From 8dd3aa3a0acaa786b7794744a31bb44d991c2fb1 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 5 May 2016 18:10:23 +0200 Subject: Added cleanUp() and cert_import scriptlet. --- base/common/python/pki/system.py | 13 +- .../certsrv/system/SystemConfigResource.java | 4 + .../dogtagpki/server/rest/SystemConfigService.java | 42 ++-- base/server/etc/default.cfg | 1 + .../python/pki/server/deployment/pkihelper.py | 38 ++-- .../server/deployment/scriptlets/cert_import.py | 248 +++++++++++++++++++++ .../server/deployment/scriptlets/configuration.py | 206 +---------------- .../server/deployment/scriptlets/finalization.py | 6 + 8 files changed, 321 insertions(+), 237 deletions(-) create mode 100644 base/server/python/pki/server/deployment/scriptlets/cert_import.py diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py index 7607578df..945c06407 100644 --- a/base/common/python/pki/system.py +++ b/base/common/python/pki/system.py @@ -267,7 +267,6 @@ class SystemConfigClient(object): :param data: Configuration request containing all the input needed to configure the subsystem :type data: ConfigurationRequest - :return: ConfigurationResponse -- response from configuration servlet. """ headers = {'Content-type': 'application/json', 'Accept': 'application/json'} 
@@ -318,14 +317,22 @@ class SystemConfigClient(object): """ Contacts the server and invokes the Java configuration REST API to finalize subsystem configuration. - - :return: ConfigurationResponse -- response from configuration servlet. """ headers = {'Content-type': 'application/json', 'Accept': 'application/json'} self.connection.post('/rest/installer/finalizeConfiguration', None, headers) + def cleanUp(self): + """ + Contacts the server and invokes the Java configuration REST API to + clean up the configuration. + """ + headers = {'Content-type': 'application/json', + 'Accept': 'application/json'} + self.connection.post('/rest/installer/cleanUp', None, + headers) + def getConfigurationResult(self): """ Contacts the server and invokes the Java configuration REST API to diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java index 4835843c5..870664979 100644 --- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java @@ -51,6 +51,10 @@ public interface SystemConfigResource { @Path("finalizeConfiguration") public void finalizeConfiguration() throws Exception; + @POST + @Path("cleanUp") + public void cleanUp() throws Exception; + @POST @Path("result") public ConfigurationResponse getConfigurationResponse() throws Exception; diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index e4f5aec3f..7cedbf24b 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java 
@@ -266,6 +266,29 @@ public class SystemConfigService extends PKIService implements SystemConfigResou finalizeConfiguration(request, response); } + @Override + public void cleanUp() { + + cs.putInteger("cs.state", 1); + + // update serial numbers for clones + + // save some variables, remove remaining preops + try { + ConfigurationUtils.removePreopConfigEntries(); + } catch (EBaseException e) { + CMS.debug(e); + throw new PKIException("Errors when removing preop config entries: " + e, e); + } + + // Create an empty file that designates the fact that although + // this server instance has been configured, it has NOT yet + // been restarted! + String restart_server = instanceRoot + "/conf/" + RESTART_SERVER_AFTER_CONFIGURATION; + Utils.exec("touch " + restart_server); + Utils.exec("chmod 00660 " + restart_server); + } + @Override public ConfigurationResponse getConfigurationResponse() { @@ -636,25 +659,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } public void finalizeConfiguration(ConfigurationRequest request, ConfigurationResponse response) { - - cs.putInteger("cs.state", 1); - - // update serial numbers for clones - - // save some variables, remove remaining preops - try { - ConfigurationUtils.removePreopConfigEntries(); - } catch (EBaseException e) { - CMS.debug(e); - throw new PKIException("Errors when removing preop config entries: " + e, e); - } - - // Create an empty file that designates the fact that although - // this server instance has been configured, it has NOT yet - // been restarted! - String restart_server = instanceRoot + "/conf/" + RESTART_SERVER_AFTER_CONFIGURATION; - Utils.exec("touch " + restart_server); - Utils.exec("chmod 00660 " + restart_server); } public void configureAdministrator(ConfigurationRequest data, ConfigurationResponse response) { diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index c759556de..24008a328 100644 --- a/base/server/etc/default.cfg 
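Review bot: In the new `cleanUp()`, the restart marker is created with `Utils.exec("touch " + restart_server)` and only afterwards restricted with `Utils.exec("chmod 00660 " + restart_server)`, so the file briefly exists with whatever mode the process umask allows, and the outcome of neither command is checked. The command strings are also built by concatenating `instanceRoot`, which makes them depend on that path containing no whitespace or special characters. Creating the file in-process with its mode set at creation removes both issues, as sketched below. Separately, `cleanUp()` sets `cs.state` to 1 without any visible check of the current state; now that it is its own REST operation, a precondition check or a comment stating who may call it and when would help.

```java
// … unchanged: cs.state update and removal of preop config entries …

// Create the restart marker with its final mode in one step;
// the process umask can only narrow this mode, never widen it.
Path marker = Paths.get(instanceRoot, "conf", RESTART_SERVER_AFTER_CONFIGURATION);
try {
    Files.createFile(marker, PosixFilePermissions.asFileAttribute(
            PosixFilePermissions.fromString("rw-rw----")));
} catch (FileAlreadyExistsException e) {
    // marker left by an earlier run: nothing to do
} catch (IOException e) {
    CMS.debug(e);
    throw new PKIException("Unable to create " + marker + ": " + e, e);
}
```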
+++ b/base/server/etc/default.cfg @@ -43,6 +43,7 @@ spawn_scriplets= security_databases client_database csr_generation + cert_import configuration finalization diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 24e6ee0c2..2dc8a29cf 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py 
@@ -3802,31 +3802,42 @@ class ConfigClient: self.mdict['pki_req_ext_add']) self.security_domain_type = self.mdict['pki_security_domain_type'] self.san_inject = config.str2bool(self.mdict['pki_san_inject']) + self.connection = None + self.client = None - def configure_pki_data(self, data): - config.pki_log.info( - log.PKI_CONFIG_CONFIGURING_PKI_DATA, - extra=config.PKI_INDENTATION_LEVEL_2) + def connect(self): - connection = pki.client.PKIConnection( + self.connection = pki.client.PKIConnection( protocol='https', hostname=self.mdict['pki_hostname'], port=self.mdict['pki_https_port'], subsystem=self.mdict['pki_subsystem_type'], trust_env=False) + self.client = pki.system.SystemConfigClient(self.connection) + + def clean_up(self): + + if not (self.external or self.standalone) or self.external_step_two: + self.client.cleanUp() + + def configure_pki_data(self, data): + + config.pki_log.info( + log.PKI_CONFIG_CONFIGURING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + try: - client = pki.system.SystemConfigClient(connection) - client.configure(data) + self.client.configure(data) if not (self.external or self.standalone) or self.external_step_two: - client.createCertificates() - client.backupKeys() - client.createUsers() - client.configureSecurityDomain() - client.finalizeConfiguration() + self.client.createCertificates() + self.client.backupKeys() + self.client.createUsers() + self.client.configureSecurityDomain() + self.client.finalizeConfiguration() - response = client.getConfigurationResult() + response = self.client.getConfigurationResult() config.pki_log.debug( 'Configuration complete', @@ -4664,7 +4675,6 @@ class PKIDeployer: self.servercertnick_conf = ServerCertNickConf(self) self.systemd = Systemd(self) self.tps_connector = TPSConnector(self) - self.config_client = ConfigClient(self) def init(self): 
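Review bot: `clean_up()` and `configure_pki_data()` now dereference `self.client`, which `__init__` sets to `None` and only `connect()` fills in, so a caller that skips `connect()` gets an AttributeError on `None` instead of a clear error. Either connect lazily at the top of both methods, `if self.client is None: self.connect()`, or document on the class that `connect()` must be called first. The condition `not (self.external or self.standalone) or self.external_step_two` is now repeated in both methods and would be easier to keep in sync as one helper or attribute. `clean_up()` also calls the server without the error handling that `configure_pki_data()` opens with its `try:`; that method's body continues outside the hunk.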
diff --git a/base/server/python/pki/server/deployment/scriptlets/cert_import.py b/base/server/python/pki/server/deployment/scriptlets/cert_import.py
new file mode 100644
index 000000000..76e6b26d8
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/cert_import.py
@@ -0,0 +1,248 @@
+# Authors:
+# Matthew Harmsen
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+import pki.encoder
+import pki.nssdb
+import pki.server
+import pki.system
+import pki.util
+
+
+# PKI Deployment Configuration Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ if config.str2bool(deployer.mdict['pki_skip_configuration']):
+ config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ deployer.instance.verify_subsystem_exists()
+
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(
+ deployer.mdict['pki_subsystem'].lower())
+
+ token = deployer.mdict['pki_token_name']
+ nssdb = instance.open_nssdb(token)
+
+ existing = deployer.configuration_file.existing
+ external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
+ step_one = deployer.configuration_file.external_step_one
+ step_two = deployer.configuration_file.external_step_two
+
+ try:
+ if existing or external and step_two:
+ # existing CA or external CA step 2
+
+ # If specified, import CA signing CSR into CS.cfg.
+ signing_csr_path = deployer.mdict['pki_external_csr_path']
+ if signing_csr_path:
+ config.pki_log.info(
+ "importing CA signing CSR from %s",
+ signing_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ with open(signing_csr_path) as f:
+ signing_csr = f.read()
+ signing_csr = pki.nssdb.convert_csr(
+ signing_csr, 'pem', 'base64')
+ subsystem.config['ca.signing.certreq'] = signing_csr
+
+ # If specified, import CA signing cert into NSS database.
+ signing_nickname = deployer.mdict['pki_ca_signing_nickname']
+ signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
+ if signing_cert_file:
+ config.pki_log.info(
+ "importing %s from %s",
+ signing_nickname, signing_cert_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ nssdb.add_cert(
+ nickname=signing_nickname,
+ cert_file=signing_cert_file,
+ trust_attributes='CT,C,C')
+
+ # If specified, import certs and keys from PKCS #12 file
+ # into NSS database.
+ pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
+ if pkcs12_file:
+ config.pki_log.info(
+ "importing certificates and keys from %s", pkcs12_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ pkcs12_password = deployer.mdict[
+ 'pki_external_pkcs12_password']
+ nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
+
+ # If specified, import cert chain into NSS database.
+ # Note: Cert chain must be imported after the system certs
+ # to ensure that the system certs are imported with
+ # the correct nicknames.
+ external_ca_cert_chain_nickname = \
+ deployer.mdict['pki_external_ca_cert_chain_nickname']
+ external_ca_cert_chain_file = deployer.mdict[
+ 'pki_external_ca_cert_chain_path']
+ if external_ca_cert_chain_file:
+ config.pki_log.info(
+ "importing certificate chain %s from %s",
+ external_ca_cert_chain_nickname,
+ external_ca_cert_chain_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ cert_chain, _nicks = nssdb.import_cert_chain(
+ nickname=external_ca_cert_chain_nickname,
+ cert_chain_file=external_ca_cert_chain_file,
+ trust_attributes='CT,C,C')
+ subsystem.config['ca.external_ca_chain.cert'] = cert_chain
+
+ # Export CA signing cert from NSS database and import
+ # it into CS.cfg.
+ signing_cert_data = nssdb.get_cert(
+ nickname=signing_nickname,
+ output_format='base64')
+ subsystem.config['ca.signing.nickname'] = signing_nickname
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.signing.cert'] = signing_cert_data
+ subsystem.config['ca.signing.cacertnickname'] = signing_nickname
+ subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
+ deployer.mdict['pki_ca_signing_signing_algorithm'])
+
+ subsystem.save()
+
+ elif standalone and step_two:
+
+ # To be implemented in ticket #1692.
+ # Import standalone system certificates into NSS database.
+
+ pass
+
+ else: # self-signed CA
+
+ # To be implemented in ticket #1692.
+ # Generate self-signed CA cert.
+ # Import self-signed CA cert into NSS database.
+
+ pass
+
+ finally:
+ nssdb.close()
+
+ if external and step_one:
+ return
+
+ if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_shared_pfile'],
+ deployer.mdict['pki_pin'], pin_sans_token=True)
+
+ # only create a self signed cert for a new instance
+ #
+ # NOTE: ALWAYS create the temporary sslserver certificate
+ # in the software DB regardless of whether the
+ # instance will utilize 'softokn' or an HSM
+ #
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ if not rv:
+
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file. Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
+
+ deployer.certutil.generate_self_signed_certificate(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_self_signed_nickname'],
+ deployer.mdict['pki_self_signed_subject'],
+ deployer.mdict['pki_self_signed_serial_number'],
+ deployer.mdict['pki_self_signed_validity_period'],
+ deployer.mdict['pki_self_signed_issuer_name'],
+ deployer.mdict['pki_self_signed_trustargs'],
+ deployer.mdict['pki_self_signed_noise_file'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+
+ # Delete the temporary 'noise' file
+ deployer.file.delete(
+ deployer.mdict['pki_self_signed_noise_file'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
+ # Start/Restart this Tomcat PKI Process
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(deployer.mdict['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ deployer.mdict['pki_target_tomcat_conf_instance_id'])
+ tomcat_instance_subsystems = \
+ len(deployer.instance.tomcat_instance_subsystems())
+ if tomcat_instance_subsystems == 1:
+ deployer.systemd.start()
+ elif tomcat_instance_subsystems > 1:
+ deployer.systemd.restart()
+
+ # wait for startup
+ status = deployer.instance.wait_for_startup(60)
+ if status is None:
+ config.pki_log.error(
+ "server failed to restart",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception("server failed to restart")
+
+ # Optionally wait for debugger to attach (e. g.
- 'eclipse'): + if config.str2bool(deployer.mdict['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + def destroy(self, deployer): + + config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if len(deployer.instance.tomcat_instance_subsystems()) == 1: + if deployer.directory.exists(deployer.mdict['pki_client_dir']): + deployer.directory.delete(deployer.mdict['pki_client_dir']) diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index d8cf1145a..5a59faf27 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -23,6 +23,7 @@ import json # PKI Deployment Imports from .. import pkiconfig as config +from .. import pkihelper from .. import pkimessages as log from .. import pkiscriptlet 
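Review bot: The temporary password file that `create_password_conf()` writes from `pki_pin`, and the noise file, are deleted only on the success path in `spawn()`: if `verify_certificate_exists()` or `generate_self_signed_certificate()` raises, both stay on disk. Putting the two deletions in `finally:` blocks keeps the PIN file from outliving a failed run, as sketched below. Smaller points in the same file: the header comment `# PKI Deployment Configuration Scriptlet` and the `CONFIGURATION_SPAWN_1` / `CONFIGURATION_DESTROY_1` messages were carried over from configuration.py, so the two scriptlets will look the same in the log, and `if existing or external and step_two:` would read more safely as `if existing or (external and step_two):`.

```python
if len(deployer.instance.tomcat_instance_subsystems()) < 2:

    # … unchanged: create_password_conf() call …

    try:
        # … unchanged: verify_certificate_exists() call …

        if not rv:
            # … unchanged: write the noise file …
            try:
                # … unchanged: generate_self_signed_certificate() call …
            finally:
                # Delete the temporary 'noise' file, also on failure
                deployer.file.delete(
                    deployer.mdict['pki_self_signed_noise_file'])
    finally:
        # Always delete the temporary 'pfile', also on failure
        deployer.file.delete(deployer.mdict['pki_shared_pfile'])
```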
@@ -46,214 +47,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - deployer.instance.verify_subsystem_exists() - - instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) - instance.load() - - subsystem = instance.get_subsystem( - deployer.mdict['pki_subsystem'].lower()) - - token = deployer.mdict['pki_token_name'] - nssdb = instance.open_nssdb(token) - - existing = deployer.configuration_file.existing - external = deployer.configuration_file.external - standalone = deployer.configuration_file.standalone - step_one = deployer.configuration_file.external_step_one - step_two = deployer.configuration_file.external_step_two - - try: - if existing or external and step_two: - # existing CA or external CA step 2 - - # If specified, import CA signing CSR into CS.cfg. - signing_csr_path = deployer.mdict['pki_external_csr_path'] - if signing_csr_path: - config.pki_log.info( - "importing CA signing CSR from %s", - signing_csr_path, - extra=config.PKI_INDENTATION_LEVEL_2) - with open(signing_csr_path) as f: - signing_csr = f.read() - signing_csr = pki.nssdb.convert_csr( - signing_csr, 'pem', 'base64') - subsystem.config['ca.signing.certreq'] = signing_csr - - # If specified, import CA signing cert into NSS database. - signing_nickname = deployer.mdict['pki_ca_signing_nickname'] - signing_cert_file = deployer.mdict['pki_external_ca_cert_path'] - if signing_cert_file: - config.pki_log.info( - "importing %s from %s", - signing_nickname, signing_cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - nssdb.add_cert( - nickname=signing_nickname, - cert_file=signing_cert_file, - trust_attributes='CT,C,C') - - # If specified, import certs and keys from PKCS #12 file - # into NSS database. 
- pkcs12_file = deployer.mdict['pki_external_pkcs12_path'] - if pkcs12_file: - config.pki_log.info( - "importing certificates and keys from %s", pkcs12_file, - extra=config.PKI_INDENTATION_LEVEL_2) - pkcs12_password = deployer.mdict[ - 'pki_external_pkcs12_password'] - nssdb.import_pkcs12(pkcs12_file, pkcs12_password) - - # If specified, import cert chain into NSS database. - # Note: Cert chain must be imported after the system certs - # to ensure that the system certs are imported with - # the correct nicknames. - external_ca_cert_chain_nickname = \ - deployer.mdict['pki_external_ca_cert_chain_nickname'] - external_ca_cert_chain_file = deployer.mdict[ - 'pki_external_ca_cert_chain_path'] - if external_ca_cert_chain_file: - config.pki_log.info( - "importing certificate chain %s from %s", - external_ca_cert_chain_nickname, - external_ca_cert_chain_file, - extra=config.PKI_INDENTATION_LEVEL_2) - cert_chain, _nicks = nssdb.import_cert_chain( - nickname=external_ca_cert_chain_nickname, - cert_chain_file=external_ca_cert_chain_file, - trust_attributes='CT,C,C') - subsystem.config['ca.external_ca_chain.cert'] = cert_chain - - # Export CA signing cert from NSS database and import - # it into CS.cfg. - signing_cert_data = nssdb.get_cert( - nickname=signing_nickname, - output_format='base64') - subsystem.config['ca.signing.nickname'] = signing_nickname - subsystem.config['ca.signing.tokenname'] = ( - deployer.mdict['pki_ca_signing_token']) - subsystem.config['ca.signing.cert'] = signing_cert_data - subsystem.config['ca.signing.cacertnickname'] = signing_nickname - subsystem.config['ca.signing.defaultSigningAlgorithm'] = ( - deployer.mdict['pki_ca_signing_signing_algorithm']) - - subsystem.save() - - elif standalone and step_two: - - # To be implemented in ticket #1692. - # Import standalone system certificates into NSS database. - - pass - - else: # self-signed CA - - # To be implemented in ticket #1692. - # Generate self-signed CA cert. 
- # Import self-signed CA cert into NSS database. - - pass - - finally: - nssdb.close() - - if external and step_one: - return - - if len(deployer.instance.tomcat_instance_subsystems()) < 2: - - deployer.password.create_password_conf( - deployer.mdict['pki_shared_pfile'], - deployer.mdict['pki_pin'], pin_sans_token=True) - - # only create a self signed cert for a new instance - # - # NOTE: ALWAYS create the temporary sslserver certificate - # in the software DB regardless of whether the - # instance will utilize 'softokn' or an HSM - # - rv = deployer.certutil.verify_certificate_exists( - deployer.mdict['pki_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], - deployer.mdict['pki_self_signed_token'], - deployer.mdict['pki_self_signed_nickname'], - password_file=deployer.mdict['pki_shared_pfile']) - - if not rv: - - # note: in the function below, certutil is used to generate - # the request for the self signed cert. The keys are generated - # by NSS, which does not actually use the data in the noise - # file, so it does not matter what is in this file. 
Certutil - # still requires it though, otherwise it waits for keyboard - # input - with open( - deployer.mdict['pki_self_signed_noise_file'], 'w') as f: - f.write("not_so_random_data") - - deployer.certutil.generate_self_signed_certificate( - deployer.mdict['pki_database_path'], - deployer.mdict['pki_cert_database'], - deployer.mdict['pki_key_database'], - deployer.mdict['pki_secmod_database'], - deployer.mdict['pki_self_signed_token'], - deployer.mdict['pki_self_signed_nickname'], - deployer.mdict['pki_self_signed_subject'], - deployer.mdict['pki_self_signed_serial_number'], - deployer.mdict['pki_self_signed_validity_period'], - deployer.mdict['pki_self_signed_issuer_name'], - deployer.mdict['pki_self_signed_trustargs'], - deployer.mdict['pki_self_signed_noise_file'], - password_file=deployer.mdict['pki_shared_pfile']) - - # Delete the temporary 'noise' file - deployer.file.delete( - deployer.mdict['pki_self_signed_noise_file']) - - # Always delete the temporary 'pfile' - deployer.file.delete(deployer.mdict['pki_shared_pfile']) - - # Start/Restart this Tomcat PKI Process - # Optionally prepare to enable a java debugger - # (e. g. - 'eclipse'): - if config.str2bool(deployer.mdict['pki_enable_java_debugger']): - config.prepare_for_an_external_java_debugger( - deployer.mdict['pki_target_tomcat_conf_instance_id']) - tomcat_instance_subsystems = \ - len(deployer.instance.tomcat_instance_subsystems()) - if tomcat_instance_subsystems == 1: - deployer.systemd.start() - elif tomcat_instance_subsystems > 1: - deployer.systemd.restart() - - # wait for startup - status = deployer.instance.wait_for_startup(60) - if status is None: - config.pki_log.error( - "server failed to restart", - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception("server failed to restart") - - # Optionally wait for debugger to attach (e. g. 
- 'eclipse'): - if config.str2bool(deployer.mdict['pki_enable_java_debugger']): - config.wait_to_attach_an_external_java_debugger() + config_client = pkihelper.ConfigClient(deployer) + config_client.connect() # Construct PKI Subsystem Configuration Data - data = None - if deployer.mdict['pki_instance_type'] == "Tomcat": - # CA, KRA, OCSP, TKS, or TPS - data = deployer.config_client.construct_pki_configuration_data() + data = config_client.construct_pki_configuration_data() # Configure the subsystem - deployer.config_client.configure_pki_data( + config_client.configure_pki_data( json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) def destroy(self, deployer): config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if len(deployer.instance.tomcat_instance_subsystems()) == 1: - if deployer.directory.exists(deployer.mdict['pki_client_dir']): - deployer.directory.delete(deployer.mdict['pki_client_dir']) diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py index 3dc7f66de..236e665e0 100644 --- a/base/server/python/pki/server/deployment/scriptlets/finalization.py +++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py @@ -22,6 +22,7 @@ from __future__ import absolute_import # PKI Deployment Imports from .. import pkiconfig as config +from .. import pkihelper from .. import pkimessages as log from .. import pkiscriptlet @@ -44,6 +45,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # Finalize configuration + config_client = pkihelper.ConfigClient(deployer) + config_client.connect() + config_client.clean_up() + # Optionally, programmatically 'enable' the configured PKI instance # to be started upon system boot (default is True) if not config.str2bool(deployer.mdict['pki_enable_on_system_boot']): -- cgit
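Review bot: In configuration.py, `spawn()` now calls `config_client.connect()` and `construct_pki_configuration_data()` unconditionally, where the removed code built the request only when `pki_instance_type` was "Tomcat"; if other instance types can still reach this scriptlet, that guard should stay. The scriptlet also relies on cert_import having run first to start the server, which only the order of `spawn_scriplets` in default.cfg enforces. A comment above the `connect()` call such as `# The server was started by the cert_import scriptlet.` would record that dependency. `spawn()` begins outside the hunk.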
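Review bot: In finalization.py, the added `config_client.clean_up()` has no guard for `pki_skip_configuration`: cert_import returns early for that setting before it starts the server, so unless this `spawn()` already returns earlier (not visible in the hunk) the POST to `/rest/installer/cleanUp` either fails against a server that is not running or marks an unconfigured subsystem as configured. Wrapping the three added lines in `if not config.str2bool(deployer.mdict['pki_skip_configuration']):` would keep the scriptlets consistent. The comment `# Finalize configuration` would be clearer as `# Mark the subsystem as configured (cleanUp REST call)`, since `finalizeConfiguration()` is a different operation.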