From d0ec0c056f132e13bf606f595d1d26ab6486bc5a Mon Sep 17 00:00:00 2001 From: Andrew Wnuk Date: Mon, 20 Aug 2012 15:38:31 -0700 Subject: subsequent OCSPs and DRM connector protection This patch corrects process of attaching OCSP subsystem to CA. It improves handling of adding subsequent OCSP subsystems to CA. This patch also prevents DRM connector to be overwritten by subsequent DRM installations. Bug 804179. --- .../netscape/cms/servlet/csadmin/DonePanel.java | 1 + .../cms/servlet/csadmin/UpdateConnector.java | 79 ++++++++++++---------- .../cms/servlet/csadmin/UpdateOCSPConfig.java | 30 ++++---- 3 files changed, 60 insertions(+), 50 deletions(-) (limited to 'base/common/src/com') diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index f514a59f0..e81afdd2f 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -178,6 +178,7 @@ public class DonePanel extends WizardPanelBase { ConfigurationUtils.setupClientAuthUser(); } } catch (Exception e) { + context.put("info", "Failed to update connector information. "+e.getMessage()); CMS.debug("DonePanel - update(): Error while pushing KRA connectot information to the CA: " + e); e.printStackTrace(); } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java index b6f64767a..b62e184b7 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java @@ -51,6 +51,7 @@ public class UpdateConnector extends CMSServlet { */ private static final long serialVersionUID = 972871860008509849L; private final static String SUCCESS = "0"; + private final static String FAILED = "1"; private final static String AUTH_FAILURE = "2"; public UpdateConnector() { @@ -121,42 +122,47 @@ public class UpdateConnector extends CMSServlet { return; } - IConfigStore cs = CMS.getConfigStore(); - - @SuppressWarnings("unchecked") - Enumeration list = httpReq.getParameterNames(); - while (list.hasMoreElements()) { - String name = list.nextElement(); - String val = httpReq.getParameter(name); - if (name != null && name.startsWith("ca.connector")) { - CMS.debug("Adding connector update name=" + name + " val=" + val); - cs.putString(name, val); - } else { - CMS.debug("Skipping connector update name=" + name + " val=" + val); + // check if connector exists + ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca"); + ICAService caService = (ICAService)ca.getCAService(); + boolean connectorExists = (caService.getKRAConnector() != null)? true:false; + if (connectorExists) { + CMS.debug("UpdateConnector: KRA connector already exists"); + } else { + IConfigStore cs = CMS.getConfigStore(); + + @SuppressWarnings("unchecked") + Enumeration list = httpReq.getParameterNames(); + while (list.hasMoreElements()) { + String name = list.nextElement(); + String val = httpReq.getParameter(name); + if (name != null && name.startsWith("ca.connector")) { + CMS.debug("Adding connector update name=" + name + " val=" + val); + cs.putString(name, val); + } else { + CMS.debug("Skipping connector update name=" + name + " val=" + val); + } } - } - try { - String nickname = cs.getString("ca.subsystem.nickname", ""); - String tokenname = cs.getString("ca.subsystem.tokenname", ""); - if (!tokenname.equals("Internal Key Storage Token")) - nickname = tokenname + ":" + nickname; - cs.putString("ca.connector.KRA.nickName", nickname); - cs.commit(false); - } catch (Exception e) { - } + try { + String nickname = cs.getString("ca.subsystem.nickname", ""); + String tokenname = cs.getString("ca.subsystem.tokenname", ""); + if (!tokenname.equals("Internal Key Storage Token")) + nickname = tokenname + ":" + nickname; + cs.putString("ca.connector.KRA.nickName", nickname); + cs.commit(false); + } catch (Exception e) { + } - // start the connector - try { - ICertificateAuthority ca = (ICertificateAuthority) - CMS.getSubsystem("ca"); - ICAService caService = (ICAService) ca.getCAService(); - IConnector kraConnector = caService.getConnector( - cs.getSubStore("ca.connector.KRA")); - caService.setKRAConnector(kraConnector); - kraConnector.start(); - } catch (Exception e) { - CMS.debug("Failed to start connector " + e); + // start the connector + try { + IConnector kraConnector = caService.getConnector( + cs.getSubStore("ca.connector.KRA")); + caService.setKRAConnector(kraConnector); + kraConnector.start(); + } catch (Exception e) { + CMS.debug("Failed to start connector " + e); + } } // send success status back to the requestor @@ -165,7 +171,12 @@ public class UpdateConnector extends CMSServlet { XMLObject xmlObj = new XMLObject(); Node root = xmlObj.createRoot("XMLResponse"); - xmlObj.addItemToContainer(root, "Status", SUCCESS); + if (connectorExists) { + xmlObj.addItemToContainer(root, "Status", FAILED); + xmlObj.addItemToContainer(root, "Error", "DRM connector already exists."); + } else { + xmlObj.addItemToContainer(root, "Status", SUCCESS); + } byte[] cb = xmlObj.toByteArray(); outputResult(httpResp, "application/xml", cb); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java index 3d564e955..c34df8b9c 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java @@ -116,24 +116,22 @@ public class UpdateOCSPConfig extends CMSServlet { String ocsphost = httpReq.getParameter("ocsp_host"); String ocspport = httpReq.getParameter("ocsp_port"); + String ocspname = ocsphost.replace('.', '-')+"-"+ocspport; + String publisherPrefix = "ca.publish.publisher.instance.OCSPPublisher-"+ocspname; + String rulePrefix = "ca.publish.rule.instance.ocsprule-"+ocspname; try { cs.putString("ca.publish.enable", "true"); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.host", - ocsphost); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.port", - ocspport); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName", - nickname); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.path", - "/ocsp/agent/ocsp/addCRL"); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher"); - cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true"); - cs.putString("ca.publish.rule.instance.ocsprule.enable", "true"); - cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap"); - cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule"); - cs.putString("ca.publish.rule.instance.ocsprule.publisher", - "OCSPPublisher"); - cs.putString("ca.publish.rule.instance.ocsprule.type", "crl"); + cs.putString(publisherPrefix+".host", ocsphost); + cs.putString(publisherPrefix+".port", ocspport); + cs.putString(publisherPrefix+".nickName", nickname); + cs.putString(publisherPrefix+".path", "/ocsp/agent/ocsp/addCRL"); + cs.putString(publisherPrefix+".pluginName", "OCSPPublisher"); + cs.putString(publisherPrefix+".enableClientAuth", "true"); + cs.putString(rulePrefix+".enable", "true"); + cs.putString(rulePrefix+".mapper", "NoMap"); + cs.putString(rulePrefix+".pluginName", "Rule"); + cs.putString(rulePrefix+".publisher", "OCSPPublisher-"+ocspname); + cs.putString(rulePrefix+".type", "crl"); cs.commit(false); // insert info CMS.debug("UpdateOCSPConfig: Sending response"); -- cgit