From 71979729a3b5084d27057f9c83d43a4452888994 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 3 Dec 2012 12:08:58 -0500 Subject: Use interpolation to build default parameters This patch replaces the code in pkiparser that built default parameters with defaults built up through ConfigParser interpolation. It covers most (but not all) of the default parameters. --- base/deploy/config/deployment.cfg | 154 ++++--- base/deploy/src/pkidestroy | 4 - base/deploy/src/pkispawn | 4 - base/deploy/src/scriptlets/pkiconfig.py | 1 - base/deploy/src/scriptlets/pkiparser.py | 730 +++----------------------------- 5 files changed, 139 insertions(+), 754 deletions(-) diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg index 6ff7a35bb..9eb930414 100644 --- a/base/deploy/config/deployment.cfg +++ b/base/deploy/config/deployment.cfg @@ -1,8 +1,13 @@ ############################################################################### -## Default Configuration: ## +## Common Configuration: ## +## ## +## Values in this section are common to more than one PKI subsystem, and ## +## contain required information which MAY be overridden by users as ## +## necessary. ## +## ## +## There are also some meta-parameters that determine how the PKI ## +## configuratiion should work. ## ## ## -## This section contains meta-parameters that determine how the PKI ## -## configuration should work. ## ############################################################################### [DEFAULT] 
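Review bot: The new header comment misspells "configuration" in the added line `+## configuratiion should work.`; it should read `## configuration should work.`. The removed line it replaces had the correct spelling, so this is a typo introduced by the rewrite of the banner.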
@@ -47,35 +52,17 @@ destroy_scriplets= infrastructure_layout finalization -############################################################################### -## Common Configuration: ## -## ## -## Values in this section are common to more than one PKI subsystem, and ## -## contain required information which MAY be overridden by users as ## -## necessary. ## -## ## -## NOTE: Default values will be generated for any and all required ## -## 'common' data values which are left undefined. ## -############################################################################### -[Common] pki_admin_cert_request_type=crmf pki_admin_domain_name= pki_admin_dualkey=False -pki_admin_email= pki_admin_keysize=2048 -pki_admin_name= -pki_admin_nickname= pki_admin_password= -pki_admin_subject_dn= -pki_admin_uid= pki_audit_group=pkiaudit pki_audit_signing_key_algorithm=SHA256withRSA pki_audit_signing_key_size=2048 pki_audit_signing_key_type=rsa -pki_audit_signing_nickname= pki_audit_signing_signing_algorithm=SHA256withRSA -pki_audit_signing_subject_dn= -pki_audit_signing_token= +pki_audit_signing_token=Internal Key Storage Token pki_backup_keys=False pki_backup_password= pki_client_database_dir= 
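Review bot: `pki_admin_domain_name=` is kept in [DEFAULT] even though this patch stops using it: the pkiparser hunk at `-345` no longer appends it to pki_instance_id and the CLI help at `-79` drops it from the FORMAT string. Unless a scriptlet outside this patch still reads it, the key is now dead and should either be removed or carry a comment saying what still consumes it. The deleted [Common] banner also carried the NOTE that defaults are generated for every required value left blank; with that note gone, the keys that remain blank here (`pki_admin_password=`, `pki_backup_password=`, `pki_client_database_dir=`) have no interpolated fallback in this hunk, so a one-line comment marking them as values the deployer must supply would replace the lost guidance.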
@@ -83,21 +70,22 @@ pki_client_database_password= pki_client_database_purge=True pki_client_dir= pki_client_pkcs12_password= -pki_ds_base_dn= pki_ds_bind_dn=cn=Directory Manager -pki_ds_database= -pki_ds_hostname= pki_ds_ldap_port=389 pki_ds_ldaps_port=636 pki_ds_password= pki_ds_remove_data=True pki_ds_secure_connection=False pki_group=pkiuser +pki_http_port=%(default_http_port)s +pki_https_port=%(default_https_port)s +pki_instance_id=%(pki_instance_name)s +pki_instance_name=%(default_instance_name)s pki_issuing_ca= pki_restart_configured_instance=True -pki_security_domain_hostname= +pki_security_domain_hostname=%(hostname)s pki_security_domain_https_port=8443 -pki_security_domain_name= +pki_security_domain_name=%(dns_domainname)s Security Domain pki_security_domain_password= pki_security_domain_user= pki_skip_configuration=False @@ -105,15 +93,14 @@ pki_skip_installation=False pki_ssl_server_key_algorithm=SHA256withRSA pki_ssl_server_key_size=2048 pki_ssl_server_key_type=rsa -pki_ssl_server_nickname= -pki_ssl_server_subject_dn= -pki_ssl_server_token= +pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s +pki_ssl_server_subject_dn=cn=%(hostname)s,o=%(pki_security_domain_name)s +pki_ssl_server_token=Internal Key Storage Token +pki_subsystem=%(subsystem_type)s pki_subsystem_key_algorithm=SHA256withRSA pki_subsystem_key_size=2048 pki_subsystem_key_type=rsa -pki_subsystem_nickname= -pki_subsystem_subject_dn= -pki_subsystem_token= +pki_subsystem_token=Internal Key Storage Token pki_token_name=internal pki_token_password= pki_user=pkiuser @@ -126,9 +113,6 @@ pki_user=pkiuser ## required information which MAY be overridden by users as necessary. ## ############################################################################### [Apache] -pki_instance_name=pki-apache -pki_http_port=80 -pki_https_port=443 ############################################################################### ## Tomcat Configuration: ## 
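Review bot: The new [DEFAULT] values reference `%(default_instance_name)s`, `%(default_http_port)s`, `%(default_https_port)s`, `%(hostname)s`, `%(dns_domainname)s` and `%(subsystem_type)s`, none of which is defined anywhere in this file; they only exist because the pkiparser hunk at `-219` injects them into SafeConfigParser's predefined dictionary, and reading the file with a plain ConfigParser fails on the missing references. A comment at the top of [DEFAULT] naming these injected keys and where they come from would stop the next reader from treating them as typos. Note also that the `-105` hunk's `pki_ssl_server_subject_dn=cn=%(hostname)s,o=%(pki_security_domain_name)s` now applies to the Apache subsystems as well, whereas the parser code removed in the `-1639` hunk generated `cn=<hostname>,ou=<instance id>,o=<domain>` for them; if dropping the `ou=` component is intended, say so next to the key.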
@@ -157,9 +141,6 @@ pki_clone_replication_security=None pki_clone_uri= pki_enable_java_debugger=False pki_enable_proxy=False -pki_http_port=8080 -pki_https_port=8443 -pki_instance_name=pki-tomcat pki_proxy_http_port=80 pki_proxy_https_port=443 pki_security_manager=true @@ -185,10 +166,10 @@ pki_tomcat_server_port=8005 pki_ca_signing_key_algorithm=SHA256withRSA pki_ca_signing_key_size=2048 pki_ca_signing_key_type=rsa -pki_ca_signing_nickname= +pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s pki_ca_signing_signing_algorithm=SHA256withRSA -pki_ca_signing_subject_dn= -pki_ca_signing_token= +pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s +pki_ca_signing_token=Internal Key Storage Token pki_external=False pki_external_ca_cert_chain_path= pki_external_ca_cert_path= 
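Review bot: `pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s` becomes the unconditional [CA] default in the `-185` hunk, but the parser code this patch removes in the `-1639` hunk generated `cn=External CA Signing Certificate` when pki_external is true and `cn=SubCA Signing Certificate,o=...` when pki_subordinate is true. With this hunk an external or subordinate CA receives the root-CA subject DN unless the deployer overrides it explicitly; the same applies to `pki_ocsp_signing_subject_dn` in the next hunk. If that is intended, a comment beside these keys saying that external and subordinate deployments must set their own DN would avoid a later surprise; otherwise the conditional branches need to stay in pkiparser.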
@@ -198,13 +179,25 @@ pki_import_admin_cert=False pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa -pki_ocsp_signing_nickname= +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn= -pki_ocsp_signing_token= +pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token pki_subordinate=False -pki_subsystem=CA -pki_subsystem_name= +pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=caadmin +pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA +pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-CA +pki_ds_database=%(pki_instance_name)s-CA +pki_ds_hostname=%(hostname)s +pki_subsystem_name=CA %(hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA +pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s + ############################################################################### ## KRA Configuration: ## 
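Review bot: `pki_ds_base_dn=o=%(pki_instance_id)s-CA` and `pki_ds_database=%(pki_instance_name)s-CA` are now filled in for every CA deployment, whereas the pkiparser code removed in the `-1552` hunk deliberately left them empty for clones because a master and its clone must share the same base DN. A clone deployed with these defaults gets a base DN derived from its own instance id rather than the master's unless pki_ds_base_dn is set explicitly; the [KRA], [OCSP] and [TKS] hunks add the same defaults. At minimum a comment on these two keys should say so, e.g. `# clones MUST override pki_ds_base_dn and pki_ds_database with the master's values`. Separately, `pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA` has a stray space after `=`; ConfigParser strips it, but it reads as if the value were meant to start with a space and the other sections repeat it.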
@@ -218,19 +211,30 @@ pki_import_admin_cert=True pki_storage_key_algorithm=SHA256withRSA pki_storage_key_size=2048 pki_storage_key_type=rsa -pki_storage_nickname= +pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA pki_storage_signing_algorithm=SHA256withRSA -pki_storage_subject_dn= -pki_storage_token= -pki_subsystem=KRA -pki_subsystem_name= +pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s +pki_storage_token=Internal Key Storage Token pki_transport_key_algorithm=SHA256withRSA pki_transport_key_size=2048 pki_transport_key_type=rsa -pki_transport_nickname= +pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA pki_transport_signing_algorithm=SHA256withRSA -pki_transport_subject_dn= -pki_transport_token= +pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s +pki_transport_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=kraadmin +pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA +pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-KRA +pki_ds_database=%(pki_instance_name)s-KRA +pki_ds_hostname=%(hostname)s +pki_subsystem_name=KRA %(hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA +pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s ############################################################################### ## OCSP Configuration: ## 
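Review bot: `pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s` contains a doubled comma, which the certificate-request code is likely to reject or encode as an empty RDN; the [CA] hunk uses a single comma. Change it to `pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s`. The [OCSP] and [TKS] hunks carry the same doubled comma.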
@@ -244,12 +248,23 @@ pki_import_admin_cert=True pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa -pki_ocsp_signing_nickname= +pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn= -pki_ocsp_signing_token= -pki_subsystem=OCSP -pki_subsystem_name= +pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_token=Internal Key Storage Token +pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=ocspadmin +pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s OCSP +pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-OCSP +pki_ds_database=%(pki_instance_name)s-OCSP +pki_ds_hostname=%(hostname)s +pki_subsystem_name=OCSP %(hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP +pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s ############################################################################### ## RA Configuration: ## @@ -258,8 +273,6 @@ pki_subsystem_name= ## required information which MAY be overridden by users as necessary. ## ############################################################################### [RA] -pki_subsystem=RA -pki_subsystem_name= ############################################################################### ## TKS Configuration: ## 
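Review bot: The [RA] hunk at `-258` removes pki_subsystem and pki_subsystem_name without adding the per-subsystem defaults that the [CA], [KRA], [OCSP] and [TKS] hunks add (pki_admin_uid/name/email/nickname/subject_dn, pki_ds_base_dn/database/hostname, pki_subsystem_name/nickname/subject_dn), and those keys were removed from [DEFAULT] earlier in this patch. The pkiparser code deleted in the `-1639` hunk treated the admin-certificate and subsystem-certificate settings as applying to the Apache subsystems too, so any remaining lookup such as `config.pki_master_dict['pki_subsystem_name']` during an RA or TPS deployment would now raise KeyError unless those keys are supplied elsewhere. Either add the equivalent interpolated defaults under [RA] (and under [TPS] in the next hunk), or leave a comment stating that RA/TPS deployments are not yet covered by this file.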
@@ -270,8 +283,19 @@ pki_subsystem_name= ############################################################################### [TKS] pki_import_admin_cert=True -pki_subsystem=TKS -pki_subsystem_name= +pki_admin_email=%(pki_admin_name)s@%(dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_uid=tksadmin +pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s TKS +pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_id)s-TKS +pki_ds_database=%(pki_instance_name)s-TKS +pki_ds_hostname=%(hostname)s +pki_subsystem_name=TKS %(hostname)s %(pki_https_port)s +pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS +pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s ############################################################################### ## TPS Configuration: ## @@ -280,5 +304,3 @@ pki_subsystem_name= ## required information which MAY be overridden by users as necessary. ## ############################################################################### [TPS] -pki_subsystem=TPS -pki_subsystem_name= diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 4e8bca9d1..69daa13ad 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -119,8 +119,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), 
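Review bot: In the pkidestroy hunk at `-119` the `config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0)` heading is kept while the dictionary print it introduced is removed, so the debug log now emits the "common dictionary" heading immediately followed by the web-server heading with nothing in between. Drop the two heading lines as well, since pkiconfig.py no longer defines pki_common_dict in this patch. The second pkidestroy hunk and both pkispawn hunks have the same leftover.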
@@ -133,8 +131,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index 73d236247..79ab1b230 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn @@ -139,8 +139,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), @@ -153,8 +151,6 @@ def main(argv): # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.format(config.pki_common_dict), - extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 35c80a5f7..ec6c5ea38 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -205,7 +205,6 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries pki_default_dict = None -pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None pki_master_dict = None 
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a99425960..05536f424 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -79,8 +79,7 @@ class PKIConfigParser: dest='pki_deployed_instance_name', action='store', nargs=1, required=True, metavar='', - help='FORMAT: ${pki_instance_name}' - '[.${pki_admin_domain_name}]') + help='FORMAT: ${pki_instance_name}') # Establish 'Optional' command-line options optional = parser.add_argument_group('optional arguments') optional.add_argument('-h', '--help', 
@@ -219,37 +218,51 @@ class PKIConfigParser: "Read configuration file sections into dictionaries" rv = 0 try: - self.pki_config = ConfigParser.ConfigParser() + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + default_instance_name = 'pki-tomcat' + default_http_port = '8080' + default_https_port = '8443' + else: + default_instance_name = 'pki-apache' + default_http_port = '80' + default_https_port = '443' + + predefined_dict = {'default_instance_name': default_instance_name, + 'default_http_port': default_http_port, + 'default_https_port': default_https_port, + 'dns_domainname': config.pki_dns_domainname, + 'subsystem_type' : config.pki_subsystem, + 'hostname': config.pki_hostname} + + self.pki_config = ConfigParser.SafeConfigParser(predefined_dict) # Make keys case-sensitive! self.pki_config.optionxform = str self.pki_config.read([ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE, config.pkideployment_cfg]) - config.pki_default_dict = self.pki_config.defaults() + config.pki_default_dict = dict(self.pki_config.items('DEFAULT')) pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split() - config.pki_common_dict = dict(self.pki_config._sections['Common']) if config.pki_subsystem == "CA": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['CA']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('CA')) elif config.pki_subsystem == "KRA": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['KRA']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('KRA')) elif config.pki_subsystem == "OCSP": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = 
dict(self.pki_config._sections['OCSP']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('OCSP')) elif config.pki_subsystem == "RA": - config.pki_web_server_dict = dict(self.pki_config._sections['Apache']) - config.pki_subsystem_dict = dict(self.pki_config._sections['RA']) + config.pki_web_server_dict = dict(self.pki_config.items('Apache')) + config.pki_subsystem_dict = dict(self.pki_config.items('RA')) elif config.pki_subsystem == "TKS": - config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) - config.pki_subsystem_dict = dict(self.pki_config._sections['TKS']) + config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) + config.pki_subsystem_dict = dict(self.pki_config.items('TKS')) elif config.pki_subsystem == "TPS": - config.pki_web_server_dict = dict(self.pki_config._sections['Apache']) - config.pki_subsystem_dict = dict(self.pki_config._sections['TPS']) + config.pki_web_server_dict = dict(self.pki_config.items('Apache')) + config.pki_subsystem_dict = dict(self.pki_config.items('TPS')) # Insert empty record into dictionaries for "pretty print" statements # NEVER print "sensitive" key value pairs!!! config.pki_default_dict[0] = None - config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None except ConfigParser.ParsingError, err: 
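Review bot: The `except ConfigParser.ParsingError, err:` handler at the end of the hunk does not cover the failure mode this change introduces: SafeConfigParser.items() raises ConfigParser.InterpolationError subclasses (for example when a user-supplied value such as a password contains a literal `%`, or when a `%(...)s` reference is undefined), and those derive from ConfigParser.Error, not ParsingError, so they now escape this try block. Catching `except ConfigParser.Error, err:` (or adding a second clause for InterpolationError) keeps the error-reporting path intact. Note also that items() merges every [DEFAULT] key, including the injected hostname/port values and the blank password defaults, into pki_web_server_dict and pki_subsystem_dict, which pkispawn and pkidestroy still log; that relies on pkilogging.format honouring sensitive_parameters for those dicts, which I cannot confirm from here. The enclosing method starts and ends outside the hunk.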
@@ -296,10 +309,10 @@ class PKIConfigParser: # Configuration file name/value pairs # NEVER add "sensitive" key value pairs to the master dictionary!!! config.pki_master_dict.update(config.pki_default_dict) - config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) config.pki_master_dict.update(__name__="PKI Master Dictionary") + # IMPORTANT: A "PKI instance" no longer corresponds to a single # pki subystem, but rather to a unique # "Tomcat web instance" or a unique "Apache web instance". @@ -345,17 +358,12 @@ class PKIConfigParser: # OLD: "pki-${pki_subsystem}" # (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") # (e. g. Apache: "pki-ra", "pki-tps") - # NEW: "${pki_instance_name}[.${pki_admin_domain_name}]" + # NEW: "${pki_instance_name}" # (e. g. Tomcat: "pki-tomcat", "pki-tomcat.example.com") # (e. g. Apache: "pki-apache", "pki-apache.example.com") # - if len(config.pki_master_dict['pki_admin_domain_name']): - config.pki_master_dict['pki_instance_id'] =\ - config.pki_master_dict['pki_instance_name'] + "." +\ - config.pki_master_dict['pki_admin_domain_name'] - else: - config.pki_master_dict['pki_instance_id'] =\ - config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_instance_id'] = config.pki_master_dict['pki_instance_name'] + # PKI Source name/value pairs config.pki_master_dict['pki_source_conf_path'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, @@ -1364,7 +1372,6 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and potentially overridden below: # - # config.pki_master_dict['pki_client_database_password'] # config.pki_master_dict['pki_client_dir'] # config.pki_master_dict['pki_client_subsystem_dir'] # 
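Review bot: In the `-345` hunk the comment above the new one-line assignment still gives `"pki-tomcat.example.com"` and `"pki-apache.example.com"` as example instance ids, but the hunk drops the `.${pki_admin_domain_name}` suffix, so those examples no longer describe anything the code produces. Trim them to `# (e. g. Tomcat: "pki-tomcat")` and `# (e. g. Apache: "pki-apache")`. The assignment itself duplicates the `pki_instance_id=%(pki_instance_name)s` default that deployment.cfg now provides, which is harmless but deserves a one-line comment saying which of the two is authoritative. The enclosing method starts and ends outside the hunk.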
@@ -1464,9 +1471,6 @@ class PKIConfigParser: # # config.pki_master_dict['pki_security_domain_user'] # config.pki_master_dict['pki_issuing_ca'] - # config.pki_master_dict['pki_security_domain_hostname'] - # config.pki_master_dict['pki_security_domain_name'] - # config.pki_master_dict['pki_subsystem_name'] # # if security domain user is not defined 
@@ -1478,44 +1482,16 @@ class PKIConfigParser: config.pki_master_dict['pki_security_domain_user'] =\ self.pki_config.get('CA', 'pki_admin_uid') - # or use the Common admin uid if it's defined - elif self.pki_config.has_option('Common', 'pki_admin_uid') and\ - len(self.pki_config.get('Common', 'pki_admin_uid')) > 0: + # or use the Default admin uid if it's defined + elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ + len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('Common', 'pki_admin_uid') + self.pki_config.get('DEFAULT', 'pki_admin_uid') # otherwise use the default CA admin uid else: config.pki_master_dict['pki_security_domain_user'] = "caadmin" - if not len(config.pki_master_dict['pki_subsystem_name']): - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS and \ - config.str2bool(config.pki_master_dict['pki_clone']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - elif config.pki_subsystem == "CA" and \ - config.str2bool(config.pki_master_dict['pki_external']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_EXTERNAL_CA + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - elif config.pki_subsystem == "CA" and \ - config.str2bool(config.pki_master_dict['pki_subordinate']): - config.pki_master_dict['pki_subsystem_name'] =\ - config.PKI_DEPLOYMENT_SUBORDINATE_CA + " " +\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - config.pki_master_dict['pki_https_port'] - else: - config.pki_master_dict['pki_subsystem_name'] =\ - config.pki_subsystem + " " +\ - config.pki_master_dict['pki_hostname'] + " " +\ - 
config.pki_master_dict['pki_https_port'] if config.pki_subsystem != "CA" or\ config.str2bool(config.pki_master_dict['pki_clone']) or\ config.str2bool(config.pki_master_dict['pki_subordinate']): @@ -1523,16 +1499,6 @@ class PKIConfigParser: # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or # Subordinate CA config.pki_master_dict['pki_security_domain_type'] = "existing" - if not len(config.pki_master_dict['pki_security_domain_name']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_name'] =\ - config.pki_master_dict['pki_dns_domainname'] + " " +\ - "Security Domain" - if not\ - len(config.pki_master_dict['pki_security_domain_hostname']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_hostname'] =\ - config.pki_master_dict['pki_hostname'] config.pki_master_dict['pki_security_domain_uri'] =\ "https" + "://" +\ config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ 
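Review bot: Removing the pki_subsystem_name block in the `-1478` hunk drops the `PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM`, `PKI_DEPLOYMENT_EXTERNAL_CA` and `PKI_DEPLOYMENT_SUBORDINATE_CA` prefixes: the interpolated defaults this patch adds to deployment.cfg produce a plain `CA <hostname> <port>` for every deployment, so a clone, external CA or subordinate CA is no longer distinguishable by its subsystem name unless the deployer sets pki_subsystem_name by hand. If that is intended, a comment here saying the name now comes solely from the configuration file (and that those constants are unused) would document the decision. Separately, the new `has_option('DEFAULT', 'pki_admin_uid')` fallback looks unreachable with the shipped deployment.cfg, because pki_admin_uid is now defined per subsystem section rather than in [DEFAULT], and the `get('CA', 'pki_admin_uid')` branch above it will always find the section default `caadmin`; the chain appears to reduce to "caadmin" in every case, though the branch condition is outside what I can see. The enclosing method starts and ends outside the hunk.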
@@ -1552,58 +1518,7 @@ class PKIConfigParser: else: # PKI CA config.pki_master_dict['pki_security_domain_type'] = "new" - if not len(config.pki_master_dict['pki_security_domain_name']): - # Guess that the security domain resides on the local host - config.pki_master_dict['pki_security_domain_name'] =\ - config.pki_master_dict['pki_dns_domainname'] + " " +\ - "Security Domain" - # Jython scriptlet - # 'Directory Server' Configuration name/value pairs - # - # Apache - [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ds_password'] - # config.pki_master_dict['pki_clone_replication_security'] - # config.pki_master_dict['pki_ds_bind_dn'] - # config.pki_master_dict['pki_ds_ldap_port'] - # config.pki_master_dict['pki_ds_ldaps_port'] - # config.pki_master_dict['pki_ds_remove_data'] - # config.pki_master_dict['pki_ds_secure_connection'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ds_base_dn'] - # config.pki_master_dict['pki_ds_database'] - # config.pki_master_dict['pki_ds_hostname'] - # - if not config.str2bool(config.pki_master_dict['pki_clone']): - if not len(config.pki_master_dict['pki_ds_base_dn']): - # if the instance is NOT a clone, create a default BASE DN - # of "o=${pki_instance_id}"; the reason that this default - # CANNOT be created if the instance is a clone is due to the - # fact that a master and clone MUST share the same BASE DN, - # and creating this default would prevent the ability to - # place a master and clone on the same machine (the method - # most often used for testing purposes) - config.pki_master_dict['pki_ds_base_dn'] =\ - "o=" + 
config.pki_master_dict['pki_instance_id'] +\ - "-" + config.pki_subsystem - if not len(config.pki_master_dict['pki_ds_database']): - config.pki_master_dict['pki_ds_database'] =\ - config.pki_master_dict['pki_instance_id'] +\ - "-" + config.pki_subsystem - if not len(config.pki_master_dict['pki_ds_hostname']): - # Guess that the Directory Server resides on the local host - config.pki_master_dict['pki_ds_hostname'] =\ - config.pki_master_dict['pki_hostname'] + # Jython scriptlet # 'External CA' Configuration name/value pairs # 
@@ -1639,566 +1554,23 @@ class PKIConfigParser: config.pki_master_dict['pki_database_path'] + "/" +\ config.pki_master_dict['pki_subsystem'].lower() + "_" +\ "backup" + "_" + "keys" + "." + "p12" - # Jython scriptlet - # 'Admin Certificate' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_admin_password'] - # config.pki_master_dict['pki_admin_cert_request_type'] - # config.pki_master_dict['pki_admin_dualkey'] - # config.pki_master_dict['pki_admin_keysize'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_admin_name'] - # config.pki_master_dict['pki_admin_uid'] - # config.pki_master_dict['pki_admin_email'] - # config.pki_master_dict['pki_admin_nickname'] - # config.pki_master_dict['pki_admin_subject_dn'] - # + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" - if not len(config.pki_master_dict['pki_admin_uid']): - config.pki_master_dict['pki_admin_uid'] =\ - config.pki_subsystem.lower() + "admin" - if not len (config.pki_master_dict['pki_admin_name']): - config.pki_master_dict['pki_admin_name'] =\ - config.pki_master_dict['pki_admin_uid'] - if not len(config.pki_master_dict['pki_admin_email']): - config.pki_master_dict['pki_admin_email'] =\ - config.pki_master_dict['pki_admin_name'] + "@" +\ - config.pki_master_dict['pki_dns_domainname'] - if not len(config.pki_master_dict['pki_admin_nickname']): - config.pki_master_dict['pki_admin_nickname'] =\ - "PKI Administrator for " +\ - config.pki_master_dict['pki_dns_domainname'] if not 'pki_import_admin_cert' in config.pki_master_dict: config.pki_master_dict['pki_import_admin_cert'] = 'false' - if not 
len(config.pki_master_dict['pki_admin_subject_dn']): - config.pki_master_dict['pki_admin_subject_dn'] =\ - "cn=PKI Administrator" +\ - ",e=" + config.pki_master_dict['pki_admin_email'] +\ - ",o=" + config.pki_master_dict['pki_security_domain_name'] - - # Jython scriptlet - # 'CA Signing Certificate' Configuration name/value pairs - # - # Tomcat - [CA] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_ca_signing_tag'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_ca_signing_key_algorithm'] - # config.pki_master_dict['pki_ca_signing_key_size'] - # config.pki_master_dict['pki_ca_signing_key_type'] - # config.pki_master_dict['pki_ca_signing_signing_algorithm'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_ca_signing_nickname'] - # config.pki_master_dict['pki_ca_signing_subject_dn'] - # config.pki_master_dict['pki_ca_signing_token'] - # - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if not config.str2bool(config.pki_master_dict['pki_clone']): - if config.pki_master_dict['pki_subsystem'] == "CA": - # config.pki_master_dict['pki_ca_signing_nickname'] - if not len(config.pki_master_dict\ - ['pki_ca_signing_nickname']): - config.pki_master_dict['pki_ca_signing_nickname'] =\ - "caSigningCert" + " " + "cert-" +\ - config.pki_master_dict['pki_instance_id'] + " " +\ - config.pki_subsystem - # config.pki_master_dict['pki_ca_signing_subject_dn'] - if config.str2bool(config.pki_master_dict['pki_external']): - # External CA - if not len(config.pki_master_dict\ - ['pki_ca_signing_subject_dn']): - config.pki_master_dict['pki_ca_signing_subject_dn']\ - = "cn=" + "External CA Signing Certificate" - elif config.str2bool( - 
config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "SubCA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ca_signing_subject_dn']):
- config.pki_master_dict['pki_ca_signing_subject_dn']\
- = "cn=" + "CA Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- # config.pki_master_dict['pki_ca_signing_tag']
- config.pki_master_dict['pki_ca_signing_tag'] =\
- "signing"
- # config.pki_master_dict['pki_ca_signing_token']
- if not len(config.pki_master_dict['pki_ca_signing_token']):
- config.pki_master_dict['pki_ca_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'OCSP Signing Certificate' Configuration name/value pairs
- #
- # Tomcat - [CA], [OCSP]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ocsp_signing_key_algorithm']
- # config.pki_master_dict['pki_ocsp_signing_key_size']
- # config.pki_master_dict['pki_ocsp_signing_key_type']
- # config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ocsp_signing_nickname']
- # config.pki_master_dict['pki_ocsp_signing_subject_dn']
- # config.pki_master_dict['pki_ocsp_signing_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "External CA OCSP Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "SubCA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "CA OCSP Signing Certificate"\
- + "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "ocsp_signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_nickname']):
- config.pki_master_dict['pki_ocsp_signing_nickname'] =\
- "ocspSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_subject_dn']):
- config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
- "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_ocsp_signing_tag'] =\
- "signing"
- if not len(config.pki_master_dict\
- ['pki_ocsp_signing_token']):
- config.pki_master_dict['pki_ocsp_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'SSL Server Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_ssl_server_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_ssl_server_key_algorithm']
- # config.pki_master_dict['pki_ssl_server_key_size']
- # config.pki_master_dict['pki_ssl_server_key_type']
- # config.pki_master_dict['pki_ssl_server_nickname']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_ssl_server_subject_dn']
- # config.pki_master_dict['pki_ssl_server_token']
- #
- if not len(config.pki_master_dict['pki_ssl_server_nickname']):
- config.pki_master_dict['pki_ssl_server_nickname'] =\
- "Server-Cert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id']
- if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] == "CA" and\
- config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" + "External CA"
- else:
- # PKI or Cloned CA, KRA, OCSP, TKS, or Subordinate CA
- config.pki_master_dict['pki_ssl_server_subject_dn'] =\
- "cn=" + config.pki_master_dict['pki_hostname'] +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ca_signing_tag'] = "signing"
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing"
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ config.pki_master_dict['pki_ocsp_signing_tag'] = "signing"
 config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
- if not len(config.pki_master_dict['pki_ssl_server_token']):
- config.pki_master_dict['pki_ssl_server_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Subsystem Certificate' Configuration name/value pairs
- #
- # Apache - [RA], [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_subsystem_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_subsystem_key_algorithm']
- # config.pki_master_dict['pki_subsystem_key_size']
- # config.pki_master_dict['pki_subsystem_key_type']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_subsystem_nickname']
- # config.pki_master_dict['pki_subsystem_subject_dn']
- # config.pki_master_dict['pki_subsystem_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "RA":
- # PKI RA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "RA Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TPS":
- # PKI TPS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TPS Subsystem Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict['pki_subsystem_nickname']):
- config.pki_master_dict['pki_subsystem_nickname'] =\
- "subsystemCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "External CA Subsystem Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "SubCA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict['pki_subsystem_subject_dn']\
- = "cn=" + "CA Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "DRM Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "OCSP Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_subsystem_subject_dn'] =\
- "cn=" + "TKS Subsystem Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
- if not len(config.pki_master_dict['pki_subsystem_token']):
- config.pki_master_dict['pki_subsystem_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'Audit Signing Certificate' Configuration name/value pairs
- #
- # Apache - [TPS]
- # Tomcat - [CA], [KRA], [OCSP], [TKS]
- # - [External CA]
- # - [Subordinate CA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_audit_signing_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_audit_signing_key_algorithm']
- # config.pki_master_dict['pki_audit_signing_key_size']
- # config.pki_master_dict['pki_audit_signing_key_type']
- # config.pki_master_dict['pki_audit_signing_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_audit_signing_nickname']
- # config.pki_master_dict['pki_audit_signing_subject_dn']
- # config.pki_master_dict['pki_audit_signing_token']
- #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if config.pki_master_dict['pki_subsystem'] != "RA":
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] +" " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- config.pki_master_dict['pki_audit_signing_subject_dn'] =\
- "cn=" + "TPS Audit Signing Certificate" +\
- "," + "ou=" + config.pki_master_dict['pki_instance_id']\
- + "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if not len(config.pki_master_dict\
- ['pki_audit_signing_nickname']):
- config.pki_master_dict['pki_audit_signing_nickname'] =\
- "auditSigningCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_audit_signing_subject_dn']):
- if config.pki_master_dict['pki_subsystem'] == "CA":
- if config.str2bool(
- config.pki_master_dict['pki_external']):
- # External CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "External CA Audit Signing Certificate"
- elif config.str2bool(
- config.pki_master_dict['pki_subordinate']):
- # Subordinate CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "SubCA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- else:
- # PKI CA
- config.pki_master_dict\
- ['pki_audit_signing_subject_dn'] =\
- "cn=" + "CA Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict\
- ['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "DRM Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "OCSP":
- # PKI OCSP
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "OCSP Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- elif config.pki_master_dict['pki_subsystem'] == "TKS":
- # PKI TKS
- config.pki_master_dict['pki_audit_signing_subject_dn']\
- = "cn=" + "TKS Audit Signing Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_audit_signing_tag'] =\
- "audit_signing"
- if not len(config.pki_master_dict['pki_audit_signing_token']):
- config.pki_master_dict['pki_audit_signing_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Transport Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_transport_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_transport_key_algorithm']
- # config.pki_master_dict['pki_transport_key_size']
- # config.pki_master_dict['pki_transport_key_type']
- # config.pki_master_dict['pki_transport_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_transport_nickname']
- # config.pki_master_dict['pki_transport_subject_dn']
- # config.pki_master_dict['pki_transport_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict\
- ['pki_transport_nickname']):
- config.pki_master_dict['pki_transport_nickname'] =\
- "transportCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_transport_subject_dn']):
- config.pki_master_dict['pki_transport_subject_dn']\
- = "cn=" + "DRM Transport Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_transport_tag'] =\
- "transport"
- if not len(config.pki_master_dict['pki_transport_token']):
- config.pki_master_dict['pki_transport_token'] =\
- "Internal Key Storage Token"
- # Jython scriptlet
- # 'DRM Storage Certificate' Configuration name/value pairs
- #
- # Tomcat - [KRA]
- #
- # The following variables are defined below:
- #
- # config.pki_master_dict['pki_storage_tag']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and are NOT redefined below:
- #
- # config.pki_master_dict['pki_storage_key_algorithm']
- # config.pki_master_dict['pki_storage_key_size']
- # config.pki_master_dict['pki_storage_key_type']
- # config.pki_master_dict['pki_storage_signing_algorithm']
- #
- # The following variables are established via the specified PKI
- # deployment configuration file and potentially overridden below:
- #
- # config.pki_master_dict['pki_storage_nickname']
- # config.pki_master_dict['pki_storage_subject_dn']
- # config.pki_master_dict['pki_storage_token']
- #
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if not config.str2bool(config.pki_master_dict['pki_clone']):
- if config.pki_master_dict['pki_subsystem'] == "KRA":
- # PKI KRA
- if not len(config.pki_master_dict['pki_storage_nickname']):
- config.pki_master_dict['pki_storage_nickname'] =\
- "storageCert" + " " + "cert-" +\
- config.pki_master_dict['pki_instance_id'] + " " +\
- config.pki_subsystem
- if not len(config.pki_master_dict\
- ['pki_storage_subject_dn']):
- config.pki_master_dict['pki_storage_subject_dn']\
- = "cn=" + "DRM Storage Certificate" +\
- "," + "o=" +\
- config.pki_master_dict['pki_security_domain_name']
- config.pki_master_dict['pki_storage_tag'] =\
- "storage"
- if not len(config.pki_master_dict['pki_storage_token']):
- config.pki_master_dict['pki_storage_token'] =\
- "Internal Key Storage Token"
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing"
+ config.pki_master_dict['pki_transport_tag'] = "transport"
+ config.pki_master_dict['pki_storage_tag'] = "storage"
+
 # Finalization name/value pairs
 config.pki_master_dict['pki_deployment_cfg_replica'] =\
 os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
-- cgit