From d1f004976b9793014443f16ff481de1c548d4a17 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 29 Nov 2012 17:06:35 -0500
Subject: pkispawn changes for a common admin user

---
 base/deploy/config/pkideployment.cfg | 3 +
 base/deploy/src/scriptlets/pkijython.py | 50 ++++++-----
 base/deploy/src/scriptlets/pkiparser.py | 152 +++++---------------------
 3 files changed, 54 insertions(+), 151 deletions(-)

diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index 6630907a7..13f6f2f31 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -27,6 +27,7 @@ pki_token_password=
 ## 'common' data values which are left undefined. ##
 ###############################################################################
 [Common]
+pki_admin_cert_file=
 pki_admin_cert_request_type=crmf
 pki_admin_domain_name=
 pki_admin_dualkey=False
@@ -78,6 +79,7 @@ pki_subsystem_nickname=
 pki_subsystem_subject_dn=
 pki_subsystem_token=
 pki_token_name=internal
+pki_use_common_admin_user=true
 pki_user=pkiuser
 ###############################################################################
 ## 'Apache' Data: ##
@@ -162,6 +164,7 @@ pki_ocsp_signing_token=
 pki_subordinate=False
 pki_subsystem=CA
 pki_subsystem_name=
+pki_use_common_admin_user=false
 ###############################################################################
 ## 'KRA' Data: ##
 ## ##
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e6098b01a..595dde2fc 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
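Review bot: The new key `pki_use_common_admin_user` is given two defaults in pkideployment.cfg — `true` under `[Common]` and `false` in the CA section — with no comment saying why they differ, and the empty `pki_admin_cert_file=` gives no hint of what belongs there. From the pkijython change in this commit the `true` value makes a subsystem import an existing admin cert from that file instead of enrolling its own, and the CA is the one that keeps `false` because it is the issuer; that reasoning belongs next to the keys. Suggested comments in the file's `##` style: `## true: import the admin cert named by pki_admin_cert_file instead of enrolling a per-subsystem admin (the CA keeps false and issues it)` beside the `[Common]` entry, and `## base64 admin cert shared across subsystems; when empty pkiparser derives a path under pki_database_path — confirm` beside `pki_admin_cert_file=`.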
@@ -350,25 +350,34 @@ class rest_client:
         data.setAdminPassword(self.sensitive['pki_admin_password'])
         data.setAdminProfileID(self.master['pki_admin_profile_id'])
         data.setAdminUID(self.master['pki_admin_uid'])
-        data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
-        if self.master['pki_admin_cert_request_type'] == "crmf":
-            data.setAdminCertRequestType("crmf")
-            if config.str2bool(self.master['pki_admin_dualkey']):
-                crmf_request = generateCRMFRequest(
-                    token,
-                    self.master['pki_admin_keysize'],
-                    self.master['pki_admin_subject_dn'],
-                    "true")
-            else:
-                crmf_request = generateCRMFRequest(
-                    token,
-                    self.master['pki_admin_keysize'],
-                    self.master['pki_admin_subject_dn'],
-                    "false")
-            data.setAdminCertRequest(crmf_request)
+        if config.str2bool(self.master['pki_use_common_admin_user']):
+            data.setUseCommonAdmin("true")
+            # read config from file
+            f = open(self.master['pki_admin_cert_file'])
+            b64 = f.read().replace('\n','')
+            f.close()
+            data.setAdminCert(b64)
         else:
-            javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
-            javasystem.exit(1)
+            data.setUseCommonAdmin("false")
+            data.setAdminSubjectDN(self.master['pki_admin_subject_dn'])
+            if self.master['pki_admin_cert_request_type'] == "crmf":
+                data.setAdminCertRequestType("crmf")
+                if config.str2bool(self.master['pki_admin_dualkey']):
+                    crmf_request = generateCRMFRequest(
+                        token,
+                        self.master['pki_admin_keysize'],
+                        self.master['pki_admin_subject_dn'],
+                        "true")
+                else:
+                    crmf_request = generateCRMFRequest(
+                        token,
+                        self.master['pki_admin_keysize'],
+                        self.master['pki_admin_subject_dn'],
+                        "false")
+                data.setAdminCertRequest(crmf_request)
+            else:
+                javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+                javasystem.exit(1)
 
     def create_system_cert(self, tag):
         cert = SystemCertData()
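Review bot: The common-admin branch opens `self.master['pki_admin_cert_file']` and calls `f.close()` only on the happy path, so a failed `read()` leaks the handle, and nothing checks that the stripped content is non-empty before `data.setAdminCert(b64)` ships it to the server — an empty or truncated file would silently bind an empty "certificate" as the subsystem's admin identity, whereas the existing non-crmf branch exits loudly on an unsupported configuration. Only `'\n'` is removed, so a file with CRLF line ends would pass `'\r'` into the base64. A `try`/`finally` around the read plus an explicit empty check, mirroring the `javasystem.exit(1)` pattern already used in this method, makes the failure visible at configuration time; the `# read config from file` comment should also say what the file holds. The method this branch belongs to starts before the hunk.

```python
        if config.str2bool(self.master['pki_use_common_admin_user']):
            data.setUseCommonAdmin("true")
            # base64 body of the shared admin cert (issued by the CA) — confirm format
            f = open(self.master['pki_admin_cert_file'])
            try:
                b64 = f.read().replace('\r', '').replace('\n', '')
            finally:
                f.close()
            if not b64:
                javasystem.out.println("empty admin cert file: " +
                                       self.master['pki_admin_cert_file'])
                javasystem.exit(1)
            data.setAdminCert(b64)
        # … unchanged: else branch (per-subsystem CRMF admin request) …
```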
@@ -569,13 +578,14 @@ class rest_client:
                 javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
                                        cdata.getRequest())
             # Cloned PKI subsystems do not return an Admin Certificate
-            if not config.str2bool(master['pki_clone']):
+            if not config.str2bool(master['pki_clone']) and \
+               not config.str2bool(master['pki_use_common_admin_user']):
                 admin_cert = response.getAdminCert().getCert()
                 javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
                                        " " + admin_cert)
                 # Store the Administration Certificate in a file
                 admin_cert_file = os.path.join(
-                    master['pki_client_dir'],
+                    master['pki_database_path'],
                     master['pki_client_admin_cert'])
                 admin_cert_bin_file = admin_cert_file + ".der"
                 javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 4f2757359..e5be21670 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -1395,6 +1395,15 @@ def compose_pki_master_dictionary():
             config.pki_master_dict['pki_database_path'] + "/" +\
             config.pki_master_dict['pki_subsystem'].lower() + "_" +\
             "admin" + "_" + "cert" + "." + "p12"
+
+        # the admin cert is stored with the NSS server databases
+        # in case we want to use a common admin user cert
+        if not 'pki_admin_cert_file' in config.pki_master_dict or\
+           not len(config.pki_master_dict['pki_admin_cert_file']):
+            config.pki_master_dict['pki_admin_cert_file'] =\
+                config.pki_master_dict['pki_database_path'] +\
+                "/ca_admin.cert"
+
         # Jython scriptlet name/value pairs
         config.pki_master_dict['pki_jython_configuration_scriptlet'] =\
             os.path.join(sys.prefix,
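Review bot: The returned admin cert is now saved under `master['pki_database_path']` with the name `master['pki_client_admin_cert']`, while the pkiparser change in this commit defaults the file that a common-admin subsystem reads to `<pki_database_path>/ca_admin.cert`; the two names are only the same if `pki_client_admin_cert` happens to be `ca_admin.cert`, which is not visible here, so the producer and the consumer of this file are coupled through an implicit naming convention. Deriving both from one key, or at least a comment at the `os.path.join(` line such as `# must match pki_admin_cert_file, which the other subsystems import`, would make the dependency explicit. Moving the file from `pki_client_dir` into the server database directory is also a separate change from the commit subject and deserves a sentence in the description. The enclosing method starts and ends outside the hunk.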
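Review bot: The default for `pki_admin_cert_file` is assembled with `+ "/ca_admin.cert"` even though the same function uses `os.path.join` a few lines below (the file mixes both styles, as the `"/" +` context above shows, but new code should pick the portable one): `os.path.join(config.pki_master_dict['pki_database_path'], "ca_admin.cert")`. Stylistically `not 'pki_admin_cert_file' in config.pki_master_dict` reads as `'pki_admin_cert_file' not in config.pki_master_dict`, and `not len(...)` as `not config.pki_master_dict['pki_admin_cert_file']`. The comment says where the file lives but not who writes it; `# written by the CA's configuration step and imported by subsystems with pki_use_common_admin_user=true — confirm the name matches pki_client_admin_cert` would close that gap. compose_pki_master_dictionary continues outside the hunk.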
@@ -1635,138 +1644,19 @@ def compose_pki_master_dictionary():
                 config.pki_master_dict['pki_admin_name'] + "@" +\
                 config.pki_master_dict['pki_dns_domainname']
         if not len(config.pki_master_dict['pki_admin_nickname']):
-            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
-                if config.pki_master_dict['pki_subsystem'] == "RA":
-                    # PKI RA
-                    config.pki_master_dict['pki_admin_nickname'] =\
-                        "RA Administrator's" + " " +\
-                        config.pki_master_dict['pki_security_domain_name'] +\
-                        " " + "ID"
-                elif config.pki_master_dict['pki_subsystem'] == "TPS":
-                    # PKI TPS
-                    config.pki_master_dict['pki_admin_nickname'] =\
-                        "TPS Administrator's" + " " +\
-                        config.pki_master_dict['pki_security_domain_name'] +\
-                        " " + "ID"
-            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
-                if not config.str2bool(config.pki_master_dict['pki_clone']):
-                    if config.pki_master_dict['pki_subsystem'] == "CA":
-                        if config.str2bool(
-                            config.pki_master_dict['pki_external']):
-                            # External CA
-                            config.pki_master_dict['pki_admin_nickname'] =\
-                                "CA Administrator of Instance" + " " +\
-                                config.pki_master_dict['pki_instance_id'] +\
-                                "'s" + " " +\
-                                "External CA ID"
-                        else:
-                            # PKI CA or Subordinate CA
-                            config.pki_master_dict['pki_admin_nickname'] =\
-                                "CA Administrator of Instance" + " " +\
-                                config.pki_master_dict['pki_instance_id'] +\
-                                "'s" + " " +\
-                                config.pki_master_dict\
-                                ['pki_security_domain_name'] + " " + "ID"
-                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
-                        # PKI KRA
-                        config.pki_master_dict['pki_admin_nickname'] =\
-                            "KRA Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] +\
-                            "'s" + " " +\
-                            config.pki_master_dict['pki_security_domain_name']\
-                            + " " + "ID"
-                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
-                        # PKI OCSP
-                        config.pki_master_dict['pki_admin_nickname'] =\
-                            "OCSP Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] +\
-                            "'s" + " " +\
-                            config.pki_master_dict['pki_security_domain_name']\
-                            + " " + "ID"
-                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
-                        # PKI TKS
-                        config.pki_master_dict['pki_admin_nickname'] =\
-                            "TKS Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] +\
-                            "'s" + " " +\
-                            config.pki_master_dict['pki_security_domain_name']\
-                            + " " + "ID"
+            config.pki_master_dict['pki_admin_nickname'] =\
+                "PKI Administrator's " +\
+                config.pki_master_dict['pki_security_domain_name'] +\
+                " ID"
+        if not 'pki_use_common_admin_user' in config.pki_master_dict:
+            config.pki_master_dict['pki_use_common_admin_user'] = 'false'
+
         if not len(config.pki_master_dict['pki_admin_subject_dn']):
-            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
-                if config.pki_master_dict['pki_subsystem'] == "RA":
-                    # PKI RA
-                    config.pki_master_dict['pki_admin_subject_dn'] =\
-                        "cn=" + "RA Administrator" + "," +\
-                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
-                        "," + "e=" +\
-                        config.pki_master_dict['pki_admin_email'] +\
-                        "," + "o=" +\
-                        config.pki_master_dict['pki_security_domain_name']
-                elif config.pki_master_dict['pki_subsystem'] == "TPS":
-                    # PKI TPS
-                    config.pki_master_dict['pki_admin_subject_dn'] =\
-                        "cn=" + "TPS Administrator" + "," +\
-                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
-                        "," + "e=" +\
-                        config.pki_master_dict['pki_admin_email'] +\
-                        "," + "o=" +\
-                        config.pki_master_dict['pki_security_domain_name']
-            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
-                if not config.str2bool(config.pki_master_dict['pki_clone']):
-                    if config.pki_master_dict['pki_subsystem'] == "CA":
-                        if config.str2bool(
-                            config.pki_master_dict['pki_external']):
-                            # External CA
-                            config.pki_master_dict['pki_admin_subject_dn'] =\
-                                "cn=" + "CA Administrator of Instance" + " " +\
-                                config.pki_master_dict['pki_instance_id'] +\
-                                "," + "uid=" +\
-                                config.pki_master_dict['pki_admin_uid']\
-                                + "," + "e=" +\
-                                config.pki_master_dict['pki_admin_email'] +\
-                                "," + "o=" + "External CA"
-                        else:
-                            # PKI CA or Subordinate CA
-                            config.pki_master_dict['pki_admin_subject_dn'] =\
-                                "cn=" + "CA Administrator of Instance" + " " +\
-                                config.pki_master_dict['pki_instance_id'] +\
-                                "," + "uid=" +\
-                                config.pki_master_dict['pki_admin_uid']\
-                                + "," + "e=" +\
-                                config.pki_master_dict['pki_admin_email'] +\
-                                "," + "o=" +\
-                                config.pki_master_dict\
-                                ['pki_security_domain_name']
-                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
-                        # PKI KRA
-                        config.pki_master_dict['pki_admin_subject_dn'] =\
-                            "cn=" + "KRA Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] + "," +\
-                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
-                            "," + "e=" +\
-                            config.pki_master_dict['pki_admin_email'] +\
-                            "," + "o=" +\
-                            config.pki_master_dict['pki_security_domain_name']
-                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
-                        # PKI OCSP
-                        config.pki_master_dict['pki_admin_subject_dn'] =\
-                            "cn=" + "OCSP Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] + "," +\
-                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
-                            "," + "e=" +\
-                            config.pki_master_dict['pki_admin_email'] +\
-                            "," + "o=" +\
-                            config.pki_master_dict['pki_security_domain_name']
-                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
-                        # PKI TKS
-                        config.pki_master_dict['pki_admin_subject_dn'] =\
-                            "cn=" + "TKS Administrator of Instance" + " " +\
-                            config.pki_master_dict['pki_instance_id'] + "," +\
-                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
-                            "," + "e=" +\
-                            config.pki_master_dict['pki_admin_email'] +\
-                            "," + "o=" +\
-                            config.pki_master_dict['pki_security_domain_name']
+            config.pki_master_dict['pki_admin_subject_dn'] =\
+                "cn=PKI Administrator" +\
+                ",e=" + config.pki_master_dict['pki_admin_email'] +\
+                ",o=" + config.pki_master_dict['pki_security_domain_name']
+
         # Jython scriptlet
         # 'CA Signing Certificate' Configuration name/value pairs
         #
-- cgit
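Review bot: The replacement subject DN `"cn=PKI Administrator,e=...,o=..."` drops the `uid=<pki_admin_uid>` RDN that every removed branch carried, and the new nickname and DN are now also assigned for clones, which the old code skipped under `if not config.str2bool(config.pki_master_dict['pki_clone'])`; if anything downstream maps the admin cert to its user by the `uid` attribute, or relies on these values staying empty for a clone, that changes silently, so it should either be confirmed harmless or restored with `",uid=" + config.pki_master_dict['pki_admin_uid'] +\` in the concatenation. Because the same DN is now used for every subsystem in the security domain, one admin cert is an administrator of all of them; that is the purpose of the commit, but the trade-off deserves a one-line comment above the assignment, e.g. `# one DN for the whole security domain: this cert administers every subsystem that imports it`. As a style point, `not 'pki_use_common_admin_user' in config.pki_master_dict` reads better as `'pki_use_common_admin_user' not in config.pki_master_dict`. compose_pki_master_dictionary continues past the hunk.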