From 310a30f230eae7fd34d8a41e54ee3125ffb91046 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Wed, 28 Nov 2012 09:27:16 -0500 Subject: Reorganized sensitive parameters. Previously sensitive parameters are stored in the Sensitive section in the configuration file, separate from the hierarchical structure used by non-sensitive parameters. To allow defining multiple subsystems in a single configuration file the sensitive and non-sensitive parameters have been reorganized into the same hierarchical structure. To maintain the security a new meta-parameter has been added to list all sensitive parameter names. This way the deployment code will know whether a parameter is sensitive, which then will mask the value before displaying it to the screen or storing it in a log file. Ticket #399 --- base/deploy/config/pkideployment.cfg | 76 +++++++++++++++++++++++------------- 1 file changed, 49 insertions(+), 27 deletions(-) (limited to 'base/deploy/config') diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index 6630907a7..133d4e993 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg @@ -1,23 +1,29 @@ ############################################################################### -## 'Sensitive' Data: ## -## ## -## Values in this section pertain to various PKI subsystems, and contain ## -## required 'sensitive' information which MUST ALWAYS be provided by users. ## -## ## -## IMPORTANT: Sensitive data values must NEVER be displayed to the ## -## console NOR stored in log files!!! ## -############################################################################### -[Sensitive] -pki_admin_password= -pki_backup_password= -pki_client_database_password= -pki_client_pkcs12_password= -pki_clone_pkcs12_password= -pki_ds_password= -pki_security_domain_password= -pki_token_password= -############################################################################### -## 'Common' Data: ## +## Default Configuration: ## +## ## +## This section contains meta-parameters that determine how the PKI ## +## configuration should work. ## +############################################################################### +[DEFAULT] + +# The sensitive_parameters contains a list of parameters which may contain +# sensitive information which must not be displayed to the console nor stored +# in log files for security reasons. +sensitive_parameters= + pki_admin_password + pki_backup_password + pki_client_database_password + pki_client_pin + pki_client_pkcs12_password + pki_clone_pkcs12_password + pki_ds_password + pki_one_time_pin + pki_pin + pki_security_domain_password + pki_token_password + +############################################################################### +## Common Configuration: ## ## ## ## Values in this section are common to more than one PKI subsystem, and ## ## contain required information which MAY be overridden by users as ## @@ -34,6 +40,7 @@ pki_admin_email= pki_admin_keysize=2048 pki_admin_name= pki_admin_nickname= +pki_admin_password= pki_admin_subject_dn= pki_admin_uid= pki_audit_group=pkiaudit @@ -45,15 +52,19 @@ pki_audit_signing_signing_algorithm=SHA256withRSA pki_audit_signing_subject_dn= pki_audit_signing_token= pki_backup_keys=False +pki_backup_password= pki_client_database_dir= +pki_client_database_password= pki_client_database_purge=True pki_client_dir= +pki_client_pkcs12_password= pki_ds_base_dn= pki_ds_bind_dn=cn=Directory Manager pki_ds_database= pki_ds_hostname= pki_ds_ldap_port=389 pki_ds_ldaps_port=636 +pki_ds_password= pki_ds_remove_data=True pki_ds_secure_connection=False pki_group=pkiuser @@ -62,6 +73,7 @@ pki_restart_configured_instance=True pki_security_domain_hostname= pki_security_domain_https_port=8443 pki_security_domain_name= +pki_security_domain_password= pki_security_domain_user= pki_skip_configuration=False pki_skip_installation=False @@ -78,9 +90,11 @@ pki_subsystem_nickname= pki_subsystem_subject_dn= pki_subsystem_token= pki_token_name=internal +pki_token_password= pki_user=pkiuser + ############################################################################### -## 'Apache' Data: ## +## Apache Configuration: ## ## ## ## Values in this section are common to PKI subsystems that run ## ## as an instance of 'Apache' (RA and TPS subsystems), and contain ## @@ -90,8 +104,9 @@ pki_user=pkiuser pki_instance_name=pki-apache pki_http_port=80 pki_https_port=443 + ############################################################################### -## 'Tomcat' Data: ## +## Tomcat Configuration: ## ## ## ## Values in this section are common to PKI subsystems that run ## ## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## @@ -108,6 +123,7 @@ pki_https_port=443 [Tomcat] pki_ajp_port=8009 pki_clone=False +pki_clone_pkcs12_password= pki_clone_pkcs12_path= pki_clone_replicate_schema=True pki_clone_replication_master_port= @@ -123,8 +139,9 @@ pki_proxy_http_port=80 pki_proxy_https_port=443 pki_security_manager=true pki_tomcat_server_port=8005 + ############################################################################### -## 'CA' Data: ## +## CA Configuration: ## ## ## ## Values in this section are common to CA subsystems including 'PKI CAs', ## ## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## @@ -162,8 +179,9 @@ pki_ocsp_signing_token= pki_subordinate=False pki_subsystem=CA pki_subsystem_name= + ############################################################################### -## 'KRA' Data: ## +## KRA Configuration: ## ## ## ## Values in this section are common to KRA subsystems ## ## including 'PKI KRAs' and 'Cloned KRAs', and contain ## @@ -186,8 +204,9 @@ pki_transport_nickname= pki_transport_signing_algorithm=SHA256withRSA pki_transport_subject_dn= pki_transport_token= + ############################################################################### -## 'OCSP' Data: ## +## OCSP Configuration: ## ## ## ## Values in this section are common to OCSP subsystems ## ## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ## @@ -203,8 +222,9 @@ pki_ocsp_signing_subject_dn= pki_ocsp_signing_token= pki_subsystem=OCSP pki_subsystem_name= + ############################################################################### -## 'RA' Data: ## +## RA Configuration: ## ## ## ## Values in this section are common to PKI RA subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## @@ -212,8 +232,9 @@ pki_subsystem_name= [RA] pki_subsystem=RA pki_subsystem_name= + ############################################################################### -## 'TKS' Data: ## +## TKS Configuration: ## ## ## ## Values in this section are common to TKS subsystems ## ## including 'PKI TKSs' and 'Cloned TKSs', and contain ## @@ -222,8 +243,9 @@ pki_subsystem_name= [TKS] pki_subsystem=TKS pki_subsystem_name= + ############################################################################### -## 'TPS' Data: ## +## TPS Configuration: ## ## ## ## Values in this section are common to PKI TPS subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## -- cgit