From 81bb209d0a3227f544b7b8e4ec3fc0631c8f3c47 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata <edewata@redhat.com>
Date: Tue, 4 Dec 2012 07:19:43 -0500
Subject: Archiving default deployment configuration.

The default deployment configuration has been renamed and moved to
/etc/pki/default.cfg to make it more accessible to users. The pkispawn
has been modified to archive the default deployment configuration
along with the user-provided configuration in the registry. The
pkidestroy will now use both archived configuration files to ensure
proper removal of the subsystem.

Ticket #399
---
 base/deploy/CMakeLists.txt                         |   7 +
 base/deploy/config/deployment.cfg                  | 315 ---------------------
 base/deploy/etc/default.cfg                        | 315 +++++++++++++++++++++
 base/deploy/src/pkidestroy                         |  52 +++-
 base/deploy/src/pkispawn                           |  29 +-
 base/deploy/src/scriptlets/finalization.py         |   6 +-
 .../deploy/src/scriptlets/infrastructure_layout.py |   6 +-
 base/deploy/src/scriptlets/pkiconfig.py            |  13 +-
 base/deploy/src/scriptlets/pkihelper.py            |  52 ++--
 base/deploy/src/scriptlets/pkiparser.py            | 173 +++++------
 specs/pki-core.spec                                |   6 +-
 11 files changed, 521 insertions(+), 453 deletions(-)
 delete mode 100644 base/deploy/config/deployment.cfg
 create mode 100644 base/deploy/etc/default.cfg

diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 3848bd499..d63176f1a 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -62,6 +62,13 @@ install(
         ${DATA_INSTALL_DIR}/deployment
 )
 
+install(
+    DIRECTORY
+        etc/
+    DESTINATION
+        ${SYSCONF_INSTALL_DIR}/pki
+)
+
 find_package(PythonInterp REQUIRED)
 execute_process(
     COMMAND
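Review bot: The new install(DIRECTORY etc/ ...) block on the added lines specifies no FILE_PERMISSIONS or DIRECTORY_PERMISSIONS, so the mode of the installed default.cfg under ${SYSCONF_INSTALL_DIR}/pki is whatever the source checkout happens to carry, which differs between git clones, tarballs and packaging environments. Since this file is the system-wide deployment template that pkispawn reads and archives, I would pin it explicitly, e.g. `FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ` and `DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE`. World-readable matches the commit message's intent of making the file accessible to users, and the shipped template leaves every password field empty (visible in the default.cfg hunk), so this is about reproducible packaging rather than secret exposure; anyone later adding a non-empty sensitive default will then find the mode declared in one place. A one-line comment above the block, `# Install the default deployment configuration template under the system config dir`, would also help, because the destination is a variable rather than the /etc/pki path the commit message names.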
diff --git a/base/deploy/config/deployment.cfg b/base/deploy/config/deployment.cfg
deleted file mode 100644
index abd0fb441..000000000
--- a/base/deploy/config/deployment.cfg
+++ /dev/null
@@ -1,315 +0,0 @@
-###############################################################################
-##  Default Configuration:                                                   ##
-##                                                                           ##
-##  Values in this section are common to more than one PKI subsystem, and    ##
-##  contain required information which MAY be overridden by users as         ##
-##  necessary.                                                               ##
-##                                                                           ##
-##  There are also some meta-parameters that determine how the PKI           ##
-##  configuratiion should work.                                              ##
-##                                                                           ##
-###############################################################################
-[DEFAULT]
-
-# The sensitive_parameters contains a list of parameters which may contain
-# sensitive information which must not be displayed to the console nor stored
-# in log files for security reasons.
-sensitive_parameters=
-    pki_admin_password
-    pki_backup_password
-    pki_client_database_password
-    pki_client_pin
-    pki_client_pkcs12_password
-    pki_clone_pkcs12_password
-    pki_ds_password
-    pki_one_time_pin
-    pki_pin
-    pki_security_domain_password
-    pki_token_password
-
-# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
-spawn_scriplets=
-    initialization
-    infrastructure_layout
-    instance_layout
-    subsystem_layout
-    selinux_setup
-    webapp_deployment
-    slot_substitution
-    security_databases
-    configuration
-    finalization
-
-# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
-destroy_scriplets=
-    initialization
-    configuration
-    webapp_deployment
-    subsystem_layout
-    security_databases
-    instance_layout
-    selinux_setup
-    infrastructure_layout
-    finalization
-
-# By default, the following parameters will be set for Tomcat and Apache instances.
-# There is no reason to uncomment these.  They are provided for reference in 
-# case someone wants to override them in their config file.
-#
-# Tomcat instances:
-# pki_subsystem_name=pki_tomcat 
-# pki_https_port=8443
-# pki_http_port=8080
-#
-# Apache instances:
-# pki_subsystem_name=pki_tomcat
-# pki_https_port=443
-# pki_http_port=80
-
-pki_admin_cert_request_type=crmf
-pki_admin_dualkey=False
-pki_admin_keysize=2048
-pki_admin_password=
-pki_audit_group=pkiaudit
-pki_audit_signing_key_algorithm=SHA256withRSA
-pki_audit_signing_key_size=2048
-pki_audit_signing_key_type=rsa
-pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_token=Internal Key Storage Token
-pki_backup_keys=False
-pki_backup_password=
-pki_client_database_dir=
-pki_client_database_password=
-pki_client_database_purge=True
-pki_client_dir=
-pki_client_pkcs12_password=
-pki_ds_bind_dn=cn=Directory Manager
-pki_ds_ldap_port=389
-pki_ds_ldaps_port=636
-pki_ds_password=
-pki_ds_remove_data=True
-pki_ds_secure_connection=False
-pki_group=pkiuser
-pki_instance_id=%(pki_instance_name)s
-pki_issuing_ca=
-pki_restart_configured_instance=True
-pki_security_domain_hostname=%(pki_hostname)s
-pki_security_domain_https_port=8443
-pki_security_domain_name=%(pki_dns_domainname)s Security Domain
-pki_security_domain_password=
-pki_security_domain_user=
-pki_skip_configuration=False
-pki_skip_installation=False
-pki_ssl_server_key_algorithm=SHA256withRSA
-pki_ssl_server_key_size=2048
-pki_ssl_server_key_type=rsa
-pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
-pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
-pki_ssl_server_token=Internal Key Storage Token
-pki_subsystem_key_algorithm=SHA256withRSA
-pki_subsystem_key_size=2048
-pki_subsystem_key_type=rsa
-pki_subsystem_token=Internal Key Storage Token
-pki_token_name=internal
-pki_token_password=
-pki_user=pkiuser
-
-###############################################################################
-##  Apache Configuration:                                                    ##
-##                                                                           ##
-##  Values in this section are common to PKI subsystems that run             ##
-##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[Apache]
-
-###############################################################################
-##  Tomcat Configuration:                                                    ##
-##                                                                           ##
-##  Values in this section are common to PKI subsystems that run             ##
-##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
-##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
-##  required information which MAY be overridden by users as necessary.      ##
-##                                                                           ##
-##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
-##               or a 'TKS Clone', change the value of 'pki_clone'           ##
-##               from 'False' to 'True'.                                     ##
-##                                                                           ##
-##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
-##               are MUTUALLY EXCLUSIVE entities!!!                          ##
-###############################################################################
-[Tomcat]
-pki_ajp_port=8009
-pki_clone=False
-pki_clone_pkcs12_password=
-pki_clone_pkcs12_path=
-pki_clone_replicate_schema=True
-pki_clone_replication_master_port=
-pki_clone_replication_clone_port=
-pki_clone_replication_security=None
-pki_clone_uri=
-pki_enable_java_debugger=False
-pki_enable_proxy=False
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=true
-pki_tomcat_server_port=8005
-
-###############################################################################
-##  CA Configuration:                                                        ##
-##                                                                           ##
-##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
-##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
-##  required information which MAY be overridden by users as necessary.      ##
-##                                                                           ##
-##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
-##                    of 'pki_external' from 'False' to 'True'.              ##
-##                                                                           ##
-##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
-##                    of 'pki_subordinate' from 'False' to 'True'.           ##
-##                                                                           ##
-##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
-##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
-###############################################################################
-[CA]
-pki_ca_signing_key_algorithm=SHA256withRSA
-pki_ca_signing_key_size=2048
-pki_ca_signing_key_type=rsa
-pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA
-pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
-pki_ca_signing_token=Internal Key Storage Token
-pki_external=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_path=
-pki_external_csr_path=
-pki_external_step_two=False
-pki_import_admin_cert=False
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
-pki_subordinate=False
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=caadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA
-pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_id)s-CA
-pki_ds_database=%(pki_instance_name)s-CA
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
-pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
-
-
-###############################################################################
-##  KRA Configuration:                                                       ##
-##                                                                           ##
-##  Values in this section are common to KRA subsystems                      ##
-##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[KRA]
-pki_import_admin_cert=True
-pki_storage_key_algorithm=SHA256withRSA
-pki_storage_key_size=2048
-pki_storage_key_type=rsa
-pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
-pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
-pki_storage_token=Internal Key Storage Token
-pki_transport_key_algorithm=SHA256withRSA
-pki_transport_key_size=2048
-pki_transport_key_type=rsa
-pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
-pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
-pki_transport_token=Internal Key Storage Token
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=kraadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA
-pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_id)s-KRA
-pki_ds_database=%(pki_instance_name)s-KRA
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
-pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
-
-###############################################################################
-##  OCSP Configuration:                                                      ##
-##                                                                           ##
-##  Values in this section are common to OCSP subsystems                     ##
-##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[OCSP]
-pki_import_admin_cert=True
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=ocspadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP
-pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
-pki_ds_database=%(pki_instance_name)s-OCSP
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
-pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
-
-###############################################################################
-##  RA Configuration:                                                        ##
-##                                                                           ##
-##  Values in this section are common to PKI RA subsystems, and contain      ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[RA]
-
-###############################################################################
-##  TKS Configuration:                                                       ##
-##                                                                           ##
-##  Values in this section are common to TKS subsystems                      ##
-##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[TKS]
-pki_import_admin_cert=True
-pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
-pki_admin_name=%(pki_admin_uid)s
-pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-pki_admin_uid=tksadmin
-pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS
-pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_id)s-TKS
-pki_ds_database=%(pki_instance_name)s-TKS
-pki_ds_hostname=%(pki_hostname)s
-pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
-pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
-
-###############################################################################
-##  TPS Configuration:                                                       ##
-##                                                                           ##
-##  Values in this section are common to PKI TPS subsystems, and contain     ##
-##  required information which MAY be overridden by users as necessary.      ##
-###############################################################################
-[TPS]
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
new file mode 100644
index 000000000..abd0fb441
--- /dev/null
+++ b/base/deploy/etc/default.cfg
@@ -0,0 +1,315 @@
+###############################################################################
+##  Default Configuration:                                                   ##
+##                                                                           ##
+##  Values in this section are common to more than one PKI subsystem, and    ##
+##  contain required information which MAY be overridden by users as         ##
+##  necessary.                                                               ##
+##                                                                           ##
+##  There are also some meta-parameters that determine how the PKI           ##
+##  configuratiion should work.                                              ##
+##                                                                           ##
+###############################################################################
+[DEFAULT]
+
+# The sensitive_parameters contains a list of parameters which may contain
+# sensitive information which must not be displayed to the console nor stored
+# in log files for security reasons.
+sensitive_parameters=
+    pki_admin_password
+    pki_backup_password
+    pki_client_database_password
+    pki_client_pin
+    pki_client_pkcs12_password
+    pki_clone_pkcs12_password
+    pki_ds_password
+    pki_one_time_pin
+    pki_pin
+    pki_security_domain_password
+    pki_token_password
+
+# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
+spawn_scriplets=
+    initialization
+    infrastructure_layout
+    instance_layout
+    subsystem_layout
+    selinux_setup
+    webapp_deployment
+    slot_substitution
+    security_databases
+    configuration
+    finalization
+
+# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
+destroy_scriplets=
+    initialization
+    configuration
+    webapp_deployment
+    subsystem_layout
+    security_databases
+    instance_layout
+    selinux_setup
+    infrastructure_layout
+    finalization
+
+# By default, the following parameters will be set for Tomcat and Apache instances.
+# There is no reason to uncomment these.  They are provided for reference in 
+# case someone wants to override them in their config file.
+#
+# Tomcat instances:
+# pki_subsystem_name=pki_tomcat 
+# pki_https_port=8443
+# pki_http_port=8080
+#
+# Apache instances:
+# pki_subsystem_name=pki_tomcat
+# pki_https_port=443
+# pki_http_port=80
+
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_password=
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_token=Internal Key Storage Token
+pki_backup_keys=False
+pki_backup_password=
+pki_client_database_dir=
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=
+pki_client_pkcs12_password=
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_password=
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_instance_id=%(pki_instance_name)s
+pki_issuing_ca=
+pki_restart_configured_instance=True
+pki_security_domain_hostname=%(pki_hostname)s
+pki_security_domain_https_port=8443
+pki_security_domain_name=%(pki_dns_domainname)s Security Domain
+pki_security_domain_password=
+pki_security_domain_user=
+pki_skip_configuration=False
+pki_skip_installation=False
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_token=Internal Key Storage Token
+pki_token_name=internal
+pki_token_password=
+pki_user=pkiuser
+
+###############################################################################
+##  Apache Configuration:                                                    ##
+##                                                                           ##
+##  Values in this section are common to PKI subsystems that run             ##
+##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[Apache]
+
+###############################################################################
+##  Tomcat Configuration:                                                    ##
+##                                                                           ##
+##  Values in this section are common to PKI subsystems that run             ##
+##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
+##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
+##  required information which MAY be overridden by users as necessary.      ##
+##                                                                           ##
+##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
+##               or a 'TKS Clone', change the value of 'pki_clone'           ##
+##               from 'False' to 'True'.                                     ##
+##                                                                           ##
+##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
+##               are MUTUALLY EXCLUSIVE entities!!!                          ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_replication_master_port=
+pki_clone_replication_clone_port=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=true
+pki_tomcat_server_port=8005
+
+###############################################################################
+##  CA Configuration:                                                        ##
+##                                                                           ##
+##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
+##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
+##  required information which MAY be overridden by users as necessary.      ##
+##                                                                           ##
+##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
+##                    of 'pki_external' from 'False' to 'True'.              ##
+##                                                                           ##
+##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
+##                    of 'pki_subordinate' from 'False' to 'True'.           ##
+##                                                                           ##
+##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
+##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_import_admin_cert=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_subordinate=False
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+
+###############################################################################
+##  KRA Configuration:                                                       ##
+##                                                                           ##
+##  Values in this section are common to KRA subsystems                      ##
+##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[KRA]
+pki_import_admin_cert=True
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+##  OCSP Configuration:                                                      ##
+##                                                                           ##
+##  Values in this section are common to OCSP subsystems                     ##
+##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[OCSP]
+pki_import_admin_cert=True
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+##  RA Configuration:                                                        ##
+##                                                                           ##
+##  Values in this section are common to PKI RA subsystems, and contain      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[RA]
+
+###############################################################################
+##  TKS Configuration:                                                       ##
+##                                                                           ##
+##  Values in this section are common to TKS subsystems                      ##
+##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[TKS]
+pki_import_admin_cert=True
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+##  TPS Configuration:                                                       ##
+##                                                                           ##
+##  Values in this section are common to PKI TPS subsystems, and contain     ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[TPS]
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 9e0a37396..7d30d743a 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -52,6 +52,8 @@ error was:
 def main(argv):
     "main entry point"
 
+    config.pki_deployment_executable = os.path.basename(argv[0])
+
     # Only run this program as "root".
     if not os.geteuid() == 0:
         sys.exit("'%s' must be run as root!" % argv[0])
@@ -88,8 +90,54 @@ def main(argv):
         sys.exit(1)
 
     # Read and process command-line arguments.
-    parser = PKIConfigParser()
-    parser.process_command_line_arguments(argv)
+    parser = PKIConfigParser(
+        'PKI Instance Removal',
+        log.PKIDESTROY_EPILOG)
+
+    parser.mandatory.add_argument('-i',
+        dest='pki_deployed_instance_name',
+        action='store',
+        nargs=1, required=True, metavar='<instance>',
+        help='FORMAT:  ${pki_instance_name}')
+
+    args = parser.process_command_line_arguments(argv)
+
+    # -i <instance name>
+    config.pki_deployed_instance_name =\
+        str(args.pki_deployed_instance_name).strip('[\']')
+
+    # verify that previously deployed instance exists
+    deployed_pki_instance_path = config.pki_root_prefix +\
+                                 config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\
+                                 config.pki_deployed_instance_name
+    if not os.path.exists(deployed_pki_instance_path):
+        print "ERROR:  " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\
+              deployed_pki_instance_path
+        print
+        parser.arg_parser.exit(-1);
+
+    # verify that previously deployed subsystem for this instance exists
+    deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\
+                                  config.pki_subsystem.lower()
+    if not os.path.exists(deployed_pki_subsystem_path):
+        print "ERROR:  " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\
+              (config.pki_subsystem, deployed_pki_instance_path)
+        print
+        parser.arg_parser.exit(-1);
+
+    # establish complete path to previously deployed configuration file
+    config.default_deployment_cfg =\
+        deployed_pki_subsystem_path + "/" +\
+        "registry" + "/" +\
+        config.pki_subsystem.lower() + "/" +\
+        config.DEFAULT_DEPLOYMENT_CONFIGURATION
+    config.user_deployment_cfg =\
+        deployed_pki_subsystem_path + "/" +\
+        "registry" + "/" +\
+        config.pki_subsystem.lower() + "/" +\
+        config.USER_DEPLOYMENT_CONFIGURATION
+
+    parser.validate()
 
     # Enable 'pkidestroy' logging.
     config.pki_log_dir = config.pki_root_prefix +\
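Review bot: `str(args.pki_deployed_instance_name).strip('[\']')` unwraps the one-element list argparse builds for nargs=1 by stripping brackets and quotes from its repr, which also eats any leading `[` or trailing `'` that belongs to the instance name itself; index the list instead, `config.pki_deployed_instance_name = args.pki_deployed_instance_name[0]`. The name is then glued into deployed_pki_instance_path with no check that it is a single path component, so a value containing `/` or `..` resolves outside PKI_DEPLOYMENT_BASE_ROOT, and this tool runs as root and goes on to remove whatever it finds there; rejecting names where `os.path.basename(name) != name or name in ('.', '..')` before the exists() checks is cheap insurance. `parser.arg_parser.exit(-1)` also yields exit status 255 rather than the 1 used by the sys.exit(1) calls earlier in main. main() continues past this hunk.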
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 21da9aef7..f64d79575 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -52,6 +52,8 @@ error was:
 def main(argv):
     "main entry point"
 
+    config.pki_deployment_executable = os.path.basename(argv[0])
+
     # Only run this program as "root".
     if not os.geteuid() == 0:
         sys.exit("'%s' must be run as root!" % argv[0])
@@ -88,8 +90,31 @@ def main(argv):
         sys.exit(1)
 
     # Read and process command-line arguments.
-    parser = PKIConfigParser()
-    parser.process_command_line_arguments(argv)
+    parser = PKIConfigParser(
+        'PKI Instance Installation and Configuration',
+        log.PKISPAWN_EPILOG)
+
+    parser.mandatory.add_argument('-f',
+        dest='user_deployment_cfg', action='store',
+        nargs=1, required=True, metavar='<file>',
+        help='configuration filename '
+            '(MUST specify complete path)')
+
+    parser.optional.add_argument('-u',
+        dest='pki_update_flag', action='store_true',
+        help='update instance of specified subsystem')
+
+    args = parser.process_command_line_arguments(argv)
+
+    config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+
+    # -f <user deployment config>
+    config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']')
+
+    # -u
+    config.pki_update_flag = args.pki_update_flag
+
+    parser.validate()
 
     if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\
                           "/" + config.pki_subsystem.lower()):
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 55a007bca..ec8fa6eff 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -41,8 +41,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                             extra=config.PKI_INDENTATION_LEVEL_1)
         # For debugging/auditing purposes, save a timestamped copy of
         # this configuration file in the subsystem archive
-        util.file.copy(master['pki_deployment_cfg_replica'],
-                       master['pki_deployment_cfg_spawn_archive'])
+        util.file.copy(master['pki_default_deployment_cfg_replica'],
+                       master['pki_default_deployment_cfg_spawn_archive'])
+        util.file.copy(master['pki_user_deployment_cfg_replica'],
+                       master['pki_user_deployment_cfg_spawn_archive'])
         # Save a copy of the installation manifest file
         config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'],
                             extra=config.PKI_INDENTATION_LEVEL_2)
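Review bot: The second added copy writes a timestamped snapshot of the user deployment file — which pkihelper.py requires to carry pki_ds_password, pki_admin_password and similar values in clear — into pki_subsystem_archive_log_path on every pkispawn run, so repeated respawns accumulate password copies in a log directory. The comment above says "debugging/auditing purposes"; it should also state the consequence and the expected protection, e.g. `# NOTE: the archived user config contains cleartext deployment passwords; the archive log directory must stay root-only`, and whoever owns util.file.copy should confirm it does not inherit a permissive mode from the source file (not visible here). Archiving default.cfg alongside it is sound, since /etc/pki/default.cfg can change after deployment. The enclosing method continues outside this hunk.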
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index 8eed598cd..947fbcdfe 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -56,8 +56,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         util.directory.create(master['pki_instance_type_registry_path'])
         util.directory.create(master['pki_instance_registry_path'])
         util.directory.create(master['pki_subsystem_registry_path'])
-        util.file.copy(master['pki_deployment_cfg'],
-                       master['pki_deployment_cfg_replica'])
+        util.file.copy(master['pki_default_deployment_cfg'],
+                       master['pki_default_deployment_cfg_replica'])
+        util.file.copy(master['pki_user_deployment_cfg'],
+                       master['pki_user_deployment_cfg_replica'])
         # establish top-level infrastructure, instance, and subsystem
         # base directories and create the "registry" symbolic link that
         # the "pkidestroy" executable relies upon
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index ec6c5ea38..4bbf92e91 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -100,13 +100,13 @@ PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVICE_NAME = "tomcat"
 PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache"
 PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat"
 
-PKI_DEPLOYMENT_CONFIGURATION_DIR =\
-    "/usr/share/pki/deployment/config"
-PKI_DEPLOYMENT_CONFIGURATION_FILE = "deployment.cfg"
+DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg"
+USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg"
+
 PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\
-    PKI_DEPLOYMENT_CONFIGURATION_DIR + "/" + PKI_DEPLOYMENT_CONFIGURATION_FILE
+    PKI_DEPLOYMENT_CONFIGURATION_ROOT + "/" + DEFAULT_DEPLOYMENT_CONFIGURATION
 PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
-    PKI_DEPLOYMENT_CONFIGURATION_DIR + "/pkislots.cfg"
+    PKI_DEPLOYMENT_SOURCE_ROOT + "/deployment/config/pkislots.cfg"
 
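Review bot: `PKI_DEPLOYMENT_CONFIGURATION_ROOT` in the rewritten PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE assignment is not defined in this hunk and does not appear elsewhere in the visible diff, so it must already exist earlier in pkiconfig.py (presumably as `/etc/pki`, matching the CMake install of etc/ into ${SYSCONF_INSTALL_DIR}/pki); if it does not, importing the module raises NameError before any argument parsing happens. A one-line comment would help the next reader, e.g. `# shipped defaults live in /etc/pki/default.cfg; the user's -f file is layered on top`. pkislots.cfg is now located through a hard-coded `/deployment/config` segment under PKI_DEPLOYMENT_SOURCE_ROOT rather than a named constant, which is worth naming now that PKI_DEPLOYMENT_CONFIGURATION_DIR is gone.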
 # subtypes of PKI subsystems
 PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned"
@@ -140,7 +140,8 @@ pki_deployment_executable = None
 # PKI Deployment "Mandatory" Command-Line Variables
 pki_subsystem = None
 #     'pkispawn' ONLY
-pkideployment_cfg = None
+default_deployment_cfg = None
+user_deployment_cfg = None
 #     'pkidestroy' ONLY
 pki_deployed_instance_name = None
 
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 8be6c5c5d..2d7b75938 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -442,7 +442,7 @@ class configuration_file:
                 config.pki_log.error(
                     log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                     "pki_ds_password",
-                    master['pki_deployment_cfg'],
+                    master['pki_user_deployment_cfg'],
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 sys.exit(1)
             # Verify existence of Admin Password (except for Clones)
@@ -452,7 +452,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_admin_password",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
             # If required, verify existence of Backup Password
@@ -462,7 +462,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_backup_password",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
             # Verify existence of Client Pin for NSS client security databases
@@ -471,7 +471,7 @@ class configuration_file:
                 config.pki_log.error(
                     log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2,
                     "pki_client_database_password",
-                    master['pki_deployment_cfg'],
+                    master['pki_user_deployment_cfg'],
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 sys.exit(1)
             # Verify existence of Client PKCS #12 Password for Admin Cert
@@ -480,7 +480,7 @@ class configuration_file:
                 config.pki_log.error(
                     log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                     "pki_client_pkcs12_password",
-                    master['pki_deployment_cfg'],
+                    master['pki_user_deployment_cfg'],
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 sys.exit(1)
             # Verify existence of PKCS #12 Password (ONLY for Clones)
@@ -490,7 +490,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_clone_pkcs12_password",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
             # Verify existence of Security Domain Password File
@@ -503,7 +503,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_security_domain_password",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
             # If required, verify existence of Token Password
@@ -513,7 +513,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_token_password",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
         return
@@ -527,28 +527,28 @@ class configuration_file:
                    config.str2bool(master['pki_subordinate']):
                     config.pki_log.error(
                         log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 elif config.str2bool(master['pki_clone']) and\
                      config.str2bool(master['pki_external']):
                     config.pki_log.error(
                         log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 elif config.str2bool(master['pki_clone']) and\
                      config.str2bool(master['pki_subordinate']):
                     config.pki_log.error(
                         log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 elif config.str2bool(master['pki_external']) and\
                      config.str2bool(master['pki_subordinate']):
                     config.pki_log.error(
                         log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
 
@@ -571,7 +571,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_ds_base_dn",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_ds_ldap_port') or\
@@ -582,7 +582,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_ds_ldap_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_ds_ldaps_port') or\
@@ -593,7 +593,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_ds_ldaps_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 # NOTE:  Although this will be checked prior to getting to
@@ -609,7 +609,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_ajp_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_http_port') or\
@@ -620,7 +620,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_http_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_https_port') or\
@@ -631,7 +631,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_https_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_tomcat_server_port') or\
@@ -642,7 +642,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_tomcat_server_port",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_clone_pkcs12_path') or\
@@ -650,7 +650,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_clone_pkcs12_path",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 elif not os.path.isfile(master['pki_clone_pkcs12_path']):
@@ -664,7 +664,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_clone_replication_security",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not master.has_key('pki_clone_uri') or\
@@ -672,7 +672,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_clone_uri",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
             elif master['pki_subsystem'] == "CA" and\
@@ -682,7 +682,7 @@ class configuration_file:
                     config.pki_log.error(
                         log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                         "pki_external_step_two",
-                        master['pki_deployment_cfg'],
+                        master['pki_user_deployment_cfg'],
                         extra=config.PKI_INDENTATION_LEVEL_2)
                     sys.exit(1)
                 if not config.str2bool(master['pki_step_two']):
@@ -691,7 +691,7 @@ class configuration_file:
                         config.pki_log.error(
                             log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                             "pki_external_csr_path",
-                            master['pki_deployment_cfg'],
+                            master['pki_user_deployment_cfg'],
                             extra=config.PKI_INDENTATION_LEVEL_2)
                         sys.exit(1)
                     elif not os.path.isfile(master['pki_external_csr_path']):
@@ -706,7 +706,7 @@ class configuration_file:
                         config.pki_log.error(
                             log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                             "pki_external_ca_cert_chain_path",
-                            master['pki_deployment_cfg'],
+                            master['pki_user_deployment_cfg'],
                             extra=config.PKI_INDENTATION_LEVEL_2)
                         sys.exit(1)
                     elif not os.path.isfile(
@@ -721,7 +721,7 @@ class configuration_file:
                         config.pki_log.error(
                             log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
                             "pki_external_ca_cert_path",
-                            master['pki_deployment_cfg'],
+                            master['pki_user_deployment_cfg'],
                             extra=config.PKI_INDENTATION_LEVEL_2)
                         sys.exit(1)
                     elif not os.path.isfile(
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 6109e7486..80bdcb216 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -41,80 +41,52 @@ class PKIConfigParser:
     COMMENT_CHAR = '#'
     OPTION_CHAR =  '='
 
-    def __init__(self):
+    def __init__(self, description, epilog):
         self.pki_config = None
 
-    # PKI Deployment Helper Functions
-    def process_command_line_arguments(self, argv):
         "Read and process command-line options"
-        config.pki_deployment_executable = os.path.basename(argv[0])
-        description = None
-        if config.pki_deployment_executable == 'pkispawn':
-            description = 'PKI Instance Installation and Configuration'
-            epilog = log.PKISPAWN_EPILOG
-        elif config.pki_deployment_executable == 'pkidestroy':
-            description = 'PKI Instance Removal'
-            epilog = log.PKIDESTROY_EPILOG
-        parser = argparse.ArgumentParser(
+        self.arg_parser = argparse.ArgumentParser(
                      description=description,
                      add_help=False,
                      formatter_class=argparse.RawDescriptionHelpFormatter,
                      epilog=epilog)
+
         # Establish 'Mandatory' command-line options
-        mandatory = parser.add_argument_group('mandatory arguments')
-        mandatory.add_argument('-s',
+        self.mandatory = self.arg_parser.add_argument_group('mandatory arguments')
+        self.mandatory.add_argument('-s',
                                dest='pki_subsystem', action='store',
                                nargs=1, choices=config.PKI_SUBSYSTEMS,
                                required=True, metavar='<subsystem>',
                                help='where <subsystem> is '
                                     'CA, KRA, OCSP, RA, TKS, or TPS')
-        if config.pki_deployment_executable == 'pkispawn':
-            mandatory.add_argument('-f',
-                                   dest='pkideployment_cfg', action='store',
-                                   nargs=1, required=True, metavar='<file>',
-                                   help='configuration filename '
-                                        '(MUST specify complete path)')
-        elif config.pki_deployment_executable == 'pkidestroy':
-            mandatory.add_argument('-i',
-                                   dest='pki_deployed_instance_name',
-                                   action='store',
-                                   nargs=1, required=True, metavar='<instance>',
-                                   help='FORMAT:  ${pki_instance_name}')
         # Establish 'Optional' command-line options
-        optional = parser.add_argument_group('optional arguments')
-        optional.add_argument('-h', '--help',
+        self.optional = self.arg_parser.add_argument_group('optional arguments')
+        self.optional.add_argument('-h', '--help',
                               dest='help', action='help',
                               help='show this help message and exit')
-        if config.pki_deployment_executable == 'pkispawn':
-            optional.add_argument('-u',
-                                  dest='pki_update_flag', action='store_true',
-                                  help='update instance of specified subsystem')
-        optional.add_argument('-v',
+        self.optional.add_argument('-v',
                               dest='pki_verbosity', action='count',
                               help='display verbose information (details below)')
+
         # Establish 'Test' command-line options
-        test = parser.add_argument_group('test arguments')
+        test = self.arg_parser.add_argument_group('test arguments')
         test.add_argument('-p',
                           dest='pki_root_prefix', action='store',
                           nargs=1, metavar='<prefix>',
                           help='directory prefix to specify local directory '
                                '[TEST ONLY]')
+
+    # PKI Deployment Helper Functions
+    def process_command_line_arguments(self, argv):
+
         # Parse command-line options
-        args = parser.parse_args()
+        args = self.arg_parser.parse_args()
+
         # Process 'Mandatory' command-line options
         #    '-s'
         config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
-        if config.pki_deployment_executable == 'pkispawn':
-            #    '-f'
-            config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
-        elif config.pki_deployment_executable == 'pkidestroy':
-            #    '-i'
-            config.pki_deployed_instance_name =\
-                str(args.pki_deployed_instance_name).strip('[\']')
+
         # Process 'Optional' command-line options
-        if config.pki_deployment_executable == 'pkispawn':
-            #    '-u'
-            config.pki_update_flag = args.pki_update_flag
         #    '-v'
         if args.pki_verbosity == 1:
             config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL
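Review bot: After the rewrite the string `"Read and process command-line options"` follows `self.pki_config = None` inside `__init__`, so it is no longer a docstring but a no-op expression statement, and its text describes the method that was moved below it anyway. Replace it with `"""Build the argparse parser shared by pkispawn and pkidestroy."""` as the first line of `__init__`, and give `process_command_line_arguments` its own docstring. `process_command_line_arguments(self, argv)` also still ignores `argv` and lets argparse read sys.argv; passing `argv[1:]` to `parse_args` would make the parameter meaningful. The method continues past this hunk.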
@@ -131,63 +103,56 @@ class PKIConfigParser:
         elif args.pki_verbosity > 3:
             print "ERROR:  " + log.PKI_VERBOSITY_LEVELS_MESSAGE
             print
-            parser.print_help()
-            parser.exit(-1);
+            self.arg_parser.print_help()
+            self.arg_parser.exit(-1);
         else:
             # Set default log levels
             config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
             config.pki_console_log_level = logging.WARNING
             config.pki_log_level = logging.INFO
+
         # Process 'Test' command-line options
         #    '-p'
-        if not args.pki_root_prefix is None:
+        if args.pki_root_prefix is None:
+            config.pki_root_prefix = ""
+        else:
             config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']')
+
+        return args
+
+
+    def validate(self):
+
         # Validate command-line options
-        if config.pki_root_prefix is None or\
-           len(config.pki_root_prefix) == 0:
-            config.pki_root_prefix = ""
-        elif not os.path.exists(config.pki_root_prefix) or\
-             not os.path.isdir(config.pki_root_prefix):
+        if len(config.pki_root_prefix) > 0:
+            if not os.path.exists(config.pki_root_prefix) or\
+                 not os.path.isdir(config.pki_root_prefix):
+                print "ERROR:  " +\
+                      log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\
+                      config.pki_root_prefix
+                print
+                self.arg_parser.print_help()
+                self.arg_parser.exit(-1);
+
+        # always default that configuration file exists
+        if not os.path.exists(config.default_deployment_cfg) or\
+            not os.path.isfile(config.default_deployment_cfg):
             print "ERROR:  " +\
-                  log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\
-                  config.pki_root_prefix
+                  log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\
+                  config.default_deployment_cfg
             print
-            parser.print_help()
-            parser.exit(-1);
-        if config.pki_deployment_executable == 'pkidestroy':
-            # verify that previously deployed instance exists
-            deployed_pki_instance_path = config.pki_root_prefix +\
-                                         config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\
-                                         config.pki_deployed_instance_name
-            if not os.path.exists(deployed_pki_instance_path):
-                print "ERROR:  " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\
-                      deployed_pki_instance_path
-                print
-                parser.exit(-1);
-            # verify that previously deployed subsystem for this instance exists
-            deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\
-                                          config.pki_subsystem.lower()
-            if not os.path.exists(deployed_pki_subsystem_path):
-                print "ERROR:  " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\
-                      (config.pki_subsystem, deployed_pki_instance_path)
-                print
-                parser.exit(-1);
-            # establish complete path to previously deployed configuration file
-            config.pkideployment_cfg =\
-                deployed_pki_subsystem_path + "/" +\
-                "registry" + "/" +\
-                config.pki_subsystem.lower() + "/" +\
-                config.PKI_DEPLOYMENT_CONFIGURATION_FILE
-        # always verify that configuration file exists
-        if not os.path.exists(config.pkideployment_cfg) or\
-           not os.path.isfile(config.pkideployment_cfg):
+            self.arg_parser.print_help()
+            self.arg_parser.exit(-1);
+
+        # verify user configuration file exists
+        if not os.path.exists(config.user_deployment_cfg) or\
+            not os.path.isfile(config.user_deployment_cfg):
             print "ERROR:  " +\
                   log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\
-                  config.pkideployment_cfg
+                  config.user_deployment_cfg
             print
-            parser.print_help()
-            parser.exit(-1);
-        return
+            self.arg_parser.print_help()
+            self.arg_parser.exit(-1);
 
 
     # The following code is based heavily upon
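Review bot: `validate()` now exits whenever `config.default_deployment_cfg` is not a file, and for pkidestroy that path points into the instance registry, which only receives a default.cfg from this version's pkispawn onward (inferred from the pkidestroy hunk, not visible here); an instance deployed before this change can therefore no longer be destroyed with the new tool. A fallback before the exit, `if not os.path.isfile(config.default_deployment_cfg): config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE`, would preserve upgradeability, and a comment should say which file wins when both exist. Minor: `not os.path.exists(p) or not os.path.isfile(p)` is just `not os.path.isfile(p)`, and `self.arg_parser.exit(-1)` yields status 255 where the rest of the tools use 1.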
@@ -238,8 +203,8 @@ class PKIConfigParser:
             # Make keys case-sensitive!
             self.pki_config.optionxform = str
             self.pki_config.read([
-                config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE,
-                config.pkideployment_cfg])
+                config.default_deployment_cfg,
+                config.user_deployment_cfg])
             config.pki_default_dict = dict(self.pki_config.items('DEFAULT'))
             pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split()
             if config.pki_subsystem == "CA":
@@ -285,7 +250,8 @@ class PKIConfigParser:
             config.pki_master_dict['pki_architecture'] = config.pki_architecture
             config.pki_master_dict['pki_jython_log_level'] =\
                 config.pki_jython_log_level
-            config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
+            config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg
+            config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg
             config.pki_master_dict['pki_deployed_instance_name'] =\
                 config.pki_deployed_instance_name
             # Generate random 'pin's for use as security database passwords
@@ -1568,18 +1534,31 @@ class PKIConfigParser:
             config.pki_master_dict['pki_storage_tag'] = "storage"
 
             # Finalization name/value pairs
-            config.pki_master_dict['pki_deployment_cfg_replica'] =\
+            config.pki_master_dict['pki_default_deployment_cfg_replica'] =\
+                os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+                             config.DEFAULT_DEPLOYMENT_CONFIGURATION)
+            config.pki_master_dict['pki_user_deployment_cfg_replica'] =\
                 os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
-                             config.PKI_DEPLOYMENT_CONFIGURATION_FILE)
-            config.pki_master_dict['pki_deployment_cfg_spawn_archive'] =\
+                             config.USER_DEPLOYMENT_CONFIGURATION)
+            config.pki_master_dict['pki_default_deployment_cfg_spawn_archive'] =\
+                config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\
+                "spawn" + "_" +\
+                config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\
+                config.pki_master_dict['pki_timestamp']
+            config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\
                 config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\
                 "spawn" + "_" +\
-                config.PKI_DEPLOYMENT_CONFIGURATION_FILE + "." +\
+                config.USER_DEPLOYMENT_CONFIGURATION + "." +\
+                config.pki_master_dict['pki_timestamp']
+            config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\
+                config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\
+                "respawn" + "_" +\
+                config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\
                 config.pki_master_dict['pki_timestamp']
-            config.pki_master_dict['pki_deployment_cfg_respawn_archive'] =\
+            config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\
                 config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\
                 "respawn" + "_" +\
-                config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + "." +\
+                config.USER_DEPLOYMENT_CONFIGURATION + "." +\
                 config.pki_master_dict['pki_timestamp']
             config.pki_master_dict['pki_manifest'] =\
                 config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\
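Review bot: The four `*_spawn_archive` / `*_respawn_archive` entries are near-identical copies that build paths with `+ "/" +` while the two `*_replica` entries just above use `os.path.join`, so the same value is derived two different ways and any future change has to be made six times. The user-supplied deployment configuration is also where the values listed in `sensitive_parameters` come from, so wherever these archive paths are consumed (finalization.py per the diffstat, outside this hunk) the copies should be created with a restrictive mode rather than inheriting the archive log directory's defaults; worth confirming there. A small loop over the two configuration kinds and the two phases produces the same keys and values with one path-building rule. The enclosing method starts and ends outside this hunk.
```python
            # Finalization name/value pairs
            registry_path = config.pki_master_dict['pki_subsystem_registry_path']
            archive_path = config.pki_master_dict['pki_subsystem_archive_log_path']
            timestamp = config.pki_master_dict['pki_timestamp']
            for kind, cfg_name in (('default', config.DEFAULT_DEPLOYMENT_CONFIGURATION),
                                   ('user', config.USER_DEPLOYMENT_CONFIGURATION)):
                config.pki_master_dict['pki_%s_deployment_cfg_replica' % kind] =\
                    os.path.join(registry_path, cfg_name)
                for phase in ('spawn', 'respawn'):
                    config.pki_master_dict['pki_%s_deployment_cfg_%s_archive' % (kind, phase)] =\
                        os.path.join(archive_path, '%s_%s.%s' % (phase, cfg_name, timestamp))
            # … unchanged: pki_manifest …
```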
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index d0cdfcb2f..8c3c7913e 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:             pki-core
 Version:          10.0.0
-Release:          %{?relprefix}53%{?prerel}%{?dist}
+Release:          %{?relprefix}54%{?prerel}%{?dist}
 Summary:          Certificate System - PKI Core Components
 URL:              http://pki.fedoraproject.org/
 License:          GPLv2
@@ -809,6 +809,7 @@ fi
 %files -n pki-server
 %defattr(-,root,root,-)
 %doc base/deploy/LICENSE
+%{_sysconfdir}/pki/default.cfg
 %{_sbindir}/pkispawn
 %{_sbindir}/pkidestroy
 #%{_bindir}/pki-setup-proxy
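Review bot: `%{_sysconfdir}/pki/default.cfg` is added as a plain file entry; a file under /etc that users are expected to edit should be listed as `%config(noreplace) %{_sysconfdir}/pki/default.cfg` so a package upgrade does not overwrite local changes (rpmlint also flags non-config files under /etc). If the file is instead meant as read-only shipped defaults that pkispawn archives verbatim, plain `%config` makes that intent explicit and still records it as a configuration file in the RPM database. Either way the choice is worth a one-line comment next to the entry, since the commit message says the move to /etc was made to make the file accessible to users.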
@@ -958,6 +959,9 @@ fi
 
 
 %changelog
+* Tue Dec 4 2012 Endi S. Dewata <edewata@redhat.com> 10.0.0-0.54.b3
+- Moved default deployment configuration to /etc/pki.
+
 * Mon Nov 19 2012 Ade Lee <alee@redhat.com> 10.0.0-0.53.b3
 - Cleaned up spec file to provide only support rhel 7+, f17+
 - Added resteasy-base dependency for rhel 7