfigParser.COMMENT_CHAR in line: + # split on comment char, keep only the part before + line, comment = line.split(PKIConfigParser.COMMENT_CHAR, 1) + # Second, find lines with an name=value: + if PKIConfigParser.OPTION_CHAR in line: + # split on name char: + name, value = line.split(PKIConfigParser.OPTION_CHAR, 1) + # strip spaces: + name = name.strip() + value = value.strip() + # store in dictionary: + values[name] = value + f.close() + return values + + + def set_property(self, section, property, value): + if section != "DEFAULT" and not self.pki_config.has_section(section): + self.pki_config.add_section(section) + self.pki_config.set(section, property, value) + self.flatten_master_dict() + + if section != "DEFAULT" and not config.user_config.has_section(section): + config.user_config.add_section(section) + config.user_config.set(section, property, value) + + + def print_text(self, message): + print ' ' * self.indent + message + + def read_text(self, message, + section=None, property=None, default=None, + options=None, sign=':', allowEmpty=True, caseSensitive=True): + + if default is None and property is not None: + default = config.pki_master_dict[property] + if default: + message = message + ' [' + default + ']' + message = ' ' * self.indent + message + sign + ' ' + + done = False + while not done: + value = raw_input(message) + value = value.strip() + + if len(value) == 0: # empty value + if allowEmpty: + value = default + done = True + break + + else: # non-empty value 
+ if options is not None: + for v in options: + if caseSensitive: + if v == value: + done = True + break + else: + if v.lower() == value.lower(): + done = True + break + else: + done = True + break + + value = value.replace("%", "%%") + if section: + self.set_property(section, property, value) + + return value + + + def read_password(self, message, section=None, property=None, + verifyMessage=None): + message = ' ' * self.indent + message + ': ' + if verifyMessage is not None: + verifyMessage = ' ' * self.indent + verifyMessage + ': ' + + while True: + password = '' + while len(password) == 0: + password = getpass.getpass(prompt=message) + + if verifyMessage is not None: + verification = '' + while len(verification) == 0: + verification = getpass.getpass(prompt=verifyMessage) + + if password != verification: + self.print_text('Passwords do not match.') + continue + + break + + password = password.replace("%", "%%") + if section: + self.set_property(section, property, password) + + return password + + def read_pki_configuration_file(self): + "Read configuration file sections into dictionaries" + rv = 0 + try: + if config.user_deployment_cfg: + print 'Loading deployment configuration from ' + config.user_deployment_cfg + '.' 
+ self.pki_config.read([config.user_deployment_cfg]) + + except ConfigParser.ParsingError, err: + print err + rv = err + return rv + + + def flatten_master_dict(self): + config.pki_master_dict.update(__name__="PKI Master Dictionary") + + default_dict = dict(self.pki_config.items('DEFAULT')) + default_dict[0] = None + config.pki_master_dict.update(default_dict) + + web_server_dict = None + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if self.pki_config.has_section('Tomcat'): + web_server_dict = dict(self.pki_config.items('Tomcat')) + else: + if self.pki_config.has_section('Apache'): + web_server_dict = dict(self.pki_config.items('Apache')) + + if web_server_dict: + web_server_dict[0] = None + config.pki_master_dict.update(web_server_dict) + + if self.pki_config.has_section(config.pki_subsystem): + subsystem_dict = dict(self.pki_config.items(config.pki_subsystem)) + subsystem_dict[0] = None + config.pki_master_dict.update(subsystem_dict) + + + def ds_connect(self): + + hostname = config.pki_master_dict['pki_ds_hostname'] + + if config.str2bool(config.pki_master_dict['pki_ds_secure_connection']): + protocol = 'ldaps' + port = config.pki_master_dict['pki_ds_ldaps_port'] + else: + protocol = 'ldap' + port = config.pki_master_dict['pki_ds_ldap_port'] + + self.ds_connection = ldap.initialize(protocol + '://' + hostname + ':' + port) + self.ds_connection.search_s('', ldap.SCOPE_BASE) + + def ds_bind(self): + self.ds_connection.simple_bind_s( + config.pki_master_dict['pki_ds_bind_dn'], + config.pki_master_dict['pki_ds_password']) + + def ds_base_dn_exists(self): + try: + results = self.ds_connection.search_s( + config.pki_master_dict['pki_ds_base_dn'], + ldap.SCOPE_BASE) + + if results is None or len(results) == 0: + return False + + return True + + except ldap.NO_SUCH_OBJECT as e: + return False + + def ds_close(self): + self.ds_connection.unbind_s() + + def sd_connect(self): + self.sd_connection = pki.client.PKIConnection( + protocol='https', + 
hostname=config.pki_master_dict['pki_security_domain_hostname'], + port=config.pki_master_dict['pki_security_domain_https_port'], + subsystem='ca') + + def sd_get_info(self): + sd = pki.system.SecurityDomainClient(self.sd_connection) + return sd.getSecurityDomainInfo() + + def sd_authenticate(self): + self.sd_connection.authenticate( + config.pki_master_dict['pki_security_domain_user'], + config.pki_master_dict['pki_security_domain_password']) + + account = pki.account.AccountClient(self.sd_connection) + account.login() + account.logout() + + def compose_pki_master_dictionary(self): + "Create a single master PKI dictionary from the sectional dictionaries" + try: + # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs + config.pki_master_dict['pki_deployment_executable'] =\ + config.pki_deployment_executable + config.pki_master_dict['pki_install_time'] = config.pki_install_time + config.pki_master_dict['pki_timestamp'] = config.pki_timestamp + config.pki_master_dict['pki_certificate_timestamp'] =\ + config.pki_certificate_timestamp + config.pki_master_dict['pki_architecture'] = config.pki_architecture + config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg + config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg + config.pki_master_dict['pki_deployed_instance_name'] =\ + config.pki_deployed_instance_name + # Generate random 'pin's for use as security database passwords + # and add these to the "sensitive" key value pairs read in from + # the configuration file + pin_low = 100000000000 + pin_high = 999999999999 + config.pki_master_dict['pki_pin'] =\ + random.randint(pin_low, pin_high) + config.pki_master_dict['pki_client_pin'] =\ + random.randint(pin_low, pin_high) + + self.flatten_master_dict() + + pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split() + + # PKI Target (slot substitution) name/value pairs + config.pki_master_dict['pki_target_cs_cfg'] =\ + os.path.join( + 
config.pki_master_dict['pki_subsystem_configuration_path'], + "CS.cfg") + config.pki_master_dict['pki_target_registry'] =\ + os.path.join(config.pki_master_dict['pki_instance_registry_path'], + config.pki_master_dict['pki_instance_name']) + if config.pki_master_dict['pki_subsystem'] == "CA" and\ + config.str2bool(config.pki_master_dict['pki_external_step_two']): + # Use the 'pki_one_time_pin' established during the setup of + # External CA Step 1 + if os.path.exists(config.pki_master_dict['pki_target_cs_cfg'])\ + and\ + os.path.isfile(config.pki_master_dict['pki_target_cs_cfg']): + cs_cfg = self.read_simple_configuration_file( + config.pki_master_dict['pki_target_cs_cfg']) + config.pki_master_dict['pki_one_time_pin'] =\ + cs_cfg.get('preop.pin') + else: + config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + config.pki_master_dict['pki_target_cs_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + # Generate a one-time pin to be used prior to configuration + # and add this to the "sensitive" key value pairs read in from + # the configuration file + config.pki_master_dict['pki_one_time_pin'] =\ + ''.join(random.choice(string.ascii_letters + string.digits)\ + for x in range(20)) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_target_catalina_properties'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "catalina.properties") + config.pki_master_dict['pki_target_servercertnick_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_target_server_xml'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "server.xml") + config.pki_master_dict['pki_target_context_xml'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "context.xml") + config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\ + 
config.pki_master_dict['pki_root_prefix'] +\ + "/etc/sysconfig/" +\ + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_target_tomcat_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "tomcat.conf") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_velocity_properties'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "velocity.properties") + config.pki_master_dict['pki_target_subsystem_web_xml'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml") + config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml.orig") + # subystem-specific slot substitution name/value pairs + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_flatfile_txt'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "flatfile.txt") + config.pki_master_dict['pki_target_proxy_conf'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "proxy.conf") + config.pki_master_dict['pki_target_registry_cfg'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_target_admincert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "adminCert.profile") + config.pki_master_dict['pki_target_caauditsigningcert_profile']\ + = os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_target_cacert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caCert.profile") + config.pki_master_dict['pki_target_caocspcert_profile'] =\ + 
os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_profileselect_template'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_path'], + "ee", + config.pki_master_dict['pki_subsystem'].lower(), + "ProfileSelect.template") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_storagecert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "storageCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_target_transportcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "transportCert.profile") + # Slot assignment name/value pairs + # NOTE: Master key == Slots key; Master value ==> Slots value + config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + config.pki_master_dict['pki_instance_name']) + config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.pki_master_dict['pki_instance_name']) + 
if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None + config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None + config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None + config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None + config.pki_master_dict['HTTPD_CONF_SLOT'] = None + config.pki_master_dict['LIB_PREFIX_SLOT'] = None + config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None + config.pki_master_dict['NSS_CONF_SLOT'] = None + config.pki_master_dict['OBJ_EXT_SLOT'] = None + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "apache") + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + "apache") + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache" + config.pki_master_dict['PORT_SLOT'] = None + config.pki_master_dict['PROCESS_ID_SLOT'] = None + config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None + config.pki_master_dict['SECURE_PORT_SLOT'] = None + config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None + config.pki_master_dict['SERVER_NAME_SLOT'] = None + config.pki_master_dict['SERVER_ROOT_SLOT'] = None + config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None + config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None + config.pki_master_dict['TMP_DIR_SLOT'] = None + config.pki_master_dict['TPS_DIR_SLOT'] = None + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['INSTALL_TIME_SLOT'] =\ + config.pki_master_dict['pki_install_time'] + config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + 
config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ + "want" + config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ + config.pki_master_dict['pki_ajp_port'] + config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ + config.pki_master_dict['pki_pin'] + config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ + config.pki_master_dict['pki_target_cs_cfg'] + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_GROUP_SLOT'] =\ + config.pki_master_dict['pki_group'] + config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ + config.pki_master_dict['pki_instance_path'] + config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ + config.pki_master_dict['pki_path'] + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "tomcat") + config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict\ + ['PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ 
+ "-->" + config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] = "" + config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] = "" + config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\ + config.pki_master_dict['pki_security_manager'] + config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ + config.pki_master_dict['pki_target_server_xml'] + config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + "/" + config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_name'] + ".service" + config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_http_port'] + config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unsecure" + config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_USER_SLOT'] =\ + config.pki_master_dict['pki_user'] + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\ + "tomcat" + config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ + "webapps" + config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ + config.pki_master_dict['pki_target_tomcat_conf'] + config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "*.jar") + config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ + config.pki_master_dict['pki_instance_log_path'] + config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ + "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_name'] + ".pid" + config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ + config.pki_master_dict['pki_tomcat_server_port'] + config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ + "-SSL2_RC4_128_WITH_MD5," +\ + "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ + "-SSL2_RC2_128_CBC_WITH_MD5," +\ + 
"-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\ + "-SSL2_DES_64_CBC_WITH_MD5," +\ + "-SSL2_DES_192_EDE3_CBC_WITH_MD5" + config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\ + "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\ + "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\ + "+SSL3_RSA_WITH_RC4_128_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\ + "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+SSL3_RSA_WITH_DES_CBC_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\ + "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\ + "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\ + "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\ + "-SSL3_RSA_WITH_NULL_MD5," +\ + "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\ + "ssl2=true," +\ + "ssl3=true," +\ + "tls=true" + config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + # Shared Apache/Tomcat NSS security database name/value pairs + config.pki_master_dict['pki_shared_pfile'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + 
"pfile") + config.pki_master_dict['pki_shared_password_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "password.conf") + config.pki_master_dict['pki_cert_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "cert8.db") + config.pki_master_dict['pki_key_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "key3.db") + config.pki_master_dict['pki_secmod_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "secmod.db") + config.pki_master_dict['pki_self_signed_token'] = "internal" + config.pki_master_dict['pki_self_signed_nickname'] =\ + "Server-Cert cert-" + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_self_signed_subject'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_serial_number'] = 0 + config.pki_master_dict['pki_self_signed_validity_period'] = 12 + config.pki_master_dict['pki_self_signed_issuer_name'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" + config.pki_master_dict['pki_self_signed_noise_file'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "noise") + config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024 + # Shared Apache/Tomcat NSS security database convenience symbolic links + config.pki_master_dict\ + ['pki_subsystem_configuration_password_conf_link'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "password.conf") + + if not len(config.pki_master_dict['pki_client_database_password']): + # use randomly generated client 'pin' + config.pki_master_dict['pki_client_database_password'] =\ + str(config.pki_master_dict['pki_client_pin']) + + # Configuration scriptlet + # 'Security 
Domain' Configuration name/value pairs + # 'Subsystem Name' Configuration name/value pairs + # 'Token' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_security_domain_type'] + # config.pki_master_dict['pki_security_domain_uri'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_clone_pkcs12_password'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_token_password'] + # config.pki_master_dict['pki_clone_pkcs12_path'] + # config.pki_master_dict['pki_clone_uri'] + # config.pki_master_dict['pki_security_domain_https_port'] + # config.pki_master_dict['pki_token_name'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_security_domain_user'] + # config.pki_master_dict['pki_issuing_ca'] + # + + # if security domain user is not defined + if not len(config.pki_master_dict['pki_security_domain_user']): + + # use the CA admin uid if it's defined + if self.pki_config.has_option('CA', 'pki_admin_uid') and\ + len(self.pki_config.get('CA', 'pki_admin_uid')) > 0: + config.pki_master_dict['pki_security_domain_user'] =\ + self.pki_config.get('CA', 'pki_admin_uid') + + # or use the Default admin uid if it's defined + elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ + len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: + config.pki_master_dict['pki_security_domain_user'] =\ + self.pki_config.get('DEFAULT', 'pki_admin_uid') + + # otherwise use the default CA admin uid + else: + config.pki_master_dict['pki_security_domain_user'] = "caadmin" + + if 
config.pki_subsystem != "CA" or\ + config.str2bool(config.pki_master_dict['pki_clone']) or\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + config.pki_master_dict['pki_security_domain_type'] = "existing" + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ + config.pki_master_dict['pki_security_domain_https_port'] + + elif config.str2bool(config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict['pki_issuing_ca']): + config.pki_master_dict['pki_issuing_ca'] = "External CA" + else: + # PKI CA + config.pki_master_dict['pki_security_domain_type'] = "new" + + # 'External CA' Configuration name/value pairs + # + # Tomcat - [External CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_external_ca_cert_chain_path'] + # config.pki_master_dict['pki_external_ca_cert_path'] + # config.pki_master_dict['pki_external_csr_path'] + # config.pki_master_dict['pki_external_step_two'] + # + + # 'Backup' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_backup_password'] + # config.pki_master_dict['pki_backup_keys'] + # + if config.str2bool(config.pki_master_dict['pki_backup_keys']): + # NOTE: ALWAYS store the PKCS #12 backup keys file + # in with the NSS "server" security databases + config.pki_master_dict['pki_backup_keys_p12'] =\ + config.pki_master_dict['pki_database_path'] + "/" +\ + 
config.pki_master_dict['pki_subsystem'].lower() + "_" +\ + "backup" + "_" + "keys" + "." + "p12" + + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" + + if not 'pki_import_admin_cert' in config.pki_master_dict: + config.pki_master_dict['pki_import_admin_cert'] = 'false' + + config.pki_master_dict['pki_ca_signing_tag'] = "signing" + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + config.pki_master_dict['pki_ocsp_signing_tag'] = "signing" + config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing" + config.pki_master_dict['pki_transport_tag'] = "transport" + config.pki_master_dict['pki_storage_tag'] = "storage" + + # Finalization name/value pairs + config.pki_master_dict['pki_default_deployment_cfg_replica'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.DEFAULT_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_user_deployment_cfg_replica'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.USER_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "spawn" + "_" +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" +\ + config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." 
+\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_manifest'] =\ + config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\ + "manifest" + config.pki_master_dict['pki_manifest_spawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "spawn" + "_" + "manifest" + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_manifest_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" + "manifest" + "." +\ + config.pki_master_dict['pki_timestamp'] + # Construct the configuration URL containing the one-time pin + # and add this to the "sensitive" key value pairs read in from + # the configuration file + # + # NOTE: This is the one and only parameter containing a sensitive + # parameter that may be stored in a log file and displayed + # to the screen. + # + config.pki_master_dict['pki_configuration_url'] =\ + "https://{}:{}/{}/{}?pin={}".format( + config.pki_master_dict['pki_hostname'], + config.pki_master_dict['pki_https_port'], + config.pki_master_dict['pki_subsystem'].lower(), + "admin/console/config/login", + config.pki_master_dict['pki_one_time_pin']) + # Compose this "systemd" execution management command + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_registry_initscript_command'] =\ + "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + config.pki_master_dict['pki_instance_name'] + "." + "service" + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_registry_initscript_command'] =\ + "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_name'] + "." 
+ "service" + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except KeyError as err: + config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, + err, extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + + def compose_pki_slots_dictionary(self): + """Read the slots configuration file to create + the appropriate PKI slots dictionary""" + rv = 0 + try: + config.pki_slots_dict = dict() + parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str + parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE) + # Slots configuration file name/value pairs + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Apache']) + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Tomcat']) + except ConfigParser.ParsingError, err: + rv = err + return rv diff --git a/base/server/src/engine/pkiscriptlet.py b/base/server/src/engine/pkiscriptlet.py new file mode 100644 index 000000000..767b3c609 --- /dev/null +++ b/base/server/src/engine/pkiscriptlet.py 
@@ -0,0 +1,46 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import abc
+
+
+# PKI Deployment Abstract Base PKI Scriptlet
+class AbstractBasePkiScriptlet(object):
+ __metaclass__ = abc.ABCMeta
+
+ @abc.abstractmethod
+ def spawn(self):
+ """Retrieve data from the specified PKI dictionary and
+ use it to install a new PKI instance."""
+ return
+
+ @abc.abstractmethod
+ def respawn(self):
+ """Retrieve data from the specified PKI dictionary and
+ use it to update an existing PKI instance."""
+ return
+
+ @abc.abstractmethod
+ def destroy(self):
+ """Retrieve data from the specified PKI dictionary and
+ use it to destroy an existing PKI instance."""
+ return
diff --git a/base/server/src/pkidestroy b/base/server/src/pkidestroy
new file mode 100755
index 000000000..4e23445f1
--- /dev/null
+++ b/base/server/src/pkidestroy
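Review bot: The docstrings of spawn, respawn and destroy leave out the return contract that the drivers in this same commit rely on: pkispawn and pkidestroy assign the method's return value to rv and call sys.exit(1) as soon as it is not 0, so a scriptlet author who returns None or True on success will silently abort the whole deployment. Suggest adding one line to each docstring, e.g. `Return 0 on success; any other value makes pkispawn/pkidestroy stop the run.` The drivers are the only callers visible here, so confirm no other caller interprets the value differently before documenting it as the contract.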
@@ -0,0 +1,264 @@ +#!/usr/bin/python -tu +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2011 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import sys +import signal + +if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print "Python version %s.%s.%s is too old." % sys.version_info[:3] + print "Please upgrade to at least Python 2.7.0." + sys.exit(1) +try: + import argparse + import logging + import os + import socket + import struct + import subprocess + import time + from time import strftime as date + from pki.deployment import pkiconfig as config + from pki.deployment.pkiparser import PKIConfigParser + from pki.deployment import pkilogging + from pki.deployment import pkimessages as log +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +#Handle the Keyboard Interrupt +def interrupt_handler(signal, frame): + print + print '\nUninstallation canceled.' + sys.exit(1) + +# PKI Deployment Functions +def main(argv): + "main entry point" + + config.pki_deployment_executable = os.path.basename(argv[0]) + + # Only run this program as "root". + if not os.geteuid() == 0: + sys.exit("'%s' must be run as root!" 
% argv[0]) + + # Set the umask + os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + + # Generate a timestamp + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Obtain the architecture bit-size + config.pki_architecture = struct.calcsize("P") * 8 + + # Retrieve hostname + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("dnsdomainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + if not len(config.pki_dns_domainname): + print log.PKI_DNS_DOMAIN_NOT_SET + sys.exit(1) + except subprocess.CalledProcessError as exc: + print log.PKI_SUBPROCESS_ERROR_1 % exc + sys.exit(1) + + # Read and process command-line arguments. + parser = PKIConfigParser( + 'PKI Instance Removal', + log.PKIDESTROY_EPILOG) + + parser.optional.add_argument('-i', + dest='pki_deployed_instance_name', + action='store', + nargs=1, metavar='', + help='FORMAT: ${pki_instance_name}') + + parser.optional.add_argument('-u', + dest='pki_secdomain_user', + action='store', + nargs=1, metavar='', + help='security domain user') + + parser.optional.add_argument('-W', + dest='pki_secdomain_pass_file', + action='store', + nargs=1, metavar='', + help='security domain password file path') + + + args = parser.process_command_line_arguments(argv) + + interactive = False + + while True: + + # -s + if args.pki_subsystem is None: + interactive = True + config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', + options=['CA', 'KRA', 'OCSP', 'TKS'], + default='CA', caseSensitive=False).upper() + else: + config.pki_subsystem = str(args.pki_subsystem).strip('[\']') + + # -i + if args.pki_deployed_instance_name is None: + interactive = True 
+ config.pki_deployed_instance_name = parser.read_text('Instance', default='pki-tomcat') + else: + config.pki_deployed_instance_name = str(args.pki_deployed_instance_name).strip('[\']') + + if interactive: + print + parser.indent = 0 + + begin = parser.read_text('Begin uninstallation (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + + print + + if begin == 'q' or begin == 'quit': + print "Uninstallation canceled." + sys.exit(0) + + elif begin == 'y' or begin == 'yes': + break + + else: + break + + # '-u' + if args.pki_secdomain_user: + config.pki_secdomain_user = str(args.pki_secdomain_user).strip('[\']') + + # '-W' password file + if args.pki_secdomain_pass_file: + with open(str(args.pki_secdomain_pass_file).strip('[\']'),'r') as pwd_file: + config.pki_secdomain_pass = pwd_file.readline().strip('\n') + + # verify that previously deployed instance exists + deployed_pki_instance_path = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\ + config.pki_deployed_instance_name + if not os.path.exists(deployed_pki_instance_path): + print "ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\ + deployed_pki_instance_path + print + parser.arg_parser.exit(-1); + + # verify that previously deployed subsystem for this instance exists + deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\ + config.pki_subsystem.lower() + if not os.path.exists(deployed_pki_subsystem_path): + print "ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\ + (config.pki_subsystem, deployed_pki_instance_path) + print + parser.arg_parser.exit(-1); + + config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # establish complete path to previously deployed configuration file + config.user_deployment_cfg =\ + deployed_pki_subsystem_path + "/" +\ + "registry" + "/" +\ + config.pki_subsystem.lower() + "/" +\ + config.USER_DEPLOYMENT_CONFIGURATION + + parser.validate() + 
parser.init_config() + + # Enable 'pkidestroy' logging. + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "destroy" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkidestroy") + if rv != OSError: + config.pki_log = rv + else: + print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir + sys.exit(1) + + # Read the specified PKI configuration file. + rv = parser.read_pki_configuration_file() + if rv != 0: + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) + + # Combine the various sectional dictionaries into a PKI master dictionary + parser.compose_pki_master_dictionary() + config.pki_master_dict['pki_destroy_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print "Uninstalling " + config.pki_subsystem + " from " + deployed_pki_instance_path + "." + + # Process the various "scriptlets" to remove the specified PKI subsystem. + pki_subsystem_scriptlets = config.pki_master_dict['destroy_scriplets'].split() + rv = 0 + for pki_scriptlet in pki_subsystem_scriptlets: + scriptlet = __import__("pki.deployment." + + pki_scriptlet, + fromlist = [pki_scriptlet]) + instance = scriptlet.PkiScriptlet() + rv = instance.destroy() + if rv != 0: + sys.exit(1) + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print + print "Uninstallation complete." 
+
+
+# PKI Deployment Entry Point
+if __name__ == "__main__":
+ signal.signal(signal.SIGINT, interrupt_handler)
+ main(sys.argv)
diff --git a/base/server/src/pkispawn b/base/server/src/pkispawn
new file mode 100755
index 000000000..447240ecf
--- /dev/null
+++ b/base/server/src/pkispawn
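Review bot: The logger check `if rv != OSError:` compares whatever pkilogging.enable_pki_logger returned with the exception class itself, so unless that function returns the class object the comparison is always true and the PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 branch can never run; enable_pki_logger is outside this hunk, so check its actual failure convention and test for that (e.g. `if isinstance(rv, OSError):` if it returns the caught exception). The command-line values are recovered with `str(args.x).strip('[\']')`, which unwraps the nargs=1 list by stripping characters and would mangle an instance name or password-file path that starts or ends with `[`, `]` or `'`; `args.pki_deployed_instance_name[0]` (or dropping nargs=1) is exact. The `-W` file is opened with no handling of IOError, so a wrong path produces a traceback rather than a message, and the `-i` value is joined onto PKI_DEPLOYMENT_BASE_ROOT without rejecting `/` or `..` before the existence checks; since the destroy scriptlets later act on that path as root, rejecting path separators in the name would be cheap insurance. `subprocess.check_output("dnsdomainname", shell=True)` needs no shell and is clearer as `subprocess.check_output(["dnsdomainname"])`.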
@@ -0,0 +1,413 @@ +#!/usr/bin/python -tu +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2011 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import sys +import signal + +if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print "Python version %s.%s.%s is too old." % sys.version_info[:3] + print "Please upgrade to at least Python 2.7.0." + sys.exit(1) +try: + import argparse + import ldap + import logging + import os + import requests + import socket + import struct + import subprocess + import time + import urllib2 + from time import strftime as date + from pki.deployment import pkiconfig as config + from pki.deployment.pkiparser import PKIConfigParser + from pki.deployment import pkilogging + from pki.deployment import pkimessages as log +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +#Handle the Keyboard Interrupt +def interrupt_handler(signal, frame): + print + print '\nInstallation canceled.' + sys.exit(1) + +# PKI Deployment Functions +def main(argv): + "main entry point" + + config.pki_deployment_executable = os.path.basename(argv[0]) + + # Only run this program as "root". + if not os.geteuid() == 0: + sys.exit("'%s' must be run as root!" 
% argv[0]) + + # Set the umask + os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + + # Generate a timestamp + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Obtain the architecture bit-size + config.pki_architecture = struct.calcsize("P") * 8 + + # Retrieve hostname + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("dnsdomainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + if not len(config.pki_dns_domainname): + print log.PKI_DNS_DOMAIN_NOT_SET + sys.exit(1) + except subprocess.CalledProcessError as exc: + print log.PKI_SUBPROCESS_ERROR_1 % exc + sys.exit(1) + + # Read and process command-line arguments. + parser = PKIConfigParser( + 'PKI Instance Installation and Configuration', + log.PKISPAWN_EPILOG) + + parser.optional.add_argument('-f', + dest='user_deployment_cfg', action='store', + nargs=1, metavar='', + help='configuration filename ' + '(MUST specify complete path)') + + parser.optional.add_argument('-u', + dest='pki_update_flag', action='store_true', + help='update instance of specified subsystem') + + args = parser.process_command_line_arguments(argv) + + config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # -f + if args.user_deployment_cfg is not None: + config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']') + + # -u + config.pki_update_flag = args.pki_update_flag + + parser.validate() + interactive = False + + while True: + + # -s + if args.pki_subsystem is None: + interactive = True + parser.indent = 0 + + config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', + options=['CA', 'KRA', 'OCSP', 'TKS'], + 
default='CA', caseSensitive=False).upper() + print + else: + config.pki_subsystem = str(args.pki_subsystem).strip('[\']') + + parser.init_config() + + if config.user_deployment_cfg is None: + interactive = True + parser.indent = 2 + + print "Tomcat:" + parser.read_text('Instance', 'DEFAULT', 'pki_instance_name') + parser.read_text('HTTP port', config.pki_subsystem, 'pki_http_port') + parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_https_port') + parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port') + parser.read_text('Management port', config.pki_subsystem, 'pki_tomcat_server_port') + print + + print "Administrator:" + parser.read_text('Username', config.pki_subsystem, 'pki_admin_uid') + + admin_password = parser.read_password( + 'Password', config.pki_subsystem, 'pki_admin_password', + verifyMessage='Verify password') + + parser.set_property(config.pki_subsystem, 'pki_backup_password', admin_password) + parser.set_property(config.pki_subsystem, 'pki_client_database_password', admin_password) + parser.set_property(config.pki_subsystem, 'pki_client_pkcs12_password', admin_password) + + if config.pki_master_dict['pki_import_admin_cert'] == 'True': + import_cert = 'Y' + else: + import_cert = 'N' + + import_cert = parser.read_text('Import certificate (Yes/No)', + default=import_cert, options=['Yes', 'Y', 'No', 'N'], + sign='?', caseSensitive=False).lower() + + if import_cert == 'y' or import_cert == 'yes': + parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'True') + parser.read_text('Import certificate from', config.pki_subsystem, 'pki_admin_cert_file') + else: + parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'False') + + parser.read_text('Export certificate to', config.pki_subsystem, 'pki_client_admin_cert') + print + + print "Directory Server:" + while True: + parser.read_text('Hostname', config.pki_subsystem, 'pki_ds_hostname') + parser.read_text('Port', config.pki_subsystem, 'pki_ds_ldap_port') + + 
try: + parser.ds_connect() + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + + while True: + parser.read_text('Bind DN', config.pki_subsystem, 'pki_ds_bind_dn') + parser.read_password('Password', config.pki_subsystem, 'pki_ds_password') + + try: + parser.ds_bind() + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + + while True: + parser.read_text('Base DN', config.pki_subsystem, 'pki_ds_base_dn') + try: + if not parser.ds_base_dn_exists(): + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + continue + + remove = parser.read_text('Base DN already exists. Overwrite (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + + if remove == 'q' or remove == 'quit': + print "Installation canceled." + sys.exit(0) + + if remove == 'y' or remove == 'yes': + break + + parser.ds_close() + + print + + print "Security Domain:" + + if config.pki_subsystem == "CA": + parser.read_text('Name', config.pki_subsystem, 'pki_security_domain_name') + + else: + while True: + parser.read_text('Hostname', config.pki_subsystem, 'pki_security_domain_hostname') + parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_security_domain_https_port') + + try: + parser.sd_connect() + info = parser.sd_get_info() + parser.print_text('Name: ' + info.name) + parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) + break + except requests.exceptions.ConnectionError as e: + parser.print_text('ERROR: ' + str(e)) + + while True: + parser.read_text('Username', config.pki_subsystem, 'pki_security_domain_user') + parser.read_password('Password', config.pki_subsystem, 'pki_security_domain_password') + + try: + parser.sd_authenticate() + break + except requests.exceptions.HTTPError as e: + parser.print_text('ERROR: ' + str(e)) + + print + + if interactive: + parser.indent = 0 + + begin = 
parser.read_text('Begin installation (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + print + + if begin == 'q' or begin == 'quit': + print "Installation canceled." + sys.exit(0) + + if begin == 'y' or begin == 'yes': + break + + else: + break + + if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\ + "/" + config.pki_subsystem.lower()): + print "ERROR: " + log.PKI_SUBSYSTEM_NOT_INSTALLED_1 %\ + config.pki_subsystem.lower() + sys.exit(1) + + # Enable 'pkispawn' logging. + rv = 0 + if not config.pki_update_flag: + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "spawn" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkispawn") + else: + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "respawn" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkirespawn") + if rv != OSError: + config.pki_log = rv + else: + print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir + sys.exit(1) + + # Read the specified PKI configuration file. + rv = parser.read_pki_configuration_file() + if rv != 0: + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) + + # Read in the PKI slots configuration file. 
+ parser.compose_pki_slots_dictionary() + config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_slots_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + # Combine the various sectional dictionaries into a PKI master dictionary + parser.compose_pki_master_dictionary() + + if not config.pki_update_flag: + config.pki_master_dict['pki_spawn_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + else: + config.pki_master_dict['pki_respawn_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + if not interactive and\ + not config.str2bool(config.pki_master_dict['pki_skip_configuration']): + try: + parser.ds_connect() + parser.ds_bind() + + if parser.ds_base_dn_exists() and\ + not config.str2bool(config.pki_master_dict['pki_ds_remove_data']): + print 'ERROR: Base DN already exists.' + sys.exit(1) + + parser.ds_close() + + except ldap.LDAPError as e: + print 'ERROR: Unable to access directory server: ' + e.message['desc'] + sys.exit(1) + + if config.pki_subsystem != "CA" or\ + config.str2bool(config.pki_master_dict['pki_clone']) or\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + try: + parser.sd_connect() + info = parser.sd_get_info() + parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) + parser.sd_authenticate() + + except requests.exceptions.ConnectionError as e: + print('ERROR: Unable to access security domain: ' + str(e)) + sys.exit(1) + + except requests.exceptions.HTTPError as e: + print('ERROR: Unable to access security domain: ' + str(e)) + sys.exit(1) + + print "Installing " + config.pki_subsystem + " into " + config.pki_master_dict['pki_instance_path'] + "." 
+ + # Process the various "scriptlets" to create the specified PKI subsystem. + pki_subsystem_scriptlets = config.pki_master_dict['spawn_scriplets'].split() + rv = 0 + for pki_scriptlet in pki_subsystem_scriptlets: + scriptlet = __import__("pki.deployment." + + pki_scriptlet, + fromlist = [pki_scriptlet]) + instance = scriptlet.PkiScriptlet() + if not config.pki_update_flag: + rv = instance.spawn() + else: + rv = instance.respawn() + if rv != 0: + sys.exit(1) + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print + print "Installation complete." + + +# PKI Deployment Entry Point +if __name__ == "__main__": + signal.signal(signal.SIGINT, interrupt_handler) + main(sys.argv) diff --git a/base/server/src/scriptlets/configuration.py b/base/server/src/scriptlets/configuration.py new file mode 100644 index 000000000..7bd1b017a --- /dev/null +++ b/base/server/src/scriptlets/configuration.py 
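Review bot: The interactive default for the admin-certificate prompt is derived with `if config.pki_master_dict['pki_import_admin_cert'] == 'True':`, a case-sensitive string compare, while every other boolean in this file goes through config.str2bool and compose_pki_master_dictionary seeds that key with the lowercase `'false'`; a configuration that spells the value `true` or `yes` would therefore default the prompt to N. Replace it with `if config.str2bool(config.pki_master_dict['pki_import_admin_cert']):`. Separately, both `config.pki_log.debug(pkilogging.format(config.pki_master_dict), ...)` calls dump the entire master dictionary, which by this point holds pki_admin_password, pki_ds_password and pki_security_domain_password as typed at the prompts (plus pki_token_password, pki_backup_password and the clone PKCS #12 password from the file); pkilogging.format is not in this hunk, so confirm it masks those keys before the spawn log is written, otherwise the secrets land on disk at debug level. The `if rv != OSError:` test after enable_pki_logger compares a return value with an exception class and is effectively always true; check what that function returns on failure and test for that instead.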
@@ -0,0 +1,150 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import json +import pki.system +import pki.encoder + + +# PKI Deployment Configuration Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_configuration']): + config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # Place "slightly" less restrictive permissions on + # the top-level client directory ONLY + util.directory.create(master['pki_client_subsystem_dir'], + uid=0, gid=0, + perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + 
master['pki_client_password_conf'], + master['pki_client_database_password'], pin_sans_token=True) + util.file.modify(master['pki_client_password_conf'], + uid=0, gid=0) + # Similarly, create a simple password file containing the + # PKCS #12 password used when exporting the "Admin Certificate" + # into a PKCS #12 file + util.password.create_client_pkcs12_password_conf( + master['pki_client_pkcs12_password_conf']) + util.file.modify(master['pki_client_pkcs12_password_conf']) + util.directory.create(master['pki_client_database_dir'], + uid=0, gid=0) + util.certutil.create_security_databases( + master['pki_client_database_dir'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) + + # Start/Restart this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instance_subsystems =\ + util.instance.apache_instance_subsystems() + if apache_instance_subsystems == 1: + util.systemd.start() + elif apache_instance_subsystems > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instance_subsystems =\ + len(util.instance.tomcat_instance_subsystems()) + if tomcat_instance_subsystems == 1: + util.systemd.start() + elif tomcat_instance_subsystems > 1: + util.systemd.restart() + + # wait for startup + status = util.instance.wait_for_startup(60) + if status == None: + config.pki_log.error("server failed to restart", + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + # Optionally wait for debugger to attach (e. g. 
- 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + config_client = util.config_client() + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_subsystem'] == "TPS": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_instance_type'] == "Tomcat": + # CA, KRA, OCSP, or TKS + data = config_client.construct_pki_configuration_data() + + # Configure the substem + config_client.configure_pki_data( + json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) + + return self.rv + + def respawn(self): + config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + return self.rv diff --git a/base/server/src/scriptlets/finalization.py b/base/server/src/scriptlets/finalization.py new file mode 100644 index 000000000..6ddc98d03 --- /dev/null +++ b/base/server/src/scriptlets/finalization.py 
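Review bot: `sys.exit(1)` in spawn's "server failed to restart" branch raises NameError, because this module never imports sys (its imports are pkiconfig, pkihelper, pkimessages, pkiscriptlet, json, pki.system and pki.encoder), so a start-up timeout becomes a traceback instead of the intended exit; either add `import sys` beside `import json`, or return a non-zero value and let the driver exit. Likewise the two `return rv` statements in the RA and TPS not-yet-implemented branches refer to an unbound local, since rv is a class attribute; they should read `return self.rv`. `if status == None:` should be `if status is None:`. The client password files are created as root with uid=0, gid=0 but no explicit perms argument, so their mode depends on the defaults of util.password.create_password_conf and util.file.modify, which are outside this hunk; worth confirming they are not group- or world-readable, since they hold the client NSS database and PKCS #12 passwords.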
@@ -0,0 +1,114 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimanifest as manifest
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Finalization Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external_step_two']):
+ # must check for 'External CA Step 2' installation PRIOR to
+ # 'pki_skip_installation' since this value has been set to true
+ # by the initialization scriptlet
+ pass
+ elif config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_FINALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # For debugging/auditing purposes, save a timestamped copy of
+ # this configuration file in the subsystem archive
+ util.file.copy(master['pki_user_deployment_cfg_replica'],
+ master['pki_user_deployment_cfg_spawn_archive'])
+ # Save a copy of the installation manifest file
+
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'], + extra=config.PKI_INDENTATION_LEVEL_2) + # for record in manifest.database: + # print tuple(record) + manifest.file.register(master['pki_manifest']) + manifest.file.write() + util.file.modify(master['pki_manifest'], silent=True) + + # Also, for debugging/auditing purposes, save a timestamped copy of + # this installation manifest file + util.file.copy(master['pki_manifest'], + master['pki_manifest_spawn_archive']) + # Optionally, programmatically 'restart' the configured PKI instance + if config.str2bool(master['pki_restart_configured_instance']): + util.systemd.restart() + # Optionally, 'purge' the entire temporary client infrastructure + # including the client NSS security databases and password files + # + # WARNING: If the PKCS #12 file containing the Admin Cert was + # placed under this infrastructure, it may accidentally + # be deleted! + # + if config.str2bool(master['pki_client_database_purge']): + if util.directory.exists(master['pki_client_subsystem_dir']): + util.directory.delete(master['pki_client_subsystem_dir']) + # If instance has not been configured, print the + # configuration URL to the log + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.log_configuration_url() + # Log final process messages + config.pki_log.info(log.PKISPAWN_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + util.file.modify(master['pki_spawn_log'], silent=True) + # If instance has not been configured, print the + # configuration URL to the screen + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.display_configuration_url() + return self.rv + + def respawn(self): + config.pki_log.info(log.FINALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, + 
extra=config.PKI_INDENTATION_LEVEL_1) + util.file.modify(master['pki_destroy_log'], silent=True) + # Start this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() >= 1: + util.systemd.start() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) >= 1: + util.systemd.start() + config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + return self.rv diff --git a/base/server/src/scriptlets/infrastructure_layout.py b/base/server/src/scriptlets/infrastructure_layout.py new file mode 100644 index 000000000..69a905849 --- /dev/null +++ b/base/server/src/scriptlets/infrastructure_layout.py 
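Review bot: The archive copies made in spawn() by `util.file.copy(master['pki_user_deployment_cfg_replica'], master['pki_user_deployment_cfg_spawn_archive'])` and of `master['pki_manifest']` get no explicit ownership or mode, whereas the client password files earlier in this commit are followed by `util.file.modify(..., uid=0, gid=0)`. The deployment configuration is the file whose entries initialization.py checks with `verify_sensitive_data()`, so the timestamped copy presumably carries the same secrets; unless `util.file.copy` already defaults to a restrictive mode (pkihelper is not part of this diff), follow the copy with `util.file.modify(master['pki_user_deployment_cfg_spawn_archive'], perms=<RESTRICTIVE_FILE_MODE>)`. The leftover debugging lines `# for record in manifest.database:` / `# print tuple(record)` should be removed rather than kept as commented-out code.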
@@ -0,0 +1,116 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Top-Level Infrastructure Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # NOTE: It was determined that since the "pkidestroy" command + # relies upon a symbolic link to a replica of the original + # deployment configuration file used by the + # "pkispawn" command of an instance, it is necessary to + # create any required instance and subsystem directories + # in this top-level "infrastructure_layout" scriptlet + # (rather than the "instance_layout" and "subsystem_layout" + # scriptlets) so that a copy of this configuration file can + # be saved, and the required symbolic link can be created. 
+ # + # establish the top-level infrastructure, instance, and subsystem + # registry directories for storage of a copy of the original + # deployment configuration file used to spawn this instance, + # and save a copy of this file + util.directory.create(master['pki_registry_path']) + util.directory.create(master['pki_instance_type_registry_path']) + util.directory.create(master['pki_instance_registry_path']) + util.directory.create(master['pki_subsystem_registry_path']) + util.file.copy(master['pki_default_deployment_cfg'], + master['pki_default_deployment_cfg_replica']) + + print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "." + if master['pki_user_deployment_cfg']: + util.file.copy(master['pki_user_deployment_cfg'], + master['pki_user_deployment_cfg_replica']) + else: + with open(master['pki_user_deployment_cfg_replica'], 'w') as f: + config.user_config.write(f) + + # establish top-level infrastructure, instance, and subsystem + # base directories and create the "registry" symbolic link that + # the "pkidestroy" executable relies upon + util.directory.create(master['pki_path']) + util.directory.create(master['pki_instance_path']) + util.directory.create(master['pki_subsystem_path']) + util.symlink.create(master['pki_instance_registry_path'], + master['pki_subsystem_registry_link']) + # + # NOTE: If "infrastructure_layout" scriptlet execution has been + # successfully executed to this point, the "pkidestroy" command + # may always be utilized to remove the entire infrastructure. 
+ # + # no need to establish top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # and will already exist + # util.directory.create(master['pki_log_path']) + # establish top-level infrastructure configuration + if master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.create(master['pki_configuration_path']) + return self.rv + + def respawn(self): + config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove top-level infrastructure base + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_instance_subsystems() == 0: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # do NOT remove top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + util.directory.delete(master['pki_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/initialization.py b/base/server/src/scriptlets/initialization.py new file mode 100644 index 000000000..3494ebdc7 --- /dev/null +++ b/base/server/src/scriptlets/initialization.py 
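Review bot: In spawn(), the `else:` branch writes the user deployment configuration replica with a plain `open(master['pki_user_deployment_cfg_replica'], 'w')`, so the file is created with whatever mode the process umask allows, while the sibling branch goes through `util.file.copy`. The hunk's own NOTE says pkidestroy later relies on this replica, and it holds the same entries the deployment treats as sensitive, so set a restrictive mode on both paths, e.g. `util.file.modify(master['pki_user_deployment_cfg_replica'], perms=<RESTRICTIVE_FILE_MODE>)` after the if/else. The status line `print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "."` bypasses `config.pki_log` and uses the unaliased `config.pki_master_dict` where every other line uses `master`; `config.pki_log.info("Storing deployment configuration into %s.", master['pki_user_deployment_cfg_replica'], extra=config.PKI_INDENTATION_LEVEL_2)` would keep it in the log, though whether stdout output is also wanted I cannot tell from this hunk.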
@@ -0,0 +1,126 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Initialization Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + # begin official logging + config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + else: + config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # verify that this type of "subsystem" currently EXISTS + # for this "instance" (External CA Step 2) + util.instance.verify_subsystem_exists() + master['pki_skip_installation'] = "True"; + else: + # verify that this type of "subsystem" does NOT yet + # exist for this "instance" + 
util.instance.verify_subsystem_does_not_exist() + # detect and avoid any namespace collisions + util.namespace.collision_detection() + # initialize 'uid' and 'gid' + util.identity.add_uid_and_gid(master['pki_user'], master['pki_group']) + # establish 'uid' and 'gid' + util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # verify existence of SENSITIVE configuration file data + util.configuration_file.verify_sensitive_data() + # verify existence of MUTUALLY EXCLUSIVE configuration file data + util.configuration_file.verify_mutually_exclusive_data() + # verify existence of PREDEFINED configuration file data + util.configuration_file.verify_predefined_configuration_file_data() + # verify selinux context of selected ports + util.configuration_file.populate_non_default_ports() + util.configuration_file.verify_selinux_ports() + return self.rv + + def respawn(self): + # begin official logging + config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + return self.rv + + def destroy(self): + # begin official logging + config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + # verify that the command-line parameters match the values + # that are present in the corresponding configuration file + util.configuration_file.verify_command_matches_configuration_file() + # establish 'uid' and 'gid' + 
util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # get ports to remove selinux context + util.configuration_file.populate_non_default_ports() + + # get deinstallation token + token = util.security_domain.get_installation_token( + config.pki_secdomain_user, config.pki_secdomain_pass) + + # remove kra connector from CA if this is a KRA + util.kra_connector.deregister() + + # de-register instance from its Security Domain + # + # NOTE: Since the security domain of an instance must be up + # and running in order to be de-registered, this step + # must be done PRIOR to instance shutdown because this + # instance's security domain may be a part of a + # tightly-coupled shared instance. + # + util.security_domain.deregister(token) + # ALWAYS Stop this Apache/Tomcat PKI Process + util.systemd.stop() + return self.rv diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py new file mode 100644 index 000000000..843227a84 --- /dev/null +++ b/base/server/src/scriptlets/instance_layout.py 
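Review bot: In destroy(), the comment `# ALWAYS Stop this Apache/Tomcat PKI Process` is not what the code does: `util.systemd.stop()` is only reached if `get_installation_token`, `util.kra_connector.deregister()` and `util.security_domain.deregister(token)` all succeed, so a failed de-registration leaves the instance running. Either wrap the de-registration steps in `try:` with `util.systemd.stop()` in a `finally:` clause, or reword the comment to say the stop only happens after a successful de-registration. In spawn(), `master['pki_skip_installation'] = "True";` carries a stray trailing semicolon, and the `else:` after `return self.rv` adds a nesting level the early return already makes unnecessary.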
@@ -0,0 +1,190 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import os + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import os + + +# PKI Deployment Instance Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish instance logs + util.directory.create(master['pki_instance_log_path']) + # establish instance configuration + util.directory.create(master['pki_instance_configuration_path']) + # establish Apache/Tomcat specific instance + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish Tomcat instance configuration + util.directory.copy(master['pki_source_server_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) + # establish Tomcat instance base + util.directory.create(master['pki_tomcat_common_path']) + 
util.directory.create(master['pki_tomcat_common_lib_path']) + # establish Tomcat instance library + util.directory.create(master['pki_instance_lib']) + for name in os.listdir(master['pki_tomcat_lib_path']): + util.symlink.create( + os.path.join( + master['pki_tomcat_lib_path'], + name), + os.path.join( + master['pki_instance_lib'], + name)) + util.symlink.create(master['pki_instance_conf_log4j_properties'], + master['pki_instance_lib_log4j_properties']) + util.directory.create(master['pki_tomcat_tmpdir_path']) + util.directory.create(master['pki_tomcat_webapps_path']) + util.directory.create(master['pki_tomcat_work_path']) + util.directory.create(master['pki_tomcat_work_catalina_path']) + util.directory.create(master['pki_tomcat_work_catalina_host_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_run_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_subsystem_path']) + # establish Tomcat instance logs + # establish Tomcat instance registry + # establish Tomcat instance convenience symbolic links + util.symlink.create(master['pki_tomcat_bin_path'], + master['pki_tomcat_bin_link']) + util.symlink.create(master['pki_tomcat_systemd'], + master['pki_instance_systemd_link'], + uid=0, gid=0) + # establish Tomcat instance common lib jar symbolic links + util.symlink.create(master['pki_apache_commons_collections_jar'], + master['pki_apache_commons_collections_jar_link']) + util.symlink.create(master['pki_apache_commons_lang_jar'], + master['pki_apache_commons_lang_jar_link']) + util.symlink.create(master['pki_apache_commons_logging_jar'], + master['pki_apache_commons_logging_jar_link']) + util.symlink.create(master['pki_commons_codec_jar'], + master['pki_commons_codec_jar_link']) + util.symlink.create(master['pki_httpclient_jar'], + master['pki_httpclient_jar_link']) + util.symlink.create(master['pki_httpcore_jar'], + master['pki_httpcore_jar_link']) + util.symlink.create(master['pki_javassist_jar'], + 
master['pki_javassist_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], + master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.create(master['pki_jettison_jar'], + master['pki_jettison_jar_link']) + util.symlink.create(master['pki_jss_jar'], + master['pki_jss_jar_link']) + util.symlink.create(master['pki_ldapjdk_jar'], + master['pki_ldapjdk_jar_link']) + util.symlink.create(master['pki_tomcat_jar'], + master['pki_tomcat_jar_link']) + util.symlink.create(master['pki_resteasy_atom_provider_jar'], + master['pki_resteasy_atom_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], + master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_jar'], + master['pki_resteasy_jaxrs_jar_link']) + util.symlink.create(master['pki_resteasy_jettison_provider_jar'], + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.create(master['pki_scannotation_jar'], + master['pki_scannotation_jar_link']) + if master['pki_subsystem'] == 'TKS': + util.symlink.create(master['pki_symkey_jar'], + master['pki_symkey_jar_link']) + util.symlink.create(master['pki_tomcatjss_jar'], + master['pki_tomcatjss_jar_link']) + util.symlink.create(master['pki_velocity_jar'], + master['pki_velocity_jar_link']) + util.symlink.create(master['pki_xerces_j2_jar'], + master['pki_xerces_j2_jar_link']) + util.symlink.create(master['pki_xml_commons_apis_jar'], + master['pki_xml_commons_apis_jar_link']) + util.symlink.create(master['pki_xml_commons_resolver_jar'], + master['pki_xml_commons_resolver_jar_link']) + # establish shared NSS security databases for this instance + util.directory.create(master['pki_database_path']) + # establish instance convenience symbolic links + util.symlink.create(master['pki_database_path'], + master['pki_instance_database_link']) + util.symlink.create(master['pki_instance_configuration_path'], + master['pki_instance_conf_link']) + 
util.symlink.create(master['pki_instance_log_path'], + master['pki_instance_logs_link']) + return self.rv + + def respawn(self): + config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == 'TKS': + util.symlink.delete(master['pki_symkey_jar_link']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + # remove Apache instance base + util.directory.delete(master['pki_instance_path']) + # remove Apache instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Apache instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Apache instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Apache PKI registry (if empty) + if util.instance.apache_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + util.directory.delete(master['pki_instance_log_path']) + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove PKI 'tomcat.conf' instance file + util.file.delete(master['pki_target_tomcat_conf_instance_id']) + # remove Tomcat instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Tomcat PKI registry (if empty) + if util.instance.tomcat_instances() == 0: + 
util.directory.delete( + master['pki_instance_type_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/security_databases.py b/base/server/src/scriptlets/security_databases.py new file mode 100644 index 000000000..9ac4784e5 --- /dev/null +++ b/base/server/src/scriptlets/security_databases.py 
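Review bot: `import os` appears twice in the new file, once under `# System Imports` and again after `import pkiscriptlet`; the second copy should go. In destroy(), the Apache branch has the comment `# remove Apache instance logs` with no statement under it, while the Tomcat branch deletes `master['pki_instance_log_path']` at the same point; if leaving Apache logs in place is intended, say so in the comment, otherwise add the matching `util.directory.delete(master['pki_instance_log_path'])`. The loop `for name in os.listdir(master['pki_tomcat_lib_path'])` links every entry of that directory into `master['pki_instance_lib']`; a short comment noting that the instance library therefore tracks whatever is installed there would help the next reader.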
@@ -0,0 +1,119 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Security Databases Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.password.create_password_conf( + master['pki_shared_password_conf'], + master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) + util.file.modify(master['pki_shared_password_conf']) + util.certutil.create_security_databases( + master['pki_database_path'], + 
master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + password_file=master['pki_shared_pfile']) + util.file.modify(master['pki_cert_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + + if len(util.instance.tomcat_instance_subsystems()) < 2: + # only create a self signed cert for a new instance + rv = util.certutil.verify_certificate_exists( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_pfile']) + if not rv: + util.file.generate_noise_file( + master['pki_self_signed_noise_file'], + master['pki_self_signed_noise_bytes']) + util.certutil.generate_self_signed_certificate( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + master['pki_self_signed_subject'], + master['pki_self_signed_serial_number'], + master['pki_self_signed_validity_period'], + master['pki_self_signed_issuer_name'], + master['pki_self_signed_trustargs'], + master['pki_self_signed_noise_file'], + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file + util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, + 
extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + return self.rv diff --git a/base/server/src/scriptlets/selinux_setup.py b/base/server/src/scriptlets/selinux_setup.py new file mode 100644 index 000000000..552ab3f41 --- /dev/null +++ b/base/server/src/scriptlets/selinux_setup.py 
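Review bot: The temporary `master['pki_shared_pfile']`, which holds the database PIN without the `token=` prefix, is removed by `util.file.delete(master['pki_shared_pfile'])` only on the success path of spawn(); if `create_security_databases`, `verify_certificate_exists` or `generate_self_signed_certificate` raises, the plaintext PIN file and `master['pki_self_signed_noise_file']` stay on disk. Wrap the work from the first `create_security_databases` call through the self-signed certificate generation in `try:` and move both `util.file.delete` calls into a `finally:` clause so the cleanup runs regardless. The local `rv = util.certutil.verify_certificate_exists(...)` shadows the class attribute `rv` that `return self.rv` reads, which is harmless here but confusing; a name such as `cert_exists` would be clearer.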
@@ -0,0 +1,175 @@ +#!/usr/bin/python -t +# Authors: +# Ade Lee +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_selinux_config_ports as ports +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import selinux +if selinux.is_selinux_enabled(): + import seobject + + +# PKI Deployment Selinux Setup Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + suffix = "(/.*)?" 
+ + def restore_context(self): + selinux.restorecon(master['pki_instance_path'], True) + selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True) + selinux.restorecon(master['pki_instance_log_path'], True) + selinux.restorecon(master['pki_instance_configuration_path'], True) + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + config.pki_log.info(log.SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + self.restore_context() + return self.rv + + # add SELinux contexts when adding the first subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + + trans = seobject.semanageRecords("targeted") + trans.start() + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_path'] + self.suffix, + config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_log_path'] + self.suffix, + config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + 
master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_configuration_path'] + self.suffix, + config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("adding selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) + + trans.finish() + + self.restore_context() + return self.rv + + def respawn(self): + config.pki_log.info(log.SELINUX_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + self.restore_context() + return self.rv + + def destroy(self): + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SELINUX_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + return self.rv + + # remove SELinux contexts when removing the last subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + + trans = seobject.semanageRecords("targeted") + trans.start() + + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + 
extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_path'] + self.suffix , "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_log_path'] + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_configuration_path'] + \ + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_database_path'] + self.suffix , "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("deleting selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.delete(port, "tcp") + + trans.finish() + + return self.rv diff --git a/base/server/src/scriptlets/slot_substitution.py b/base/server/src/scriptlets/slot_substitution.py new file mode 100644 index 000000000..205ed49f6 --- /dev/null +++ b/base/server/src/scriptlets/slot_substitution.py 
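Review bot: In both spawn() and destroy() the `seobject.semanageRecords("targeted")` transaction opened by `trans.start()` is only closed by `trans.finish()` on the success path; if any `fcon.add`, `fcon.delete`, `portRecords.add` or `portRecords.delete` raises (a context or port that is already defined, for instance), the method exits with the transaction abandoned and nothing logged. Put the record changes in a `try:` and either close the transaction in a `finally:` or catch the error, log it with `config.pki_log.error(...)` and re-raise, so the failure is visible and the policy is not left half-modified silently. The guard `master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and util.instance.apache_instance_subsystems() == 1 or master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and len(util.instance.tomcat_instance_subsystems()) == 1` relies on `and` binding tighter than `or`; parenthesising the two halves makes the intent explicit. `portRecords` should be `port_records` to match the snake_case of `fcon` and `trans`.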
@@ -0,0 +1,103 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_slots_dict as slots
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Slot Substitution Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+    rv = 0
+
+    def spawn(self):
+        if config.str2bool(master['pki_skip_installation']):
+            config.pki_log.info(log.SKIP_SLOT_ASSIGNMENT_SPAWN_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+            return self.rv
+        config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
+                                              master['pki_target_cs_cfg'])
+        util.file.copy_with_slot_substitution(master['pki_source_registry'],
+                                              master['pki_target_registry'],
+                                              uid=0, gid=0, overwrite_flag=True)
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            util.file.copy_with_slot_substitution(
+                master['pki_source_catalina_properties'],
+                master['pki_target_catalina_properties'],
+                overwrite_flag=True)
+            util.file.copy_with_slot_substitution(
+                master['pki_source_servercertnick_conf'],
+                master['pki_target_servercertnick_conf'],
+                overwrite_flag=True)
+            util.file.copy_with_slot_substitution(
+                master['pki_source_server_xml'],
+                master['pki_target_server_xml'],
+                overwrite_flag=True)
+            util.file.copy_with_slot_substitution(
+                master['pki_source_context_xml'],
+                master['pki_target_context_xml'],
+                overwrite_flag=True)
+            util.file.copy_with_slot_substitution(
+                master['pki_source_tomcat_conf'],
+                master['pki_target_tomcat_conf_instance_id'],
+                uid=0, gid=0, overwrite_flag=True)
+            util.file.copy_with_slot_substitution(
+                master['pki_source_tomcat_conf'],
+                master['pki_target_tomcat_conf'],
+                overwrite_flag=True)
+            util.file.apply_slot_substitution(
+                master['pki_target_velocity_properties'])
+            util.file.apply_slot_substitution(
+                master['pki_target_subsystem_web_xml'])
+            # Strip "" section from subsystem "web.xml"
+            # This is ONLY necessary because XML comments cannot be "nested"!
+            #util.file.copy(master['pki_target_subsystem_web_xml'],
+            #               master['pki_target_subsystem_web_xml_orig'])
+            #util.file.delete(master['pki_target_subsystem_web_xml'])
+            #util.xml_file.remove_filter_section_from_web_xml(
+            #    master['pki_target_subsystem_web_xml_orig'],
+            #    master['pki_target_subsystem_web_xml'])
+            #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
+            if master['pki_subsystem'] == "CA":
+                util.file.copy_with_slot_substitution(
+                    master['pki_source_proxy_conf'],
+                    master['pki_target_proxy_conf'])
+                util.file.apply_slot_substitution(
+                    master['pki_target_profileselect_template'])
+        return self.rv
+
+    def respawn(self):
+        config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        return self.rv
+
+    def destroy(self):
+        config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED",
+                            extra=config.PKI_INDENTATION_LEVEL_2)
+        return self.rv
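Review bot: The commented-out `#util.file.copy(...)` / `#util.xml_file.remove_filter_section_from_web_xml(...)` block under `# Strip "" section from subsystem "web.xml"` is dead code landing in a new file; either drop it or keep a single explanatory comment such as `# NOTE: stripping the filter section from web.xml is disabled because XML comments cannot be nested; see pkihelper.xml_file`. As rendered here the comment names no section between its quotes, so the intended tag should be spelled out. Separately, the `pki_target_cs_cfg` copy passes no `uid`/`gid`/`overwrite_flag` while the registry copy passes `uid=0, gid=0, overwrite_flag=True`, so the ownership and mode of the written configuration depend on the helper's defaults (defined outside this hunk); a one-line comment stating the intended owner of that file would make the asymmetry deliberate rather than accidental. The `destroy` method logs "NOTHING NEEDS TO BE IMPLEMENTED" but the files written by `spawn` are presumably removed by another scriptlet; naming that scriptlet in a comment would help the next maintainer.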
diff --git a/base/server/src/scriptlets/subsystem_layout.py b/base/server/src/scriptlets/subsystem_layout.py
new file mode 100644
index 000000000..c4c4c2283
--- /dev/null
+++ b/base/server/src/scriptlets/subsystem_layout.py
@@ -0,0 +1,126 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Subsystem Layout Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+    rv = 0
+
+    def spawn(self):
+        if config.str2bool(master['pki_skip_installation']):
+            config.pki_log.info(log.SKIP_SUBSYSTEM_SPAWN_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+            return self.rv
+        config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        # establish instance-based subsystem logs
+        util.directory.create(master['pki_subsystem_log_path'])
+        util.directory.create(master['pki_subsystem_archive_log_path'])
+        if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+            util.directory.create(master['pki_subsystem_signed_audit_log_path'])
+        # establish instance-based subsystem configuration
+        util.directory.create(master['pki_subsystem_configuration_path'])
+        # util.directory.copy(master['pki_source_conf_path'],
+        #                     master['pki_subsystem_configuration_path'])
+        # establish instance-based Apache/Tomcat specific subsystems
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            # establish instance-based Tomcat PKI subsystem base
+            if master['pki_subsystem'] == "CA":
+                util.directory.copy(master['pki_source_emails'],
+                                    master['pki_subsystem_emails_path'])
+                util.directory.copy(master['pki_source_profiles'],
+                                    master['pki_subsystem_profiles_path'])
+            # establish instance-based Tomcat PKI subsystem logs
+            # establish instance-based Tomcat PKI subsystem configuration
+            if master['pki_subsystem'] == "CA":
+                util.file.copy(master['pki_source_flatfile_txt'],
+                               master['pki_target_flatfile_txt'])
+                util.file.copy(master['pki_source_registry_cfg'],
+                               master['pki_target_registry_cfg'])
+                # '*.profile'
+                util.file.copy(master['pki_source_admincert_profile'],
+                               master['pki_target_admincert_profile'])
+                util.file.copy(master['pki_source_caauditsigningcert_profile'],
+                               master['pki_target_caauditsigningcert_profile'])
+                util.file.copy(master['pki_source_cacert_profile'],
+                               master['pki_target_cacert_profile'])
+                util.file.copy(master['pki_source_caocspcert_profile'],
+                               master['pki_target_caocspcert_profile'])
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'])
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'])
+            elif master['pki_subsystem'] == "KRA":
+                # '*.profile'
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'])
+                util.file.copy(master['pki_source_storagecert_profile'],
+                               master['pki_target_storagecert_profile'])
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'])
+                util.file.copy(master['pki_source_transportcert_profile'],
+                               master['pki_target_transportcert_profile'])
+            # establish instance-based Tomcat PKI subsystem registry
+            # establish instance-based Tomcat PKI subsystem convenience
+            # symbolic links
+            util.symlink.create(master['pki_tomcat_webapps_path'],
+                                master['pki_subsystem_tomcat_webapps_link'])
+        # establish instance-based subsystem convenience symbolic links
+        util.symlink.create(master['pki_instance_database_link'],
+                            master['pki_subsystem_database_link'])
+        util.symlink.create(master['pki_subsystem_configuration_path'],
+                            master['pki_subsystem_conf_link'])
+        util.symlink.create(master['pki_subsystem_log_path'],
+                            master['pki_subsystem_logs_link'])
+        util.symlink.create(master['pki_instance_registry_path'],
+                            master['pki_subsystem_registry_link'])
+        return self.rv
+
+    def respawn(self):
+        config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        return self.rv
+
+    def destroy(self):
+        config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+                            extra=config.PKI_INDENTATION_LEVEL_1)
+        # remove instance-based subsystem base
+        if master['pki_subsystem'] == "CA":
+            util.directory.delete(master['pki_subsystem_emails_path'])
+            util.directory.delete(master['pki_subsystem_profiles_path'])
+        util.directory.delete(master['pki_subsystem_path'])
+        # remove instance-based subsystem logs
+        if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+            util.directory.delete(master['pki_subsystem_signed_audit_log_path'])
+        util.directory.delete(master['pki_subsystem_archive_log_path'])
+        util.directory.delete(master['pki_subsystem_log_path'])
+        # remove instance-based subsystem configuration
+        util.directory.delete(master['pki_subsystem_configuration_path'])
+        # remove instance-based subsystem registry
+        util.directory.delete(master['pki_subsystem_registry_path'])
+        return self.rv
diff --git a/base/server/src/scriptlets/webapp_deployment.py b/base/server/src/scriptlets/webapp_deployment.py
new file mode 100644
index 000000000..e72752ee8
--- /dev/null
+++ b/base/server/src/scriptlets/webapp_deployment.py
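Review bot: The ten `util.file.copy(master['pki_source_X_profile'], master['pki_target_X_profile'])` calls in the CA and KRA branches of `spawn` differ only in the profile name, so a per-subsystem tuple of names plus one loop would make the list of enrollment profiles each subsystem ships reviewable at a glance and harder to get out of step between source and target keys. The comment lines `# establish instance-based Tomcat PKI subsystem logs` and `# establish instance-based Tomcat PKI subsystem registry` have no code under them; either remove them or mark them `# TODO:` so they are not read as describing the statements that follow. The `destroy` ordering (`pki_subsystem_path` is removed before its log and configuration subdirectories) appears to rely on `util.directory.delete` tolerating an already-missing path; if that is the contract, a one-line comment saying so would help.
```python
            if master['pki_subsystem'] == "CA":
                util.file.copy(master['pki_source_flatfile_txt'],
                               master['pki_target_flatfile_txt'])
                util.file.copy(master['pki_source_registry_cfg'],
                               master['pki_target_registry_cfg'])
                profiles = ("admincert", "caauditsigningcert", "cacert",
                            "caocspcert", "servercert", "subsystemcert")
            elif master['pki_subsystem'] == "KRA":
                profiles = ("servercert", "storagecert", "subsystemcert",
                            "transportcert")
            else:
                profiles = ()
            # '*.profile' shipped by this subsystem (keys as in pkiconfig)
            for name in profiles:
                util.file.copy(master['pki_source_%s_profile' % name],
                               master['pki_target_%s_profile' % name])
            # … unchanged: registry comment and webapps symbolic link …
```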
@@ -0,0 +1,170 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import os
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Web Application Deployment Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+    rv = 0
+
+    def spawn(self):
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            if config.str2bool(master['pki_skip_installation']):
+                config.pki_log.info(log.SKIP_WEBAPP_DEPLOYMENT_SPAWN_1,
+                                    __name__,
+                                    extra=config.PKI_INDENTATION_LEVEL_1)
+                return self.rv
+            config.pki_log.info(log.WEBAPP_DEPLOYMENT_SPAWN_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+
+            # Copy /usr/share/pki/server/webapps/ROOT
+            # to /webapps/ROOT
+            util.directory.create(master['pki_tomcat_webapps_root_path'])
+            util.directory.copy(
+                os.path.join(
+                    config.PKI_DEPLOYMENT_SOURCE_ROOT,
+                    "server",
+                    "webapps",
+                    "ROOT"),
+                master['pki_tomcat_webapps_root_path'],
+                overwrite_flag=True)
+
+            util.directory.create(master['pki_tomcat_webapps_common_path'])
+
+            # If desired and available,
+            # copy selected server theme
+            # to /webapps/pki
+            if config.str2bool(master['pki_theme_enable']) and\
+               os.path.exists(master['pki_theme_server_dir']):
+                util.directory.copy(master['pki_theme_server_dir'],
+                                    master['pki_tomcat_webapps_common_path'],
+                                    overwrite_flag=True)
+
+            # Copy /usr/share/pki/server/webapps/pki/js
+            # to /webapps/pki/js
+            util.directory.copy(
+                os.path.join(
+                    config.PKI_DEPLOYMENT_SOURCE_ROOT,
+                    "server",
+                    "webapps",
+                    "pki",
+                    "js"),
+                os.path.join(
+                    master['pki_tomcat_webapps_common_path'],
+                    "js"),
+                overwrite_flag=True)
+
+            # Copy /usr/share/pki/server/webapps/pki/META-INF
+            # to /webapps/pki/META-INF
+            util.directory.copy(
+                os.path.join(
+                    config.PKI_DEPLOYMENT_SOURCE_ROOT,
+                    "server",
+                    "webapps",
+                    "pki",
+                    "META-INF"),
+                os.path.join(
+                    master['pki_tomcat_webapps_common_path'],
+                    "META-INF"),
+                overwrite_flag=True)
+
+            # Copy /usr/share/pki/server/webapps/pki/admin
+            # to /webapps//admin
+            # TODO: common templates should be deployed in common webapp
+            util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
+            util.directory.copy(
+                os.path.join(
+                    config.PKI_DEPLOYMENT_SOURCE_ROOT,
+                    "server",
+                    "webapps",
+                    "pki",
+                    "admin"),
+                os.path.join(
+                    master['pki_tomcat_webapps_subsystem_path'],
+                    "admin"),
+                overwrite_flag=True)
+
+            # Copy /usr/share/pki//webapps/
+            # to /webapps/
+            util.directory.copy(
+                os.path.join(
+                    config.PKI_DEPLOYMENT_SOURCE_ROOT,
+                    master['pki_subsystem'].lower(),
+                    "webapps",
+                    master['pki_subsystem'].lower()),
+                master['pki_tomcat_webapps_subsystem_path'],
+                overwrite_flag=True)
+
+            util.directory.create(
+                master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+            util.directory.create(
+                master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+            # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+            util.symlink.create(master['pki_certsrv_jar'],
+                                master['pki_certsrv_jar_link'])
+            util.symlink.create(master['pki_cmsbundle'],
+                                master['pki_cmsbundle_jar_link'])
+            util.symlink.create(master['pki_cmscore'],
+                                master['pki_cmscore_jar_link'])
+            util.symlink.create(master['pki_cms'],
+                                master['pki_cms_jar_link'])
+            util.symlink.create(master['pki_cmsutil'],
+                                master['pki_cmsutil_jar_link'])
+            util.symlink.create(master['pki_nsutil'],
+                                master['pki_nsutil_jar_link'])
+            if master['pki_subsystem'] == "CA":
+                util.symlink.create(master['pki_ca_jar'],
+                                    master['pki_ca_jar_link'])
+            elif master['pki_subsystem'] == "KRA":
+                util.symlink.create(master['pki_kra_jar'],
+                                    master['pki_kra_jar_link'])
+            elif master['pki_subsystem'] == "OCSP":
+                util.symlink.create(master['pki_ocsp_jar'],
+                                    master['pki_ocsp_jar_link'])
+            elif master['pki_subsystem'] == "TKS":
+                util.symlink.create(master['pki_tks_jar'],
+                                    master['pki_tks_jar_link'])
+            # set ownerships, permissions, and acls
+            util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
+        return self.rv
+
+    def respawn(self):
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            config.pki_log.info(log.WEBAPP_DEPLOYMENT_RESPAWN_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+        return self.rv
+
+    def destroy(self):
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+            util.directory.delete(master['pki_tomcat_webapps_subsystem_path'])
+        return self.rv
diff --git a/scripts/compose_pki_core_packages b/scripts/compose_pki_core_packages
index 74e872589..76a770430 100755
--- a/scripts/compose_pki_core_packages
+++ b/scripts/compose_pki_core_packages
@@ -39,7 +39,7 @@ PKI_CORE_VERSION="10.0.1"
 ##
 PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_CORE}.spec"
-PKI_COMPONENT_LIST="test setup symkey util common native-tools java-tools deploy selinux ca kra ocsp tks silent"
+PKI_COMPONENT_LIST="test setup symkey util common native-tools java-tools server selinux ca kra ocsp tks silent"
 if [ "$JAVADOC" = "" ]; then
 PKI_COMPONENT_LIST="$PKI_COMPONENT_LIST javadoc"
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 4bd4f0100..73c374d8e 100644
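Review bot: `util.directory.set_mode` at the end of `spawn` is applied only to `pki_tomcat_webapps_subsystem_path`, while `pki_tomcat_webapps_root_path` and `pki_tomcat_webapps_common_path` also receive copied content in this hunk (including the optional theme tree) and get no explicit ownership/permission pass. Unless `util.directory.copy` already normalises mode and owner (its defaults are outside this hunk), add `util.directory.set_mode(master['pki_tomcat_webapps_root_path'])` and `util.directory.set_mode(master['pki_tomcat_webapps_common_path'])` next to the existing call, or record in the `# set ownerships, permissions, and acls` comment why the subsystem webapp is the only tree that needs it. The `destroy` counterpart removes only the subsystem webapp, which is consistent with ROOT and pki belonging to the instance rather than the subsystem, but a one-line comment stating that would make the asymmetry intentional.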
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -5,7 +5,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 Name: pki-core
 Version: 10.0.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Certificate System - PKI Core Components
 URL: http://pki.fedoraproject.org/
 License: GPLv2
@@ -810,6 +810,8 @@ fi
 %doc base/common/LICENSE
 %dir %{_datadir}/pki
 %{_datadir}/pki/VERSION
+%dir %{_sysconfdir}/pki
+%config(noreplace) %{_sysconfdir}/pki/pki.conf
 %dir %{_javadir}/pki
 %{_javadir}/pki/pki-cmsutil.jar
 %{_javadir}/pki/pki-nsutil.jar
@@ -857,9 +859,7 @@ fi
 %files -n pki-server
 %defattr(-,root,root,-)
 %doc base/common/THIRD_PARTY_LICENSES
-%doc base/deploy/LICENSE
-%dir %{_sysconfdir}/pki/
-%config(noreplace) %{_sysconfdir}/pki/pki.conf
+%doc base/server/LICENSE
 %{_sysconfdir}/pki/default.cfg
 %{_sbindir}/pkispawn
 %{_sbindir}/pkidestroy
@@ -902,7 +902,6 @@ fi
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
 %{_datadir}/pki/setup/
-%dir %{_datadir}/pki/server
 %{_datadir}/pki/server/
 %if ! 0%{?rhel} && 0%{?fedora} <= 17
@@ -1007,6 +1006,11 @@ fi
 %changelog
+* Fri Apr 5 2013 Endi S. Dewata 10.0.1-9
+- Renamed base/deploy to base/server.
+- Moved pki.conf into pki-base.
+- Removed redundant pki/server folder declaration.
+
 * Tue Mar 19 2013 Ade Lee 10.0.1-8
 - Removed jython dependency
-- cgit
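Review bot: After this change `%dir %{_sysconfdir}/pki` is owned only by pki-base, yet the pki-server `%files` section still installs `%{_sysconfdir}/pki/default.cfg` into that directory, so pki-server now depends on pki-base being installed for the directory to be owned and for `pki.conf` (which `default.cfg` and the `pkispawn`/`pkidestroy` tools presumably read) to exist. The `Requires:` lines for pki-server are outside these hunks; confirm a `Requires: pki-base = %{version}-%{release}` (or equivalent) is already present, otherwise add it alongside this move. A short changelog note naming that dependency, e.g. `- pki-server now relies on pki-base for %{_sysconfdir}/pki and pki.conf.`, would make the packaging relationship explicit to downstream maintainers.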